How To Help Your Business Succeed




G Cloud III Framework Lot 4 (SCS) CHECK Accredited Penetration Testing Services

Contents
Executive Summary
CHECK Accredited Penetration Testing Services
Why Deloitte?
Package Cost
Contact
Service Definition (a) to (p)

Executive Summary

CHECK ACCREDITED PENETRATION TESTING SERVICES

Deloitte provides a CESG approved IT Health CHECK penetration testing service, specifically designed to assess and report on vulnerabilities and cyber threats faced by public-service systems. Our team helps executives, business and technical leaders to understand where and how their organisations need to adjust their security in a proportionate and effective manner.

Deloitte G-Cloud III CHECK Accredited Penetration Testing Services

1. CHECK Accredited Penetration Testing Services

SERVICE OVERVIEW

Deloitte can provide Government (central, national and local) and NDPBs with effective and business-orientated vulnerability management services. We have held the CESG Green status rating for over a decade, and are qualified to conduct vulnerability assessments and IT Health Checks for systems holding protectively marked material from IL1 to IL5. Our accredited advisors can assist with all stages of the vulnerability and penetration testing lifecycle.

With over 35 offices around the UK, Deloitte's services are accessible to all public sector clients. We operate List X facilities accredited to receive, process and store protectively marked material up to and including IL5. Our staff hold UK security clearances, including SC and DV. Our DV-cleared staff can work with material up to and including IL5 at appropriate locations.

Deloitte can access the latest publications from CESG, and is one of the active participants within the Security Research Information Exchange forum for researching and sharing attacks and vulnerabilities. Deloitte is a founding member of the CREST and IISP organisations and we are corporate members of the Cloud Security Alliance.

CHECK PENETRATION TESTING SERVICES

We use the CHECK Scheme, CESG and CREST guidelines as the basis for all the penetration testing we do, supplemented by technology specific standards such as OWASP and NIST.

Our service includes the following tests:
- External and internal penetration;
- Web and thick-client applications;
- Wireless and mobile device;
- System, application and network security diagnostic assessment; and
- Malware and source code analysis.

Each IT Health Check includes:
- Scoping, planning resulting in detailed information for the systems to be tested;
- Assessment and testing - resulting in on-going communication of risks to plan any remedial actions; and
- Reporting with full detail of weaknesses found, risks, and recommendations. It also includes an executive report with key risk areas and options for correction.

During the Health Check if any critical findings are identified they will be raised immediately with the nominated contact. All data will be handled in line with Government guidelines.

Note that all testing is subject to prior approval and authorisation to test from all parties in order to be compliant with relevant legislation.

KEY BENEFITS

Our services are distinguished by:
- Our global knowledge base of various vulnerabilities, attack methods, and exploits, which was developed internally and is updated on a weekly basis;
- Providing our consultants with detailed best practice methodologies, toolsets and approaches such as non-intrusive and intrusive tests; and
- All CHECK reports go to CESG for quality assurance purposes.

We can operate and quote for the provision of an on-going managed service if required.

2. Why Deloitte?

Deloitte LLP ("Deloitte") is a leading professional services firm, employing 13,600 staff across 20 locations in the UK. Our Public Sector community includes over 630 experienced specialists in central civil government, health, transport, defence and local and regional government, some of whom have previously worked at senior level. In addition, we have over 200 staff who can work in both the public and private sectors, enabling transfer of experience and best practice between the sectors and vice versa.

As a Big Four professional services firm, we are well positioned to draw upon skills across a wide range of service offerings to deliver Cloud-based services. We work across the public sector as a trusted advisor and as a supplier of leading edge technology services. This includes an extensive portfolio of Specialist Cloud Services available as packages and tailored offerings.

Our public sector team plays an active role in the development of methodologies, value propositions and points of view to assist our public sector clients. This includes the growing use of Cloud for provision and assembly of IT services. We conduct research in areas that are of current and emerging interest to our clients, identifying best practice and new developments in the UK and internationally.

In this section we outline some of the elements which differentiate us in the marketplace.

