SERVICE DEFINITION G-CLOUD 7 SECURE FILE TRANSFER DIODE. Classification: Open



MDS Technologies Ltd 2015. Other than for the sole purpose of evaluating this Response, no part of this material may be reproduced or transmitted in any form, or by any means, electronic, mechanical, photocopied, recorded or otherwise or stored in any retrieval system of any nature without the written permission of MDS Technologies Ltd.

MDS Technologies Ltd, 2 Methuen Park, Chippenham, Wiltshire, SN14 0GX
Telephone: 01225 816220, Fax: 01225 816281

CONTENTS

WHY MDS?
SUMMARY OF SERVICE FEATURES
PRODUCT OVERVIEW
PRODUCT FEATURES
BUSINESS BENEFITS
TECHNICAL FEATURES
EXAMPLE USE CASES
INFORMATION ASSURANCE
ON BOARDING AND OFF BOARDING PROCESSES
PRICE MODEL
SERVICE MANAGEMENT
SERVICE CONSTRAINTS
SERVICE LEVELS
ORDERING AND INVOICE PROCESS
SERVICE LEAD TIME
TERMINATION COSTS
BACKUP/RESTORE AND DISASTER RECOVERY
DATA RESTORATION/SERVICE MIGRATION
CUSTOMER RESPONSIBILITIES
TECHNICAL REQUIREMENTS
RELATED SERVICES

WHY MDS?

- Bespoke cloud solutions that fit your business needs
- Trusted provider of agile, scalable and assured digital services
- Full range of cloud hosting and enablement solutions
- Security Cleared (SC) operational support staff
- Honest providers of services, support and practical advice
- 24/7 support through our ITIL-aligned Service Desk
- A privately owned, UK sovereign company
- We are an SME - agile with minimal bureaucracy
- Providing infrastructure services to the Public Sector for over 12 years
- Certified against ISO 27001, ISO 9001, ISO 14001 and Cyber Essentials Plus
- We listen to our customers, we understand, we deliver

PROFESSIONAL, PERSONALISED SOLUTIONS

SUMMARY OF SERVICE FEATURES

- Secure cross domain information sharing with customers, suppliers and partners
- Deal with less trusted organisations without compromising your sensitive data
- Malware protection and data loss prevention reduces information security risk
- Transformation technology protects against many zero day attacks
- Ensured one-way information transfer
- Enhanced security operations for remediation and response to attack/compromise
- Enhanced defence for your critical systems and sensitive information
- Demonstrable compliance with policy, standards and legislation
- Simple integration with existing capabilities improves efficiency
- Users held to account for their information sharing actions

PRODUCT OVERVIEW

MDS can provide a File Transfer Diode Service which enables information exchange to be controlled when data is moved between security domains. The service simplifies the ability to ensure files are safely transferred whilst limiting the risk of data inappropriately flowing back in the opposite direction. The service is available to protect a range of one-way file transfer use cases. The service can be tailored to meet a customer's specific file sharing needs and the associated security accreditation requirements in accordance with its security risk appetite. This puts the customer in control of what its staff can share and with whom they can share it, maintaining the necessary log data to hold users to account for their decisions.

The service also provides a range of optional utilities which facilitate automatic and manually controlled file sharing through the service. This minimises integration activities and ensures consistent application of an organisation's information sharing policy. A 24/7 Service Desk enables the customer to rapidly access policy configuration and operation experts to allow a swift response to any Incidents impacting your business information sharing.

The core service covers the following scope:

- Provision of a Deep-Secure Minerva Diode licence for the period of the service
- Deployment of the software on customer or third party service infrastructure
- Integration of the Diode with High and Low side infrastructure
- Configuration of a standard templated Diode policy for permitted information exchanges
- Service test to ensure correct configuration and integration
- 24/7 Service Desk
- Diode software patch provision
- Diode software update provision

The following additional service options may be chosen:

- Configuration of a tailored Diode policy for permitted information exchanges which meets the organisation's specific information exchange needs
- Deployment of file sharing applications and/or utilities software on High and Low side customer or third party service infrastructure
- Integration of file sharing applications and/or utilities software on High and Low side customer or third party service infrastructure
- Configuration of file sharing applications and/or utilities software
- File sharing applications and/or utilities software patch provision
- File sharing applications and/or utilities software update provision
- Diode policy, application and utility configuration and management training
- Day-to-day Diode administration tasks

MDS is a reseller of this Deep-Secure service.

PRODUCT FEATURES

Our File Transfer Diode Service has the following key features:

- One-way information transfer
- A robust security architecture supporting CESG design patterns for cross domain information exchange
- Inclusion of data transformation techniques where content control and validation is required
- Sharing of multiple business information types supported:
  - Files
  - XML data

  - SNMP and SYSLOG management information
- Self-defending security architecture
- Suitable for protecting Tier 1, Tier 2 and Tier 3 information
- Fully supports use of Government Security Classifications for information sharing policy
- 24/7 Service Desk support
- Named Account Manager

The following options may be purchased:

- File transfer utilities and applications to simplify file transfer capabilities

BUSINESS BENEFITS

- Compliance with HMG Policy, Standards and Legislation
- Secure cross domain information sharing with customers, suppliers and partners
- Deal with less trusted organisations without compromising your sensitive data
- Malware protection and data loss prevention reduces information security risk
- Transformation technology protects against many zero day attacks
- Ensured one-way information transfer
- Enhanced security operations for remediation and response to attack/compromise
- Enhanced defence for your critical systems and sensitive information
- Demonstrable compliance with policy, standards and legislation
- Simple integration with existing capabilities improves efficiency
- Users held to account for their information sharing actions

TECHNICAL FEATURES

The File Transfer Diode Service has the following technical features:

- Protocol whitelisting:
  - HTTP/HTTP(S)
  - SFTP
  - SYSLOG
  - SNMP
- Low-to-High and High-to-Low variants available for one way transfer
- Fibre optic controlled one way data flow, with options to meet EAL7 certification within an appropriate delivery platform

- Integrated data transformation to enhance assurance where file content control is required
- XML schema validation
- Handling of encrypted content to enable controlled flow where required, e.g. HTTP(S)
- Information protected in transit between the user and the service infrastructure utilising:
  - TLS for HTTP(S)
  - SNMP v3 encryption for network management
- Government Security Classification label support for informal (e.g. header, footer, first line of text, XML field) security labels
- Logging is configurable for both successful and unsuccessful attempts to move data across the File Transfer Diode Service

The following technical features are available depending on options purchased:

- File sharing web application
- Automated file sharing utilities

Figure 1: File Transfer Diode Service showing Minerva High-to-Low Option. Stages shown, from the High Side (Protected Network) to the Low Side (Connected Network): Data Source; Minerva H2L: Proxy Server, Decompose Data, Verify Structure, Check Policy, Diode TX, Diode RX, Recompose Data, Proxy Client; Data Destination.

Figure 2: File Transfer Diode Service showing Minerva Low-to-High Option. Stages shown, from the Low Side (Connected Network) to the High Side (Protected Network): Data Source; Minerva L2H: Proxy Server, Decompose Data, Diode TX, Diode RX, Verify Structure, Check Policy, Recompose Data, Proxy Client; Data Destination.

EXAMPLE USE CASES

This service supports the following information sharing use cases:

- Assured one-way transfer enforcement: limiting the flow of business information to a single direction only, with no risk of data flowing back

- Cross domain file transfer: verification of files transferred to ensure policy compliance, to include highly assurable data transformation
- Validated XML schema based application information sharing: XML schema validation to protect applications and services from malformed or out of range XML content
- File import utilising Personal Exchange (PX) Web Service: holding users to account for what they import or export
- Windows Server Update Services (WSUS) transfer: securing the ability to update Windows platforms within sensitive systems
- Sophos AV signature update transfer: securing the ability to update AV signatures for Sophos AV checkers within sensitive systems
- Controlling software updates: securing the ability to update platforms within sensitive systems with software updates from untrusted domains
- Secure sharing policy compliance enforcement

INFORMATION ASSURANCE

The File Transfer Diode Service is suitable to meet the requirements for all sensitivity levels within the GSC Scheme, subject to the considerations of accreditation best practice and specific use case considerations. Deep-Secure are ISO 27001 aligned for the Secure File Transfer Diode Service and certified to CES/IASME. The service can be hosted within an assured Cloud platform which is aligned to the CESG Cloud Security Principles and Pan Government Accredited at IL2 and IL3 (e.g. Skyscape's Self-managed Cross Domain Solution), or on an appropriately accredited customer platform.

ON BOARDING AND OFF BOARDING PROCESSES

On-boarding

As part of on-boarding we will:

- Deploy the Diode software, and work with your organisation to set up and configure the service
- Test the service to ensure information exchange is correctly configured and that reports and alerts are working as expected

We offer two methods of on-boarding, based on the service needs:

- A standard templated configuration based on a fixed application, in line with the use cases outlined in the preceding section
- An optional tailored configuration of file sharing requirements which meet your specific risk profile. We work with your organisation to determine your specific cross domain information exchange policy requirements as they differ from the standard templated configuration, including any specific associated logging and compliance requirements

All service on-boarding is delivered in line with the Deep-Secure ISO 9001 Certified Quality Management System processes for the implementation of the File Transfer Diode Service product.

Figure 3: Service deployment process (flowchart covering Order Acknowledgement with the QF17 Form and the Sales Order Form approved and uploaded to CRM; Plan with the PSO Deployment Plan; Product Delivery; Engage Finance with the Invoice Schedule; Training dates agreed with the External Trainer and Customer; Tailored Deployment with a Statement of Work and tailored policy specification, or Standard Deployment with dates agreed with the Customer; Customer Review; Order 3rd Party SW via the QF21 Purchase Request; Allocate SW Licences and Create CD with the QF20 Licence Number Register and QF19 Licence Record; Perform Training with training materials and presentations; Deployment Activities and Test; Customer Acceptance by email with the QF14 Customer Feedback Questionnaire and QF12 External Training Feedback Form; and Deliver Product to Customer with the QF11 Delivery Note and optional QF25 Certificate of Conformance. Forms QF12, QF14, QF16 and QF11 are issued for Training, PSO, Support and Product respectively.)

Off-boarding

As part of off-boarding we will:

- Provide you with access to the logs held within the service at the point of decommissioning, if required
- Decommission the Deep-Secure Diode software
- Delete all accounts and data
- Recover all licensed software

We will charge a single day at our professional services rates (see Pricing) for off-boarding activities.

PRICE MODEL

Our core File Transfer Diode Service is based on a monthly charge per Diode instance required by the customer. In addition, there is a service on-boarding charge that covers installation, configuration of the standard (templated) Diode policy and testing. Optional service elements include:

- File sharing utilities, based on an on-boarding charge and a monthly charge
- File sharing applications, based on an on-boarding charge and a monthly charge per 10 users enabled
- Training, based on a charge per course per attendee

Full details of pricing are contained in the service pricing document. Pricing excludes costs associated with the provision of compute and storage infrastructure required to host the File Transfer Diode Service. This will vary depending on the nature of the information exchange requirements that are part of a customer's specific solution. Pricing excludes day-to-day Diode administration tasks. These can be provided at our professional services rates (see Pricing), or through the MDS Managed Guard Service.

SERVICE MANAGEMENT

The File Transfer Diode Service includes full software maintenance and support for the sustainment of the deployed instances and the associated resources required. This excludes day-to-day administration tasks, which can be provided at our professional services rates (see Pricing) or through the MDS Managed Guard Service. The support offered is covered under a comprehensive service management pack as detailed in the subsequent sections.

SERVICE CONSTRAINTS

None.

SERVICE LEVELS

The Deep-Secure Service Desk is available Monday-Friday, 08.30-17.30, local UK time, excluding bank and public holidays.

Support is provided by experienced Deep-Secure technical engineers who are specifically trained to perform in-depth diagnostic and troubleshooting activities in order to resolve product issues as quickly as possible, along with carrying out any product execution tasks included within the File Transfer Diode Service. All Customer interaction details will be recorded and a Case Reference Number (CRN) assigned. Engineers work in small, flexible, multi-skilled units. This facilitates a team approach to service provision and ensures that more than one engineer is aware of, and able to discuss and resolve, your service requests.

Service Request Categories

The following table sets out the categories that will be assigned to each Service Request.

Table SL1

Category  Description
1         Total service failure of (operational) system or failure of a component of a critical process
2         Failure of one or more system functions making use of the system difficult (e.g. service still running and operational but not to full capacity)
3         Failure of a non-critical function having no significant effect on the system operation (e.g. failure of a sub-component such as a new version of an AV product)
4         Any incident having minimal impact on the system operation, requests for information or requests for enhancements

Service Levels

The times indicated in table SL2 below are the target times for the Service Provider to respond to or provide a workaround for incidents as set forth in the Agreement. All periods of time commence from when the Service Provider first receives notification of a new incident.

Table SL2: Response and Workaround Times

Category  Target Response Time      Target Workaround Time
1         Less than 1 Working Hour  Less than 1 Working Day
2         Less than 1 Working Hour  Less than 3 Working Days
3         Less than 1 Working Hour  Less than 10 Working Days
4         Less than 1 Working Hour  As Appropriate

Escalation

In the event that a Service Request is not provided within the relevant target time indicated in table SL2 above, the following escalation timings shall apply. For the purposes of this agreement, escalation shall mean that the customer shall have the right to communicate with that person in relation to the provision of the Service Request. In the event that the identified individual is not available, the Service Provider shall use their reasonable endeavours to provide the customer with an alternate contact person.

Table SL3

Category  Service Delivery Manager  Product Manager
1         Immediate Notification    1 Working Day
2         2 Working Days            5 Working Days
3         10 Working Days           N/A
4         N/A                       N/A

Security Flaws

In the event that the Service Provider identifies security flaws in the software, the Service Provider shall categorise the security flaw in accordance with table SL4.

Table SL4

Severity  Description
1         Security vulnerability that allows the Service Provider Diode or administration system to be compromised (e.g. attacker gains control of the Diode's host operating system)

2         Security vulnerability which means the Service Provider Diode fails to block data that should be blocked according to the configured policy (e.g. a data type configured to be blocked is allowed to pass)
3         Security vulnerability which means the Diode fails to correctly identify the source or destination of data when applying policy (e.g. identity of the originator of a signed message incorrectly identified, resulting in loss of accountability)

After categorising any emerging security flaw, the Service Provider shall follow the alerting and remediation process timings of table SL5. Alerting shall be to a customer nominated point of contact, using an agreed customer nominated communication means (e.g. secure email address).

Table SL5: Alerting and Remediation Times

Severity  Target Alert Time         Target Remediation Time
1         Less than 2 Working Days  Less than 2 Working Days
2         Less than 2 Working Days  Less than 5 Working Days
3         Less than 2 Working Days  Less than 7 Working Days

Should we fail to meet SLA terms within the defined timescales, we will credit 1 day's worth of File Transfer Diode Service charge.

ORDERING AND INVOICE PROCESS

Ordering can be carried out using the Framework Agreement Schedule 2 Order Form. Invoicing is monthly in arrears. Payment can be via the following methods: BACS or cheque.

SERVICE LEAD TIME

We will initiate on-boarding on receipt of a purchase order, in line with the Service Deployment Process identified in the On-Boarding section of this Service Definition Document. Timescales for implementation of the service will vary depending on the size and complexity of the service deployment. Once a File Transfer Diode Service platform has been deployed, configured and tested under the scope of the initial charge, the live service will commence under the recurring service charge model. The service is based on a one month initial implementation period, followed by live service from month two onwards.
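The stage sequence drawn in Figures 1 and 2 under Technical Features (Decompose Data, Verify Structure, Check Policy, Diode TX/RX, Recompose Data) and the severity 2 and severity 3 flaw definitions in table SL4 can be illustrated with a small simulation. The Python below is an added example written for this page, not Deep-Secure or MDS code: the XML message format, the flat element whitelist, the label ordering, the printable-text rule and the sample inputs are all constructed assumptions, and only the High-to-Low label check is modelled.

```python
import logging
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# GSC labels named on the page, ordered from lowest to highest sensitivity.
LABEL_ORDER = ("OFFICIAL", "OFFICIAL-SENSITIVE")
# Assumption: field text is restricted to printable ASCII plus whitespace.
SAFE_TEXT = re.compile(r"^[\x20-\x7e\t\r\n]*$")
log = logging.getLogger("diode-sim")
logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")

@dataclass(frozen=True)
class Policy:
    direction: str           # "H2L" or "L2H", the two variants in Figures 1 and 2
    max_label: str           # highest label permitted to cross on the H2L path
    allowed_tags: frozenset  # whitelisted child elements (Verify Structure stage)
    max_bytes: int           # size limit applied before any parsing

def decompose(raw):
    """Decompose Data: parse the XML into (label, {tag: text}). Only this flat form
    travels onwards, never the original bytes; malformed input raises and is blocked."""
    root = ET.fromstring(raw)
    fields = {}
    for child in root:
        if len(child):  # nested elements are outside the (assumed) flat schema
            raise ValueError(f"nested element under <{child.tag}>")
        fields[child.tag] = child.text or ""
    return (root.get("label") or "").upper(), fields

def verify_structure(fields, policy):
    """Verify Structure: return a rejection reason, or None if well formed."""
    for tag, text in fields.items():
        if tag not in policy.allowed_tags:
            return f"element <{tag}> not in whitelist"
        if not SAFE_TEXT.match(text):
            return f"non-printable content in <{tag}>"
    return None

def check_policy(label, policy):
    """Check Policy: apply the sharing policy to the label and flow direction."""
    if label not in LABEL_ORDER:
        return f"missing or unknown label {label!r}"
    if policy.direction == "H2L" and LABEL_ORDER.index(label) > LABEL_ORDER.index(policy.max_label):
        return f"label {label} may not flow High-to-Low"
    return None

def recompose(label, fields, source):
    """Recompose Data: build a fresh document on the receiving side and record
    the originator, so accountability (table SL4 severity 3) is preserved."""
    root = ET.Element("message", label=label, origin=source)
    for tag, text in fields.items():
        ET.SubElement(root, tag).text = text
    return ET.tostring(root)

def transfer(raw, source, policy):
    """Run one file through the one-way path; both outcomes are logged."""
    try:
        if len(raw) > policy.max_bytes:
            raise ValueError("exceeds size limit")
        label, fields = decompose(raw)
        reason = verify_structure(fields, policy) or check_policy(label, policy)
    except (ET.ParseError, ValueError) as exc:
        reason = str(exc)
    if reason:
        log.warning("BLOCKED source=%s reason=%s", source, reason)
        return "blocked", None
    out = recompose(label, fields, source)
    log.info("PASSED source=%s label=%s bytes=%d", source, label, len(out))
    return "passed", out

H2L_POLICY = Policy("H2L", "OFFICIAL", frozenset({"subject", "body"}), 4096)
# Constructed sample inputs, not taken from the page.
SAMPLES = {
    "ok": b'<message label="OFFICIAL"><subject>weekly report</subject><body>no change</body></message>',
    "too_sensitive": b'<message label="OFFICIAL-SENSITIVE"><subject>restricted</subject></message>',
    "unknown_tag": b'<message label="OFFICIAL"><attachment>blob</attachment></message>',
    "malformed": b'<message label="OFFICIAL"><subject>unterminated',
}

def run_samples():
    """Push every sample through the H2L path; letting 'too_sensitive' pass would be a table SL4 severity 2 flaw."""
    return {name: transfer(raw, "high-side-user", H2L_POLICY)[0] for name, raw in SAMPLES.items()}
```

The recomposed output never contains the original bytes, which is what makes the transformation approach resistant to malformed or crafted content, while the origin attribute keeps the user accountable for the transfer.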

TERMINATION COSTS

We will charge a single day at our professional services rates (see Pricing) for off-boarding activities.

BACKUP/RESTORE AND DISASTER RECOVERY

With the exception of configuration and syslog data, the File Transfer Diode Service is stateless. Backup of configuration and syslog data is a consumer responsibility. If required, this can be provided at our professional services rates (see Pricing) or through the MDS Managed Guard Service.

DATA RESTORATION/SERVICE MIGRATION

Data restoration is not included in the service. If required, this can be provided at our professional services rates (see Pricing) or through the MDS Managed Guard Service.

Service migration is not included in the service. If required, this can be provided at our professional services rates (see Pricing) or through the MDS Managed Guard Service.

CUSTOMER RESPONSIBILITIES

The customer is responsible for:

- Provision of compute and storage infrastructure required to host the File Transfer Diode Service
- Responding to policy conflict alerts raised by the Diode service and considering whether the set policy is correctly aligned to the business needs
- Completion of the Sales Order Form in line with the G-Cloud procurement process
- For tailored policy configuration services:
  - Approval of the Statement of Work and System Design Document
  - Engaging with, and specifying requirements for, the detailed configuration of the information exchange policy and reports that are required
  - Providing appropriate and empowered attendees for scoping and review meetings
- The control and management of access and responsibilities for end users
- Ensuring that only appropriate data in line with the GSC Scheme (e.g. OFFICIAL or OFFICIAL-SENSITIVE) is accessible and presented to the platform

Where the customer chooses not to take up a third party day-to-day management service, or professional services management, they are also responsible for:

- Diode configuration back-up
- Syslog back-up
- Recovery from back-up

TECHNICAL REQUIREMENTS

Appropriately specified host server(s) and client devices where required, to include associated licence provision.

RELATED SERVICES

This service may be bought in conjunction with the following other MDS G-Cloud services:

- Secure Guard Management
- Managed Server
- Cloud Enablement
- Compute as a Service
- Application Management