Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Transcription

1 Solution Pack Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Subject Governing Agreement DXC Services Requirements Agreement between DXC and Customer including DXC Cloud Service Terms governing the Customer s purchase of services identified in this Solution Pack. Managed Services Virtual Private Cloud Security Features, Release 9.4 ( Security Services ) Prerequisite Services Customer must purchase these Services prior to selecting the Services set out in this Solution Pack: Managed Services Virtual Private Cloud Service ( Managed VPC ) Mandatory Addenda Managed Services Acceptable Use Policy DXC Cloud Terms Glossary DXC Technology Page 1

2 Table of Contents 1. Statement of Work Introduction Scope of Service Description of Services Audit Assurance and Compliance Datacenter Security Encryption and Key Management Governance and Risk Management Identity and Access Management Infrastructure and Virtualization Security Security Incident Management, E-Discovery and Cloud Forensics Threat and Vulnerability Management Regulatory Compliance Managed VPC Continuity Service Security Supplement Service Levels Overview Service Levels and Credits Charges Security Service Related Charges Costs and Expenses 22 DXC Technology Page 2

3 1. Statement of Work 1.1 Introduction This Managed VPC Security Features Solution Pack shall apply to each Order placed under this Managed VPC Security Features Solution Pack and will remain in effect unless it is terminated or expires in accordance with the Governing Agreement. In the event of any conflict or inconsistency between this Managed VPC Security Features Solution Pack and the Managed VPC Solution Pack, this Managed VPC Security Features Solution Pack will prevail with respect to the subject matter of this Managed VPC Security Features Solution Pack. General descriptions or references to particular Security Services in this Managed VPC Security Features Solution Pack or elsewhere in the Agreement are subject to the more detailed descriptions below. Security Services are only available for purchase by Customers who have also purchased, and DXC will be obligated to provide Security Services only if Customer has purchased, Managed VPC Services as described in the Managed VPC Solution Pack. Security Service usage is limited to within the Customer s Managed VPC environment. Termination or suspension of all or any part of the Managed VPC Service for any reason shall automatically result in termination or suspension, respectively, of all (or in the event of a partial termination or suspension, the corresponding part) of the Security Services under this Managed VPC Security Features Solution Pack. 1.2 Scope of Service DXC will provide to Customer the Services described by this Statement of Work following submission of Orders. DXC will deliver Security Services on a Managed VPC infrastructure in accordance with the Managed VPC Solution Pack except where otherwise specified below. Security Service components noted as are included with Managed VPC Services at no additional Charge. Security Service components noted as an or al will be made available to the Customer at an additional Charge. Customer acknowledges that because Unmanaged Servers are under its control, security features for Unmanaged Servers are more limited than for Managed Servers. Customer will use the Managed Services Portal to order Managed VPC Security Services offered under the Governing Agreement. A complete list of orderable items available in the requested data center can be viewed in the Managed Services Portal. Any Services ordered by the Customer in the Managed Services Portal that are not within scope of the Solution Pack(s) signed by the Customer will result in need for the Customer to sign an additional Solution Pack. This additional Solution Pack must be signed by the Customer before the Customer Order can be fulfilled. 1.3 Description of Services Audit Assurance and Compliance Service Overview (Audit Assurance and Compliance) DXC Technology Page 3

4 This section describes the options available to receive information regarding security and compliance in the environment. Customer may conduct audits using the Customer Audit Days option described below only if the available reports do not sufficiently cover specific controls Responsibility Matrix (Audit Assurance and Compliance) The table below describes Security Service components for Audit Assurance and Compliance along with responsibilities related to these components. (a) Server Penetration Test Report (b) Infrastructure Penetration Test Report Review and approve (as appropriate) the properly completed and signed indemnification form. Complete and sign (and cause any 3rd party auditors to sign) the DXC supplied Penetration Test Indemnification Form and conduct or commission (from DXC or an independent 3rd party) a penetration test of the VPC servers. Provide relevant findings to DXC. Commission a penetration test from an independent 3rd party and provide an annual summary copy of the report to the Customer. One time charge per report when conducted or commissioned by DXC. Contact DXC Account Team to request this option. One report is issued globally for the Managed VPC Service. This report covers a representative sample of the VPC infrastructure and includes tests that attempt to break out of a VM, break out of a tenant compartment, break into the Managed VPC Management Infrastructure, and penetrate from the public Internet. Customer VPC servers (Managed and Unmanaged Servers) are not included in the scope. One time charge per report. There is no DXC Technology Page 4

