
Post on 21-Aug-2020


Commercial in Confidence Page 1 of 12

Safewall Bronze - Product Specification

1. Introduction

This document contains product information for the Safewall Bronze service. If you require more detailed technical information, please contact your Account Manager.

2. Service Definition

2.1. Service Overview

Spark Digital’s Safewall Bronze service enables customers to outsource the management of their firewalls to Spark Digital. Spark Digital uses specialist security experts to manage the firewall efficiently and to provide security to a level that would be difficult and expensive for customers to replicate in-house. By outsourcing this function to Spark Digital, customers should be able to reduce their operational investment in security and in-house IT departments and concentrate on core business services.

The Safewall Bronze service is a combination of Cisco ASA and Juniper SRX technologies, and Spark Digital’s support processes. The Safewall Bronze offering includes Cisco ASA and Juniper SRX Firewall platforms, mature service management processes, 24x7 event management, 24x7 incident management, and qualified security professionals performing scheduled checks and maintenance activities.

2.2. Standard Service Features

The key features of the Safewall Bronze service are:


Spark Digital Design and Integration

Spark Digital consultants and/or design work locally with the customer to provision the security device under management or for complex changes (mini-projects) required during the term of the Service Schedule.

Security Operations Management

Qualified security professionals performing scheduled procedural checks and invoking the required maintenance activities.

Scheduled backup of system configuration.

Defined mature Standard Operating Procedures.

Receiving security notifications from OEM suppliers.

Assessing and classifying security notifications to determine impacts and recommended actions.

Maintaining and managing security updates to the managed firewalls. Upgrades are classed as Minor and Major, and performed in accordance with the Change Management process.

Change Request Management

Logging, categorising and prioritising Changes.

Managing Change Requests in accordance with the standard Change Control process, which has specific authorisation, impact assessment and approval processes.

Implementing Change Requests.

Event Management

Defining and implementing triggers in monitoring systems that will generate Events.

Detecting and logging Events.

Initially classifying Events into information, warnings and critical Events.

Assessing Events to determine impacts and actions, including escalations as required.

Managing event related actions in accordance with predefined plans.

Incident management

Spark Digital’s Service Desk will log calls and escalate to Spark Digital’s Level 2 Security Operations Centre (“SOC”). Level 2 SOC will validate, classify, categorise, prioritise, provide updates, monitor and track reported Incidents through to closure.

Where the Level 2 SOC is unable to resolve Incidents at first point of contact, it will assign the Incident to the Level 3 SOC and will monitor progress to resolution.

Undertake remote investigation, diagnosis and resolution (by workarounds and/or fixes) to restore the Managed Infrastructure to normal operations.

Co-ordinate technicians to perform onsite warranty repair (including Return to Base) and/or replacement.

Managing equipment stores, including spare units/parts, swap pools and loan equipment.


Co-ordination with vendors on warranty repairs, replacements and assistance on Incidents where advanced technical support is required.

Customer Interfaces

The local customer interface is a read only interface which details information relating to the firewall configuration, device logs and network statistics.

Documentation

Spark Digital ensures that the Firewall documentation created by implementation and migration projects is kept up to date, together with any changes made to the systems and/or infrastructure.

Safewall Bronze service feature summary – Standard / Optional

| Safewall - Bronze Service Options | Standard | Standard |
| --- | --- | --- |
| Firewall Technology | Cisco ASA | Juniper SRX |
| System Functions Supported | | |
| Firewall | Y | Y |
| VPN Site to Site IPSec | Y | Y |
| Remote Access Client VPN | Y | Y |
| Clientless VPN - license | Y | Y, 5 concurrent |
| Clientless VPN – additional licenses | Y | Y |
| Web filtering | N | Optional license |
| Routing | N | Y |
| Deep Inspection/IPS | N | Optional license |
| Integrated Antivirus | N | Optional license |
| SPAM & Phishing blocking | N | Optional license |
| VLANs | Y | Y |
| Virtual contexts | N | Y |
| Customer Interface (read-only access) | Y | Y |
| Modules | | |
| ADSL | N | N |
| Wireless | N | N |
| Firewall Supply | | |
| Spark Digital owned Firewalls | Y | Y |
| Client owned Firewalls | Y | Y |
| Event Management | | |
| Management Connectivity, Firewall platform performance and availability | Y | Y |
| Security event management | N | N |
| Event correlation | N | N |
| Incident Management | Y | Y |
| Security Operations Management | | |
| Backing up system configuration | Y | Y |
| Vendor security update assessments and implementation (where required) | Y | Y |
| Log file management – on device | N | Y |
| Local syslog feed | Y | Y |
| Log file backup | N | N |
| Log file management – external to device, archival and retention | N | N |
| Change Request Management | Y | Y |
| Simple Changes (e.g. Rule) | $120 | $120 |
| Complex Change | $220 per hour | $220 per hour |
| Upgrades | | |
| Minor Release | Y | Y |
| Major Release | T&M | T&M |
| Onsite Work | T&M | T&M |
| Management Link | | |
| Internet VPN (Default) | Y | Y |
| Dedicated Management Connectivity | POA | POA |