Professional Standards

As a leading supplier, Deloitte operates to high standards of professionalism:
- We recruit highly capable staff and maintain effectiveness through training, performance management and continuous professional development.
- Our project management methodology, which is aligned with PRINCE 2, provides mechanisms for managing all aspects of engagements, including project risks and issues. We have over 300 staff with PRINCE2 or similar PIM qualifications.
- Our focus on delivery includes regular contact with client management and frequent progress updates when issues can be identified at an early stage to enable easier risk mitigation and help avoid escalation.
- Deloitte is reliable to work with and sets out to deliver the services needed. Our high reputation in the market is based on our commitment to deliver even in difficult circumstances, while building trusted relationships with our clients.
- We actively promote sustainability within our supply chain and have a strong commitment to equality, diversity and corporate responsibility. Our firm is accredited to ISO14001, the international environmental management standard, and CAESAR (Corporate Assessment of Environmental, Social and Economic Responsibility).
- Deloitte across the UK is certified to ISO27001, the international security management standard. We operate robust processes for safeguarding customer data and for confidentiality of information. We are registered under the Data Protection Act and have safeguards in place to protect the data of our own personnel or any personal data with which we are entrusted by clients.
- We have processes in place to preserve the integrity and independence of the services we provide. For example, bids are subject to conflict checks to avoid conflicts of interest, all Deloitte staff are required to complete Anti-Bribery and Anti-Money Laundering training, partners and staff are subject to independence checks and there are frequent internal audits and compliance checks.
- Quality on every engagement is managed through a Quality Management Plan and partner sign off of deliverables on all engagements. Technology Consulting services are accredited to ISO9001, the international quality standard, which includes acting on customer feedback and continuous improvement plans.
- Where we use subcontractors, we seek out capable Small and Medium Sized Enterprises (SMEs) for their specialist skills, innovation and value. Subcontractors work within our engagement and staff management processes to provide a seamless service to clients.
- As members of the Chartered Institute for IT (BCS), our Technology practice and individual members are bound to its Code of Practice and Code of Conduct which defines good practice for ICT and technology consultancy. We are also registered with the TickIT scheme.
- We are a Green classified CESG approved company and have a number of CHECK Team Leaders and CLAS / CCP consultants.

Security

The majority of our public sector team are vetted to Baseline Personnel Security Standard or cleared to National Security Vetting SC level. In total, this is over 1,000 people with some form of security vetting. Deloitte is a List X company. We employ a full time Security Controller and Security Team to manage security clearances, advise on development of Security Management Plans and manage compliance with security processes.

We have comprehensive Business Continuity Plans in place in all locations. Staff are equipped to work remotely if client sites or Deloitte sites are inaccessible.

Responsible Business

At Deloitte Responsible Business is not just a strap line. We appreciate that our everyday business activities affect wider society through our actions and through the actions of those with whom we do business. Our approach to Corporate Responsibility is fully integrated with our business strategy; as such we are fully committed to addressing requirements from the Social Value Act. In the last year we launched our inaugural Impact Report (http://www.deloitte.co.uk/impact/), replacing our traditional annual report and providing the platform through which we will measure our impact and contribution to society into the longer term.

Geographical Coverage

Deloitte has 20 office locations throughout the UK, plus offices in Guernsey, Jersey and the Isle of Man. We also have a National Solutions Centre which is based in Belfast and provides software engineering capabilities for our clients.

Value for Money (VFM)

As a leading supplier of Cloud services to the public sector, we understand the importance of demonstrating the value we offer. Deloitte provides value for money by providing a sound balance of price and quality:
- We do not sacrifice quality for lower prices or cut corners, but rather we seek to provide the outcomes the client requires at the lowest price we can offer, using innovation and quality management to manage down costs and deliver value.
- We usually offer milestone billing as an additional benefit to clients so that payment can be linked with completion of agreed deliverables.
- On the G-Cloud III framework we have provided discounts for higher volumes of work.

Innovation and Continuous Improvement

Deloitte understands the importance of innovation to public sector clients in their endeavours to reduce costs and ensure better outcomes. Deloitte approaches public sector engagements from the standpoint of delivering tangible or measurable outcomes and effective use of resources. Cloud provides a major opportunity to challenge existing provision of IT in the organisation, and improve working practices, service levels and reduce operating costs. We are willing to challenge current ways of working in the public sector and to harness technology and lean thinking to produce satisfactory outcomes that deliver the client's objectives at lower cost.

We seek to ensure that our people, methods, infrastructure and working practices deliver high quality services to our clients and an environment where our staff can work effectively. We recognise that this is only possible if our working procedures, methods and tools, staff skills and training continue to improve. We undertake a number of activities to set objectives for key processes, measure performance against these objectives and assess and adjust our operational and engagement procedures to sustain improvement.