5 need to purchase more than one copy. Contact DXC Account Team to request this option. (c) ISAE 3402/SSAE16 SOC1 Type II Report Commission the report from an independent 3rd party for the Managed VPC infrastructure and provide a copy of the report to the Customer as and when available. One-time charge per report. Customer VPC servers (Managed and Unmanaged Servers) are not included in the scope. Contact DXC Account Team to request this option. (d) AT Section 101 SOC2 Report Commission the report from an independent 3rd party for the Managed VPC infrastructure and provide a copy of the report to the Customer as and when available. One-time charge per report. Customer VPC servers (Managed and Unmanaged Servers) are not included in the scope. Contact DXC Account Team to request this option. (e) Customer Audit Days Provide an audit coordinator and/or authorised escort. Use available audit reports to address as many audit needs as possible. For any remaining items, provide scope and request for audit access 22 business days in advance. Commission auditors (Customer or an independent 3rd party) to perform the audit. Provide relevant findings to DXC. Charge is per audit day plus expenses. One audit day is one business day in which access to DXC facilities or DXC personnel is required to respond to auditor questions or provide evidence of compliance to controls. Access to DXC facilities requires 22 business days prior notice. Access to DXC personnel requires 10 business days prior notice. DXC Technology Page 5

6 1.3.2 Datacenter Security Contact DXC Account Team to request this option. All Customer audits are subject to the requirements described in Section 1.7 (Customer Audits) of the Managed VPC Solution Pack Service Overview (Datacenter Security) This section describes the minimum basic controls in place at data centers hosting Managed VPC environments. Additional controls may exist and vary by location Responsibility Matrix (Datacenter Security) The table below describes Security Service components for Datacenter Security along with responsibilities related to these components. (a) Asset Management (b) Physical Security Perimeters (c) Secure Disposal of Media Maintain an inventory of physical assets in the DXC data center. Provide multiple physical perimeters with restricted access to sensitive areas of the DXC data center. Provide access controls employing electronic badges and a second factor (i.e. passcode or biometrics). Securely erase data before reuse of media and securely dispose of media that is physically decommissioned and not reused. DXC Technology Page 6

7 (d) Guards Provide 24x7 guards to patrol and monitor the DXC data center. (e) Video Surveillance (f) Redundant Infrastructure (g) Wireless Access Point Scanning Provide monitoring and recording of entry and exit points in and around the DXC data center. Provide redundant power to be available in the forms of multiple power feeds where possible and backup power in all locations. Perform quarterly scans to detect and remove unauthorised wireless access points allowing connectivity to the VPC infrastructure Encryption and Key Management Service Overview (Encryption and Key Management) This section describes the encryption related services currently available for Managed VPC Responsibility Matrix (Encryption and Key Management) The table below describes Security Service components for Encryption and Key Management along with responsibilities related to these components. (a) Encryption of Off-Site Backup Tapes Included when Customer purchases off-site backup services DXC Technology Page 7

8 Encrypt data backed up to tape for removal to off-site storage. as described in the Managed VPC Backup Solution Pack Governance and Risk Management Service Overview (Governance and Risk Management) This section describes services performed by DXC to manage risk within the Managed VPC delivery environment and to prevent configuration drift. There are no Customer deliverables or ordering options associated with any services listed below. DXC reserves the right to test or scan any Managed Server(s) for security issues at any time Responsibility Matrix (Governance and Risk Management) The table below describes Security Service components for Governance and Risk Management and responsibilities related to these components. (a) Annual Risk Assessment Conduct a risk assessment of the Managed VPC Service offering at least annually. (b) Security Policy Configure Customer VPC servers (Managed and Unmanaged Servers) and infrastructure with settings compliant to DXC policies. Never circumvent or disable DXC provided security settings, tools, or controls without DXC authorization. Determine the appropriate security policy for Customer Managed operating systems. DXC Technology Page 8

