G-Cloud Service Definition Atos Security Professional Services SCS
Atos Security Professional Services SCS

Security Professional Services delivered by experienced, certified professionals, backed by market-leading products that have been carefully chosen to provide cost-effective, efficient solutions for the security risks organisations face today. Our security services apply equally to cloud-based and non-cloud-based systems.

Alignment to your specific needs: professional security services for bespoke security solutions.

Certified Security Specialists: experienced, certified security professionals and security specialists from the Atos Cyber Security Academy, run in conjunction with Derby University.

Cleared Security Specialists: Atos provides security specialists holding UK government clearances from SC to DV.

Access to Atos Partners and SMEs: Atos operates the SME Harbour (http://uk.atos.net/en-uk/home/yourbusiness/government/sme-harbour.html) so that organisations can benefit from SME products and services and fulfil the government commitment to place work with SMEs.

What is it?

We provide specialist services for the information security needs of government organisations, covering the advice, design, build and operation of security solutions for:
- Analytics: gathering, logging and correlating security events in compliance with CESG GPG13 Protective Monitoring
- Assessment of the IT security landscape
- Mitigation of security threats in proportion to the threat posed
- Governance, Risk and Compliance (GRC): policy, strategy, processes and auditing.

Skills and Resources:
- CEH Certified Ethical Hackers
- CISSP Certified Information Systems Security Professionals
- CISM Certified Information Security Managers
- PCI DSS (Payment Card Industry Data Security Standard) advisors
- Atos Cyber Security Academy, in conjunction with Derby University (60 credits of Level 6 education), leading to the SSCP qualification
- UK Security Operations Centres appropriate for IL5 (SECRET under the HMG Business Impact Levels) work, subject to formal accreditation.
The security tools and products we typically employ and have experience in:
- IBM: Tivoli Identity Manager, Tivoli Access Manager, IBM Guardium, IBM SiteProtector
- Oracle: Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Identity Analytics, Oracle Identity Manager, Oracle Internet Directory, Oracle Unified Directory, Oracle Database Firewall, Oracle Enterprise Single Sign-On (ESSO)
- Microsoft: Microsoft Forefront Identity Manager
- RSA: RSA Archer, RSA DLP, RSA enVision
- Novell: Novell Sentinel 7, Novell Identity Manager, Novell Access Manager, Novell eDirectory
- DirX: DirX Access, DirX Identity
- SafeNet Authentication Service
- Verisec Freja Authentication Solution
- WCK GRC
- Sourcefire IPS (NGIPS)
- FireEye
- Verdasys
- Outpost24
- nCircle
- LogRhythm
- Tripwire
- Splunk
- Open source tools
What makes us unique?

As Worldwide IT Partner of the International Olympic Committee, Atos has designed, integrated and managed the multiple IT systems of every Games since 2002. The Olympics is not only a security challenge but also a project management challenge. How many of your projects experience delays? The Olympics is immovable in terms of start and end date; each event must begin at its exact scheduled time. Atos has consistently met every deadline required by the Olympics so that the Games run like clockwork from an IT and security point of view.

At London 2012, with more than four billion people watching on any device, anywhere, at any time, cyberspace threats were at the highest level ever recorded. It was the first "social" Games, with an unprecedented level of social media activity creating new sources of unknown cyber threats. The Atos SIEM recorded over 255 million syslog messages during the London 2012 Olympic Games. From these raw messages 4.5 million significant events were identified, and of these 5,324 were raised for SOC assessment. During the London 2012 Olympic Games no security incident impacted the live competition: our approach ensured that no threat, known or unknown, affected the smooth running of the Games or threatened critical information.

In December 2013, following a successful competitive bid, the International Olympic Committee signed Atos as IT Services Partner for the Olympics until 2024, extending a relationship that first started in 1989.

The offering includes:
- Professional services from Certified Security Specialists holding UK Government security clearances up to SC and DV levels
- Access to the skills to deliver bespoke implementations of leading security products and services
- The benefit of the Atos SME Harbour, which helps organisations fulfil the UK Government commitment to place more business with SME suppliers, either directly or through the Atos supply chain.

This offering is intended for:
- Organisations for whom standard, generic implementations of security services and products will not adequately mitigate the security risks they face
- Organisations wishing to leverage Atos security expertise throughout the enterprise and the whole project lifecycle.

We acknowledge that not all security needs can be solved by standard configured services. This offering satisfies the need for security solutions that recognise that our customers sometimes have very specific needs and hard constraints that cannot be relaxed in order to take on a standard product or service. This offering can also be used to tailor our other Atos security products:
- Atos Secure Identity Authentication for Cloud - SafeNet
- Atos Information Security Wireless Scanning Service.
Contents
1. Introduction
   1.1 Service summary
   1.2 How this product can be used
2. Service overview
   2.1 Service Roadmap
3. Information assurance
4. Backup/restore and disaster recovery
5. On-boarding and off-boarding
6. Pricing
7. Service management
8. Service constraints
9. Service levels
10. Financial recompense
11. Training
12. Ordering and invoicing process
13. Termination terms
   13.1 By consumers (i.e. consumption)
   13.2 By the Supplier (removal of the G-Cloud Service)
14. Data restoration / service migration
15. Consumer responsibilities
16. Technical requirements
17. Trial service
18. Glossary of Terms
1. Introduction

Atos provides a wide range of security solutions that help organisations save money whilst simultaneously increasing security. Atos Security Professional Services are delivered by experienced, certified professionals, backed by market-leading products that have been carefully chosen to provide cost-effective, efficient solutions for the security risks organisations face today.

1.1 Service summary

Atos provides specialist services for the information security needs of government organisations, covering the advice, design, build and operation of security solutions for:
- Analytics: gathering, logging and correlating security events
- Assessment of the IT security landscape
- Mitigation of security threats in proportion to the threat posed
- Governance, Risk and Compliance (GRC): policy, strategy, processes and auditing.

Skills and Resources:
- CEH Certified Ethical Hackers
- CISSP Certified Information Systems Security Professionals
- CISM Certified Information Security Managers
- PCI DSS (Payment Card Industry Data Security Standard) advisors
- Atos Cyber Security Academy, in conjunction with Derby University (60 credits of Level 6 education), leading to the SSCP qualification
- UK Security Operations Centres appropriate for IL5 (SECRET under the HMG Business Impact Levels) work, subject to formal accreditation.

The security tools and products Atos typically employs and has experience in:
- IBM: Tivoli Identity Manager, Tivoli Access Manager, IBM Guardium, IBM SiteProtector
- Oracle: Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Identity Analytics, Oracle Identity Manager, Oracle Internet Directory, Oracle Unified Directory, Oracle Database Firewall, Oracle Enterprise Single Sign-On (ESSO)
- Microsoft: Microsoft Forefront Identity Manager
- RSA: RSA Archer, RSA DLP, RSA enVision
- Novell: Novell Sentinel 7, Novell Identity Manager, Novell Access Manager, Novell eDirectory
- DirX: DirX Access, DirX Identity
- SafeNet Authentication Service
- Verisec Freja Authentication Solution
- WCK GRC
- Sourcefire IPS (NGIPS)
- FireEye
- Verdasys
- Outpost24
- nCircle
- LogRhythm
- Tripwire
- Splunk
- Open source tools

1.2 How this product can be used

Atos provides a suite of specialist products and services that enable the client organisation to leverage Atos security expertise throughout the enterprise and the whole project lifecycle. Atos acknowledges that not all security needs can be solved by standard configured services. This product satisfies the need for security solutions that recognise that Atos customers sometimes have very specific requirements and hard constraints that cannot be relaxed in order to take on a standard product or service.

See also the other Atos security products:
- Atos Secure Identity Authentication for Cloud - SafeNet
- Atos Information Security Wireless Scanning Service.
2. Service overview

From the outset it is vital to understand the unique security challenges that an organisation faces. The most successful approach is based on a four-stage cycle of analytics, assessment, mitigation and governance, all with the goal of reducing risk, growing value and instilling trust in an organisation.

Atos supplies experienced security professionals who collaborate with Atos customers, suppliers and stakeholders to analyse the data, assess the risk, mitigate the threat and govern security compliance, responding at a level appropriate to the security threats Atos customers face. Atos can provide professional services for any one or all of these four quadrants.

This product can be used standalone or to provide advice and bespoke security solutions in support of the Atos G-Cloud security products and services:
- Atos Secure Identity Authentication for Cloud - SafeNet
- Atos Information Security Wireless Scanning Service.

