IBM Penetration Testing Services
Service Definition
1. Summary

1.1 Service Description

IBM offers a comprehensive set of Security Assessment and Penetration Testing services, providing services for organisations aligned with multiple market sectors and of various sizes. All IBM Security Services engagements are aligned to an agreed scope which defines the specific (and measurable) outcomes for all activities conducted within the assessment.

As security threats evolve and new technologies emerge, data privacy and security must keep pace; failure to protect critical assets can result in financial costs and damage to an organisation and its reputation. The role of security assessment (which includes penetration testing) is to provide an empirical assessment of the security controls implemented within the target system. Importantly, this allows developers, administrators and risk owners to develop an evidence-led view of security, based on the output provided by a technical security assessment.

Our Penetration Testing services use highly experienced and qualified staff, registered with established and respected industry bodies (such as the TigerScheme and EC Council). At IBM, we offer a comprehensive penetration testing package that begins with controlled exercises to simulate covert and hostile attacks; it ends with specific guidance and recommendations for reducing risk and increasing compliance.

Our service can provide:
- Network Discovery and Reconnaissance for extensive inspection of connected hosts and services;
- Perimeter and Internal Vulnerability Assessment for controlled exploitation of key vulnerabilities;
- Exploitation and Pivoting, attempting to further penetrate the network and breach valuable or confidential data;
- Analysis and Remediation for detailed reports on findings and actionable recommendations;
- Research and Insight for on-demand access to a global threat analysis service, including X-Force reports.
1.2 Service Characteristics

Lot: IBM G-Cloud Penetration Testing Services
Applicability: Any organisation that wishes to take measures to secure its business or client data against loss in the event of system outage or theft.
Contract Duration: Flexible; to be agreed in the Call-Off Order.
Contract Price: Variable, based on time and materials, depending on agreeing with the Contracting Authority the resources required for the Call-Off Order, based on the IBM SFIA rate table. The price will be subject to VAT and out-of-pocket expenses incurred outside the M25.
Lead time to start: 2 weeks
Related Lot(s)/Offering(s): IBM Hosted Vulnerability Management (VMS); Cloud Security Assessment; Risk Assessment & Accreditation; Information Assurance Service

1.3 Why IBM

IBM is a well-established, highly experienced technology company with a strong practice of experienced information security professionals. Security represents one of IBM's Top 5 Strategic Initiatives, established by and with the commitment of our Chairman and CEO Ginni Rometty, our Board of Directors and our Senior Executive team. This commitment ensures priority access to capital. Our mission is to serve as the trusted security advisor to corporations, institutions and governments around the world and to offer our clients the most complete portfolio of end-to-end security capabilities available in the industry. To do this, IBM has invested billions of dollars to date in order to: acquire some of the most sought-after security assets in the industry; build the most advanced network of global security operations centers; enhance our footprint of global research and development centers to innovate new security solutions; expand our global talent; and, most importantly, create an integrated security intelligence network using next-generation analytics.
An important aspect of the IBM approach is integration with the client; in this way we seek to understand the context of our client's needs and to place them at the centre of our work. Our ability to deliver truly end-to-end solutions means we operate at all levels across an organisation, placing our focus on identifying and solving the complex and evolving security challenges of our clients. In parallel with the work we undertake with our clients, IBM invests heavily in the defence and protection of its own assets; we use the experience and empirical learning this brings to provide effective solutions for others in addressing the constantly changing landscape of information security threats and risks.