9 (c) Server Policy Compliance Scanning Conduct compliance scans on any Managed Server(s) without notice. (d) Server Policy Compliance Scanning Reports Provide access to Server Policy Compliance Scanning Reports on VPC servers in the Customer s VPC compartment. Identify Customer VPC servers (Managed and Unmanaged Servers) to be included in the scanning report. Recurring monthly Charge per server. Orderable through Managed Services Portal. Scanning may occur on any frequency deemed appropriate by the Customer, as frequently as weekly. Select servers may be scanned more frequently than weekly in troubleshooting circumstances, but not as a routine Identity and Access Management Service Overview (Identity and Access Management) This section outlines the controls in place for account management, access management, and authentication. Administrative access to Managed Servers is subject to DXC control with only temporary access provided to the Customer during which period the server s availability SLAs will be suspended. DXC support personnel will not have access to Unmanaged Servers, so it is the Customer s responsibility to manage access to those servers Responsibility Matrix (Identity and Access Management) The table below describes Security Service components for Identity and Access Management along with responsibilities related to these components. (a) DXC Administrative Access Cause all DXC support personnel to securely authenticate with an individually identifiable access method and a minimum of 2-factor authentication before DXC Technology Page 9

10 accessing the Customer s VPC compartment. (b) Customer Administrative Access Upon request from an authorised requester, allow temporary administrative access to Managed Servers. Provide a permanent administrative account for Unmanaged Servers. (c) Role d Access Control Determine DXC support personnel access based upon job role and subject to an authorised approver. (d) Password Controls Configure password controls on Customer VPC servers (Managed and Unmanaged Servers) and infrastructure to comply with current DXC password policies. (e) User Access Authorization Require and record authorization for Managed VPC provisioned access credentials. (f) User Access Reviews Conduct quarterly reviews of all elevated access permissions to VPC DXC Technology Page 10

11 systems for DXC personnel. (g) User Access Revocation Remove access for DXC personnel whose access is no longer appropriate. Remove access for Customer personnel as directed by authorised requester. Notify DXC of any Customer user access which is no longer required. (h) Accountability Ensure DXC user accounts are traceable to an individual and are not shared. Assume responsibility for any actions performed by Customer employees. (i) Multi-Factor Authentication on the Managed Services Portal Cause the Managed Services Portal to be federated with Authentication Authority for two factors of authentication for all accounts before access is granted to the Managed Services Portal. If Customer does not provide their own 2 nd factor service for Managed Services Portal authentication, DXC will supply a 2 nd factor service for up to five Customer users at no charge. Identify and supply an LDAP or AD compatible If the Customer does not have an LDAP or AD compatible Authentication Authority for 1 st factor authentication, this can be purchased as a service from DXC. DXC Technology Page 11

12 Authentication Authority for 1 st factor authentication to be federated with the Managed Services Portal for authenticating Customer users with a username and password. Identify and supply a RADIUS compatible Authentication Authority for 2 nd factor authentication to be federated with the Managed Services Portal or purchase the service from DXC. Cause all Customer users of the Managed Services Portal to maintain reasonably secure password credentials (keep credentials secret and use industry standard complexity requirements) Infrastructure and Virtualization Security Service Overview (Infrastructure and Virtualization Security) This section describes services related to infrastructure and virtualization security Responsibility Matrix (Infrastructure and Virtualization Security) The table below describes Security Service components for Infrastructure and Virtualization Security along with responsibilities related to these components. (a) Time Synchronization of Management Infrastructure Cause all Managed VPC infrastructure systems to synchronize with a central and consistent time source. DXC Technology Page 12

13 (b) Customer Dedicated Virtual Firewall Cause virtual firewall instance to be dedicated to Customer and configure rules into and out of the Customer compartment as directed by the Customer and as required by DXC to provide the contracted support. Notify DXC of any changes to the firewall rules as required by the Customer or use a DXC provided interface to apply such rules. (c) Customer Segregation Multiple firewalls are configured to prevent routing between Customer compartment and other tenant compartments. (d) OS Hardening Configure Managed VPC operating systems to then current pre-hardened DXC Gold Images. (e) Virtual Server Access Configure virtualization layer so that access through the virtualization layer to Virtual Server operating systems is not allowed. Access Virtual Server operating systems as required from Customer compartments via jump servers. DXC Technology Page 13

