Lot 1 Service Specification
MANAGED SECURITY SERVICES
Fujitsu Services Limited, 2013
OVERVIEW OF FUJITSU MANAGED SECURITY SERVICES

Fujitsu delivers a comprehensive range of information security services across the private and public sectors. We bring real experience forged by over 40 years of delivering secure information services to a wide customer base including UK government departments and FTSE250 companies.

Fujitsu provides essential security capabilities to its customers, supporting their drive to protect information assets in the face of emerging strategic and operational business challenges. We are a critical component of our customers' approach to their regulatory and legislative demands, assisting them in managing their information security risks flexibly and effectively.

Fujitsu takes responsibility for the ongoing management of specific security capabilities on behalf of customers. We use market-leading security products and expert professional services to support the assessment of risk, define requirements, provide technical and service design and architecture, and ensure effective deployment and operation of the Managed Security Services (MSS).

Our broad range of MSS can provide defence-in-depth solutions ranging from network protection technologies such as firewalls, web security and intrusion prevention systems, through to host encryption services and endpoint protection services (e.g. anti-malware and anti-spam). All our services give customers the 24x7 cover needed.

DELIVERABLES

The Managed Security Services that Fujitsu provide include:

Boundary Protection
Managed Firewall Services and Intrusion Detection / Prevention Systems (IDS/IPS) that provide protection against unauthorised access to critical information assets and monitor/block network traffic for malicious activity, providing security alerts for analysis and remediation.
Web and Email Security
Protects against:
- Web-based threats and malicious code, as well as enabling the filtering of web content
- Inbound and outbound email threats including spam, malware, phishing etc.

Security Information and Event Management (SIEM)
Provides real-time visibility of risks, threats and critical operations issues that are otherwise undetectable in any practical way. This enables the customer to detect and swiftly respond to:
- Sophisticated intrusions
- Insider threats
- Fraud
- Compliance violations
- Disruptions to IT Services
- Many other critical events.
SIEM underpins security compliance (including PCI DSS and CESG Good Practice Guide 13) as well as enabling retrospective analysis to support security investigations.

Endpoint Protection and Encryption
Ensures consistent endpoint protection across the enterprise to meet malware threats. The service can include: Anti-Virus and Anti-Spyware, application and device control, desktop firewalls, host intrusion prevention, network access control and endpoint encryption.

Data Loss Prevention (DLP)
Protects brand and reputation through the enforcement of defined policies to mitigate the risk of sensitive data loss and also to report on compliance requirements.
Vulnerability Management
Scans the IT infrastructure to identify, prioritise and report any known vulnerabilities, which can then be used to drive the remediation activity and enhance the protection of critical information assets.

ON-BOARDING AND OFF-BOARDING PROCESSES/SCOPE

On Boarding
Fujitsu's approach would be to work with the G Cloud Customer to define the detailed requirements, which would then be used to derive a quotation and an agreed scope and delivery approach. Fujitsu's on-boarding process has five overarching phases:
- Define the scope
- Discover: conduct a detailed analysis of the current estate
- Design the new infrastructure based on definition and discovery
- Develop the solution
- Deploy and release

The approach is underpinned by the following key components:
- Project/programme management activities aligned to PRINCE2/Managing Successful Programmes (MSP)
- Robust change management
- Externally verified risk management processes
- Active security management
- Staged approach with formal entry and exit criteria controlling stage progression.

Once transitioned into service, the Managed Security Services would be supported from our Security Operations Centre.

Off Boarding
Fujitsu will work with the G Cloud Customer to define the scope and timescales required as part of the Off Boarding. The approach to off boarding will ensure an orderly transition of the transferring services to the replacement supplier. A key priority for Fujitsu in any service exit event is maintaining the contracted levels of service for the remaining period of the Term. As such, Fujitsu would look to work with the new incoming supplier to:
- Agree a strategy for exit arrangements that is cost effective and risk averse, to maintain the integrity of the service
- Agree the commercial terms of the exit of Fujitsu with the Customer
- Agree the new supplier's transition timescales, with the aim of ensuring a seamless transfer of services.
SERVICE LEVELS

The response and target fix times provided for the Fujitsu Managed Security Services are outlined below.

Term                    Technical Response Time    Target Fix Time
Incident: Severity 1    30 minutes                 4 hours
Incident: Severity 2    1 hour                     8 hours
Incident: Severity 3    4 hours                    16 hours
Incident: Severity 4    1 day                      3 days

SERVICE CREDITS
N/A

SERVICE MANAGEMENT
The Fujitsu Managed Security Services are operated under an ITIL-aligned, ISO/IEC 20000 compliant service management framework. Fujitsu will implement and maintain the agreed policies for the MSS, and any changes to the policies shall be managed through the Managed Service Change process. The MSS shall contain the following principal elements:
- Incident Management
- Problem Management
- Change Management
- Release Management
- Configuration Management
- Service Level Management
- Quality Management
- Availability and Capacity Management
- Service Continuity Management
- Continuous Improvement
- Third Party Management, where required.

Fujitsu's SOC will react to security incidents using the following approach:

Event Analysis
Upon detection, events which impact on security shall be analysed to ascertain whether they need to be upgraded to a Security Incident for further action.

Security Incident Categorisation
If the event is defined as a Security Incident, it shall be categorised considering the cause, priority, potential impact and the urgency of response.

Security Incident Response
The security analysts, resolver groups and service management team, plus identified Customer stakeholders as defined within the overarching Service Design and communications plan, shall agree on the most appropriate course of action. When a course of action has been implemented, its effectiveness in resolving the incident shall be assessed so that, if the chosen course of action is not effective, further course/s of action can be taken.
The Security Incident shall be tracked to resolution.

