Commercial in Confidence Page 1 of 12
Safewall Bronze - Product Specification
1. Introduction
This document contains product information for the Safewall Bronze service. If you require more
detailed technical information, please contact your Account Manager.
2. Service Definition
2.1. Service Overview
Spark Digital’s Safewall Bronze service enables customers to outsource the management of their
firewalls to Spark Digital. Spark Digital uses specialist security experts to manage the firewall
efficiently and to provide security to a level that would be difficult and expensive for customers to
replicate in-house. By outsourcing this function to Spark Digital, customers should be able to reduce
their operational investment in security and in-house IT departments and concentrate on core
business services.
The Safewall Bronze service is a combination of Cisco ASA and Juniper SRX technologies, and Spark
Digital’s support processes. The Safewall Bronze offering includes Cisco ASA and Juniper SRX
Firewall platforms, mature service management processes, 24x7 event management, 24x7 incident
management, and qualified security professionals performing scheduled checks and maintenance
activities.
2.2. Standard Service Features
The key features of the Safewall Bronze service are:
Spark Digital Design and Integration
Spark Digital consultants and/or design work locally with the customer to provision the security device
under management or for complex changes (mini-projects) required during the term of the Service
Schedule.
Security Operations Management
Qualified security professionals performing scheduled procedural checks and invoking the
required maintenance activities.
Scheduled backup of system configuration.
Defined mature Standard Operating Procedures.
Receiving security notifications from OEM suppliers.
Assessing and classifying security notifications to determine impacts and recommended actions.
Maintaining and managing security updates to the managed firewalls. Upgrades are classed as
Minor and Major, and performed in accordance with the Change Management process.
Change Request Management
Logging, categorising and prioritising Changes.
Managing Change Requests in accordance with the standard Change Control process, which has
specific authorisation, impact assessment and approval processes.
Implementing Change Requests.
Event Management
Defining and implementing triggers in monitoring systems that will generate Events.
Detecting and logging Events.
Initially classifying Events into information, warnings and critical Events.
Assessing Events to determine impacts and actions, including escalations as required.
Managing event related actions in accordance with predefined plans.
Incident management
Spark Digital’s Service Desk will log calls and escalate to Spark Digital’s Level 2 Security
Operations Centre (“SOC”). Level 2 SOC will validate, classify, categorise, prioritise, provide
updates, monitor and track reported Incidents through to closure.
Where the Level 2 SOC is unable to resolve Incidents at first point of contact, it will assign the
Incident to the Level 3 SOC and will monitor progress to resolution.
Undertake remote investigation, diagnosis and resolution (by workarounds and/or fixes) to restore
the Managed Infrastructure to normal operations.
Co-ordinate technicians to perform onsite warranty repair (including Return to Base) and/or
replacement.
Managing equipment stores, including spare units/parts, swap pools and loan equipment.
Co-ordination with vendors on warranty repairs, replacements and assistance on Incidents where
advanced technical support is required.
Customer Interfaces
The local customer interface is a read only interface which details information relating to the
firewall configuration, device logs and network statistics.
Documentation
Spark Digital ensures that the Firewall documentation created by implementation and migration
projects is kept up to date, together with any changes made to the systems and/or infrastructure.
Safewall Bronze service feature summary – Standard / Optional
Safewall - Bronze Service Options Standard Standard
Firewall Technology Cisco ASA Juniper SRX
System Functions Supported
Firewall Y Y
VPN Site to Site IPSec Y Y
Remote Access Client VPN Y Y