Capability Transfer

Deloitte usually provides some capability, knowledge or skills transfer on most engagements. We can also work in such a way that capability transfer is at the heart of the engagement. Examples include:
- Training client staff for team roles at the outset of an engagement to reduce costs and provide for continuity of skills after we exit from the client;
- Providing only those services which a client cannot provide for themselves and avoiding practices such as staff substitution as much as possible; and
- Delivering comprehensive capability transfer so that client staff are able to take over fully the operation or extension of a service or continue to manage a change programme from their own resources.

We also have a programme of secondments both to and from the public sector, which enhances our industry insight while strengthening our relationship with public sector.

3. Package Cost

PRICING MODEL

Deloitte offers a competitive pricing model for clients on the G-Cloud Framework. Deloitte is pleased to offer levels of discount predicated on the value of spend. We can also offer separate discount packages for the purchase of multiple service offerings at the same time.

For each service we have provided sample tiered prices with an indicator of the scale of the service delivered. We can tailor the scale and depth of service to meet individual requirements.

| Tier | Price | Notes |
|---|---|---|
| Tier 1 | £4,600 | See table below for scale of service provided |
| Tier 2 | £11,500 | See table below for scale of service provided |
| Tier 3 | £19,550 | See table below for scale of service provided |

The table below illustrates the scale of service for each tier.

| SERVICE TITLE | Tier 1 Maximum Hosts / IPs / Pages | Tier 2 Maximum Hosts / IPs / Pages | Tier 3 Maximum Hosts / IPs / Pages | Notes |
|---|---|---|---|---|
| Operating System Configuration (Build) Review | 2 | 10 | 20 | Each tier based on number of hosts (i.e. 2, 10, 20). Review of MS Windows Operating System (OS) builds, including assessment with infrastructure assessment of the host(s). |
| Firewall/Switch Configuration (Ruleset) Review | 2 | 10 | 20 | Each tier based on number of hosts (i.e. 2, 10, 20). Scale includes average of 30 rules per configuration and one configuration per host. |
| Infrastructure Vulnerability Assessment | 20 | 200 | 400 | Each tier based on number of hosts or IPs (i.e. 2, 10, 20). Assessment includes use of tools as well as manual confirmation of false positives. |
| Database Security Configuration Review | 2 | 10 | 20 | Each tier based on number of databases (i.e. 2, 10, 20). Assessment includes the use of a database review tool as well as manual confirmation of false positives. |
| Wireless Network Security (Per SSID) | 1 | 5 | 10 | Each tier based on number (i.e. 2, 10, 20) of SSIDs (unique broadcast identities) and an average of four access points per SSID. |
| Web Application Testing (Per Application) | 5 | 25 | 50 | Each tier based on number of active web pages (i.e. 5, 25, 50). Assessment includes the use of tools as well as in depth manual assessment of the application. |
| Infrastructure Penetration Testing (Internal) | 8 | 30 | 65 | Each tier based on number of hosts (i.e. 8, 35, 65). Includes vulnerability assessment as well as analysis of unknown ports, potential exploits and in depth manual assessment of the associated infrastructure. |
| Infrastructure Penetration Testing (External) | 20 | 100 | 200 | Each tier based on number of hosts (i.e. 20, 100, 200). Includes vulnerability assessment as well as analysis of unknown ports, potential exploits and in depth manual assessment of the associated infrastructure. |
| War Dialling | 100 | 500 | 1000 | Each tier based on number of numbers dialled (i.e. 100, 500, 1000). Approximately 100 numbers per elapsed day. |

We also offer a blended rate for a daily Full Time Equivalent, to complement the above services. The blended rate reflects the mixture of experience, skills and capability to be provided: setting strategy, influencing, advising, enabling, applying and assisting.

| JOB DESCRIPTION | TYPICAL LENGTH OF CONSULTING EXPERIENCE | PER ANNUM CONSULTING DAILY RATE PER RESOURCE P.A. (£0-250K) | ADDITIONAL DISCOUNTED RATE FOR ENGAGEMENTS P.A. (£250K - £1M) | ADDITIONAL DISCOUNTED RATE FOR ENGAGEMENTS P.A. (£1M+) |
|---|---|---|---|---|
| BLENDED RATE | | £1,150 | £950 | £750 |

Deloitte is pleased to offer levels of discount predicated on the value of spend. We will also consider additional discounts for the purchase of multiple service offerings at the same time. Please speak with our Service Offering Leads for more detail.