Post Incident Analysis
After each Security Incident, post incident analysis shall be undertaken to:
- Ensure that the conduct of the investigation was appropriate
- Consider lessons identified, where conduct of the investigation could be improved
- Ensure that all mitigating actions have been taken
PRICING
As an indicative cost for one of the Managed Security Services that Fujitsu could provide:

There would be a fixed charge of 15,673 for the provisioning activity for a new High Availability Email Security fully managed service including requirements definition, design, build, install and test (excluding hardware, licensing and vendor support, which will be defined and agreed as part of the requirements definition) for up to 10,000 users. Should any additional effort be required in order to complete work or carry out additional work which is out of the scope of this Service Definition, then such additional effort and any applicable charges will be agreed by both parties in the form of a new statement of work.

There would also be a charge of 28,743 per annum for the ongoing management of the service. (Indicative cost for a typical service.)

These charges are exclusive of Value Added Tax (VAT) and any other applicable sales taxes. The Customer agrees to pay amounts equal to any VAT or other levy. Detailed requirements would need to be defined and agreed prior to a formal quotation being provided to the Customer.

ORDERING AND INVOICING PROCESS
The Customer will be invoiced for the Charges on completion of the set up and provisioning of the Managed Security Service, and then monthly in arrears for the ongoing management of the service. When remitting payment, the Customer will include the applicable Fujitsu invoice that the payment applies to.

INFORMATION ASSURANCE
Fujitsu's Managed Security Services are provided from an ITIL-aligned, ISO 27001 certified support organisation, and Fujitsu provides Managed Security Services from its Security Operations Centre to a number of Public Sector customers up to and including IL4.

LEVEL OF BACKUP/RESTORE AND DISASTER RECOVERY
Fujitsu will retain configuration back-ups to enable rebuild/restoration in the event of failure/fault. Fujitsu's standard environment platform backup processes shall be utilised and tested.
DATA RESTORATION / SERVICE MIGRATION
Fujitsu has extensive experience of transitioning services. Transition of services will include definition of the scope, detailed analysis of the current estate and the definition of the required activities as part of an overarching transition plan, to ensure that services are assured during the transition phase.

TRAINING
N/A

DETAILS OF ANY TRIAL SERVICE AVAILABLE
N/A

SERVICE CONSTRAINTS
Each of the respective Managed Security Services has specific service constraints. These shall be provided as part of the process of producing a definition of requirements.

MINIMUM AND MAXIMUM TERMS
There is a minimum term of 12 months.

TERMINATION TERMS
The Customer or Fujitsu may terminate a Managed Security Service (MSS) by giving not less than ninety (90) days' notice to the other party.
Should the Customer decide to terminate the service, termination fees shall apply, which will be detailed as part of the contract and will be dependent upon the specific MSS being subject to termination. Additionally, should the Customer terminate an MSS, the Customer shall be liable for any Software Licensing or Hardware support costs that arise as a result of the early termination.

CONSUMER RESPONSIBILITIES
Successful delivery of the Fujitsu Managed Security Service is subject to the following dependencies upon the Customer:
- The Customer shall maintain the applicable Customer Security Policy regarding the MSS
- The Customer shall advise Fujitsu prior to any security testing
- The Customer shall notify Fujitsu of potential Security Incidents via the Service Desk using the agreed method of incident logging
- The Customer shall ensure that all Security Incidents are logged with all of the required details of the Security Incident
- The Customer shall use all reasonable endeavours to ensure that it does not report incidents under this agreement which relate to equipment and services that are not within the scope of the Support Services
- Software components deployed onto servers for log file collection (for example agents) may require certain prerequisite patches and applications to be installed
- The Customer will provide Fujitsu with access to the equipment for the purpose of undertaking its obligations as described herein
- The Customer shall utilise the Fujitsu-provided software in accordance with the prevailing licence terms.

TECHNICAL REQUIREMENTS
As part of the definition of the Managed Security Service (MSS) requirements with the G Cloud Customer, Fujitsu shall define the technical requirements, which will be dependent upon the specific MSS to be delivered, and document and agree them with the Customer.
SERVICE CONSTRAINTS
Fujitsu shall not be liable for the Customer's take-up, non-take-up or other discretionary use of the information provided by Fujitsu, or of any of the recommendations or options generated from the Service and activities under this Service Definition.
DEFINITIONS
Any terms used in this Service Specification have the meaning assigned to them by the Fujitsu Cloud Service Agreement Terms and Conditions. Additional terms used have the meaning assigned by this paragraph. In the event of any conflict between the terms of this Service Specification and the other documents that comprise the Agreement, the provisions of this Service Specification shall prevail.

Table 1: DEFINITIONS

Definition                      Meaning
CESG Good Practice Guide 13     HMG security guidance on Protective Monitoring
IDS/IPS                         Intrusion Detection Systems / Intrusion Prevention Systems
MSS                             Managed Security Service
PCI DSS                         Payment Card Industry Data Security Standards
Security Incident               The outcome of the analysis of security events which are not part of standard operation and/or may cause a breach of security policy.
Service Design                  Defines how the Managed Security Service integrates with the wider service management framework.
SOC                             Security Operations Centre

SERVICE EXCLUSIONS
The following elements are not included or applicable as part of the offered Service and are therefore not included within this Service Definition:
- Hardware and software, plus ongoing licensing and support. These would need to be defined as part of the initial requirements definition with the Customer.