Clientless VPN - license Y Y, 5 concurrent
Clientless VPN – additional licenses Y Y
Web filtering N Optional license
Routing N Y
Deep Inspection/IPS N Optional license
Integrated Antivirus N Optional license
SPAM & Phishing blocking N Optional license
VLANs Y Y
Virtual contexts N Y
Customer Interface (read-only access) Y Y
Modules
ADSL N N
Wireless N N
Firewall Supply
Spark Digital owned Firewalls Y Y
Client owned Firewalls Y Y
Event Management
Management Connectivity, Firewall platform performance and availability Y Y
Security event management N N
Event correlation N N
Incident Management Y Y
Security Operations Management
Backing up system configuration Y Y
Vendor security update assessments and implementation (where required) Y Y
Log file management – on device N Y
Local syslog feed Y Y
Log file backup N N
Log file management – external to device, archival and retention N N
Change Request Management Y Y
Simple Changes (e.g. Rule) $120 $120
Complex Change $220 per hour $220 per hour
Upgrades
Minor Release Y Y
Major Release T&M T&M
Onsite Work T&M T&M
Management Link
Internet VPN (Default) Y Y
Dedicated Management Connectivity POA POA
Table 1 - Key: Y = Yes, N = No, T&M = Time and Materials, POA = Price On Application.
2.3. Service Options
Additional Optional Features are available as listed in Table 1.
2.4. Service Management
Spark Digital Service Desk Systems and Call Tracking
The Safewall Service Desk is available 24x7x365. Service Requests/MACs should be forwarded to
[email protected] and the Digital Safewall Service Desk can be contacted at
0800 4 SECURITY.
Spark Digital Service Delivery and Device Restoration
The Spark Digital service delivery team provides onsite restoration activities when necessary. For
equipment residing outside of New Zealand, support is provided by Spark Digital support partners.
Secure Management Connectivity
Management is performed over an encrypted VPN tunnel via the customer’s existing internet
connection, or when other Spark Digital or Safecom services are also required (e.g. Mail Content
Filtering and Anti-Virus).
All management traffic uses strong encryption protocols to maintain privacy between the firewall
and the management systems.
2.5. Customer Responsibilities
There are certain aspects of the firewall system that the customer will retain responsibility for:
Pre Implementation
Provide input into the data gathering process. Pre-requisite work may be required to bring your
infrastructure up to an agreed level.
Security Policies
These belong to you and you retain the responsibility for the end-to-end security and firewall policies
in place for your organisation.
Customer Site Hardware & Software
The devices must remain under the supportable parameters of the managed Safewall Bronze service.
Other Network Devices
The Safewall Bronze service does not cover the management of any other network devices.
Internet Access & Usage
You will retain responsibility for internet access, bandwidth, usage and availability.
Authorized Support Contacts
For security reasons requests for assistance and fault reporting can only be accepted from your
authorised contacts. This will require you to provide an initial central point of contact within your own
organisation before contacting us for support. It is your responsibility to update this list and to inform
us of any changes.
Assistance provided by Spark Digital on any of the above may be considered outside of the service
offering and will be subject to the charge structure within the MAC process.
2.6. Service Implementation
Safewall Bronze service deployment and customer requirements
The Safewall Bronze service implementation team will work with you until the service is in place,
tested, commissioned and handed over to the Security Operations Centre.
Safewall Bronze
Pre-Sales
Service Implementation Team: Scope pre-implementation work and estimate of costs. This is normally a teleconference or site visit and up to a maximum of two hours of free work to define contractual requirements and the pre-implementation fees.
Customer Requirements: Customer provides accurate information on network topology required for Policy creation. Customer reviews Secure Business Internet Service Schedule. Customer enters into a Secure Business Internet Service Schedule.

Installation and Implementation
Service Implementation Team: Spark Digital Safewall Service Implementation Team undertakes installation and implementation.
Customer Requirements: Customer assists Spark Digital Safewall Service Implementation Team with installation requirements as specified in the Technical Specifications, the Test Plan and by the Spark Digital Safewall Service Implementation Team specialists.

Planning
Service Implementation Team: Create Technical Specification. Define Preliminary Configuration.
Customer Requirements: Customer provides accurate information for the development of the Technical Specification, including the initial Policy. If the initial Policy is not available then professional ICT consulting services will be required to develop it. A test plan is developed to test the security device and the Policy. Customer agrees and signs off the Policy and the Test Plan.

Policy Tuning
Service Implementation Team: Finalise the Policy with Customer, including minor Policy Changes (e.g. simple rule set changes, IP addressing). Modify the Technical Specification, if required. Perform MACs to the Customer’s request and advise rework costs, if any.
Customer Requirements: Customer test of the Service through security device using the Test Plan as above. The Customer may request additional Policy Changes and/or MACs to cover other non-minor changes (e.g. additional VPNs or network re-design). Customer agrees and signs off the Policy with Policy Changes.

Transfer to Security Operations Centre
Service Implementation Team: Transfer to the Security Operations Centre for 24x7 business as usual (BAU) management. Spark Digital initiates the Security Operations Centre welcome call. Billing commences, including any applicable installation and implementation MAC fees.
Customer Requirements: Customer signs off the Safewall Bronze installation and implementation. Customer reviews support documentation and updates internal procedures as required.
2.7. Service Boundaries
Customer-end internet access, bandwidth and management of this connection are not part of the
standard Safewall Bronze service. Customer devices, other than the security device(s), will not be
managed or monitored as part of the Safewall Bronze service.
3. Service Targets
This section lists the following:
Functional performance targets – performance targets of the Safewall Bronze service itself.
Service delivery performance targets – performance targets for Spark Digital’s delivery of the
Safewall Bronze service.
Provisioning/change performance targets – performance targets for Spark Digital’s
implementation of and changes to the Safewall Bronze service.
The standard service levels listed in this section apply equally to all sites unless otherwise specified in
the service targets below. If the customer requires higher service levels than the standard service targets,
these are available as defined in the service target options set out in Section 3.2. Service target
options can be selectively applied to sites nominated by the customer, with the standard service
targets applying to the remaining sites.
3.1. Functional Performance Targets
Service Attribute: Service response and restoration
Attribute Definition: The elapsed time, during Normal Service Hours, from when Spark Digital has diagnosed a hardware failure and notification that the Service is restored to the defined levels.
Performance Target (Response and restoration), with Exclusions and Notes:
24x7x4 hours: Within 50 km of Auckland, Wellington, Christchurch, Hamilton, Dunedin, Whangarei, Rotorua, Tauranga, Palmerston North, Hastings, New Plymouth, Gisborne, Nelson, Invercargill.
24x7x6 hours: Outside the 24x7x4 locations NZ wide.
Outside of NZ: Dependent on Spark Digital Partner support package available. Detailed in the Service Schedule.

Service Attribute: Centrally resolved restoration
Attribute Definition: For Faults that can be resolved centrally from the SOC Service desk. The elapsed time between Call Reception or Alarm Notification and notification that service is restored to the defined levels.
Performance Target: Severity 1 within 4 hours. Severity 2 within 8 hours. Severity 3 within 48 hours. Severity 4 as Agreed.
Exclusions and Notes: Excluding Hardware and Onsite components.

Service Attribute: Standard Maintenance Window
Attribute Definition: The period when routine maintenance can be undertaken on the security device and Management Systems.
Performance Target: Between 2am and 7am Sunday.
Exclusions and Notes: Or by arrangement.
3.2. Service Delivery Performance Targets
# Severity Severity Definition
1 Critical Requires immediate corrective action.
Problems that render systems and/or critical functionality unusable.
2 High Requires prompt corrective action.
Problems severely affecting system usage and service levels to end-users which
present a high threat.
3 Medium Requires managed restoration.
Problems that do not significantly impair the functioning of the system and do not
significantly affect service to the end user.
4 Low Requires managed restoration.
Problems with no impact to system functionality or service to end-users.
Service Attribute: Call Reception
Attribute Definition: The elapsed time for Spark Digital answering incoming telephone calls from Customers.
Performance Target: Call Response: Within 20 seconds.
Exclusions and Notes: During Normal Service Hours. The Safewall Service Desk can be contacted at 0800 NZSECURE.

Service Attribute: Alarm Notification
Attribute Definition: The elapsed time between a service-impacting alarm occurring and the Customer being notified that it has occurred and is being investigated.
Performance Target: Within 30 minutes of alarm occurrence.
Exclusions and Notes: During Normal Service Hours.

Service Attribute: Initial Restoration Update
Attribute Definition: The elapsed time between Call Reception or alarm occurrence and the Customer being notified that initial diagnosis is completed.
Performance Target: Within 60 minutes.
Exclusions and Notes: During Normal Service Hours. An estimated restore time will be provided, if known.

Service Attribute: Progress Updates
Attribute Definition: Updates on the status of service restoration activity.
Performance Target: Hourly for Severity 1.
Exclusions and Notes: Or as otherwise agreed.

Service Attribute: Billing Enquiry Response
Attribute Definition: The elapsed time between Call Reception of a billing enquiry and response to the Customer.
Performance Target, with Exclusions and Notes:
Within 48 Normal Service Hours: Single account, with account arrears less than 90 days.
By agreement: Multiple accounts, or account arrears more than 90 days.
3.3. Provisioning/Change Targets
Service Attribute: Policy Change Requests (MACs)
Attribute Definition: The elapsed time between a Change Request being received and acknowledgement of receipt.
Performance Target: Within 2 Normal Service Hours.
Exclusions and Notes: Received at admin-
Attribute Definition: The elapsed time between a Change Request being received and advice of an initial assessment.
Performance Target: Within 48 Normal Service Hours.
Exclusions and Notes: Received at admin- If possible an expected delivery date/time for the change will be confirmed.
Attribute Definition: The elapsed time between a Change Request being completed and advising that it is ready for testing by the Customer.
Performance Target: Within 24 Normal Service Hours.

Service Attribute: Planned Outage Notification - weekly
Attribute Definition: Notice of any maintenance that could cause a service outage to Customer.
Performance Target, with Exclusions and Notes:
Weekly Maintenance Window, 5 days: Not all maintenance will necessarily cause an outage to a Customer.
Outside Weekly Maintenance Window, 10 days: Not all maintenance will necessarily cause an outage to a Customer.

Service Attribute: Emergency Maintenance
Exclusions and Notes: As much notice as possible will be given where emergency maintenance is required.
4. Standard Fees And Invoicing
4.1. Invoicing
Customer Fees may include one or more of the following:
Installation Fees
Implementation fees are invoiced in arrears and cover items such as installation, configuration, testing,
activation and handover.
Project Management Fees
Project Management fees are invoiced in arrears and cover items such as organising customer and
third party resources and equipment, achieving project budgets, timeframes and deliverables, and
minimising project risk.
Monthly Fees
Monthly fees are invoiced in advance and cover the provision and management of the Safewall
Bronze services included in the customer’s Service Schedule. Fixed monthly fees are applicable from
the date that Spark Digital advises the customer that the service is capable of being used between the
designated service delivery points. Spark Digital is not responsible for the customer’s non-use of the
service due to implementation delays beyond the service delivery points.
Variable Fees
Any applicable variable fees, for example associated with time, volume or usage, are normally
invoiced monthly in arrears.
Miscellaneous Fees
One-time fees are typically invoiced monthly in arrears and apply to e.g. new installations, relocations,
and configuration changes requested by the customer.
Agreement Variation
Changes that alter monthly billing fees or require additional service installation fees will require an
agreement variation in writing which is signed by the Customer and Spark Digital.
4.2. Moves Adds and Changes (MACs)
Simple MAC – Single Change
A simple MAC is a modification to an existing policy and is specific to the Customer and the Safewall
Service currently subscribed to. A simple MAC does not require detailed investigation or analysis by
Spark Digital and does not change the underlying Safewall network or Safewall security configuration
(e.g. modifying an existing Security Device Policy). A simple MAC is considered to be non-urgent and
the timeframe for completion of the work is to be agreed between the Safewall support group and the
Customer. Urgent simple MAC requests are considered to be complex MACs.
Complex MACs:
Spark Digital and the customer will treat complex MACs as a project for which a timetable and charges
will be agreed.
Complex MAC requests normally require detailed investigation or design work to implement. Complex
MAC requests will be analysed for security and operational impact and will only affect the Customer’s
existing Safewall Service. The fees and timeframe for completion will be agreed between the Security
Operations Centre and the Customer before implementation.
All Complex MACs are reviewed before being accepted for implementation. Any request which Spark
Digital considers to be outside the above MAC definitions will be treated as an ad hoc implementation
project and will be handled by a Terms of Reference document to be agreed with the Customer.
All MACs will be carried out at Spark Digital's discretion during the agreed service hours. There is an
additional charge for implementing MACs at a specific time requested by the customer.
Description Fee
Simple MAC (Configuration Change) – up to 30 mins $120 per change
Complex MAC (Per Hour) – Time and Materials $220 per hour
APPENDIX 2
Safewall Equipment
The Safewall Equipment (Hardware and Software) delivered as part of this Service is listed below:
1) Item 1
2) Item 2
<<NOTE TO ACCOUNT MANAGER: Copy and paste equipment list here if it is to be attached to this
Service Schedule, otherwise delete this Appendix. >>