Specialist Cloud Services
Acumin Cloud Security Resourcing

DOCUMENT: Cloud Security Resourcing Service Definition
FRAMEWORK: G-Cloud
STATUS: Released
VERSION: 1.0
CLASSIFICATION: CloudStore

Acumin Consulting Ltd. Tel: 020 7987 3838. Page 1
Copyright 2013 Acumin Consulting Ltd. All Rights Reserved.

Neither this document, nor any part of the contents of this document, may be reproduced or distributed in any form or by any means without the prior written permission of Acumin Consulting Ltd. The information contained in this document is intended for the sole use of the personnel of Acumin Consulting Ltd, such other persons named as recipients, or persons named on a circulation list. Acumin Consulting Ltd drawings, pictures or documents remain the property of Acumin Consulting Ltd at all times, and may contain information of a privileged and confidential nature. Should any person receive this document in error, please notify Acumin Consulting Ltd immediately.

Contact:
Acumin Consulting Ltd
Suite 22 Beaufort Court, Admirals Way, London, E14 9XL
020 7987 3838
info@acumin.co.uk
Contents

1. Service Overview ... 4
   Fig. 1 Cloud Security Job Roles ... 4
2. Why Choose Acumin? ... 6
   Scalability and Flexibility ... 6
   Quality and Alignment ... 6
   Industry Commitment ... 6
3. Pricing ... 7
   Fig. 2 Specific Cloud Security Services Day Rate Card ... 7
   Standards for Consultancy Day Rate Cards ... 7
4. Additional Items ... 8
   Information Assurance ... 8
   On-boarding and Off-boarding processes/scope ... 8
   Service Management ... 8
   Service Constraints ... 8
   Service Levels (e.g. performance, availability, support hours, severity definitions etc.) ... 8
   Financial recompense model for not meeting service levels ... 8
   Training ... 8
   Ordering and invoicing process ... 8
   Termination terms ... 8
   Data restoration / service migration ... 8
   Consumer responsibilities ... 8
   Technical requirements ... 8
1. Service Overview

Information Assurance | Data Risk and Compliance | Cloud Security Architecture | Business Continuity

Acumin provide a cost-effective, scalable and measurable resource pool of the very best Information Security and Cyber Security consultants in the UK, who can provide everything from high-level advisory through to technical implementation services to safeguard the data you store, use and manage with Cloud-based solutions. Security and compliance are the top concerns when using Cloud solutions; we specifically focus on resourcing these skills and have done so for 15 years. With G-Cloud, we can now bring our skills and expertise directly to the UK Public Sector, offering you substantial cost savings and a professional approach.

Through the G-Cloud framework, we provide skills that align to the Cloud Security Alliance's (CSA) own key principles, to help ensure data compliance, availability and secure access to data, and to mitigate the risk of data leaks when operating in a Cloud environment. See below for a specific description of the professions and job roles resourced under these services.

Fig. 1 Cloud Security Job Roles

CSA Key Principle: Cloud Computing Architectural Framework
  Professional description: Ensuring the fundamental architectural security controls are in place, matched against potentially different risks than those of traditional IT solutions.
  Specific Job Roles: Enterprise Security Architect

CSA Key Principle: Compliance and Audits
  Professional description: Achieving, maintaining and proving compliance when using Cloud solutions. How to comply with both internal and external policies and regulations. How to successfully prove compliance when audited.
  Specific Job Roles: ISO27002 Lead Auditor; CLAS Consultant; IS Accreditor; Data Privacy Officer; PCI Consultant (QSA)

CSA Key Principle: Incident Response and Remediation
  Professional description: Identifying and assessing the technical threats associated with Cloud Computing. Ensuring that the Cloud Provider monitors and highlights possible incidents, responds accordingly and makes continual improvements.
  Specific Job Roles: Threat and Incident Response Analyst; Network Forensics Analyst

CSA Key Principle: Legal and e-discovery
  Professional description: Ensuring the organisation and its Cloud Provider adhere to legal requirements such as Data Privacy and Information and Computer Systems requirements. E-discovery: the capability to investigate any possible breach and gather evidence accordingly.
  Specific Job Roles: e-discovery Analyst; Data Protection Advisor

CSA Key Principle: Application Security
  Professional description: Ensuring the Cloud solution's applications are secure and scalable. Also ensuring that in-house applications are robust and securely integrated into the Cloud solution when required.
  Specific Job Roles: Security Architect - Web Application; Penetration Tester - Web Application

CSA Key Principle: Identity & Access Management (IDM)
  Professional description: Ensuring that the identities of users, and the access to data they are trusted with, are allocated accordingly in the Cloud. Can the provider effectively map and synchronise with an organisation's existing IDM solution?
  Specific Job Roles: Access Control / Security Operations Analyst; IDM Consultant
Fig. 1 Cloud Security Job Roles (continued)

CSA Key Principle: Encryption & Key Management
  Professional description: Assessment of the need to encrypt specific data, and of the control of that data with the Cloud solution provider.
  Specific Job Roles: PKI Consultant

CSA Key Principle: Traditional Security
  Professional description: Addressing the overall security policy and operational security processes associated with the changing landscape of using Cloud solutions. High-level risk management and review of Enterprise Risk Frameworks and Architectures.
  Specific Job Roles: Security Architect; IT Security Manager

CSA Key Principle: Governance and Enterprise Risk Management
  Professional description: How an organisation assesses and governs risk when using Cloud solutions at an Enterprise level. Implementing possible changes to an organisation's Enterprise Governance frameworks to mitigate the organisation's possible exposure to legal and regulatory risks associated with Cloud Computing.
  Specific Job Roles: Information Governance Manager; Data Classification Officer; Information Risk Manager; Security Programme Manager

CSA Key Principle: Business Continuity and Disaster Recovery
  Professional description: Ensuring the organisation has robust Business Continuity and contingency plans in place and that the availability of critical information and systems is maintained. Ensuring that the Cloud Provider's Data Centre resilience plans are tested regularly and align with SLAs etc.
  Specific Job Roles: Business Continuity Analyst; Business Continuity Consultant
2. Why Choose Acumin?

