Service Definition Document

QinetiQ Secure Cloud Protective Monitoring Service (AWARE)
QinetiQ Secure Cloud Protective Monitoring Service (DETER)
Secure Multi-Tenant Protective Monitoring Service (AWARE)
Secure Multi-Tenant Protective Monitoring Service (DETER)

Specialist Cloud Services, version 5.0
Contents

1. Introduction ... 3
2. QinetiQ Secure Cloud Protective Monitoring Service (AWARE) ... 4
3. QinetiQ Secure Cloud Protective Monitoring Service (DETER) ... 8
4. Secure Multi-Tenant Protective Monitoring Service (AWARE) ... 13
5. Secure Multi-Tenant Protective Monitoring Service (DETER) ... 17

QinetiQ Limited, 2014 Page 2 of 21
1. Introduction

With the advent of Cloud technologies, it has never been more important for Government and private companies to comply with regulatory standards and, more importantly, to have a mechanism by which they can effectively manage and mitigate risks. To assist in meeting this challenge, QinetiQ developed the UK's first GPG13 AWARE and DETER Protective Monitoring Managed Services.

QinetiQ draws on a unique heritage of providing security expertise to the UK and other Governments to achieve high levels of security. Through this knowledge and expertise, QinetiQ has developed the following service offerings, which can be easily adopted and tailored to meet customers' specific risk management requirements:

- Secure Cloud Protective Monitoring Service at AWARE: a Cloud based Protective Monitoring Service for customers with deployed services within the Skyscape Cloud virtual environment, providing centralised storage of Security event data following guidance at the IS1 AWARE segment.
- Secure Cloud Protective Monitoring Service at DETER: a Cloud based Protective Monitoring Service for customers with deployed services within the Skyscape Cloud virtual environment, providing a fully Managed Service operating against IS1 and IS2 DETER, with 24x7 monitoring and alerting of Security events and alerts.
- Secure Multi-tenanted Protective Monitoring Service at AWARE: a centralised multi-tenanted architecture delivering centralised storage of Security event data following guidance at the IS1 AWARE segment.
- Secure Multi-tenanted Protective Monitoring Service at DETER: a centralised multi-tenanted architecture delivering a fully Managed Service operating against IS1 and IS2 DETER, with 24x7 monitoring and alerting of Security events and alerts.
2. QinetiQ Secure Cloud Protective Monitoring Service (AWARE)

Service Overview

The QinetiQ Secure Cloud Protective Monitoring Service enables customer organisations to effectively manage and mitigate risks posed to their Information Technology environments deployed upon the Skyscape Cloud Services virtual architecture. The Secure Cloud Protective Monitoring Service consists of a set of robust business processes, underpinned by technology, delivered by people and operated in line with the guidelines defined within HMG Good Practice Guide Protective Monitoring for HMG ICT Systems, Issue 1.7 (GPG13).

The Secure Cloud Protective Monitoring Service provides collection and compilation of appropriate security audit event logs. This provides a solution to challenges faced by organisations where oversight of how their IT is used (or abused) is essential. This service acts as a central point within G-Cloud services for the consistent storage of Accounting or Event logs and operates in compliance with the requirements identified within the AWARE segment of GPG13.

The Secure Cloud Protective Monitoring solution provides a centralised Protective Monitoring capability that can be employed to provide monitoring across a customer's cloud based virtual environments. The solution has been specifically designed to be secure, to have the agility to dynamically scale, to provide logically separate monitoring and reporting views, and to provide customers with a high value, effective monitoring capability that has a low total cost of ownership and an easy adoption process.

The QinetiQ solution integrates with a customer's virtual network deployed at Skyscape. QinetiQ provides each client with a seamless and simple on-boarding process, ensuring that the protective monitoring of a customer's virtual network can be initiated swiftly and allowing the Customer to receive value from the Protective Monitoring Service promptly.
In embracing the G-Cloud offerings and realising the benefits of efficient IT services, organisations can face a significant challenge in selecting a risk treatment method. Protective Monitoring by QinetiQ is delivered to the customer alongside the HMG Risk Management standard, IA Standard No. 1 and 2 (IS1 & 2) process, and provides a method of risk mitigation to assist with the overall security assurance process.

QinetiQ is aware of the recent transition from the Government Protective Marking Scheme (GPMS) to the Government Security Classification (GSC) policy for the classification of all system security. Whether deploying Protective Monitoring onto a GPMS or GSC classified system, QinetiQ ensures that compliance with the system requirements is met.

The QinetiQ service operates within ISO27001 certified security policies and processes and is delivered from a List X site.

Service Features

Protective Monitoring is delivered alongside the HMG Risk Management standard, IA Standard No. 1 and 2 (IS1 & 2) process, and provides a method of both risk mitigation and monitoring that assists risk reduction and treatment activities in support of the overall security assurance process.

This service provides a centralised event storage service in support of the Customer's requirement to Protectively Monitor its ICT Systems following the guidance provided in CESG Good Practice Guide No.13 (GPG13) at the IS1 AWARE segment.
The service is designed to receive event logs from pre-identified customer devices which the customer has configured to send via a secure channel to QinetiQ for processing.

The output of the AWARE Protective Monitoring service consists of:

- Security event data stored in a consistent format
- Secure access to security event log data.

Example Use Cases

- The service can be used to receive and collate accounting logs from various and disparate customer owned assets (such as differing virtual machines, applications and security enforcing appliances). This allows for the safe, centralised storage of accounting logs in a structured manner.
- The Protective Monitoring solution provides independent storage of normalised accounting data, giving enduring storage of security audit data for post-incident and retrospective audit.
- The Protective Monitoring Service provides an intuitive method by which management information relating to the event data can be accessed through a secure web browser based interface.

Technical Features

- A methodical approach based on a well-established architecture
- Automated event normalisation and processing
- Standards based security architecture
- Out of the box list of supported COTS devices
- Storage and event treatment in line with the advice and guidance of GPG13.

An overview of the G-Cloud Service (functional, non-functional)

Customer access to the solution, for the retrieval and review of collated accounting data, will be via the secure online portal. Two-factor authentication together with role based access control will ensure that data access is permitted only to authorised users.

Information assurance Impact Level (IL) at which the G-Cloud Service is accredited to hold and process information

Business Impact Level 2 as standard, though capable of operating at differing impact levels. The service will, as standard, cover the Protective Monitoring Controls within GPG13 associated with the InfoSec Standard No.1 Part 2 AWARE Segment.
Connectivity Available

Secure Connectivity between QinetiQ and the Skyscape Cloud platform is provided within the scope of this Service.

Details of the level of backup/restore and disaster recovery that will be provided

Storage of accounting data will be provided on resilient storage infrastructure, supported by an archive to offline storage and daily data replication to create a separate backup. Accounting data will be deleted from the archive once the retention period expires.
On-boarding and Off-boarding processes/scope etc.

The on-boarding process requires an understanding of the type of data to be presented to QinetiQ and the method by which it will be received. A Protective Monitoring Controls and Compliancy Matrix (PMCCM) shall be used as the mechanism to agree with the customer the data streams that shall be configured within the QinetiQ service. Once agreed, the data streams will be integrated into the Event Storage system.

Off-boarding will primarily consist of the cessation of the data stream and the handover of any data sets currently processed or stored by QinetiQ to the Customer, followed by sanitisation of the Customer event data.

Service Options

QinetiQ is able to provide consultancy services to Customers to assist with the identification of the appropriate log data and to define the level of accounting information required on the monitored systems. QinetiQ is also able to provide support to Information Assurance and Accreditation activities.

Service Management Details

Access to a 24x7 Service Desk is available to enable interaction and advice on security incidents. Service Management is delivered in alignment with the ISO20000 standard.

Ordering and Invoicing

On receipt of a request, QinetiQ will provide a proposal for the required resources to deliver the service. Services must be purchased for a minimum term of one year. Billing for the service will be monthly in advance against the contracted consumption rate. Deviation from the contracted consumption will be retrospectively annotated and charged within the following invoice.

Termination terms

- By consumers (i.e. consumption): costs are payable by the consumer for termination during the annual term. These will be calculated based upon remaining committed costs.
- By the Supplier (removal of the G-Cloud Service)
Data Restoration / Service Migration

QinetiQ will provide appropriate access to Customer data for the purposes of data migration, including any Customer documentation as appropriate. Bandwidth charges for the transfer of data held by QinetiQ are provided.

Consumer Responsibilities

The consumer will be required to provide details of systems to be integrated into the service and access to associated subject matter experts for the purposes of supporting the initial on-boarding and baseline process. The Consumer is required to provide evidence retrospectively on a monthly basis, in support of identifying the total VM per hour usage across the monitored solution. The consumer is also responsible for ensuring they apply suitable controls to this sensitive data/application. The Consumer is responsible for any privacy impact assessment.
Technical requirements (service dependencies and detailed technical interfaces, e.g. client side requirements, bandwidth/latency requirements etc.)

Data streams will need to be presented to the Protective Monitoring system in an appropriate format, ideally TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) based. QinetiQ will support a customer during the on-boarding process to ensure that the forwarding of device accounting data is configured correctly. It is recommended that, where available, encrypted transports such as SSL/TLS (Secure Sockets Layer / Transport Layer Security) should be used.
3. QinetiQ Secure Cloud Protective Monitoring Service (DETER)

Service Overview

The QinetiQ Secure Cloud Protective Monitoring Service enables customer organisations to effectively manage and mitigate risks posed to their Information Technology environments deployed upon the Skyscape Cloud Services virtual architecture. The Secure Cloud Protective Monitoring Service consists of a set of robust business processes, underpinned by technology, delivered by people and operated in line with the guidelines defined within HMG Good Practice Guide Protective Monitoring for HMG ICT Systems, Issue 1.7 (GPG13).

The Secure Cloud Protective Monitoring Service provides aggregation, compilation, analysis, behavioural trending, correlation, and interpretation of security audit event logs. Applying QinetiQ's specialist vulnerability and comprehensive threat knowledge to this data then provides the customer with actionable intelligence on active incidents as well as recommendations for management and remediation.

The service acts in full support of the Security Management of an estate, providing a solution to challenges faced by organisations where oversight of how their IT is used (or abused) is essential. This service acts as a central point within G-Cloud services for receiving, processing, analysis, correlation, alerting and reporting (24x7) of security matters and the delivery of advice in support of all remediation and resolution activities.

The Secure Cloud Protective Monitoring solution provides a centralised Protective Monitoring capability that can be employed to provide monitoring across a customer's cloud based virtual environments. The solution has been specifically designed to be secure, to have the agility to dynamically scale, to provide logically separate monitoring and reporting views, and to provide each customer with a high value, effective monitoring, alerting and reporting capability that has a low total cost of ownership and an easy adoption process.
The QinetiQ solution integrates with a customer's virtual network deployed at Skyscape. QinetiQ provides each client with a seamless and simple on-boarding process, ensuring that the protective monitoring of a customer's virtual network can be initiated swiftly and allowing the Customer to receive value from the Protective Monitoring Service promptly.

In embracing the G-Cloud offerings and realising the benefits of efficient IT services, organisations can face a significant challenge in selecting a risk treatment method. Protective Monitoring by QinetiQ is delivered to the customer alongside the HMG Risk Management standard, IA Standard No. 1 and 2 (IS1 & 2) process, and provides a method of risk mitigation to assist with the overall security assurance process.

QinetiQ is aware of the recent transition from the Government Protective Marking Scheme (GPMS) to the Government Security Classifications (GSC) policy for the classification of all system security. Whether deploying Protective Monitoring onto a GPMS or GSC classified system, QinetiQ ensures that compliance with the system requirements is met.

The QinetiQ service operates within ISO27001 certified security policies and processes and is delivered from a List X site.
Service Features

Protective Monitoring is delivered alongside the HMG Risk Management standard, IA Standard No. 1 and 2 (IS1 & 2) process, and provides a method of both risk mitigation and monitoring that assists risk reduction and treatment activities in support of the overall security assurance process.

This service provides a centralised event aggregation and analysis service in support of the Customer's requirement to Protectively Monitor its ICT Systems following the guidance provided in CESG Good Practice Guide No.13 (GPG13) at the IS1 DETER segment. The service operates 24x7 at Business Impact Level 3, baseline GPG13 DETER. QinetiQ analysts and Engineers operate under an ITIL aligned ISO20000 framework with ISO27001 certified policies and processes.

The service delivers a 24x7 analysis function, supported by an underlying Security Incident & Event Management (SIEM) technology that receives accounting data from customer owned assets, over appropriately secured connectivity, providing real time analysis and correlation. Correlation autonomously looks for common attributes and links events together through association, integrating data from different sources in order to turn separate accounting data feeds into a coherent view of network activity. Analysis of the output of correlation and behavioural anomaly detection provides an assessment of internal and external behaviour within the monitored estate, triggering security alerts and recommendations for improvements in security.

QinetiQ Security Analysts analyse each security alert and its supporting event data, apply specialist vulnerability and threat knowledge, and then raise prioritised Incidents with the customer where appropriate. Advice for management and remediation is provided to the customer, using our knowledge of the architecture and the customer's critical business processes. Service levels and response times are managed within strict Service Level Agreements (SLAs).
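The normalisation, baseline tuning and cross-feed correlation steps described above, as an added worked illustration that is not part of this service definition and not QinetiQ's implementation: two constructed feeds in different native formats (an sshd syslog line and a firewall connection record) are mapped onto one common schema, activity agreed as normal during on-boarding is removed before analysis, and the remaining events are linked by their shared source IP so that a run of authentication failures followed by a success from the same address raises a prioritised incident that records which feeds observed it. The log formats, field names, the baseline rule, the correlation threshold and window, and the P1/P2 priority labels are all assumptions made for the example.

```python
# Added illustration of normalisation, baseline tuning and cross-feed correlation.
# Log formats, field names, the baseline rule, the correlation rule and the
# priority scheme are constructed assumptions, not QinetiQ's implementation.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    """Common schema that every feed is normalised into."""
    ts: datetime
    source: str   # originating feed, e.g. "linux-auth" or "firewall"
    kind: str     # normalised event type, e.g. "auth_failure"
    src_ip: str
    user: str = ""

# Constructed sample feeds in two different native formats (not real data).
AUTH_LOG = [
    "2014-06-02T09:15:01Z sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2",
    "2014-06-02T09:15:04Z sshd[2201]: Failed password for root from 198.51.100.7 port 51023 ssh2",
    "2014-06-02T09:15:09Z sshd[2203]: Accepted password for root from 198.51.100.7 port 51024 ssh2",
    "2014-06-02T09:20:00Z sshd[2250]: Accepted publickey for backup from 10.0.0.5 port 40000 ssh2",
]
FIREWALL_LOG = [
    "2014-06-02 09:15:00 ALLOW TCP 198.51.100.7:51022 -> 10.0.0.12:22",
    "2014-06-02 09:15:03 ALLOW TCP 198.51.100.7:51023 -> 10.0.0.12:22",
    "2014-06-02 09:20:00 ALLOW TCP 10.0.0.5:40000 -> 10.0.0.12:22",
]

AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
FW_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<action>ALLOW|DENY) \S+ "
                   r"(?P<ip>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<port>\d+)")

def normalise_auth(line):
    """Map an sshd syslog line onto the common schema; None if unrecognised."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    kind = "auth_success" if m["result"] == "Accepted" else "auth_failure"
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, "linux-auth", kind, m["ip"], m["user"])

def normalise_firewall(line):
    """Map a firewall connection record onto the common schema; None if unrecognised."""
    m = FW_RE.match(line)
    if not m:
        return None
    kind = "fw_allow" if m["action"] == "ALLOW" else "fw_deny"
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    return Event(ts, "firewall", kind, m["ip"])

# Baseline tuning: activity agreed with the customer as normal is removed before
# analysis. Constructed rule: the backup host 10.0.0.5 is an accepted source.
BASELINE_RULES = [lambda e: e.src_ip == "10.0.0.5"]

def apply_baseline(events):
    """Drop events that match any agreed baseline rule."""
    return [e for e in events if not any(rule(e) for rule in BASELINE_RULES)]

def correlate(events, window=timedelta(minutes=5), min_failures=2):
    """Link events across feeds by a common attribute (source IP) and raise an
    incident when >= min_failures auth failures precede a success within window."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.src_ip].append(e)
    incidents = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e.kind == "auth_failure"]
        for ok in (e for e in evs if e.kind == "auth_success"):
            recent = [f for f in failures if ok.ts - window <= f.ts <= ok.ts]
            if len(recent) >= min_failures:
                incidents.append({
                    "src_ip": ip,
                    "user": ok.user,
                    "failures_before_success": len(recent),
                    "observed_by": sorted({e.source for e in evs}),  # the joined view
                    # Constructed priority scheme: privileged account => highest priority.
                    "priority": "P1" if ok.user == "root" else "P2",
                })
    return incidents

def run_pipeline(auth_lines=AUTH_LOG, fw_lines=FIREWALL_LOG):
    """Normalise -> baseline-tune -> correlate; returns counts and incidents."""
    normalised = [e for e in map(normalise_auth, auth_lines) if e]
    normalised += [e for e in map(normalise_firewall, fw_lines) if e]
    tuned = apply_baseline(normalised)
    return {"normalised": len(normalised), "after_baseline": len(tuned),
            "incidents": correlate(tuned)}

if __name__ == "__main__":
    print(run_pipeline())
```

On the constructed input the baseline rule removes the two events from the accepted backup host, and the correlation step raises a single P1 incident for 198.51.100.7 that both the authentication and firewall feeds observed. In practice the baseline rules are the output of the on-boarding agreement with the customer, and the incident record is what an analyst would review before deciding whether to raise it with the customer.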
The output of the event monitoring, correlation and analysis function consists of:

- Information Security Incident notifications raised with the Customer on a 24x7 basis. These notifications will have a priority classification relating to criticality and impact.
- Automated Weekly Reports. These will include an analysis of the week's Events, classified according to the GPG13 Protective Monitoring Controls (PMCs).
- Monthly Management Reporting summarising Events classified according to the GPG13 PMCs. It will include an analysis of the month's Events by QinetiQ Analysts.
- Aggregated accounting data stored in a consistent format.
- Secure access for the customer to review accounting data.

Example Use Cases

- Identification of potential external threats to G-Cloud hosted applications and customers' critical business processes through proactive Protective Monitoring
- Identification of potential insider threat from within a Customer's organisation
- Analysis, alerting, advice and recommendations to aid and enable mitigation of risk, management of incidents and remediation activities to improve the security of a network
- A service to provide Protective Monitoring of elements within a customer's IaaS Virtual Data Centre container and of their applications
- The service can be used to collate the accounting logs from various and disparate sources. This allows for the safe, centralised storage of the accounting logs.
- Through the centralisation of Accounting Logs in a common structure, analysis of adherence to GPG13 can be derived, along with context based reporting and alerting to agreed service levels.
- Provides for the independent storage of event data from Cloud service providers, giving enduring storage of security audit data for post-incident and retrospective audit.
- Provides an intuitive method by which management information relating to the event data can be accessed through a secure web browser based interface.

Technical Features

- Established architecture patterns providing scale and flexibility, driving a methodical approach
- Automated event normalisation and processing
- Validation of outputs by expert Protective Monitoring analysts
- Accredited, standards based security architecture
- Out of the box list of supported COTS devices
- Storage and event treatment in line with the advice and guidance of GPG13.

An Overview of the G-Cloud Service (functional, non-functional)

Customer access to the solution will be via the secure online portal, which provides a display of the level of adherence to GPG13, the weekly and monthly reports (including details of any incidents alerted to the Customer), and the retrieval and review of collated accounting data. Two-factor authentication together with role based access control will ensure that data access is permitted only to authorised users.

Information Assurance Impact Level (IL) at which the G-Cloud Service is accredited to hold and process information

Business Impact Level 3 as standard, though capable of operating at differing impact levels to meet the requirements of the monitored system.
The service will, as standard, cover the InfoSec Standard No.1 Part 2 DETER Segment.

Connectivity Available

Secure Connectivity between QinetiQ and the Skyscape Cloud platform is provided within the scope of this Service.

Details of the level of backup/restore and disaster recovery that will be provided

Storage of accounting data will be provided on resilient storage infrastructure, supported by an archive to offline storage and daily data replication to create a separate backup. Accounting data will be deleted from the archive once the retention period expires.

On-boarding and Off-boarding processes/scope etc.

The on-boarding process requires an understanding of the type of data to be presented to QinetiQ and the method by which it will be received. The Protective Monitoring Controls and Compliancy Matrix (PMCCM) shall be used as the mechanism to agree with the customer the data streams that shall be configured within the QinetiQ service. Once agreed, the data streams will be baseline tuned to remove normal and accepted activity and other background processes, leaving the events which require analysis to demonstrate adherence to GPG13 and to detect anomalous behaviour within the data stream.

Off-boarding will primarily consist of the cessation of the data stream and the handover of any data sets currently processed or stored by QinetiQ to the Customer, followed by sanitisation of the Customer event data.

Service Options

QinetiQ is able to provide consultancy services to Customers to assist with the identification of the appropriate log data and to define the level of accounting information required on the monitored systems. Through assessment of the risk and threat profile, a more tailored and cost effective solution can be delivered. QinetiQ is also able to provide support to Information Assurance and Accreditation activities.

Service Management Details

Access to a 24x7 Service Desk is available to enable interaction and advice on security incidents. Service Management is delivered in alignment with the ISO20000 standard.

Ordering and Invoicing

On receipt of a request, QinetiQ will provide a proposal for the required resources to deliver the service. Services must be purchased for a minimum term of one year on an annual basis. Billing for the service will be monthly in advance against the contracted consumption rate. Deviation from the contracted consumption will be retrospectively annotated and charged within the following invoice.

Termination terms

- By consumers (i.e. consumption): costs are payable by the consumer for termination during the annual term. These will be calculated based upon remaining committed costs.
- By the Supplier (removal of the G-Cloud Service)
Data Restoration / Service Migration

QinetiQ will provide appropriate access to Customer data for the purposes of data migration, including any Customer documentation as appropriate. Bandwidth charges for the transfer of data held by QinetiQ are provided.

Consumer Responsibilities

The consumer will be required to provide details of systems to be integrated into the service and access to associated subject matter experts for the purposes of supporting the initial baseline process. The Consumer is required to provide evidence retrospectively on a monthly basis, in support of identifying the total VM per hour usage across the monitored solution. The consumer is also responsible for ensuring they apply suitable controls to this sensitive data/application. The Consumer is responsible for any privacy impact assessment.
Technical requirements (service dependencies and detailed technical interfaces, e.g. client side requirements, bandwidth/latency requirements etc.)

Data streams will need to be presented to the Protective Monitoring system in an appropriate format, ideally TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) based. QinetiQ will support a customer during the on-boarding process to ensure that the forwarding of device accounting data is configured correctly. It is recommended that, where available, encrypted transports such as SSL/TLS (Secure Sockets Layer / Transport Layer Security) should be used.
4. Secure Multi-Tenant Protective Monitoring Service (AWARE)

Service Overview

The QinetiQ Secure Multi-tenant Protective Monitoring Service enables customer organisations to effectively manage and mitigate risks posed to their Information Technology environments. The Protective Monitoring Service, provided by QinetiQ, consists of a set of robust business processes, underpinned by technology, delivered by people and operated in line with the guidelines defined within HMG Good Practice Guide Protective Monitoring for HMG ICT Systems, Issue 1.7 (GPG13).

The Secure Multi-tenant Protective Monitoring Service provides collection and compilation of appropriate security audit event logs. This provides a solution to challenges faced by organisations where oversight of how their IT is used (or abused) is essential. This service acts as a central point within G-Cloud services for the consistent storage of Accounting or Event logs and operates in compliance with the requirements identified within the AWARE segment of GPG13.

The Secure Multi-tenant Protective Monitoring Service provides a centralised Protective Monitoring capability that can be employed to provide monitoring across a customer's network(s). The solution is purpose-designed to be secure, to have the agility to dynamically scale, to provide logically separate monitoring and reporting views, and to provide customers with a high value, effective monitoring capability that has a low total cost of ownership and an easy adoption process.

The QinetiQ solution integrates with a customer's network, be it a virtual container within a multi-tenanted virtual environment or a distinct installation within one or many data centres. QinetiQ supports, implements and manages a number of secure connectivity options, subject to application, from IPsec VPN through CPA Foundation encryption to dedicated leased line. Should a customer wish to extend their own secure communications to provide connectivity, this can be accommodated also.
No matter which option is selected, the monitoring of a system can be initiated swiftly, allowing the Customer to receive value from the Protective Monitoring Service promptly.

In embracing the G-Cloud offerings and realising the benefits of efficient IT services, organisations can face a significant challenge in selecting a risk treatment method. Protective Monitoring by QinetiQ is delivered to the customer alongside the HMG Risk Management standard, IA Standard No. 1 and 2 (IS1 & 2) process, and provides a method of risk mitigation to assist with the overall security assurance process.

QinetiQ is aware of the recent transition from the Government Protective Marking Scheme (GPMS) to the Government Security Classification (GSC) policy for the classification of all system security. Whether deploying Protective Monitoring onto a GPMS or GSC classified system, QinetiQ ensures that compliance with the system requirements is met.

The QinetiQ service operates within ISO27001 certified security policies and processes and is delivered from a List X site.

Service Features

Protective Monitoring is delivered alongside the HMG Risk Management standard, IA Standard No. 1 and 2 (IS1 & 2) process, and provides a method of both risk mitigation and monitoring that assists risk reduction and treatment activities in support of the overall security assurance process.
This service provides a centralised event storage service in support of the Customer's requirement to Protectively Monitor its ICT Systems following the guidance provided in CESG Good Practice Guide No.13 (GPG13) at the IS1 AWARE segment.

The service is designed to receive event logs from pre-identified customer devices which the customer has configured to send via a secure channel to QinetiQ for processing.

The output of the AWARE Protective Monitoring service consists of:

- Security event data stored in a consistent format
- Access to security event log data.

Example Use Cases

- The service can be used to receive and collate accounting logs from various and disparate customer owned assets (such as differing virtual machines, applications and security enforcing appliances). This allows for the safe, centralised storage of accounting logs in a structured manner.
- The Protective Monitoring solution provides independent storage of normalised accounting data, giving enduring storage of security audit data for post-incident and retrospective audit.
- The Protective Monitoring Service provides an intuitive method by which management information relating to the event data can be accessed through a secure web browser based interface.

Technical Features

- A methodical approach based on a well-established architecture
- Automated event normalisation and processing
- Standards based security architecture
- Out of the box list of supported COTS devices
- Storage and event treatment in line with the advice and guidance of GPG13.

An overview of the G-Cloud Service (functional, non-functional)

Customer access to the solution, for the retrieval and review of collated accounting data, will be via the secure online portal. Two-factor authentication together with role based access control will ensure that data access is permitted only to authorised users.
Information assurance Impact Level (IL) at which the G-Cloud Service is accredited to hold and process information

Business Impact Level 2 as standard, though capable of operating at differing impact levels. The service will, as standard, cover the Protective Monitoring Controls within GPG13 associated with the InfoSec Standard No.1 Part 2 AWARE Segment.

Connectivity Available

Accessible either over the Internet, following establishment of secure communications, or over UK Government community networks, utilising appropriately secure communication capabilities such as IPsec or CPA Foundation cryptographic encryption techniques.
Details of the level of backup/restore and disaster recovery that will be provided

Storage of accounting data will be provided on resilient storage infrastructure, supported by an archive to offline storage and daily data replication to create a separate backup. Accounting data will be deleted from the archive once the retention period expires.

On-boarding and Off-boarding processes/scope etc.

The on-boarding process requires an understanding of the type of data to be presented to QinetiQ and the method by which it will be received. A Protective Monitoring Controls and Compliancy Matrix (PMCCM) shall be used as the mechanism to agree with the customer the data streams that shall be configured within the QinetiQ service. Once agreed, the data streams will be integrated into the Event Storage system.

Off-boarding will primarily consist of the cessation of the data stream and the handover of any data sets currently processed or stored by QinetiQ to the Customer, followed by sanitisation of the Customer event data.

Service Options

QinetiQ is able to provide consultancy services to Customers to assist with the identification of the appropriate log data and to define the level of accounting information required on the monitored systems. QinetiQ is also able to provide support to Information Assurance and Accreditation activities.

Service Management Details

Access to a 24x7 Service Desk is available to enable interaction and advice on security incidents. Service Management is delivered in alignment with the ISO20000 standard.

Ordering and Invoicing

On receipt of a request, QinetiQ will provide a proposal for the required resources to deliver the service. Services must be purchased for a minimum of one year. Billing for the service will be monthly in advance against the contracted consumption rate. Deviation from the contracted consumption will be retrospectively annotated and charged within the following invoice.

Termination terms

- By consumers (i.e. consumption): costs are payable by the consumer for termination during the annual term. These will be calculated based upon remaining committed costs.
- By the Supplier (removal of the G-Cloud Service)

Data Restoration / Service Migration

QinetiQ will provide appropriate access to Customer data for the purposes of data migration, including any Customer documentation as appropriate. Bandwidth charges for the transfer of data held by QinetiQ are provided.

Consumer Responsibilities

The consumer will be required to provide details of systems to be integrated into the service and access to associated subject matter experts for the purposes of supporting the initial on-boarding and baseline process. The consumer is also responsible for ensuring they apply suitable controls to this sensitive data/application. The Consumer is responsible for any privacy impact assessment.

Technical requirements (service dependencies and detailed technical interfaces, e.g. client side requirements, bandwidth/latency requirements etc.)

Data streams will need to be presented to QinetiQ in an appropriate format, ideally TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) based. It is recommended that, where available, encrypted transports such as SSL/TLS (Secure Sockets Layer / Transport Layer Security) should be used.
5. Secure Multi-Tenant Protective Monitoring Service (DETER)

Service Overview
The QinetiQ Secure Multi-tenant Protective Monitoring Service enables customer organisations to effectively manage and mitigate risks posed to their Information Technology environments. The Protective Monitoring Service, provided by QinetiQ, consists of a set of robust business processes, underpinned by technology, delivered by people and operated in line with the guidelines defined within HMG Good Practice Guide Protective Monitoring for HMG ICT Systems, Issue 1.7 (GPG13). The Secure Multi-tenant Protective Monitoring Service provides aggregation, compilation, analysis, behavioural trending, correlation and interpretation of security audit event logs. Applying QinetiQ's specialist vulnerability and threat knowledge to this output provides the customer with actionable intelligence on active incidents, together with recommendations for their management and remediation. The service acts in full support of the Security Management of an estate, providing a solution to the challenge faced by organisations for which oversight of how their IT is used (or abused) is essential. This Service acts as a central point within G-Cloud services for the processing, analysis, correlation, alerting and reporting (24x7) on security matters and the delivery of advice in support of all remediation and resolution activities. The Secure Multi-tenant Protective Monitoring Service provides a centralised capability that can be employed to provide monitoring across a customer's network(s). The solution is purpose-designed to be secure, to scale dynamically, to provide logically separate monitoring and reporting views for each tenant, and to give customers a high value, effective monitoring capability with a low total cost of ownership and an easy adoption process.
The QinetiQ solution integrates with a customer's network, whether a virtual container within a multi-tenanted virtual environment or a distinct installation within one or many data centres. QinetiQ supports, implements and manages a number of secure connectivity options, subject to application, from IPsec VPN through to CPA Foundation Grade encryption. Should a customer wish to extend their own secure communications to provide the connectivity, this can also be accommodated. Whichever connectivity option is requested, monitoring of a system can be initiated swiftly, allowing the Customer to receive value from the Protective Monitoring Service promptly.

In embracing the G-Cloud offerings and realising the benefits of efficient IT services, organisations can face a significant challenge in selecting a risk treatment method. Protective Monitoring by QinetiQ is delivered to the customer alongside the HMG Risk Management standard, IA Standard No. 1 and 2 (IS1 & 2) process, and provides a method of risk mitigation to assist with the overall security assurance process. QinetiQ is aware of the recent transition from the Government Protective Marking Scheme (GPMS) to the Government Security Classifications (GSC) policy for the classification of all system security. Whether deploying Protective Monitoring onto a GPMS or GSC classified system, QinetiQ ensures that compliance with the system requirements is met. The service operates within ISO27001 certified security policies and processes and is delivered from a List X site.
Service Features
Protective Monitoring is delivered alongside the HMG Risk Management standard, IA Standard No. 1 and 2 (IS1 & 2) process, and provides a method of both risk mitigation and monitoring that supports risk reduction and treatment activities within the overall security assurance process. This service provides a centralised event aggregation and analysis service in support of the Customer's requirement to Protectively Monitor its ICT Systems following the guidance provided in CESG Good Practice Guide No.13 (GPG13) at the IS1 DETER segment. The service operates 24x7 at Business Impact Level 3, baseline GPG13 DETER. QinetiQ analysts and engineers operate under an ITIL aligned ISO20000 framework with ISO27001 certified policies and processes.

The service delivers a 24x7 analysis function, supported by an underlying Security Information and Event Management (SIEM) technology that receives accounting data from customer owned assets, over appropriately secured connectivity, and provides real time analysis and correlation. Correlation autonomously looks for common attributes (for example a shared source address, user account or host) and links events together into meaningful bundles, integrating data from different sources in order to turn separate accounting data feeds into a coherent view of network activity. Analysis of the output of correlation and behavioural anomaly detection provides an assessment of internal and external behaviour within the monitored estate, triggering security alerts and recommendations for improvements in security. QinetiQ Security Analysts analyse each security alert and its supporting event data, apply specialist vulnerability and threat knowledge, and then raise prioritised Incidents with the customer where appropriate. Advice for management and remediation is provided to the customer, using our knowledge of the architecture and the customer's critical business processes.
Service levels and response times are managed within strict Service Level Agreements (SLAs).

The output of the event monitoring, correlation and analysis function consists of:
- Information Security Incident notifications raised with the Customer on a 24x7 basis. These notifications carry a priority classification relating to criticality and impact.
- Automated Weekly Reports, including an analysis of the week's Events, classified according to the GPG13 Protective Monitoring Controls (PMCs).
- Monthly Management Reporting summarising Events classified according to the GPG13 PMCs, including an analysis of the month's Events by QinetiQ Analysts.
- Aggregated accounting data stored in a consistent format.
- Secure access for the customer to review accounting data.

Example Use Cases
- Identification of potential external threats to G-Cloud hosted applications and customers' critical business processes through proactive Protective Monitoring.
- Identification of potential insider threat from within a Customer's organisation.
- Analysis, alerting, advice and recommendations to aid and enable mitigation of risk, management of incidents and remediation activities to improve the security of the customer's network.
- Protective Monitoring of elements within a customer's IaaS Virtual Data Centre container and of their applications.
- Collation of accounting logs from various and disparate sources (such as different virtual machines or applications, potentially provided by different G-Cloud providers), allowing safe, centralised storage of the accounting logs.
- Through the centralisation of Accounting Logs in a common structure, analysis of adherence to GPG13 can be derived, along with context based reporting and alerting to agreed service levels.
- Independent storage of event data from Cloud service providers, providing enduring storage of security audit data for post incident and retrospective audit.
- An intuitive method by which management information relating to the event data can be accessed through a secure web browser based interface.

Technical Features
- Established architecture patterns providing scale and flexibility, driving a methodical approach.
- Automated event normalisation and processing.
- Validation of outputs by expert Protective Monitoring analysts.
- Accredited, standards based security architecture.
- Out of the box list of supported COTS devices.
- Storage and event treatment in line with the advice and guidance of GPG13.

An overview of the G-Cloud Service (functional, non-functional)
Customer access to the solution, for a display of the level of adherence to GPG13, for the weekly and monthly reports (including details of any incidents alerted to the Customer), and for the retrieval and review of collated accounting data, is via the secure online portal. Two-factor authentication together with role based access control ensures that data access is permitted only to authorised users.

Information assurance Impact Level (IL) at which the G-Cloud Service is accredited to hold and process information
Business Impact Level 3 as standard, though the service is capable of operating at differing impact levels to meet the requirements of the monitored system. As standard, the service covers the InfoSec Standard No.1 Part 2 DETER segment.
Connectivity Available
Accessible either over the Internet, following establishment of secure communications, or over UK Government community networks, using appropriately secure communication capabilities such as IPsec or CPA Foundation Grade cryptographic products.

Details of the level of backup/restore and disaster recovery that will be provided
Accounting data is stored on resilient storage infrastructure, supported by an archive to offline storage and a daily data replication activity that creates a separate backup. Accounting data is deleted from the archive once the agreed retention period expires.

On-boarding and Off-boarding processes/scope etc.
The on-boarding process requires an understanding of the type of data to be presented to QinetiQ and the method by which it will be received. The Protective Monitoring Controls and Compliancy Matrix (PMCCM) is used as the mechanism to agree with the customer the data streams that will be configured within the QinetiQ service. Once agreed, the data streams are baseline tuned to remove normal and accepted activity and other background processes, leaving only the events that require analysis, both to demonstrate adherence to GPG13 and to detect anomalous behaviour within the data stream. Off-boarding consists primarily of the cessation of the data stream and the handover of any data sets currently processed or stored by QinetiQ to the Customer, followed by sanitisation of the Customer's event data.

Service Options
QinetiQ is able to provide consultancy services to Customers to assist with the identification of the appropriate log data and to define the level of accounting information required on the monitored systems. Through assessment of the risk and threat profile, a more tailored and cost effective solution can be delivered. QinetiQ is also able to provide support to Information Assurance and Accreditation activities.

Service Management Details
Access to a 24x7 Service Desk is available to enable interaction and advice on security incidents. Service Management is delivered in alignment with the ISO20000 standard.

Ordering and Invoicing
On receipt of a request, QinetiQ will provide a proposal for the resources required to deliver the service. Services must be purchased for a minimum term of one year. Billing for the service is monthly in advance against the contracted consumption rate. Deviation from the contracted consumption is retrospectively annotated and charged within the following invoice.

Termination terms
By consumers (i.e. consumption); by the Supplier (removal of the G-Cloud Service). Costs are payable by the consumer for termination during the annual term, calculated on the remaining committed costs.
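As an added illustration of the baseline tuning described under On-boarding above and of the correlation, prioritisation and PMC classification described under Service Features, the following Python script is example code written for this page; it is not QinetiQ's SIEM and not code from this service definition. It parses RFC 3164 style syslog lines, suppresses a constructed baseline of accepted background activity, links the remaining authentication events on a shared attribute (the source address) and raises a prioritised incident. The sample log lines, the baseline rule, the failure threshold and time window, the P1/P3 priority labels and the mapping of authentication events to GPG13 PMC7 (recording of session activity by user and workstation) are all assumptions made for this example.

```python
"""Added example (not QinetiQ code): baseline suppression and correlation
over syslog accounting data in the style described in this service definition.
All sample data, rules, thresholds and priority labels are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample accounting data: RFC 3164-style lines from one Linux host.
SAMPLE_LOG = """\
<38>Mar  3 10:15:01 web01 CRON[2201]: pam_unix(cron:session): session opened for user root by (uid=0)
<38>Mar  3 10:15:02 web01 sshd[2310]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
<38>Mar  3 10:15:04 web01 sshd[2310]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
<38>Mar  3 10:15:07 web01 sshd[2311]: Failed password for deploy from 203.0.113.9 port 51024 ssh2
<38>Mar  3 10:15:09 web01 sshd[2311]: Failed password for deploy from 203.0.113.9 port 51025 ssh2
<38>Mar  3 10:15:12 web01 sshd[2312]: Accepted password for deploy from 203.0.113.9 port 51026 ssh2
<38>Mar  3 10:16:40 web01 sshd[2350]: Failed password for alice from 198.51.100.7 port 40210 ssh2
<38>Mar  3 10:20:01 web01 CRON[2401]: pam_unix(cron:session): session closed for user root
"""

# <PRI>TIMESTAMP HOST PROG[PID]: MSG  (RFC 3164 header; the timestamp carries no year)
SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Baseline: accepted background activity tuned out before analysis
# (assumed rule for this example; a real baseline is agreed per data stream).
BASELINE = [("CRON", re.compile(r"^pam_unix\(cron:session\): session (opened|closed)"))]

FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
ACCEPTED = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+")


def parse_syslog(line):
    """Normalise one RFC 3164 line into a dict; raise ValueError on junk input."""
    m = SYSLOG.match(line)
    if not m:
        raise ValueError("unparseable syslog line: %r" % line)
    pri = int(m["pri"])
    return {
        "facility": pri >> 3, "severity": pri & 7,
        # No year in the header, so timestamps are only comparable relatively.
        "ts": datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S"),
        "host": m["host"], "prog": m["prog"], "pid": m["pid"], "msg": m["msg"],
    }


def apply_baseline(events):
    """Drop events matching the agreed baseline; return (kept, dropped_count)."""
    kept = [e for e in events
            if not any(e["prog"] == prog and rx.search(e["msg"]) for prog, rx in BASELINE)]
    return kept, len(events) - len(kept)


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Link authentication events on their shared source address and raise
    prioritised incidents: repeated failures followed by a success from the
    same source is treated as a likely compromise (P1); repeated failures
    alone as an attempted brute force (P3). The labels are assumed."""
    by_src = defaultdict(list)
    for e in events:
        m, outcome = FAILED.search(e["msg"]), "failed"
        if not m:
            m, outcome = ACCEPTED.search(e["msg"]), "accepted"
        if not m:
            continue  # not an authentication event
        by_src[m["src"]].append(dict(e, user=m["user"], src=m["src"], outcome=outcome))

    incidents = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["outcome"] == "failed"]
        if len(failures) < threshold or failures[-1]["ts"] - failures[0]["ts"] > window:
            continue
        success = next((e for e in evs if e["outcome"] == "accepted"
                        and e["ts"] >= failures[0]["ts"]), None)
        incidents.append({
            "priority": "P1" if success else "P3",
            "pmc": "PMC7",  # assumed mapping: session activity by user and workstation
            "src": src,
            "user": success["user"] if success else failures[-1]["user"],
            "summary": "%d failed logons from %s%s" % (
                len(failures), src,
                " followed by successful logon as %s" % success["user"] if success else ""),
            "events": failures + ([success] if success else []),
        })
    return incidents


def run(text):
    """Parse, baseline-tune and correlate a raw log; return (kept, dropped, incidents)."""
    events = [parse_syslog(l) for l in text.splitlines() if l.strip()]
    kept, dropped = apply_baseline(events)
    return kept, dropped, correlate(kept)


if __name__ == "__main__":
    kept, dropped, incidents = run(SAMPLE_LOG)
    print("%d events kept, %d suppressed by baseline" % (len(kept), dropped))
    for inc in incidents:
        print(inc["priority"], inc["pmc"], inc["summary"], "(%d events)" % len(inc["events"]))
```

Run stand-alone, the script suppresses the two CRON lines and raises one P1 incident bundling the four failures and the subsequent success from 203.0.113.9; the single failure from 198.51.100.7 stays below the threshold and produces no incident. In the service as described, such a bundle and its supporting events would be reviewed by an analyst before an Incident is raised with the customer.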
Data restoration / service migration
QinetiQ will provide appropriate access to Customer data for the purposes of data migration, including any Customer documentation as appropriate. Bandwidth charges for the transfer of data held by QinetiQ are provided.

Consumer Responsibilities
The consumer will be required to provide details of the systems to be integrated into the service, and access to the associated subject matter experts, to support the initial baseline process. The consumer is also responsible for applying suitable controls to this sensitive data/application, and for any privacy impact assessment.
Technical requirements (service dependencies and detailed technical interfaces, e.g. client side requirements, bandwidth/latency requirements etc.)
Data streams will need to be presented to QinetiQ in an appropriate format, ideally over a TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) based transport. It is recommended that, where available, an encrypted transport such as TLS (Transport Layer Security, the successor to SSL) is used, with the sending system verifying the certificate of the receiving endpoint. Note that UDP provides no delivery guarantee: events sent over UDP can be dropped without either end being aware, so TCP is preferable for accounting data that must be complete.