Analytics

Analytics gathers the data and correlations in preparation for the risk assessment. Analytics can be performed as a one-off advisory activity or as an activity within Atos mitigation solutions. The analytics:
- Identify all the valuable data; scan the systems to locate the data and discover who has access to it
- Scan the infrastructure internally and externally for vulnerabilities, and feed the results into an analytics engine that relates infrastructure to end business services. This reveals the business impact of the vulnerabilities
- Review the governance of organisation security policies and compare them to industry best practice and international legislation for compliance
- Scan the identity stores, identify erroneous accounts and discover access privileges.
Assessment

Assessment takes the analytics and advises on the appropriate response to the threats and gaps revealed in the collected data. Atos regularly reviews, tests and audits IT systems, and can give remediation advice based on real-world experience rather than pure theory, for:
- Compliance assistance: Atos security specialists can help prepare for, and ensure adherence to, relevant compliance mandates, for example ISO 27001 and PCI DSS
- Testing: to verify the correct implementation of the security design. Atos uses CHECK testers and sophisticated tools to find the vulnerabilities that are present (no test can prove that none remain, so testing is repeated as the estate changes)
- Regulation: Atos has many years of experience in this field and helps find solutions and services designed to meet the needs of information security standards, international law and data privacy.

Mitigation

Atos provides many professional services for the design, build and operation of solutions that mitigate the security threats facing Atos customers. These include solutions for:
- Authentication: on-premise and fully managed cloud service solutions for two-factor authentication (2FA) across diverse IT estates that need remote access. Atos has a G-Cloud service and the capability to deliver bespoke solutions: Atos Secure Authentication for Cloud - SafeNet, and custom identity authentication solutions
- Protective monitoring: design, build and operation of product-based solutions for protecting IT systems
- Bespoke alternatives to the Atos G-Cloud SaaS offerings, for example Atos Cloud Security SaaS Wireless Scanning for regular scanning and reporting of wireless (Wi-Fi) activity and vulnerabilities across the IT estate
- Infrastructure vulnerability scanning: using a custom scanning platform to discover security weaknesses and vulnerabilities in IT infrastructure prior to a formal penetration test
- Outsourced information security monitoring: bespoke product-based solutions for Security Information and Event Management (SIEM), controlled and monitored through Atos UK Information Security Centres. The solution complies with the needs of CESG GPG13 Protective Monitoring
- Data loss prevention: custom product-based solutions to prevent the loss of sensitive data through many risk vectors, including email, webmail, social media, FTP, web, Web 2.0, PCs, virtual machines, smartphones and USB
- Biometrics: application of practical experience and biometric implementations from the Atos dedicated biometrics and smartcard research centre
- Single sign-on (SSO): Atos has solutions strong enough for UK Government organisations to have single sign-on (SSO and ESSO) across laptops, tablets and mobile phones from all the major suppliers
- Advanced Persistent Threat (APT) protection: solutions designed to protect against advanced threat vectors and emerging attack methodologies.
Governance

Governance is required by every legal mandate and standard for security compliance. Atos can help design and implement the governance and compliance framework for:
- Enterprise Governance, Risk and Compliance (EGRC): advanced technologies designed to provide a single-point overview of the organisation's GRC status
- Impact assessment: Atos can help identify what is worth protecting and, if so, to what degree
- Identity: identity governance can help ensure staff remain a customer's greatest asset and do not become its greatest liability
- Incident response: Atos can advise on defining the policies, roles and processes for an effective and robust response to security incidents.

2.1 Service Roadmap

Atos uses a wide range of security products, and security threats are constantly evolving. Atos continuously monitors the security threat landscape to stay up to date with product versions and with its choice of security products. Consequently, Atos can advise on and provide cost-effective, bespoke security protection for its customers.
3. Information assurance

The services are supported from Atos UK Information Security Centres and are appropriate for impact levels up to IL5, subject to formal accreditation.
4. Backup/restore and disaster recovery

Backup/restore and disaster recovery will be configured to the customer's specific needs and according to the specification of the products employed. Atos has extensive experience in providing these capabilities from IL0 to IL5, subject to formal accreditation.
5. On-boarding and off-boarding

On-boarding and off-boarding will depend upon the products employed and the service delivered. They will be discussed, documented and agreed prior to the commencement of on-boarding.
6. Pricing

The service is priced on a time-and-materials basis according to the agreed SFIA Rate Card (Atos):
- Travel and subsistence: payable at the customer's standard T&S rate
- Mileage: payable at the customer's standard T&S rate
- Professional indemnity insurance: included in the day rate.
7. Service management

The services are typically available during standard working hours/days: Monday to Friday, 09:00 to 17:30, excluding public holidays. Extended hours can be arranged when required.
8. Service constraints

Depending upon the customer's requirements, Atos may need to:
- Obtain authorisation to access the customer estate and IT resources
- Discuss the customer's needs with Atos security partners within relevant Non-Disclosure Agreement (NDA) frameworks
- Procure specific hardware, to be determined during analysis and design activities and agreed with the customer prior to purchase
- Procure specific software, to be determined during analysis and design activities and agreed with the customer prior to purchase.
9. Service levels

Support hours: standard working hours/days, Monday to Friday, 09:00 to 17:30, excluding public holidays. Additional hours can be provided by arrangement.