Table 1 - Key: Y = Yes, N = No, T&M = Time and Materials, POA = Price On Application.

2.3. Service Options

Additional Optional Features are available as listed in Table 1.

2.4. Service Management

Spark Digital Service Desk Systems and Call Tracking

The Safewall Service Desk is available 24x7x365. Service Requests/MACs should be forwarded to [email protected] and the Digital Safewall Service Desk can be contacted at 0800 4 SECURITY.

Spark Digital Service Delivery and Device Restoration

The Spark Digital service delivery team provides onsite restoration activities when necessary. For equipment residing outside of New Zealand support is provided by Spark Digital support partners.

Secure Management Connectivity

Management is performed over an encrypted VPN tunnel via the customer’s existing internet connection, or when other Spark Digital or Safecom services are also required (e.g. Mail Content Filtering and Anti-Virus).


All management traffic uses strong encryption protocols to maintain privacy between the firewall and the management systems.

2.5. Customer Responsibilities

There are certain aspects of the firewall system that the customer will retain responsibility for:

Pre Implementation

Provide input into the data gathering process. Pre-requisite work may be required to bring your infrastructure up to an agreed level.

Security Policies

These belong to you and you retain the responsibility for the end-to-end security and firewall policies in place for your organisation.

Customer Site Hardware & Software

The devices must remain under the supportable parameters of the managed Safewall Bronze service.

Other Network Devices

The Safewall Bronze service does not cover the management of any other network devices.

Internet Access & Usage

You will retain responsibility for internet access, bandwidth, usage and availability.

Authorized Support Contacts

For security reasons requests for assistance and fault reporting can only be accepted from your authorised contacts. This will require you to provide an initial central point of contact within your own organisation before contacting us for support. It is your responsibility to update this list and to inform us of any changes.

Assistance provided by Spark Digital on any of the above may be considered outside of the service offering and will be subject to the charge structure within the MAC process.

2.6. Service Implementation

Safewall Bronze service deployment and customer requirements

The Safewall Bronze service implementation team will work with you until the service is in place, tested, commissioned and handed over to the Security Operations Centre.


| Safewall Bronze | Service Implementation Team | Customer Requirements |
| --- | --- | --- |
| Pre-Sales | Scope pre-implementation work and estimate of costs. This is normally a teleconference or site visit and up to a maximum of two hours of free work to define contractual requirements and the pre-implementation fees. | Customer provides accurate information on network topology required for Policy creation. Customer reviews Secure Business Internet Service Schedule. Customer enters into a Secure Business Internet Service Schedule. |
| Installation and Implementation | Spark Digital Safewall Service Implementation Team undertakes installation and implementation. | Customer assists Spark Digital Safewall Service Implementation Team with installation requirements as specified in the Technical Specifications, the Test Plan and by the Spark Digital Safewall Service Implementation Team specialists. |
| Planning | Create Technical Specification. Define Preliminary Configuration. | Customer provides accurate information for the development of the Technical Specification, including the initial Policy. If the initial Policy is not available then professional ICT consulting services will be required to develop it. A test plan is developed to test the security device and the Policy. Customer agrees and signs off the Policy and the Test Plan. |
| Policy Tuning | Finalise the Policy with Customer, including minor Policy Changes (e.g. simple rule set changes, IP addressing). Modify the Technical Specification, if required. Perform MAC’s to the Customer’s request and advise rework costs, if any. | Customer test of the Service through security device using the Test Plan as above. The Customer may request additional Policy Changes and/or (MAC’s) to cover other non-minor changes (e.g. Additional VPN’s or Network re-design). Customer agrees and signs off the Policy with Policy Changes. |
| Transfer to Security Operations Centre | Transfer to the Security Operations Centre for 24x7 business as usual (BAU) management. Spark Digital initiates the Security Operations Centre welcome call. Billing commences, including any applicable installation and implementation MAC fees. | Customer signs off the Safewall Bronze installation and implementation. Customer reviews support documentation and updates internal procedures as required. |