14 1.3.7 Security Incident Management, E-Discovery and Cloud Forensics Service Overview (Security Incident Management, E-Discovery and Cloud Forensics) This section describes services related to management of security incidents and events Responsibility Matrix (Security Incident Management, E-Discovery and Cloud Forensics) The table below describes Security Service components for Security Incident Management, E-Discovery and Cloud Forensics along with responsibilities related to these components. (a) Security Incident Management (b) E-Discovery & Cloud Forensics (c) Evidence Gathering for Customer Employ 24x7 monitoring and triage of securityrelated events with escalation for resolution and/or Incident management. Notify the designated Customer contact of any material security Incidents directly impacting the Customer. Manage Customer security incidents. Notify the designated DXC contact of any material security incidents directly impacting the VPC environment. Designate Customer contact to receive notification of material security incidents Provide E-Discovery & Cloud Forensics services under direction of the Customer. Subscribe to or purchase ad-hoc services if or as desired. Provide copies of data or evidence appropriate for Subscription or ad-hoc services available Contact DXC Account Team to request quotation. This service is provided from a separate DXC organization to provide a level of separation. Contact DXC Account Team to request quotation. DXC Technology Page 14

15 Managed Incidents chain of custody requirements as required. Protect the availability and confidentiality of the data of other customers. Provide DXC with detailed requests for data gathering if and when required Threat and Vulnerability Management Service Overview (Threat and Vulnerability Management) This section describes services related to the discovery and management of malicious code and vulnerabilities. DXC reserves the right to scan any Customer VPC servers (Managed and Unmanaged Servers) for security issues and vulnerabilities at any time Responsibility Matrix (Threat and Vulnerability Management) The table below describes Security Service components for Threat and Vulnerability Management along with responsibilities related to these components. (a) Antivirus Software on Windows Cause antivirus software to be installed and maintained on all Managed Servers using Windows OS. Configure signature updates to occur continuously or daily. Install and manage antivirus software on all Unmanaged Servers using Windows OS. (b) Antivirus Software on Linux Cause antivirus software to be installed and maintained on designated Managed Servers using Linux OS. Configure signature updates to occur continuously or daily. Recurring monthly Charge per server Orderable through Managed Services Portal. The agent scans for Windows virus signatures on the Linux managed volumes. DXC Technology Page 15

16 (c) Patch Management Cause patches for Managed VPC operating systems to be tested and installed on a regular cycle and as deemed appropriate by DXC. Avoid unnecessary deferrals of patching for Customer VPC servers (Managed and Unmanaged Servers). Cause patches for Unmanaged Servers operating systems to be installed within a reasonable time. (d) Vulnerability Scanning Conduct vulnerability scans on any Customer VPC servers (Managed and Unmanaged Servers) without notice or restriction. (e) Vulnerability Scanning Reports Provide access to vulnerability scanning reports on servers in the Customer s VPC compartment. Identify servers to be included in the scanning report. Recurring monthly Charge per server Orderable through Managed Services Portal. Scanning may occur on any frequency deemed appropriate by the Customer, as frequently as weekly. Select servers may be scanned more frequently than weekly in troubleshooting circumstances, but not as a routine. DXC Technology Page 16

17 (f) External Vulnerability Scanning Reports Provide Customer a selfservice vulnerability scan of public facing IP addresses using a scanner on the public Internet. Deliver an external vulnerability scan report. One time Charge per server per scan Orderable through Managed Services Portal. Scanning may occur on any frequency deemed appropriate by the Customer. Scanning is fully automated Regulatory Compliance Service Overview (Regulatory Compliance) This section describes features and services not mentioned elsewhere that are important for various compliance requirements Responsibility Matrix (Regulatory Compliance) The table below describes Security Service components for Regulatory Compliance along with responsibilities related to these components. (a) HIPAA Conduct infrastructure, operating system, and server management in a manner compliant with HIPAA requirements. Available at no additional cost to Customer. Identify and provide or purchase security options as required to meet HIPAA requirements (if any) applicable to the Customer Managed VPC Continuity Service Security Supplement Service Overview (Managed VPC Continuity - Security Supplement) This section describes the additional layers of security that apply when select disaster recovery services described in the Managed Virtual Private Cloud Continuity ( Managed VPC Continuity ) Solution Pack are purchased by the Customer for Managed Servers in conjunction with Managed VPC Services. These Managed VPC Continuity security service component s will apply in the event of a conflict with any or al security services components stated elsewhere in this Managed VPC Security Features Solution Pack. DXC Technology Page 17

18 Responsibility Matrix (Managed VPC Continuity - Security Supplement) The table below describes Security Service components for Managed VPC Continuity along with responsibilities related to these components. (a) Physical Security Perimeters (b) Perimeter Network Intrusion Prevention System (NIPS) (c) DXC Administrative Access (d) Customer Dedicated Virtual Firewall Provide multiple physical perimeters with restricted access to sensitive areas of the DXC data center. Provide access controls employing electronic badges and a second factor authentication (i.e. passcode or biometrics). Place Network Intrusion Prevention Sensors (NIPS) on the perimeter of the infrastructure to filter all inbound traffic. Maintain and tune the NIPS filters as deemed appropriate by DXC. Cause all DXC support personnel to securely authenticate with an individually identifiable access method and a minimum of 2-factor authentication before accessing the Customer s VPC compartment. Cause virtual firewall instance to be dedicated to Customer and configure rules into and out of the Customer compartment as directed by the Customer and as required by DXC to Standard feature when purchasing Managed VPC Continuity Service Standard feature when purchasing Managed VPC Continuity Service Standard feature when purchasing Managed VPC Continuity Service Standard feature when purchasing Managed VPC Continuity Service DXC Technology Page 18

19 provide the contracted support. Notify DXC of any changes to the firewall rules as required by the Customer or use a DXC provided interface to apply such rules. (e) Customer Segregation Configure multiple firewalls to prevent routing between Customer compartment and other tenant compartments. Standard feature when purchasing Managed VPC Continuity Service (f) Virtual Server Access Configure virtualization layer so that access through the virtualization layer to Virtual Server operating systems is not allowed. Access Virtual Server operating systems as required from Customer compartments via jump servers. Standard feature when purchasing Managed VPC Continuity Service (g) Encryption in Transit Provide an encryption capability for Customer use when transmitting Customer Data over the public Internet. Standard feature when purchasing Managed VPC Continuity Service (h) Secure Data Deletion Subject SAN-attached discs to a three (3) pass wipe process when removing from operational use. Standard feature when purchasing Managed VPC Continuity Service DXC Technology Page 19

20 DXC Technology Page 20

21 2. Service Levels 2.1 Overview This section describes Service Levels for the Security Services, the manner in which they are measured and reported, and the consequences of Faults. 2.2 Service Levels and Credits Security Services are included in Managed VPC Service Levels and Service Credit calculations specified in the Managed VPC Solution Pack. No additional Service Levels apply to al Security Services specified in this Managed VPC Security Features Solution Pack unless otherwise noted in the section of the relevant table. DXC Technology Page 21

22 3. Charges The following terms apply in addition to those set forth in the Managed VPC Solution Pack. 3.1 Security Service Related Charges Customer agrees to pay one-time Charges and recurring service Charges applicable to Security Services expressly as documented in approved Order(s). 3.2 Costs and Expenses DXC Charges include the services expressly described by Section 1, Statement of Work of this Managed VPC Security Features Solution Pack. Customer remains responsible for all of its other costs and expenses related to receipt and use of the Security Services, including those related to Managed VPC Services. DXC Technology Page 22

23 Solution Pack Revision History Offering: Managed Services Virtual Private Cloud Security Features Solution Pack Version# Offering Release# Revision Date Section Reference(s) Description of Change V1.0 R Dec V1.1 R Dec-2016 All Conversion from Hewlett Packard Enterprise to Enterprise Services, LLC as contracting party. V2.0 R Apr-2017 All (a) Conversion from Enterprise Services LLC to DXC Technology V2.1 R Jun V2.2 R Sep All (b) Applied updates from Cloud Terms Glossary (c) Removed Perimeter Network Intrusion Prevention System Protection as a Managed VPC Feature for all new business. To be replaced with an improved service option in a future release. DXC Technology Page 23