Key aspects of IBM's security capabilities are:
- Dedicated penetration testers, certified to industry standards including the TigerScheme and EC Council Certified Ethical Hacker (CEH);
- As a List X organisation, IBM has a full-time List X Security Controller with access to the full Security Policy Framework. We work closely with Security Authorities to implement physical and personnel security as well as information security. As a result, our CLAS consultants are able to advise on vetting and physical security matters, undertaking a Security Assessment for Protectively Marked Assets (SAPMA) where appropriate;
- Our approach to documenting and delivering information security controls, processes and procedures consistently is in accord with ISO 27001/2. We have extended this with technical standards for the implementation and configuration of security functions, based on our extensive experience of deploying solutions in high-assurance environments. This approach, together with other applicable industry standards, including ISO/IEC 27003, ISO/IEC 27005, SAS 70, COBIT and ITIL, provides a unique integrated management system that fully meets specific security requirements;
- IBM has provided Assurance for a number of significant clients, including various levels of Government, so our consultants draw on a wealth of experience and are skilled at providing a custom-designed service.

1.4 Contact

Contact Name: Brian McGlone
Title: IBM UK Cloud Alliances Executive
Address: PO Box 41, North Harbour, Portsmouth, Hants, PO6 3AU
Contact Email: brian.mcglone@uk.ibm.com
Contact Phone: 07764290413
2. Delivery

2.1 Context

In an age where information is abundant and widely dispersed, growing threats from cyber security underline the necessity for organisations to implement measures that protect their sensitive data. The IBM service discussed herein focuses on building assurance of the technical controls an organisation implements to counter these threats.

2.2 What we will deliver

IBM works closely with organisations to fully understand the context of the system under review; this is based on a set of comprehensive assessment activities that cover all aspects of the solution architecture, including technical measures, people and processes. This analysis seeks to determine the most appropriate information security controls, preventative controls and assurance activities for the system under test.

IBM operates a single, consistent Security Assessment methodology for all cloud security engagements; this is based on three fundamental phases:
1. Discovery;
2. Vulnerability Assessment; and
3. Penetration Testing.

These phases are interlocked, such that each informs and guides the next, allowing for escalation and progression through the target system. Some of the aspects that we offer as part of our solutions are listed below:
- Network Discovery and reconnaissance
- Perimeter and internal probing
- Remote exploitation
- Analysis and remediation
- Research & insight

In parallel with the security assessment activities, IBM Security Services hosts a range of information security professionals that span the strata of information security specialisms. The penetration testing services discussed herein can be blended with other Information Assurance services, providing an effective end-to-end service and consulting model including wider services such as:
- Risk Management and Accreditation as a Service;
- Information Assurance as a Service;
- Security in the Software Development Lifecycle (SSDLC).

IBM places significant emphasis on the definition of Information Security controls that are practical, achievable and measurable in their effect. This includes forming a strategic view of the types of controls that will be required in the long term, particularly when considering advanced and complex threats that evolve over time.

2.3 Commercials

This will be a Time and Materials contract. However, following the first phase of work, there could be the opportunity to discuss converting the initial quote into either a Fixed Price or Risk/Reward based contract in order to provide increased flexibility for your organisation. Initial work will be carried out under the Strategy and Architecture category of the IBM SFIA rate table unless agreed otherwise. Follow-on work will be under the appropriate category(ies) of the IBM SFIA rate table. The scope of work will be set out in the Call-Off Order Form and agreed by both parties. Follow-on services to enable you to complete implementation of cloud services can be provided by IBM. Details should be agreed via the Call-Off Order and priced using the IBM SFIA rate card.

2.4 Key Points

Other key points to note are as follows:
- This offering is subject to availability of IBM resources.
- The Charges for this Service are on the basis that no Parent Company Guarantee is required. If one is required and agreed to by IBM, then the Charges will be revised accordingly.
- For Fixed Price offerings, Travel and Subsistence (T&S) costs are included for work within the M25. For work outside the M25, T&S will be payable using the Contracting Body's standard T&S rates.
- The pricing and terms on individual call-off orders should be handled as commercially sensitive by the Contracting Body.
- Security standards will be agreed between IBM and the Contracting Body, and if necessary IBM will ask the Contracting Body to issue a Security Aspects Letter as well as a scope document, including a Computer Misuse waiver, which should be signed.
- The work is subject to IBM's Terms of Business, which are attached separately to this catalogue item.