Availability: the target service availability will depend upon the security risk, demand profile and cost/benefit. Atos operates a range of availabilities, from standard working days to services such as Atos Secure Authentication for Cloud - SafeNet, which is 24x7x365 with 99.999% availability.
10. Financial recompense

To minimise the cost to users, Atos does not provide service credits for use of the service. All Atos services are provided on a reasonable-endeavours basis. Please refer to the G-Cloud terms and conditions.

In accordance with the guidance within the GPS G-Cloud Framework Terms and Conditions, the customer may terminate the contract at any time, without cause, by giving at least thirty (30) Working Days' prior notice in writing. The Call-Off Contract terms and conditions and the Atos terms define the circumstances in which a refund of any pre-paid service charges may be available.
11. Training

Atos security specialists will identify and discuss training options during analysis and design activities; these are agreed prior to the purchase of software and hardware products.
12. Ordering and invoicing process

Ordering this product is a straightforward process. Please forward your requirements to GCloud@atos.net. Atos will prepare a quotation and agree it with you, including any volume discounts that may be applicable. Once the quotation is agreed, Atos will issue the customer with the necessary documentation (as required by the G-Cloud Framework) and ask the customer to provide Atos with a purchase order. Once received, the customer's services will be configured to the requirements as per the original quotation. For new customers, additional new-supplier forms may need to be completed.

Invoices will be issued to the customer and Shared Services (quoting the purchase order number) for the services procured. On a monthly basis, Atos will also complete the mandated management information reports to Government Procurement Services detailing the spend that the customer has placed with us. The Cabinet Office publishes a summary of this monthly management information at: http://gcloud.civilservice.gov.uk/about/sales-information/.
13. Termination terms

13.1 By consumers (i.e. consumption)

Termination shall be in accordance with:
- The G-Cloud Framework terms and conditions
- Any terms agreed within the Call-Off Contract under section 10.2 of the Order Form (termination without cause), where the Government Procurement Service (GPS) guidance states at least thirty (30) Working Days in accordance with Clause CO-9.2 of the Call-Off Contract
- The Atos Supplier Terms for this service, as listed on the G-Cloud CloudStore.

For this specific service, by default Atos asks for at least thirty (30) Working Days' prior written notice of termination, as per the guidance within the GPS G-Cloud Framework Terms and Conditions.

13.2 By the Supplier (removal of the G-Cloud Service)

Atos commits to continue to provide the service for the duration of the Call-Off Contract, subject to the terms and conditions of the G-Cloud Framework and the Atos Supplier Terms.
14. Data restoration / service migration

Data restoration and service migration will depend upon the products employed and the service delivered. They will be discussed, documented and agreed prior to the commencement of data collection or service.
15. Consumer responsibilities

The consumer's responsibilities depend upon the products and services delivered. The principal ones are:
- The consumer will authorise access to the customer sites, IT infrastructure and data needed to perform the duties requested
- The consumer will assist Atos in collaboration and integration with the customer's other product suppliers and service providers
- The consumer will provide all possible assistance to allow the Atos security specialists to operate at the specified sites receiving this service
- The consumer will escalate and manage the actions required to deal with any security threats that impact upon the service delivered by Atos but fall outside Atos's contracted responsibility to mitigate or resolve.
16. Technical requirements

Technical requirements will be discussed with the customer and their representatives during analysis and design activities, and agreed prior to the purchase of software and hardware products.
17. Trial service

Not all products or services have a trial service, but where this can be arranged with product vendors Atos will be pleased to do so.
18. Glossary of Terms

Term: Explanation
- 2FA: Two-Factor Authentication
- ASAC-S: Atos Secure Authentication for Cloud - SafeNet
- GPS: Government Procurement Service
- IL: Impact Level
- LDAP: Lightweight Directory Access Protocol
- NDA: Non-Disclosure Agreement
- OATH: Initiative for Open Authentication, an open industry standard for one-time-password authentication
- RADIUS: Remote Authentication Dial-In User Service
- RSA: product vendor
- SAML: Security Assertion Markup Language
- SMS: Short Message Service
- SSL: Secure Sockets Layer
- SSO: Single Sign-On
- TCO: Total Cost of Ownership
- VPN: Virtual Private Network