Scalability and Flexibility

Acumin has been providing specifically, and only, Information Security and Cyber Security staff for over 15 years. Acumin holds a database of over 25,000 UK Information Security professionals, of which over 3,500 are contractors. Those resourced for this framework are experienced Data Compliance, Security Management and Technical Security Associates, who are selected to help you make the right decisions when selecting, implementing and using Cloud-based solutions.

Quality and Alignment

All of the Associates we resource under this service are familiar with the UK Security Policy Framework (SPF), and many of them are Acumin Approved Associates, meaning they have either worked on assignments for us previously or been through a quality validation process. Over 80% of the Associates we resource are reused by Acumin after their initial contracts, and invariably a large number are SC and/or DV cleared for Central Government assignments. Many of our Associates have designed the security architectures that lie at the heart of many Government-developed and commercial Cloud-based solutions, and have had direct input into the development of the Cloud Security Alliance UK Chapter's best practice guide.

Industry Commitment

As a company, Acumin partners with ISC2, CREST and the IISP to ensure our direct involvement in the development of the skills required by the UK Government's IA and Cyber Security requirements, and regularly hosts industry events such as our very own RANT (Risk and Network Threat) Forum (http://rantconference.com).
3. Pricing

Fig. 2 Specific Cloud Security Services Day Rate Card

CSA Key Principle                          Specific Job Role                            Rate per Associate/Day
Cloud Computing Architectural Framework    Enterprise Security Architect                950
Compliance and Audits                      ISO27002 Lead Auditor                        600
                                           CLAS Consultant                              720
                                           IS Accreditor                                575
                                           Data Privacy Officer                         650
                                           PCI Consultant (QSA)                         690
Incident Response and Remediation          Threat and Incident Response Analyst         720
                                           Network Forensics Analyst                    720
Legal and e-discovery                      e-discovery Analyst                          650
                                           Data Protection Advisor                      650
Application Security                       Security Architect - Web Application         890
                                           Penetration Tester - Web Application         750
Identity & Access Management (IDM)         Access Control/Security Operations Analyst   450
                                           IDM Consultant                               750
Encryption & Key Management                PKI Consultant                               750
Traditional Security                       Security Architect                           850
                                           IT Security Manager                          800
Governance and Enterprise Risk Management  Information Governance Manager               750
                                           Data Classification Officer                  650
                                           Information Risk Manager                     820
                                           Security Programme Manager                   950
Business Continuity and Disaster Recovery  Business Continuity Analyst                  450
                                           Business Continuity Consultant               690

Standards for Consultancy Day Rate Cards

Consultant's Working Day: 8 hours, exclusive of travel and lunch.
Working Week: Monday to Friday, excluding national holidays.
Office Hours: 09:00 to 17:00, Monday to Friday.
Travel and Subsistence: Included in the day rate within the M25. Payable at the department's standard T&S rates outside the M25.
Mileage: As above.
Professional Indemnity Insurance: Included in the day rate.

The above pricing can also be accessed via the SFIA matrix provided with the tender documents.
4. Additional Items

Information Assurance
Acumin's Cloud Security Resource Services are not covered by Business Impact Level (BIL) accreditation. However, our Associates are all familiar with BIL and the overall UK Security Policy Framework (SPF), should guidance be required.

On-boarding and Off-boarding processes/scope
N/A for Acumin's Specialist Cloud Services.

Service Management
N/A for Acumin's Specialist Cloud Services.

Service Constraints
Acumin's Specialist Cloud Services for Cloud Security have no service constraints. Our terms offer substitute Associates and between 7 and 30 days' termination of specific assignments, depending on the scope of work.

Service Levels (e.g. performance, availability, support hours, severity definitions etc.)
N/A for Acumin's Specialist Cloud Services.

Financial recompense model for not meeting service levels
N/A for Acumin's Specialist Cloud Services, although only work verified against any SLAs defined in the Statement of Work (SoW) for each assignment is billable.

Training
Acumin does not offer training in the services we provide. However, we can provide Associates to train on such items as Security Awareness and ISO27002 best practice.

Ordering and invoicing process
Ordering is by agreement of scope of work, duration, day rate and start date. Invoicing is based on the consumption of Associate days per month, on an accrual basis; we do not ask for an upfront commitment fee. Invoices are sent monthly, per assignment, payable 30 days from invoice.

Termination terms
Termination is covered on an assignment basis and is outlined in each Statement of Work; the standard is 14 days, but this is flexible depending on the duration of work required.

Data restoration / service migration
N/A for Acumin's Specialist Cloud Services.

Consumer responsibilities
These are outlined in the terms and conditions and include the provision of a suitable and safe environment in which to conduct the assignment. They may also include, from time to time, the need for a secure facility for data handling, depending on the assignment.

Technical requirements
N/A for Acumin's Specialist Cloud Services.

Contact: Chris Batten or Scott West on 020 7987 3838, or email gcloud@acumin.co.uk for a free consultation.