4. Contact

Please contact our team below if you wish to discuss this Service Offering in more detail.

| TO DISCUSS SERVICES | TO ORDER SERVICES |
|---|---|
| James Nunn-Price, Partner, UK Cyber Lead, 0207 303 8708, jnunnprice@deloitte.co.uk | To discuss an Order: Public Sector Sales Team, 0207 303 0913, ukdeloittetenders@deloitte.co.uk |
| Gary McCloskey, G-Cloud Security Lead, 07880 002201, gmccloskey@deloitte.co.uk | To send an Order: Public Sector Sales Team, 0207 303 0913, ukdeloittetenders@deloitte.co.uk |
| Jez Back, G-Cloud Lead & Cloud Technology Lead, 07825111921, jeback@deloitte.co.uk | How to use G-Cloud: Public Sector Sales Team, 0207 303 0913, ukdeloittetenders@deloitte.co.uk |

5. Service Definition

(a.) An overview of the G-Cloud Service (functional, non-functional);

See sections 4 and 5 of the service description.

(b.) Information assurance Impact Level (IL) at which the G-Cloud Service is accredited to hold and process information;

Information assurance level(s) relevant to the services are included elsewhere in this service description. Deloitte LLP ("Deloitte") is certified under ISO 27001 across the business by default for IL2. We operate an Information Security Management System which complies with the requirements of ISO/IEC 27001:200. Our Certificate No: IS 554408.

Staff in our Public Sector practice have Baseline Personnel Security Standard clearance. We can also provide staff cleared to National Security Vetting (NSV) levels.

Deloitte holds List X status which enables practitioners to work on a number of classified or protectively marked projects for the MoD and other government clients, equivalent to IL5. To achieve this, the Firm has accredited facilities within which suitably cleared project teams can work on sensitive material. These facilities at dedicated Deloitte sites provide teams with the capability to hold, process and store protectively marked material up to and including SECRET / IL5.

(c.) Details of the level of backup/restore and disaster recovery that will be provided;

As a firm, Deloitte has plans, processes and systems in place that form our Business Continuity and Resilience programme. We have a policy for testing and exercising our business continuity and resilience arrangements, and regularly review, update and test at appropriate levels and frequencies.

Any requirement for backup/restore and disaster recovery would be discussed and agreed with the customer prior to an order being placed. The requirement would be documented in the Order Form by the customer, and included by Deloitte in the Cloud Services Agreement at Schedule 2 Services Definition Part 4 Service Levels.

(d.) On-boarding and Off-boarding processes/scope etc.;

We will discuss and agree with customers the appropriate approach for their situation and reach agreement on the most suitable On-boarding and exit processes/scope prior to an order being placed. The requirements should be documented in the Order Form by the customer, and Deloitte will include details in the Cloud Services Agreement at Schedule 2 Services Definition Part 4 Service Levels.

(e.) Pricing (including unit prices, volume discounts (if any), data extraction etc.);

See SFIA rate card and Pricing Model where appropriate.

(f.) Service management details;

As Platinum members of the Chartered Institute for IT, we follow a number of BS15000/ BS20000 related IT Service Management procedures and Software Testing standards (IEEE 829). We hold IT Infrastructure Library (ITIL) Foundation and Practitioner Certification in IT Service Management. Many staff have PRINCE 2 Methodology Foundation and Practitioner Accreditation.

(g.) Service constraints (e.g. maintenance windows, level of customisation permitted, schedule for deprecation of functionality/features etc.);

We will discuss and agree the necessary service constraints and reach agreement on the most suitable approach prior to an order being placed. The service constraints should be documented in the Order Form by the customer, and Deloitte will include details in the Cloud Services Agreement at Schedule 2 Services Definition Part 4 Service Levels. Customisation is permitted and customisation requirements will be discussed with customers prior to ordering.

(h.) Service Levels (e.g. performance, availability, support hours, severity definitions etc.);

The Deloitte Business Management System, which encompasses our National and Regionally based Consulting Practice, satisfies the requirements of BS EN ISO 9001:2008, against which it is independently assessed by the British Standards Institution (BSi). Our Consulting Practice has been registered with BSi since 1986, when our software group was amongst the first organisations to obtain BS 5750 registration. The Consulting Practice of Deloitte in the UK is also registered with the TickIT scheme. TickIT provides for the certification of software developers against ISO 9001 by accredited assessors.