2.7. Service Boundaries

Customer end internet access, bandwidth and management of this connection is not part of the standard Safewall Bronze service. Customer devices, other than the security device(s), will not be managed or monitored as part of the Safewall Bronze service.

3. Service Targets

This section lists the following:

Functional performance targets – performance targets of the Safewall Bronze service itself.

Service delivery performance targets – performance targets for Spark Digital’s delivery of the Safewall Bronze service.

Provisioning/change performance targets – performance targets for Spark Digital’s implementation of and changes to the Safewall Bronze service.

The standard service levels listed in this section apply equally to all sites unless otherwise specified in the service targets below. If customer requires higher service levels than the standard service targets, these are available as defined in the service target options set out in Section 3.2. Service target options can be selectively applied to sites nominated by the customer, with the standard service targets applying to the remaining sites.

3.1. Functional Performance Targets

| Service Attribute | Attribute Definition | Performance Target | Exclusions and Notes |
| --- | --- | --- | --- |
| Service response and restoration | The elapsed time, during Normal Service Hours, from when Spark Digital has diagnosed a hardware failure and notification that the Service is restored to the defined levels. | Response and restoration 24x7x4 hours | Within 50 km of: Auckland, Wellington, Christchurch, Hamilton, Dunedin, Whangarei, Rotorua, Tauranga, Palmerston North, Hastings, New Plymouth, Gisborne, Nelson, Invercargill. |
| | | 24x7x6 hours | Outside the 24x7x4 locations NZ wide. |
| | | Outside of NZ | Dependent on Spark Digital Partner support package available. Detailed in the Service Schedule. |
| Centrally resolved restoration | For Faults that can be resolved centrally from the SOC Service desk. The elapsed time between Call Reception or Alarm Notification and notification that service is restored to the defined levels. | Severity 1 within 4 hours. Severity 2 within 8 hours. Severity 3 within 48 hours. Severity 4 as Agreed. | Excluding Hardware and Onsite components |
| Standard Maintenance Window | The period when routine maintenance can be undertaken on the security device and Management Systems. | Between 2am and 7am Sunday | Or by arrangement. |

3.2. Service Delivery Performance Targets

| # | Severity | Severity Definition |
| --- | --- | --- |
| 1 | Critical | Requires immediate corrective action. Problems that render systems and/or critical functionality unusable. |
| 2 | High | Requires prompt corrective action. Problems severely affecting system usage and service levels to end-users which present a high threat. |
| 3 | Medium | Requires managed restoration. Problems that do not significantly impair the functioning of the system and do not significantly affect service to the end user. |
| 4 | Low | Requires managed restoration. Problems with no impact to system functionality or service to end-users. |

| Service Attribute | Attribute Definition | Performance Target | Exclusions and Notes |
| --- | --- | --- | --- |
| Call Reception | The elapsed time for Spark Digital answering incoming telephone calls from Customers. | Call Response: Within 20 seconds | During Normal Service Hours. The Safewall Service Desk can be contacted at 0800 NZSECURE. |
| Alarm Notification | The elapsed time between a service-impacting alarm occurring and the Customer being notified that it has occurred and is being investigated. | Within 30 minutes of alarm occurrence | During Normal Service Hours. |
| Initial Restoration Update | The elapsed time between Call Reception or alarm occurrence and the Customer being notified that initial diagnosis is completed. | Within 60 minutes | During Normal Service Hours. An estimated restore time will be provided, if known. |
| Progress Updates | Updates on the status of service restoration activity. | Hourly for Severity 1 | Or as otherwise agreed. |
| Billing Enquiry Response | The elapsed time between Call Reception of a billing enquiry and response to the Customer. | Within 48 Normal Service Hours. | Single account, with account arrears less than 90 days. |
| | | By agreement. | Multiple accounts, or account arrears more than 90 days. |

3.3. Provisioning/Change Targets

| Service Attribute | Attribute Definition | Performance Target | Exclusions and Notes |
| --- | --- | --- | --- |
| Policy Change Requests (MAC’s) | The elapsed time between a Change Request being received and acknowledgement of receipt. | Within 2 Normal Service Hours | Received at admin-[email protected] |
| | The elapsed time between a Change Request being received and advice of an initial assessment. | Within 48 Normal Service Hours | Received at admin-[email protected] If possible an expected delivery date/time for the change will be confirmed. |
| | The elapsed time between a Change Request being completed and advising that it is ready for testing by the Customer. | Within 24 Normal Service Hours | |
| Planned Outage Notification - weekly | Notice of any maintenance that could cause a service outage to Customer. | Weekly Maintenance Window: 5 days | Not all maintenance will necessarily cause an outage to a Customer. |
| | | Outside Weekly Maintenance Window: 10 days | Not all maintenance will necessarily cause an outage to a Customer. |
| | | Emergency Maintenance | As much notice as possible will be given where emergency maintenance is required. |


4. Standard Fees And Invoicing

4.1. Invoicing

Customer Fees may include one or more of the following:

Installation Fees

Implementation fees are invoiced in arrears and cover items such as installation, configuration, testing, activation and handover.

Project Management Fees

Project Management fees are invoiced in arrears and cover items such as organising customer and third party resources and equipment, achieving project budgets, timeframes and deliverables, and minimising project risk.

Monthly Fees

Monthly fees are invoiced in advance and cover the provision and management of the Safewall Bronze services included in the customer’s Service Schedule. Fixed monthly fees are applicable from the date that Spark Digital advises the customer that the service is capable of being used between the designated service delivery points. Spark Digital is not responsible for the customer’s non-use of the service due to implementation delays beyond the service delivery points.

Variable Fees

Any applicable variable fees, for example associated with time, volume or usage, are normally invoiced monthly in arrears.

Miscellaneous Fees

One-time fees are typically invoiced monthly in arrears and apply to e.g. new installations, relocations, and configuration changes requested by the customer.

Agreement Variation

Changes that alter monthly billing fees or require additional service installation fees will require an agreement variation in writing which is signed by the Customer and Spark Digital.

4.2. Moves Adds and Changes (MACs)

Simple MAC – Single Change

A simple MAC is a modification to an existing policy and is specific to the Customer and the Safewall Service currently subscribed to. A simple MAC does not require detailed investigation or analysis by Spark Digital and does not change the underlying Safewall network or Safewall security configuration (e.g. modifying an existing Security Device Policy). A simple MAC is considered to be non-urgent and the timeframe for completion of the work is to be agreed between the Safewall support group and the Customer. Urgent simple MAC requests are considered to be complex MACs.

Complex MACs:

Spark Digital and the customer will treat complex MACs as a project for which a timetable and charges will be agreed.


Complex MAC requests normally require detailed investigation or design work to implement. Complex MAC requests will be analysed for security and operational impact and will only affect the Customer’s existing Safewall Service. The fees and timeframe for completion will be agreed between the Security Operations Centre and the Customer before implementation.

All Complex MACs are reviewed before being accepted for implementation. Any request which Spark Digital considers to be outside the above MAC definitions will be treated as an ad hoc implementation project and will be handled by a Terms of Reference document to be agreed with the Customer.

All MACs will be carried out at Spark Digital's discretion during the agreed service hours. There is an additional charge for implementing MACs at a specific time requested by the customer.

| Description | Fee |
| --- | --- |
| Simple MAC (Configuration Change) – up to 30 mins | $120 per change |
| Complex MAC (Per Hour) – Time and Materials | $220 per hour |


APPENDIX 2

Safewall Equipment

The Safewall Equipment (Hardware and Software) delivered as part of this Service is listed below:

1) Item 1

2) Item 2

<<NOTE TO ACCOUNT MANAGER: Copy and paste equipment list here if it is to be attached to this Service Schedule, otherwise delete this Appendix. >>