G-Cloud Service Definition Atos Information Security Wireless Scanning Service
Keeping your wireless networks secure

The Atos Wireless Scanning Service uses state-of-the-art technology, combined with analysis by certified security professionals, to safeguard systems and valuable data from unauthorised access, loss and corruption over wireless networks. This on-site scanning service searches for and identifies rogue and vulnerable wireless network access points that could threaten the security of the organisation's infrastructure and data. The scan analysis and report identify the actions for remediation.

Flexible service
The service can be applied to single and multiple sites on a monthly or quarterly scanning schedule. Additional scans can be ordered.

Managed service
The service is managed and overseen by SSCP and CISSP qualified staff. On-site scanning specialists are trained at the Atos Cyber Security Academy in partnership with the University of Derby.

Easy to budget
A simple modular price table with separation of setup, scanning and reporting costs makes it easy to budget for the service. High-risk sites can be scheduled for more frequent scanning.

Assists with compliance requirements, e.g. PCI DSS
The service identifies rogue (unmanaged, unsecured) wireless access points and verifies whether the wireless access points discovered comply with the organisation's access control policies that determine compliance. The service is evidence of the network management process, and the scan reports verify that the network management policy is being fulfilled.

What is it?
The Atos Wireless Scanning Service searches for and identifies vulnerable wireless network entry points using the latest hacker toolkits, so that weaknesses can be remedied and the risk of exploitation reduced. The service includes site scanning, data analysis by certified security professionals and vulnerability reporting.
An insecure wireless network presents a significant risk of loss of confidential data and of unauthorised access to services. Insecure wireless networks are an easily exploited entry point into an organisation's technology estate. Furthermore, wireless network vulnerabilities are often exploitable from outside the organisation's buildings and site boundary.
Data and/or service loss is a vulnerability that requires the utmost attention; regular wireless audits help ensure secure procedures are in place to manage the wireless networks and monitor compliance. PCI DSS compliance for Cardholder Data Environments (CDE) recognises the potential weakness of wireless networks. The Atos Wireless Scanning Service helps fulfil the requirement for organisations to check for and remove unauthorised wireless devices from the CDE and to verify the management of the wireless access points against the security policy.

The service:
- Scans wireless networks for weak points
- Discovers malicious rogue access points
- Works across ITIL functions, Towers and Accounts
- Integrates with the needs of Security and Risk Management
- Scan data analysis is overseen by SSCP and CISSP qualified staff
- Recommends best levels of protection and encryption for access points
- Assists with compliance requirements for security policies and PCI DSS.

What makes us unique?
The scan results are interpreted and analysed by certified security specialists (SSCP and CISSP). It is more than just an automated scan. The report provides remediation guidance to the organisation.

Atos service staff conducting the site scans are accredited by the Atos Cyber Security Academy in conjunction with Derby University. Consequently, they are trained in and aware of the security procedures, risks and threats which may be presented to them on site.

The service is delivered using a custom platform developed and updated by the Atos research and development team using the latest hacker toolkits. This ensures the wireless network is evaluated against the exploits currently available.

The service includes:
- A Service Delivery Agreement (SDA) that includes the agreed scanning schedule, sites and scan locations within a site
- Regular scans and scan reports according to the schedule defined in the SDA
- Options for extended reporting and additional scans.
Any organisation:
- wanting to secure its network infrastructure against wireless intrusions
- needing wireless network scanning to verify compliance against the organisation's security policy statements on wireless network infrastructure
- needing to demonstrate compliance with the wireless network regulations of PCI DSS for Cardholder Data Environments (CDE).
Contents
1. Introduction ... 1
1.1 Service summary ... 1
1.2 How this solution can be used ... 1
2. Service overview ... 2
2.1 Service Roadmap ... 3
3. Information assurance ... 4
4. Backup/restore and disaster recovery ... 5
5. On-boarding and off-boarding ... 6
6. Pricing ... 7
7. Service management ... 9
8. Service constraints ... 10
9. Service levels ... 11
10. Financial recompense ... 12
11. Training ... 13
12. Ordering and invoicing process ... 14
13. Termination terms ... 15
13.1 By consumers (i.e. consumption) ... 15
13.2 By the Supplier (removal of the G-Cloud Service) ... 15
14. Data restoration / service migration ... 16
15. Consumer responsibilities ... 17
16. Technical requirements ... 18
17. Trial service ... 19
18. Glossary of Terms ... 20
1. Introduction

Atos provides a wide range of world-class security solutions that help customers save money whilst simultaneously increasing security. The Atos Information Security Wireless Scanning Service is one such service. The service is delivered by trained, certified security specialists using our custom scanning platform.

1.1 Service summary

The Atos Wireless Scanning Service uses leading technology and best practices to safeguard systems and valuable data from unauthorised access, loss and corruption over wireless networks. Atos deploys a custom scanning platform, which uses a software portfolio that can be found in both off-the-shelf and professional hackers' toolkits. The scanners gather comprehensive endpoint and network intelligence from the target network. Atos applies advanced analytics to identify and prioritise the vulnerabilities that pose the most risk to business-critical systems and to the state of compliance. The result is actionable information that enables IT security teams to focus on the tasks that will most quickly and effectively reduce unnecessary residual risk. Successful remediation helps the organisation stay compliant with internal security policy, government legislation and industry regulations. Wireless scanning is a mandatory condition of the PCI DSS standard, specifically requirement 11.1: "Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis."

1.2 How this solution can be used

It is recognised that every IT system has weak points which can be exploited. These can be caused by weak encryption, malicious internal staff, poor network and system configuration and a lack of best practice. One major result of these weak points is the loss of important or confidential data and services. Insecure wireless networks can also be used as an entry point into a customer's technology estate(s).
Data and/or service loss is a vulnerability that requires the utmost attention; regular wireless audits can help to ensure secure procedures are in place to prevent this. PCI compliance is required for any customer that handles or processes cardholder data.

The service:
- Scans wireless networks for weak points
- Discovers malicious rogue access points
- Works across ITIL functions, Towers and Accounts
- Integrates with the needs of Security and Risk Management
- Recommends best levels of encryption for access points
- Assists with compliance requirements, for example PCI DSS.
2. Service overview

The Atos Wireless Scanning Service is delivered as a single deployment. A standalone platform is used to probe a client's network, identifying any potential rogue access points broadcasting within the network. The service mirrors the steps a hacker would take to gain access to an identified network. This is a mandatory requirement for any PCI DSS compliant customer and needs to be conducted on a quarterly basis, to ensure that no leakage of data is occurring within the estate.

To do this, the scanning platform is directed to assess all possible access points that are broadcasting within a target network. For each access point assessed, the scanning platform displays key values for the discovered access point. These values include:
- BSSID: the MAC address of the access point radio, whose vendor prefix identifies the manufacturer of the device
- Channel: the channel that the detected access point is broadcasting on
- Privacy: the level of security on the detected device:
  - Null/Open values show no security is present on the device
  - WEP values show a weak level of security is present on the device
  - WPA/WPA2 values show a strong level of security on the device (dependent upon configuration)
- Power: the strength of the signal for the device. Higher values indicate the device is broadcasting in close proximity to the scanning platform. Any values lower than -40 indicate the access point is broadcasting away from the scanned network
- ESSID: the name of the wireless network.

Once a scan has been successfully completed, a report is generated detailing the findings from the scan. The gathered results are investigated to determine whether any detected devices could be rogue access points within the network. The report is then made available to all relevant stakeholders for the account, to remedy any recommendations made within the report.
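As an added illustration (not Atos code, nor output of their platform), the following Python models the checks described above: it parses a constructed scanner export carrying the five listed values, applies the -40 signal threshold and the Open/WEP/WPA ranking, and flags devices absent from a hypothetical authorised-AP inventory as rogue. The CSV layout, the inventory, the BSSIDs and the risk grades are all assumptions.

```python
import csv
import io

# Constructed authorised-AP inventory (BSSID -> expected ESSID), standing in
# for the customer's wireless access control policy. Hypothetical values.
AUTHORISED = {"00:11:22:33:44:01": "CORP-WLAN", "00:11:22:33:44:02": "CORP-WLAN"}
# Threshold from the service overview: readings below -40 are treated as
# broadcasting from outside the scanned network.
IN_SCOPE_DBM = -40
# Risk by privacy value, following the page's Null/Open, WEP, WPA/WPA2 ranking.
RISK = {"NULL": "high", "OPEN": "high", "OPN": "high", "WEP": "high", "WPA": "medium", "WPA2": "low"}
# Constructed scanner export, one AP per line: bssid,channel,privacy,power,essid
SCAN_CSV = """\
00:11:22:33:44:01,6,WPA2,-35,CORP-WLAN
00:11:22:33:44:02,11,WEP,-30,CORP-WLAN
AA:BB:CC:DD:EE:01,1,OPN,-28,CORP-WLAN
AA:BB:CC:DD:EE:02,36,WPA2,-72,Neighbour-Guest
"""

def parse_scan(text):
    """Parse the five values the scan report lists for each access point."""
    fields = ["bssid", "channel", "privacy", "power", "essid"]
    aps = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=fields):
        aps.append({"bssid": row["bssid"].strip().upper(),
                    "channel": int(row["channel"]),
                    "privacy": row["privacy"].strip().upper(),
                    "power": int(row["power"]),
                    "essid": row["essid"].strip()})
    return aps

def classify(ap, authorised=AUTHORISED, in_scope_dbm=IN_SCOPE_DBM):
    """Mark one AP as rogue or not and grade the urgency of its finding."""
    known = ap["bssid"] in authorised
    in_scope = ap["power"] >= in_scope_dbm
    risk = RISK.get(ap["privacy"], "medium")  # unfamiliar privacy string: review it
    rogue, note = False, "authorised access point"
    if known and authorised[ap["bssid"]] != ap["essid"]:
        risk, note = "high", "authorised BSSID broadcasting an unexpected ESSID"
    elif not known and ap["essid"] in authorised.values():
        # Unknown radio advertising the corporate network name: rogue wherever it sits
        rogue, risk, note = True, "high", "unauthorised AP using corporate ESSID"
    elif not known and in_scope:
        rogue, note = True, "unauthorised AP within the scanned estate"
        risk = "high" if risk == "high" else "medium"
    elif not known:
        risk, note = "info", "below -40, outside the scanned network; record only"
    return dict(ap, rogue=rogue, risk=risk, note=note)

def assess(text, authorised=AUTHORISED):
    """Run the classification over a whole scan export."""
    return [classify(ap, authorised) for ap in parse_scan(text)]

def remediation_items(findings):
    """Findings that go into the report's remediation actions."""
    return [f for f in findings if f["risk"] in ("high", "medium")]

if __name__ == "__main__":
    for f in assess(SCAN_CSV):
        print(f["bssid"], f["essid"], f["privacy"], f["power"], f["rogue"], f["risk"], f["note"])
```

With the constructed input, the WEP-protected authorised AP and the open device spoofing the corporate ESSID land on the remediation list, while the weak neighbouring signal is only recorded.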
The service is delivered in modules to allow service configuration to meet the customer's specific needs:

Mandatory modules
- Basic Wireless Scanning Service (1 variant)
- Standard Service Requests for the Basic Service

Optional modules
- Service Setup (New Customer)
- Service Setup (Additional Scanner)
- Consultancy and Technical Support
- Extended Service Reporting
- Standard Service Requests for the Optional Modules
Important characteristics:
- The entire network infrastructure is analysed scrupulously, ensuring all key areas are covered by the service
- The entire wireless network infrastructure is covered during the scanning process
- The service will identify weak security methods used on access points across all the scanned networks
- The Atos security team continuously researches, develops and improves the underlying product
- Delivered by dedicated Security Operational Centres with trained, certified industry experts providing the wireless scan, analysis and response services
- Atos service staff are accredited by the Atos Cyber Security Academy in conjunction with Derby University
- A standardised approach for verifying PCI DSS compliance of wireless access points.

Benefits:
- A standardised scanning process leading to a great reduction in data loss for the customer and the business
- Increasing the levels of network access point encryption to further protect customers against data loss
- A standardised method of PCI DSS compliance, as this requires Wi-Fi networks to be scanned quarterly
- A simple and cheap process to protect customers from malicious attacks.

2.1 Service Roadmap

The wireless scanning platform is a product developed and customised by Atos. The platform is kept up to date with open source and hacker tools that are widely available on the internet and are found in the toolkits of individuals who intend to cause malicious damage or attempt to compromise a target. The solution benefits from a constant development programme to take into account the constant changes and challenges within this environment. Atos uses a large number of products and toolkits to provide our clients with the confidence that our services protect their valuable networks and infrastructures.
3. Information assurance

The standard product is available at Impact Level 0 (IL0). The service can be run at higher Impact Levels, up to Impact Level 5 (IL5), if required, subject to a formal accreditation.
4. Backup/restore and disaster recovery

Data from the wireless scan is downloaded from the custom platform and stored securely. In the event of the scanning platform failing, a new platform will be built from a master build image. Collected scan data is stored in Atos UK data centres with DR capability.
5. On-boarding and off-boarding

On-boarding
On-boarding the service is simple. Prior to conducting the wireless scan, the Atos security specialists will discuss the customer's needs for the scan to determine the site coverage, scanning schedule and the type of reporting required. For orders of a regular scan service we create a Service Delivery Agreement defining the service and the points of escalation to be used for the duration of the service.

Off-boarding
Should the customer decide to de-commission the wireless scanning service, all future scans are cancelled and the customer will receive a copy of the data collected in the scanning activities conducted to that date; all data held by Atos will then be destroyed. Costs for off-boarding will be charged against any residual service charge.
6. Pricing

The service is priced according to time and materials spent on mandatory modules and a selection of optional modules.

Modules (frequency; type)

Mandatory:
- Basic Wireless Scanning Service (1 variant): Monthly / Quarterly; see below
- Standard Service Requests for the Basic Wireless Scanning Service: Monthly / Quarterly; see below

Optional:
- Consultancy and Technical Support: On demand; rates as per SFIA rate card - Atos
- Extended Service Reporting: On demand; rates as per SFIA rate card - Atos
- Standard Service Requests for the Optional Modules: On demand; rates as per SFIA rate card - Atos
- Ad-hoc request for scan on existing scope and measurement (scan on demand): On demand; rates as per SFIA rate card - Atos
- Adjust scan schedule: On demand, subject to resource availability; rates as per SFIA rate card - Atos

The basic wireless scanning components of the service are priced according to the number of scans performed. The pricing elements of the basic scanning service are listed below.

Basic Wireless Scanning Pricing
- Service Delivery Agreement (one-off cost for each customer order received): 990 per order
- Fixed price element for each site visit for each scan (travel time, setup and site research): 990 per visit
- Package price for 6 scans (i.e. 6 different locations of the scanning platform within a single site): 495 per package of 6 scans. Note that scans are sold in packages of 6 scans; therefore 7 scans will require the purchase of two scan packages.
- First report: 990 for the 1st report
- Subsequent reports: 495 per report
Travel and subsistence for site visits: payable at the Customer's standard T&S rate.
Mileage for site visits: payable at the Customer's standard T&S rate.
Professional indemnity insurance: included in the service rate.

Example pricing

The customer has a single site with one building (approx. 30m by 60m) with 2 floors. The customer requests a floor scan and a perimeter scan for PCI DSS compliance. The service is required for 12 months with 5 scans in that period: one scan immediately and then one scan every 3 months until month 12.

Item: Price
- Setup service (Service Delivery Agreement and setting up account): 990
- Site visits (5 visits over 12 months), 5x 990: 4,950
- Scans: each visit performs 2 scans per floor and 2 perimeter scans, a total of 6 scans per visit to site; 5 site visits, 5x 495: 2,475
- Reports: first report 990; subsequent reports 495, 4 reports in 12 months, 4x 495: 2,970
- Total price of 12 month service (not including travel, subsistence and mileage for site visits): 11,385
7. Service management

The service is typically available during standard Working Hours/Days: Monday to Friday, 09:00 to 17:30, excluding public holidays. Reports from the wireless scans are communicated within 5 days of scan completion.
8. Service constraints

In order for the wireless scan to be conducted, the Customer will need to:
- Give authorisation for the scan to proceed
- Give access to the perimeter of the scanned estate
- Give access inside the scanned estate if that is within the scope of the scan

The service only provides information on the vulnerabilities discovered; remediation remains a customer responsibility or that of the customer's service providers.
9. Service levels

The standard service level is (service measure: typical service level):
- Service Availability: 95%
- Service Availability Window: 09:00-17:00 Mon-Fri, Business Days
- Support Availability Window (second line): 5*9 hours: Business Days, 08:00-17:00 h
- Support Language: English
- Report generation: inform stakeholders that a report is readily available within 5 days after the scan has been conducted
10. Financial recompense

To minimise the cost to users, Atos does not provide service credits for use of the service. All Atos services are provided on a reasonable endeavours basis. Please refer to the standard terms and conditions documents. In accordance with the guidance within the GPS G-Cloud Framework Terms and Conditions, the Customer may terminate the contract at any time, without cause, by giving at least thirty (30) Working Days' prior notice in writing. The Call Off Contract terms and conditions and the Atos terms will define the circumstances where a refund of any pre-paid service charges may be available.
11. Training

No training is required to benefit from this service, although the scan report should be communicated to security and infrastructure specialists in the customer organisation, or those of its service providers, to remedy the vulnerabilities. Our security specialists will discuss the coverage and benefits of the various scan options prior to scanning the estate. If training and guidance for customer staff and providers is required, it can be provided at the rates defined in our Atos Information Security Professional Services SFIA Rate Card - Atos that was submitted as part of our G-Cloud submission. Please get in touch for details (gcloud@atos.net).
12. Ordering and invoicing process

Ordering this product is a straightforward process. Please forward your requirements to the email address GCloud@atos.net. Atos will prepare a quotation and agree that quotation with you, including any volume discounts that may be applicable. Once the quotation is agreed, Atos will issue the customer with the necessary documentation (as required by the G-Cloud Framework) and ask the customer to provide Atos with a purchase order. Once received, the customer services will be configured to the requirements as per the original quotation. For new customers, additional new supplier forms may need to be completed. Invoices will be issued to the customer and Shared Services (quoting the purchase order number) for the services procured. On a monthly basis, Atos will also complete the mandated management information reports to Government Procurement Services detailing the spend that the customer has placed with us. The Cabinet Office publishes a summary of this monthly management information at: <http://gcloud.civilservice.gov.uk/about/sales-information/>
13. Termination terms

13.1 By consumers (i.e. consumption)

Termination shall be in accordance with:
- The G-Cloud Framework terms and conditions
- Any terms agreed within the Call Off Contract under section 10.2 of the Order Form (termination without cause), where the Government Procurement Service (GPS) guidance states "At least thirty (30) Working Days" in accordance with Clause CO-9.2 of the Call-Off Contract
- Our Supplier Terms for this Service as listed on the G-Cloud CloudStore.

By default we ask for at least thirty (30) Working Days' prior written notice of termination, as per the guidance within the GPS G-Cloud Framework Terms and Conditions.

13.2 By the Supplier (removal of the G-Cloud Service)

Atos commits to continue to provide the service for the duration of the Call Off Contract, subject to the terms and conditions of the G-Cloud Framework and our Supplier Terms.
14. Data restoration / service migration

Not applicable, as there is no data to restore and no service to migrate.
15. Consumer responsibilities

The principal consumer responsibilities are:
- The consumer will provide all required authorisation for access (escorted or un-escorted) to the Customer Sites. Where access disputes arise, the consumer will mediate the dispute and inform the Atos security team of the outcome
- The consumer will ensure that the Security Specialist conducting the scan has full or escorted access to all areas of the customer sites, to ensure that all devices are traced
- The consumer will provide all possible assistance to allow the Atos security teams to operate at the specified sites
- The consumer will escalate and manage the actions required to deal with any unauthorised or insecure wireless access points discovered.
16. Technical requirements

Technical requirements will be discussed and agreed with the customer and their representatives prior to the first scan.
17. Trial service

There is no trial service.
18. Glossary of Terms

Term: Explanation
- 2FA: Two Factor Authentication
- ASAC-S: Atos Secure Authentication for Cloud SafeNet
- CDE: Cardholder Data Environment (PCI DSS term)
- GPS: Government Procurement Service
- IL: Impact Level
- LDAP: Lightweight Directory Access Protocol
- OATH: Open Authentication, an open source standard
- PCI DSS: Payment Card Industry Data Security Standard
- RADIUS: Remote Authentication Dial-In User Service
- RSA: Product Vendor
- SAML: Security Assertion Mark-up Language
- SMS: Short Message Service
- SSL: Secure Socket Layer
- SSO: Single Sign On
- TCO: Total Cost of Ownership
- VPN: Virtual Private Network