We can provide a wide range of service levels and options to customers. We will work proactively with customers to discuss and agree appropriate service levels and reach agreement prior to an order being placed. The service levels should be documented in the Order Form by the customer, and Deloitte will include details in the Cloud Services Agreement at Schedule 2 Services Definition Part 4 Service Levels.

(i.) Financial recompense model for not meeting service levels;

As one of the leading providers of professional and consulting services in the UK it is our aim to perform in line with our customer's expectations. Our quality assurance and risk management procedures are designed to focus on the customer so that engagements have the appropriate quality checks and review points.

(j.) Training;

Generally speaking customers do not require training to use our services. Should there be a specific training requirement, we will discuss it with you prior to placing an order. Many of our services include capability transfer as routine. Should you need capability transfer, please discuss it with us prior to placing the order.

Deloitte can provide a range of training options which may include Train the Trainer or a comprehensive roll-out to end users. We will work proactively with customers to establish the training requirement and reach agreement on the most suitable approach prior to an order being placed. The training requirement should be documented in the Order Form by the customer, and Deloitte will include details in the Cloud Services Agreement at Schedule 2 Services Definition Part 2 Ordered Services.

(k.) Ordering and invoicing process;

Please see Clause 8 of the Deloitte Cloud Services Agreement in the attachments area.

(l.) Termination terms: i. By consumers (i.e. consumption); and ii. By the Supplier (removal of the G-Cloud Service);

Please see Clause 16 of the Deloitte Cloud Services Agreement in the attachments area.

(m.) Data restoration / service migration;

We will discuss with customers any data restoration / service migration requirements and reach agreement on the most suitable approach prior to an order being placed. The requirements should be documented in the Order Form by the customer, and Deloitte will include details in the Cloud Services Agreement at Schedule 2 Services Definition Part 2 Ordered Services.

(n.) Consumer responsibilities;

We will discuss consumer responsibilities prior to an order being placed. Responsibilities should be documented in the Order Form by the customer, and Deloitte will include details in the Cloud Services Agreement at Schedule 3 Client Obligations.

(o.) Technical requirements (service dependencies and detailed technical interfaces, e.g. client side requirements, bandwidth/latency requirements etc.); and

We will discuss any technical requirements prior to an order being placed. The requirements should be documented in the Order Form by the customer, and Deloitte will include details in the Cloud Services Agreement at Schedule 2 Services Definition Part 2 Ordered Services.

(p.) Details of any trial service available.

Where applicable we would be pleased to discuss your requirement and the possibility of trial services in more detail. Please see [part X] above for contact names, telephone numbers and email addresses.

Important notice

This document is not an offer and cannot be accepted. Should you wish to obtain our services, please contact us on 0207 303 0913 or email us at ukdeloittetenders@deloitte.co.uk to discuss your requirements and how we may meet them. Following these discussions and our internal acceptance procedures, we would then enter into a direct order with you in accordance with these Framework terms to confirm our appointment.

The information contained in this document has been compiled by Deloitte LLP and includes material which may have been obtained from information provided by various sources and discussions with management but has not been verified or audited. This document also contains confidential material proprietary to Deloitte LLP. Except in the general context of evaluating our capabilities, no reliance may be placed for any purposes whatsoever on the contents of this document or on its completeness. No representation or warranty, express or implied, is given and no responsibility or liability is or will be accepted by or on behalf of Deloitte LLP or by any of its partners, members, employees, agents or any other person as to the accuracy, completeness or correctness of the information contained in this document or any other oral information made available and any such liability is expressly disclaimed.

This document and its contents are confidential and may not be reproduced, redistributed or passed on, directly or indirectly, to any other person in whole or in part without our prior written consent.

This document is not an offer and is not intended to be contractually binding. Should this proposal be acceptable to you, and following the conclusion of our internal acceptance procedures, we would be pleased to discuss terms and conditions with you prior to our appointment.

In this document references to Deloitte are references to Deloitte LLP. Deloitte LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited ("DTTL"), a UK private company limited by guarantee, whose member firms are legally separate and independent entities. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.

© 2013 Deloitte LLP. All rights reserved.

Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom.