SAFECOM SECUREWEB - CUSTOM PRODUCT SPECIFICATION 1. INTRODUCTION 2. SERVICE DEFINITION. 2.1 Service Overview. 2.2 Standard Service Features APPENDIX 2

Transcription

1 APPENDIX 2 SAFECOM SECUREWEB - CUSTOM PRODUCT SPECIFICATION 1. INTRODUCTION This document contains product information for the Safecom SecureWeb Custom service. If you require more detailed technical information, please contact your Client Manager. 2. SERVICE DEFINITION 2.1 Service Overview Safecom provides organisations with managed security services, which secure communications between them and the Internet, including web browsing, secure , and remote access. Safecom service comprises a suite of security focused in-cloud hosted solutions, delivered primary through Spark Digital s centralised security infrastructure, support and management systems. It provides effective, robust protection for the organisations around-the-clock, wherever in the world users are located. Safecom SecureWeb allows you to manage your people s access to websites by blocking viruses and malware, as well applying your business s acceptable use and other policies through flexible policy-enforcement options. Whether you want to block access to non-business sites or allow access with auditing for misuse, Safecom SecureWeb will protect your people and business from internet-borne threats. By analysing browsing and internet traffic, Safecom SecureWeb prevents people accessing disreputable sites and by scanning content, it prevents threats and viruses entering your network. The Safecom SecureWeb Custom offers a balanced range of standard and optional features, combining flexibility of active concurrent users and the scalability of malware protection. The service is able to optionally provide: Multisite Proxy Redundancy in Wellington and Auckland for clients wishing to have some geographic diversity with their upstream proxy connection, as well Content Caching, Own Access Logs and Unique IP Address Allocation for a better and safer end user experience. 2.2 Standard Service Features The key standard features of our SecureWeb Custom service are: Connection type to Spark Digital via Internet SecureWeb is accessed via the client Internet. Connection type to Spark Digital via WAN SecureWeb is accessed via the client WAN. Commercial in Confidence Page 1 of 8

2 2.3 Optional Service Features The key optional features of our SecureWeb Custom service to be selected from are: Content Caching Caching is enabled to ensure high performance of frequently accessed sites. Client-Initiated Failover Ability Provides the client with access to a secondary proxy platform in another geographic location. It offers an extra level of resilience achieved via the client s located & implemented, DNS-based failover. Own Access Logs Access logs will be filtered to exclusively contain the client s data, these are then made available via a secure download server for the client to download and manipulate at their leisure, with their reporting tool of choice. This is a chargeable option. Unique IP Address Allocation Ability to assign a unique Internet facing IP address to a particular client. 2.4 Service Management Safecom is managed and supported by the Security Operations Centre (SOC), 24 hours x 7 days per week, 365 days per year, and includes: A dedicated service support desk number 0800 SAFECOM ( ) is available to centralise all s. Requests may also be logged via Hosted.servicedesk@sparkdigital.co.nz Monitoring Safecom components to detect and monitor suspicious usage activity. Where required, managing any security events that occur by taking action such as blocking unauthorised traffic, tracing malicious activity and escalating illegal activity to the authorities. Configuring all Safecom components. Providing proactive support for alarm events. Providing second level support to clients. Providing access to online reports and any other monthly reports. Network management systems. Formal change control processes are used to manage changes. Problem management to ensure clients are aware of any current issues that may impact them. Commercial in Confidence Page 2 of 8

3 2.5 Service Implementation We will carry out the following implementation activities: Our Activities Technical Pre-Sales Client s Activities Scope pre-implementation work and estimate costs. Define contractual pre implementation fee. Additional design and consultation prior to implementation (client cost). Provide accurate information for Business and Technical requirements. Sign-off the Spark Digital s Safecom Service Schedule. Plan Work with the client to complete the Technical Specification for the required services. Complete Statement of Work. Provide input into the Technical Specification. Provide information relating to configuration to enable seamless access to Safecom services. Ensure skilled technical expertise available to assist the On Boarding team during the integration phases. Develop a test plan to set the criteria for successful implementation of all functionality. Agree and sign-off the Statement of Work. Configure and Test Provision Safecom network and firewall elements. Configure Safecom devices as per the agreed Technical Specification. Test with client to ensure all services and full connectivity is available. Configure any internal devices to allow required connectivity to Safecom services e.g. routers, servers, and workstations. Provide skills to diagnose integration issues that arise within the client s environment. Test all services according to test plan. Integration Completion Work with client to ensure all requirements in the Statement of Work are met. Sign off Safecom solution to acknowledge delivery of functionality as agreed. For any additional client requirements outside the contract, ensure a signed Contract Variation is received Handover to SOC (Security Operations Centre) Ensure client is aware that the services are in production and are aware of SOC s problem management and change control processes. Ensure support processes are communicated to all relevant internal parties. Commercial in Confidence Page 3 of 8

4 3. RESPONSIBILITIES 3.1 Service Boundaries The following service boundaries apply to Safecom SecureWeb: Internal Boundary the internal boundary is defined as the client facing WAN port that is the interface between the Client Network and the Essentials border. External Boundary the external boundary is defined as the Internet facing port that is the interface between the Spark Digital Service Delivery Platform and the Internet. Some examples of functions that fall outside of these service boundaries include: Configuration and support of Client Network components including mail servers, workstations, and network systems (routers, switches etc.). Configuration and support of Internet systems external to the Spark Digital Service Delivery Platform such as web sites, servers, search engines etc. On-site support this is not provided as part of Safecom services, but can be provided if required through the Spark Digital professional services group. 3.2 Client Responsibilities a) It is the Client s responsibility to: (i) comply with our Acceptable Use Policy (AUP) as set out at Appendix 1, when using the services. We may change the AUP from time to time as required to protect the integrity of the service, or ensure services can continue to be delivered to all of our clients. (ii) provide first level support for their users, to diagnose problems and provide assistance where required. If further assistance is required from Safecom support, this should be coordinated and managed through the client s first level support help desk. Safecom support is not able to provide direct support for end-users. (iii) define a security border for the Client Network. This defines what components of the Client Network are trusted. The security border is the edge of the Client Network, where all external un-trusted communication, including communication to suppliers, partners, external organisations, remote access connections or the Internet would occur. All un-trusted connections should be controlled by Safecom. (iv) perform detailed configuration and testing of client components outside of the service boundaries that is for all components within the trusted Client Network. (v) provide security within your security border, including but not limited to: physical security, including physical access to premises and access to computer systems. security for trusted servers, applications, desktop computing devices, notebook and other mobile or remote computing devices, including: o o o securing configurations and user authentication to servers, applications and other devices. virus scanning of all servers and workstations (as well as regularly updating virus definitions). strong encryption and password access to laptop and other mobile or remote computing devices. (vi) secure disposal of sensitive material, including password lists, computer configurations etc. Commercial in Confidence Page 4 of 8

5 (vii) user acceptance policies that are given to end-users, clearly defining the user s responsibilities (such as not divulging usernames and passwords) and how the services are to be used. It is important to cover issues such as privacy of and web content, which can be inspected and monitored using Spark Digital s Safecom service. (viii) provide appropriate disaster recovery planning within the Client Network. (ix) provide Client Network support personnel, including: an administrator or support person to communicate promptly with the Safecom helpdesk when issues arise. a technical resource that is able to work with the Safecom Implementation engineer and who is capable of performing the necessary tasks on the client s site for service implementations. The technical resource will ideally be a system administrator, who is technically skilled and understands IP routing. If the client does not have a suitable resource available, then this will impact proposed costs and time frames for implementation of the solution. (x) the Safecom service permits traffic to enter through Safecom security systems but by-pass Safecom's well-secured proxies and authentication systems. Destination devices within the Client network are not hidden behind Safecom s shared global source IP address. Address translation to a public IP address is used, but the address is exclusively used for the client s host server, which could assist potential hackers to locate it. (xi) client s devices are protected by Safecom s stateful hardened security systems, restricted port and IP parameters, and expert central management of rules that govern which pinholes are created. Safecom s intrusion detection systems monitor for suspicious traffic on the associated port and the firewall restricts the type of traffic permitted. This lowers the client s risk of an attack; however, permitting inbound traffic exposes specific client devices and applications. It is therefore, recommended that the client keep abreast of current known security issues for exposed applications and servers through this service. An example could be a host server exposing a custom website through Microsoft Internet Information Server (IIS). A new security issue may arise that permits attacks through the HTTP protocol to the host server. Until a patch is released and applied by the client, their host server running IIS will be vulnerable. Safecom s internal security model requires all devices that communicate externally to be hardened and monitored. In the case of restricted inbound access, the exposed host servers belong to the client and are not in Safecom s administrative or service boundary. The client must therefore, take responsibility for securing these devices, for example, removal of services not in use. The client acknowledges that lock-down is not in Safecom s direct control and as such, risks exist. (xii) servers and host systems that are accessible from this service should: be configured with hardened operating systems (e.g. services not in use are removed and security patches loaded). If possible, the system should be dedicated to external access and should not be used for internal resources. be kept up to date with the latest vendor supplied security patches provided for the operating system and applications. If these systems are not kept up to date with security patches and updates, there is a significant risk that they could still be compromised through the Safecom Restricted Inbound service. be kept up to date with antivirus software and updates. be located in a separate network zone or segmented from the rest of the client s internal network. This is to ensure that the impact of any possible compromise of a server is limited and does not affect the rest of the client s internal network. A design engineer can assist if the client requires a Safecom DMZ port where the client s servers are isolated from their internal network by Safecom Firewalls. have server logs checked regularly for suspicious activity. Commercial in Confidence Page 5 of 8

6 4. SERVICE TARGETS This section lists the following: Incident Priority Matrix impact and urgency criterion tables. Functional performance targets performance targets of the service itself. Service delivery performance targets performance targets for Spark Digital s delivery of the service. Provisioning/change performance targets performance targets for Spark Digital s implementation of and changes to the service. 4.1 Incident Priority Matrix Incident priority is determined from a combination of Impact and Urgency, as described below. Impact is the effect of the Incident on the client s business, measured by the number of the client s users and the extent of the Client s ICT Infrastructure that is affected. Urgency indicates the speed of action required, the degree to which the business can bear a delay in resolution and the availability of a Workaround or Fix. Priority considers impact and urgency. Priority = Impact & Urgency Impact Urgency P1 P1 P2 P2 2 P1 P2 P2 P3 3 P2 P2 P3 P3 4 P2 P3 P3 P4 Impact Description 1 - Enterprise Impact to all users at multiple client sites Impact to a critical site, system or service 2 - Site/Dept Impact to all users at a single client site Impact to all users in one department 3 - Multiple Users Impact to multiple users at several sites Impact to multiple users at one site 4 - One User Impact to a single user Impact occurred once only Urgency Description 1 - Critical Will have serious impact on client business if not resolved within P1 target timeframe 2 - High Will have serious impact on client business if not resolved within P2 target timeframe 3 - Average Will have serious impact on client business if not resolved within P3 target timeframe 4 - Low Will not have serious impact on client business Commercial in Confidence Page 6 of 8

7 4.2 Functional Performance Targets Service Attribute Attribute Definition Performance Target Maintenance Window The period when routine maintenance can be undertaken on the Service Delivery Platform. The weekly maintenance window for the platform is between 2:00 a.m. to 7:00 a.m. Sunday (NZST). Note: Service Delivery Platform (SDP) is the Spark Digital s cloud delivery fabric comprising a set of components that provide a services delivery architecture, such as service creation, session control, and protocols for cloud-enabled services. 4.3 Service Delivery Performance Targets Service Attribute Attribute Definition Performance Target Alarm Notification Billing Enquiry Response Call Reception Planned Outage Notification Initial Restoration Update Service Restoration Progress Update The elapsed time between a serviceimpacting alarm occurrence and the client being notified that it has occurred and is being investigated or has been resolved. The elapsed time between Spark Digital receiving a billing enquiry and Spark Digital providing a response to the enquiry. The elapsed time for the Safecom helpdesk to answer incoming telephone calls from clients to 0800 SAFECOM ( ). Elapsed time between advising client of a planned outage and the planned outage commencement. The elapsed time between Call Reception or alarm occurrence and the client being notified that initial diagnosis is completed. Frequency of updates to the client on the status of service restoration activity. Within 30 minutes of alarm occurrence. Single account, with account arrears less than 90 days: Within 48 hours. Multiple accounts, or account arrears more than 90 days: By agreement. 80% of calls are answered within 20 seconds during Call Reception Hours. Planned outages during Maintenance Window: within 5 Business Days. Planned outages outside of Maintenance Window: within 10 Business Days. Emergency planned outages: as much notice as possible. Within 60 minutes. An estimated restore time will be provided, if known. Priority 1: hourly during Service Restoration Hours unless otherwise agreed. Commercial in Confidence Page 7 of 8

8 Service Attribute Attribute Definition Performance Target Return to Operation (Remote) The elapsed time between call reception or alarm occurrence and confirmation to the client that service has been restored where service restoration is able to effected remotely. Priority 1: within 4 Service Restoration Hours. Priority 2: within 8 Service Restoration Hours. Priority 3: within 48 Service Restoration Hours. Priority 4: as agreed with client. Notes: 1. Call Reception Hours are 24x7 incl. public holidays. 2. Service Restoration Hours are 24x7 incl. public holidays. 3. Business Day Hours are 7am 7pm Mon to Fri, excl. public holidays. 4.4 Provisioning/Change Targets Service Attribute Attribute Definition Performance Target Assessment of initial Assessment Completion Advice of Delivery Timeframe Advice of Ready for Testing Closure Provisioning Targets Change to Scope / Add Service Notes: The elapsed time from receipt of a and confirmation of the class of to the client. The elapsed time between a Service Request being received and advice of an initial assessment. If possible, an expected delivery date/time for the change will be confirmed. The elapsed time between a Change Request being received and assessed as being Simple, Complex or a Project, and advising the expected delivery date for the change. The elapsed time between the change being completed and advising that it is ready for testing by the client. The elapsed time between advising that a change is ready for testing by the client and the change request being closed. The deliverables and timeframes are to be agreed between both parties and written into the Statement of Work. Adjust and agree timeframes and deliverables in the Statement of Work, or initiate a Contract Variation and new Statement of Work where required. 1. Call Reception Hours are 24x7 incl. public holidays. 2. Service Fulfilment Hours are 24x7 incl. public holidays. Within 2 Service Fulfilment Hours. Within 48 hours. As agreed in discussion with requestor. Within 24 hours. After 5 days. Meet timeframes for deliverables as agreed in the Statement of Work. Meet timeframes for deliverables as agreed in the Statement of Work. Commercial in Confidence Page 8 of 8