Schedule 3 - The SAAS Hosting Environment


XXX Recruitment Service

[Services Agreement and SLA]

30/07/2012

Abacus e-Media

14-16 Regent Street

London

SW1Y 4PH

Tel: +44 (0)20 7766 9810

Email: info@abacusemedia.com

Abacus Software Ltd trading as Abacus e-Media No. 3387095

Registered office 14-16 Regent Street, London SW1Y 4PH

Contact Information

Client Contact:

Abacus Contact: Steve Feigen

Telephone: 0207 766 9810

E-mail: Steve.feigen@abacusemedia.com

Address: Abacus e-Media, 14-16 Regent Street, London, SW1Y 4PH

Abacus e-Media – Portsmouth: 4 Boyd Building, The Admirals, Gunwharf Quays, Portsmouth, PO1 3AG

Contents

1. DEFINITIONS ... 6
   Associated Documents ... 6
2. SERVICES TO BE PROVIDED ... 7
3. DURATION ... 7
4. THE SOFTWARE SERVICES ... 8
5. THE INTERNET SERVICES ... 9
6. THE SUPPORT SERVICES ... 9
7. DEVELOPMENT SERVICES ... 10
8. CHARGES ... 12
9. THE CLIENT’S OBLIGATIONS ... 13
10. CONFIDENTIALITY ... 13
11. LIABILITY ... 15
12. TERMINATION ... 15
13. EFFECT OF TERMINATION ... 16
14. FORCE MAJEURE ... 16
15. WAIVER ... 17
16. ENTIRE AGREEMENT ... 17
17. DATA PROTECTION ... 17
18. ASSIGNMENT ... 17
19. NOTICES ... 18
20. ILLEGALITY OR SEVERANCE ... 18
21. LAW AND JURISDICTION ... 18
Schedule 1 – The Deliverables ... 20
Schedule 2 - Recruit 5.0 SAAS Architecture ... 20
   Introduction ... 20
   Application Layer ... 20
   Data Storage Layer ... 20
Schedule 3 - The SAAS Hosting Environment ... 22
   Introduction ... 22
   The Partners ... 24
      Abacus ... 24
      CCC ... 24
      Telehouse West Data Centre ... 25
      BlueSquare ... 26
   Virtualization ... 27
   Hosting Resilience ... 28
   Security and Performance ... 32
      Penetration Testing ... 32
      Initial Stress Testing ... 32
      Ongoing Performance Testing ... 32
   Monitoring/Run Book ... 35
Schedule 4 - Service Level Agreement ... 37
Schedule 5 – secforce Pen Testing ... 44
   External Security ... 44
   The SAAS Environment ... 46
      Post Action Assessment ... 47

THIS AGREEMENT is made the day of

PARTIES:

(1) ABACUS SOFTWARE LIMITED whose registered office is at 14-16 Regent Street, London, SW1 4PH (“Abacus”)

(2) XXX…. (“The Client”)

RECITALS:

(A) The Client wishes to utilise the Abacus Recruit software service to host and support, as appropriate, the Client’s recruitment systems.

(B) Abacus agrees to move, host and support (as appropriate) the Client’s recruitment systems, to take all possible actions to ensure that not only are they always available for access but also that they are secure and can easily be updated by the Client; all upon the terms and conditions hereinafter contained.

NOW IT IS HEREBY AGREED as follows:

1. DEFINITIONS

In this Agreement (which expression shall be deemed to include the Schedules hereto), unless the context otherwise requires, the following expressions have the following meanings:

Abacus SAAS Network means the computer network located at the address specified in this Agreement, the details of which are more specifically laid out in Schedule 4.

Business Day means a day other than a Saturday, Sunday or English Public Holiday.

Confidential Information has the meaning ascribed to it in clause 10.

Effective Date means the date upon which this Agreement shall become effective.

Host Servers means the computer equipment described in the SAAS Hosting Description.

Initial Period means a period of 3 years beginning on the Effective Date and ending on the second anniversary of such date.

Internet means the worldwide network of computers and networks communicating using a common protocol or protocols.

Services means the services to be provided by Abacus under this Agreement.

Websites means the xxx Recruitment Website and the administration web site used by staff to update and manage this, with all of the relevant components, including (but not limited to) http server, mail server, html pages and dynamic pages, as well as associated databases and processes.

Associated Documents

xxxx Recruit Update Proposal V3

xxxx Deliverables and Update Specification

2. SERVICES TO BE PROVIDED

In consideration of payment by the Client of the charges for the Services, Abacus hereby agrees to:

2.1 install, configure and allocate storage capacity on the Host Servers for the Websites and move, install and maintain the Websites on the Host Servers (the “Hosting Services”);

2.2 procure and maintain effective interactive access between the Internet and the Websites (the “Internet Services”);

2.3 keep the Websites secure from unauthorised access and provide backup, recovery, reporting and other support services (the “Support Services”); and

2.4 install, support and upgrade the Recruit software as set out in the Proposal, which is Schedule 1, in accordance with the terms of this Agreement.

2.5 at Client’s request, provide any other related services; all upon the terms and conditions hereafter contained.

3. DURATION

This Agreement shall commence on the Effective Date, shall continue for the Initial Period and shall remain in force thereafter unless and until terminated by either Abacus or Client giving to the other not less than 3 months’ written notice of termination expiring on the last day of the Initial Period or at any time thereafter, but may be subject to earlier termination as provided elsewhere in this Agreement or by mutual consent. The Client must pay Abacus all charges due for the period up to the end of the notice period and any unpaid amounts owed to Abacus, but if Client has paid Abacus any Service charges or rental monies in advance for the period after the end of the notice period, Abacus will repay Client such amounts.

4. THE SOFTWARE SERVICES

4.1 Abacus will provide the Service as set out in Schedule 1, set up the Websites and FTP access, research and apply up-to-date security patches and virus identities, and ensure that the Service is available for access by web browsers over the Internet.

4.2 Abacus shall ensure that the Service is available to both staff and clients via the Internet.

4.3 The Client may wish to offer services to other organisations through the Websites and may do so on the basis of the additional charges set out in Schedule 1.

4.4 Abacus agrees to give access to the Service at all times for the purpose of updating the Websites and for other reasonable purposes and Client agrees that those of its staff accessing the Host Servers shall use a predefined static IP address for such purpose.

4.5 For the avoidance of doubt, Abacus agrees that its obligations extend not only to hosting Client’s Websites and managing the software but also to the security of the data held on the Host Servers and data back-up. Abacus will use its best endeavours to protect the Service in general and the Websites in particular from unauthorised access and hacking, including implementing virus protection software and researching and applying security patches and virus identities as they are released, subscribing to hacking alert bulletin boards and the implementation of relevant application and operating system patches together with all necessary defensive procedures. Abacus shall also ensure that email does not relay through the Host Servers. Measures undertaken by Abacus to provide a secure environment for the Websites are detailed in Schedule 5.

For the avoidance of doubt, Abacus acknowledges that much of the information and data held on the Websites is of a confidential or sensitive nature (such as the credit card details of individuals) and that keeping such data secure is a condition of this Agreement.

4.8 Unless otherwise agreed under separate development or other contracts, the Client will be solely responsible for the data on the Websites.

5. THE INTERNET SERVICES

5.1 Abacus agrees to procure interactive access between the Internet and the Websites (via the Abasoft Network) on a 24 hours a day, 7 days a week basis. For this purpose, Abacus will maintain all relevant network supplier agreements. From time to time, the Host Servers will need to be taken down for routine maintenance and Abacus agrees to use its reasonable efforts to ensure that such non-availability will be as short as possible. Abacus shall have no liability to the Client in respect of such non-availability of Internet access except as stated below.

5.2 Abacus will log all Client’s calls to its Helpdesk (as hereinafter defined) notifying it of any interruptions in connection or other service problems and procure a response to Client within 4 hours of Client’s call. Subject to the terms of this Agreement, Abacus’s target level of interactive access between the Internet and the Websites is 99%, 24 hours per day, 7 days a week.

5.3 Abacus shall arrange for the tracking and calculation of non-availability on a monthly basis. Periods of non-availability beyond Abacus’s control or responsibility (including, but not limited to, power failures and breakdowns in any telecom service or equipment not owned or supplied by Abacus) will not be included.

5.5 Client can inspect Abacus’s calculations and service records, on reasonable notice, at any reasonable time. If Client reasonably believes that it is entitled to credit, which has not been given, Client may ask Abacus to require its auditors to determine the credit to which Client is entitled from Abacus’s records. If the amount of credit due to the Client is determined by the auditors to be more than originally credited by Abacus, then Abacus shall be liable for the costs of such audit inspection. If the amount is the same or less than that originally credited by Abacus, Client shall be liable for the costs of such audit inspection.

6. THE SUPPORT SERVICES

6.1 Abacus will provide hosting support on a 24 hours a day, 7 days a week basis and software support for the Service on Business Days between 0900 and 1800 hours (UK time), through a helpdesk support service for reporting problems (the “Helpdesk”). Abacus may supplement Helpdesk support with email, facsimile and web-based help where, in its opinion, this is appropriate.

6.2 Abacus will provide the following other Infrastructure Services as set out in the SAAS Hosting Description which is Schedules 2 and 3, and according to the SLAs which are set out in Schedule 4.

6.3 Abacus will provide the following other Software Services:

6.3.1 If, in the course of operation of the Software or any updates, new releases, modifications, or enhancements thereto implemented by Abacus, demonstrable defects shall become manifest, Abacus shall remedy such defect or defects at no charge to the Client as soon as reasonably possible.

6.3.2 Abacus may from time to time release new versions of the Software, and the Client recognises that it is to the benefit of both Abacus and its clients if all Clients are upgraded to the latest version of the Software, in that support costs are reduced, and extra features provided and errors corrected will benefit the Clients, subject to the new version or versions being functionally equal or superior to the versions to be replaced. New versions will be offered to clients without additional licence fees.

6.3.3 Abacus will at their sole discretion study any requests for enhancements to the Software at the request of the Client. Abacus will at their sole discretion, at the request of the Client, implement software enhancements or modifications to products where Abacus is the author of the software, at Abacus’ then prevailing rates for program amendments or for an agreed fixed price as appropriate.

7. DEVELOPMENT SERVICES

Abacus is able to provide other services related to the Websites, Hosting and Internet Services, such as updating or changing the Websites, reviewing Client or third party prepared enhancements to The Site, changes, developments or additions to the Software, search engine registrations, linking and banner advertising, training and general consultancy. Abacus shall provide such other services at its standard published rates for such services.

Changes to The Software will be made available to The Client.

The Client will be invited to be a proactive member of the Supplier User Group to propose and discuss potential changes or additions to the Recruit 5 software package.

No change will be forced on a Client without their agreement. The Client agrees that there can only be one version of The Software but any change which is detrimental to any Client will be provided on an optional basis, i.e. it will be deconfigurable through the standard configuration process.

The Client may request specific changes under the following terms.

"Change" shall mean any revision (including revision of any dates or alterations or additions to the Services or any part thereof) in the performance or delivery of the Services that does not arise consequent upon a failure by Abacus properly to carry out his functions hereunder and shall be without prejudice to the generality of Abacus’ obligations under this Agreement.

The Authority may in writing set out a detailed description of the Change sought ("Change Request").

For each written Change Request Abacus shall prepare a proposal in writing within 30 days of the date of request (or sooner if the urgency of the situation so dictates) setting out the effect such Change will have on the Services and what adjustment if any will be required to the Payment and to any dates specified for performance or delivery of the Services or any part or aspect of them

Abacus shall satisfy the Authority as to the reasonableness of the proposal produced under paragraph 3 above within such period as may be mutually agreed

Abacus shall not and shall have no obligation to implement the Change or any part thereof unless and until the relevant proposal or any mutually agreed amended proposal has been accepted by the Authority in writing

Abacus shall not be entitled to any fee for the initial time spent in considering each Change or in submitting any proposal unless the time spent exceeds two working days in total. Thereafter Abacus shall be entitled to such charge by way of additional fee if he has first provided the Authority with an estimate of the likely additional fee and the Authority has approved the same (such approval not to be unreasonably withheld or delayed).

No Change shall invalidate this Agreement. Any Change involving an increase or decrease in the fee and/or any dates specified for delivery of the Project or any part of it shall be deemed to have been made with effect from the date of the relevant Acceptance by the Authority as aforesaid

Regarding Software Acceptance it is agreed that on the delivery of software:

(a) the Supplier shall submit each Deliverable to the Client for testing on the Client test system;

(b) the Client shall then review, evaluate and/or test, as the case may be, each of the Deliverables within 14 days;

(c) if the Client does not furnish a written notice to the Supplier specifying that a Deliverable has failed to satisfy its Acceptance Criteria within 14 days, then the Client will be deemed to have Accepted such Deliverable;

(d) if the Client agrees to Abacus making the Deliverables operationally live, the Client will be deemed to have Accepted such Deliverable;

(e) if a Deliverable fails to satisfy its Acceptance Criteria, then the Client will notify Abacus in writing specifying the respects in which such Deliverable does not conform. Abacus shall modify the Deliverable to so conform and the Deliverable will be resubmitted for Acceptance by the Client. If, after not less than three repeated attempts, the Supplier is unable to remedy any nonconforming portion of any Deliverable, the Client may either: reject the Deliverable, terminate the Project Plan or this Agreement in accordance with Clause 17.1.1 and pursue all available remedies at law or in equity. Notwithstanding the foregoing, the Client shall be entitled to (or ask a third party to) rectify the deficient Deliverable itself at its cost (subject to the Client’s right to seek payment or contribution from the Supplier pursuant to the dispute resolution procedure set forth in Clause 18); or accept the Deliverable as appropriate upon payment of a reduced fee as agreed by the Parties to reflect the variation in performance of the Deliverable.

8. CHARGES

The Charges are as set out in the Proposal which is schedule 1.

9. THE CLIENT’S OBLIGATIONS

Client agrees that it will:

9.1 be responsible for and provide and pay for all telephone services necessary to connect to the Websites and the telecommunications charges it incurs in accessing the Internet through the Websites.

9.2 comply with all relevant legislation and any reasonable instructions or directions issued by Abacus from time to time concerning access to the Internet.

9.3 conform to the protocols and standards published on the Internet from time to time and adopted by the majority of Internet users.

9.4 indemnify Abacus against any liability to third parties resulting from its use of the Internet.

9.5 keep any passwords issued by Abacus secure and confidential and take reasonable steps to ensure that they are only used by authorised persons within Client’s organisation.

10. CONFIDENTIALITY

10.1 Confidential Information shall include all or any part of the following:

10.1.1 information relating to either party's operations, business plans, customers (and in particular credit card details of the Client’s customers), undisclosed products and prices or other information marked or stated to be "Confidential" at the time of disclosure (and where stated is subsequently confirmed in writing to be confidential) or by its nature has the necessary quality of confidence about it - all of which information is not readily ascertainable to persons not connected with one party or the other; or

10.1.2 any of the terms of this Agreement

10.2 Confidential information shall not include information which:-

10.2.1 is already known (without restriction) to the recipient party prior to the commencement of the negotiations leading to this Agreement as evidenced by its written records; or

10.2.2 is or becomes publicly known through no wrongful act of the recipient party; or

10.2.3 is rightfully received from a third party without similar restriction and without breach of any obligation of confidentiality; or

10.2.4 is independently developed by the recipient party without breach of this Agreement; or

10.2.5 is furnished by one party to a third party without similar restriction on the third party; or

10.2.6 is approved for release by written authorisation of the furnishing party.

10.3

10.3.1 Both parties shall use the same standard of care as they use for their own trade secret information (and at least reasonable care) not to disclose the Confidential Information to any other person, firm, company or organisation (other than their own employees having a need to know and consultants provided they are bound by a written agreement to protect the Confidential Information); and

10.3.2 Each party will use all reasonable endeavours to prevent persons (except persons authorised by each party) from having access to such Confidential Information; and

10.3.3 Neither party will copy or reproduce or cause to be copied or reproduced by any means whatsoever the whole or any part of the Confidential Information for any unauthorised purpose; and

10.3.4 Each party shall promptly return or destroy (and certify that such destruction has taken place) all such Confidential Information and any copies, whether authorised or not, to the other upon the other's request at any time; and

10.3.5 Should one party be compelled by law or be required to act in compliance with the legal requirement of a governmental agency to disclose the Confidential Information that party shall provide the other with reasonable notice of any disclosure and comply with any reasonable instructions as to such disclosure; and

10.3.6 In the case of accidental or inadvertent disclosure, by a party, that party shall take reasonable steps to prevent misuse or further disclosure.

10.4 Notwithstanding anything elsewhere in this Agreement, the provisions of this clause shall survive the termination or expiry of this Agreement.

11. LIABILITY

11.1 Each party shall indemnify the other and keep the other fully and effectively indemnified against any loss of or damage to any property or injury to or death of any person caused by any negligent act or omission or wilful misconduct of it or by any breach of its contractual obligations arising out of this Agreement.

11.2 Except in respect of injury to or death of any person caused by negligence (for which no limit applies) the liability of each party under clause 11.1 above in respect of each event or series of connected events shall not exceed the total charges payable by the Client under this Agreement in the year in which the incident giving rise to liability occurred.

11.3 Notwithstanding anything else contained in this Agreement, neither party shall be liable to the other for any indirect or consequential loss arising from negligence, breach of contract or howsoever.

12. TERMINATION

Notwithstanding anything else contained herein, this Agreement may be terminated:

12.1 by either of the parties pursuant to Clause 3.

12.2 by Abacus on giving 30 days’ notice in writing to the Client if the Client shall fail to pay any sum (other than a sum disputed in good faith and provided that the Client pays any undisputed amount) due under the terms of this Agreement otherwise than as a consequence of any default on the part of Abacus and has failed to remedy that default within 7 days of receiving written notification from Abacus so to do.

12.3 by Client, for any reason, during the Initial Period, on payment of the Early Termination Charge specified in Schedule 1.

12.3 by either party forthwith on written notice if:

12.3.1 the other commits any material or persistent breach of any term of this Agreement and (in the case of a breach capable of being remedied) shall have failed, within 30 days after the receipt of a request in writing from the other so to do, to remedy such breach; or

12.3.2 the other shall have bankruptcy or insolvency proceedings brought against it or shall have a receiver or administrative receiver appointed over it or over any part of its undertaking or assets or shall pass a resolution for winding up (otherwise than for the purpose of a bona fide scheme of solvent amalgamation or reconstruction) or a court of competent jurisdiction shall make an order to that effect or if either party shall enter into any voluntary arrangement with its creditors or shall become subject to an administration order; or

12.3.3 the other party is in delay in the performance of its obligations, as more specifically laid out in clause 14.2.

13. EFFECT OF TERMINATION

On termination of this Agreement:

13.1 All rights and obligations of the parties under this Agreement shall automatically terminate except:

13.1.1 for rights of action accruing prior to termination and any obligations which expressly or by implication are intended to survive termination

13.1.2 that the terms of the Agreement shall remain in full force and effect for obligations required to be performed by either party before termination but which remain unperformed at the time of termination.

13.2 Abacus shall provide all necessary support as requested by the Client in order for the Client to move the Websites to another host provider at Abacus’s then current rate for systems support, on a time and materials basis.

14. FORCE MAJEURE

14.1 Neither party shall be liable for any delay in performing any of its obligations under this Agreement if the delay is caused by circumstances beyond its reasonable control. The delaying party shall be entitled to a reasonable extension of time for the performance of such obligations.

14.2 If and when the period of incapacity exceeds 90 days, then the party not in delay shall have the option of terminating this Agreement forthwith, pursuant to clause 12.3.3.

15. WAIVER

No waiver of any term is valid unless it is in writing and signed by an authorised person of the party charged with the waiver. A waiver is valid for the specific situation for which it was sought. All remedies provided for in this Agreement are cumulative and in addition to and not in lieu of any other remedies available to either party at law in equity or otherwise.

16. ENTIRE AGREEMENT

This Agreement supersedes all prior agreements, arrangements and understandings between the parties and constitutes the entire agreement between Abacus and the Client relating to the subject matter hereof. No addition to or modification of this Agreement shall be binding upon the parties unless made by a written instrument signed by a duly authorised representative of each of the parties.

17. DATA PROTECTION

Each party shall comply with its obligations under the Data Protection Act 1998 ("the Act") and any other statutory obligation in relation to the performance of its obligations under this Agreement and shall provide each other with such information as the other may require to satisfy itself that the other is complying with such obligations, including but not limited to a copy of the other's registration and/or notification under the Act. Each party agrees to indemnify the other in respect of any unauthorised disclosure by it.

18. ASSIGNMENT

Neither party shall assign or otherwise transfer this Agreement or any of its rights or obligations hereunder whether in whole or in part without the prior written consent of the other, which shall not be unreasonably withheld.

19. NOTICES

19.1 Unless expressly stated otherwise elsewhere in this Agreement, all notices which are required to be given shall be in writing and shall be sent to the address of the recipient set out in the Agreement.

19.2 Any such notice may be delivered personally or by first class prepaid letter, facsimile transmission or electronic mail and shall be deemed to have been served, if by hand when delivered, if by post 48 hours after posting, if by facsimile transmission or electronic mail, when despatched.

19.3 Any notice which affects the validity or existence of this Agreement shall be delivered personally or sent by recorded delivery first class letter post only.

20. ILLEGALITY OR SEVERANCE

If any provision of this Agreement is held by any competent authority to be invalid or unenforceable in whole or in part, the validity of the other provisions of this Agreement and the remainder of the provisions in question shall not be affected thereby.

21. LAW AND JURISDICTION

This Agreement shall be governed by and construed in accordance with the laws of England and shall be subject to the exclusive jurisdiction of the English Courts.

EXECUTED under hand in two originals the day and year below written

SIGNED for and on behalf of ABACUS SOFTWARE LIMITED

Name:

Position:

Date:

SIGNED for and on behalf of The Client

Name:

Position:

Date:

Schedule 1 – The Deliverables

The Proposal Document - xxxx Recruit Update Proposal V3 – is attached

The Definition of Deliverables - xxxx Deliverables and Update Specification – is attached

The Pricing Document – Pricing for xxxx – is attached

Schedule 2 - Recruit 5.0 SAAS Architecture

Introduction

The Software as a Service or “Cloud” model is becoming increasingly accepted as the preferred method for providing software applications.

There is typically one admin application for all customers which serves data for specific modules.

Each client uses this module from their own discrete administration web site with its own security and permissions, and each client will have its own separate database.

Each customer will have its own website application (used by jobseekers), which may be customized by designers.

To achieve this, the model must support multiple web servers and multiple database instances, so that a new customer can be added to the system easily (in the current system this requires a complete new installation). Two main layers are identified here: the application layer (multiple web servers) and the data storage layer (multiple database instances).

Application Layer

The layer consists of several load balanced servers. Each server hosts one or more frontend applications (depending on how many visitors are expected) and one backend application. The backend application may be load balanced, or may point to the same code base (this needs discussion). There will be just one code base for the admin application, but clients may have one or more modules enabled or disabled, depending on the configuration.

The application layer will consist of 2 tiers: frontend and backend application (which are hosted under IIS) and shared across the web servers. Web applications will communicate with Data Storage Layer.

Data Storage Layer

The data storage layer is a set of different databases hosted on several servers.

The entry point is the Storage Controller (SC), which communicates with the Storage Controller Database (SCDB).

The SCDB stores information about the data storage infrastructure (how many databases there are, which client is using which database, how databases are organised into groups and finally how the user repository is organised; this will be explained later).

The Storage Controller has caching capabilities: the data is stored in the Storage Cache, so the Storage Controller does not need to query the Common Storage every time it needs information about the data storage layer infrastructure. The cache is rebuilt on demand, i.e. when a new customer is added to the system.

Each application instance communicates with the Storage Controller, and after that with appropriate database.

Each client has its own database, called the Client Area database (CA). Splitting the data into several CA databases improves performance, as all queries are run against a smaller number of records. It also removes the risk that one client may see another customer's data. And finally, it simplifies maintenance.

To support a partnership module (where partners may share user jobs and logins), it is proposed that Client Areas are organised into groups. This will allow clients to share users with other clients. The set of groups which share the same users is organised into a User Repository (UR), which represents a shared applicants database (user shared area). One Client Area may belong to more than one group, which means Client A may share users with Client B and Client C while Client B and Client C share nothing.

If there are no shared users (the client does not share its users with another client), the user data will still be stored in the User Repository, so that the client may start sharing them at any time.

Finally, there will be a Search Repository, which will perform the indexing of jobs, or whatever needs to be indexed. This repository will be a read only area.
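The routing and sharing rules above, as an added example that is not Abacus code: a toy Storage Controller whose SCDB is an in-memory map, whose Storage Cache is rebuilt on demand when a customer is added, and whose client, group, UR and database names are constructed sample values. It also checks the isolation property the text relies on: A may share applicants with B and with C without B and C sharing anything.

```python
"""Toy model of the Recruit 5.0 data storage layer (added example, not Abacus
code). Client, group, UR and database names are constructed sample values."""
from dataclasses import dataclass, field


@dataclass
class Scdb:
    """What the Storage Controller Database records: client -> CA database,
    group -> member clients, group -> the User Repository holding the group's
    shared applicants."""
    client_db: dict = field(default_factory=dict)
    group_members: dict = field(default_factory=dict)
    group_ur: dict = field(default_factory=dict)


class StorageController:
    def __init__(self):
        self.scdb = Scdb()
        self._cache = None      # Storage Cache; None means "rebuild before use"
        self.rebuilds = 0       # how often the SCDB had to be re-read

    def add_customer(self, client, ca_db):
        """Onboard a new client and mark the cache stale (rebuilt on demand)."""
        self.scdb.client_db[client] = ca_db
        self._cache = None

    def add_group(self, group, ur, members):
        """Create a group of Client Areas whose applicants live in one UR."""
        unknown = set(members) - set(self.scdb.client_db)
        if unknown:
            raise KeyError(f"unknown clients: {sorted(unknown)}")
        self.scdb.group_members[group] = set(members)
        self.scdb.group_ur[group] = ur
        self._cache = None

    def _view(self):
        if self._cache is None:
            self._cache = self._rebuild()
            self.rebuilds += 1
        return self._cache

    def _rebuild(self):
        """Expand the SCDB into per-client answers: which CA database to open,
        which URs the client may read, and which peers it shares users with."""
        urs = {c: set() for c in self.scdb.client_db}
        peers = {c: set() for c in self.scdb.client_db}
        for group, members in self.scdb.group_members.items():
            ur = self.scdb.group_ur[group]
            for m in members:
                urs[m].add(ur)
                peers[m] |= members - {m}
        return {"db": dict(self.scdb.client_db), "urs": urs, "peers": peers}

    def ca_database(self, client):
        """Where an application instance is sent for this client's own data."""
        return self._view()["db"][client]

    def user_repositories(self, client):
        return frozenset(self._view()["urs"][client])

    def shares_users_with(self, a, b):
        """Sharing is per group and is not transitive across groups."""
        return b in self._view()["peers"][a]


def build_demo():
    """Constructed sample: A shares with B (group1/UR1) and with C (group2/UR2);
    D is a client that shares nothing."""
    sc = StorageController()
    for client, db in [("A", "CA1"), ("B", "CA2"), ("C", "CA3"), ("D", "CA4")]:
        sc.add_customer(client, db)
    sc.add_group("group1", "UR1", ["A", "B"])
    sc.add_group("group2", "UR2", ["A", "C"])
    return sc


if __name__ == "__main__":
    sc = build_demo()
    print(sc.ca_database("B"), sorted(sc.user_repositories("A")),
          sc.shares_users_with("A", "C"), sc.shares_users_with("B", "C"))
```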

The model is illustrated in the diagram below.

[Diagram: Recruit 5.0 SAAS model. Application layer: Web Server 1, Web Server 2 ... Web Server n, each hosting a BACKEND and a FRONTEND application. Data Storage Area: Storage Controller with Storage cache and Common File Storage; Client Areas C.A.1 to C.A.6 organised into Group 1, Group 2 and Group 3; User Repository 1 (U.R.) and User Repository 2 (U.R.); Search repository. Legend: Client Area, each C.A. represents one Client Database; User Repository (Shared Area) represents one shared applicants database; Jobs index.]

Schedule 3 - The SAAS Hosting Environment

Introduction

The primary Abacus hosting platform runs in a virtualised environment at the tier one data centre at Telehouse West in London Docklands, with a disaster recovery facility at Blue Square in Maidenhead.

Management of the key virtualisation environment is handled by our partners Cloud Computing Centre (CCC), one of the few VMware VIP Gold status partners.

All Abacus hosting is installed on this 24/7 environment.

The key benefits are:

Both centres are secure multi-service data centres with extensive built-in resilience in terms of both power and bandwidth.

Telehouse West is at the heart of UK Internet connectivity.

By duplicating resources over the two centres we can provide uptime targets of 100%.

The additional cost is more than balanced in the savings made by minimising the requirement for dedicated standby servers.

A virtualisation approach underpins both the resilience and the cost savings so that a highly robust environment is available at significantly less cost than would have been possible even two years ago. It is also scalable to meet organic growth or the demands of new sites.

Finally Abacus, which is already supporting the application software, provides the front line hosting support, managing security and software updates, which means that only one organisation is responsible for keeping the sites in action.

The Partners

Abacus

Abacus provides its hosting in a virtualised environment using heavy duty tier 1 data centres run by its specialist infrastructure partners to provide the underlying infrastructure and 24/7 support services at Telehouse West and Blue Square.

Abacus is the contact point for all clients, although in specific circumstances out of working hours clients could contact the data centre support staff.

The Abacus hosting support team provides the services which require a good understanding of the underlying applications and functionality, and which involve communication with our clients, for example:

Security Management and Updates – commonly the dates for planned downtime must be agreed with Clients and there are often overlaps with Client networks and the underlying application software which have to be taken into account.

Core software updates – Microsoft and other core software suppliers periodically release new versions of their operating products, but as these products underpin the Client applications, the timing of upgrades must be managed by staff with an understanding of the application environment. Abacus would never implement a major upgrade without first testing its effect on the applications reliant on it.

DNS management – Abacus would manage the domain, IP and mail addressing issues, and is better equipped to respond to client requirements for user level changes.

Set up of application level monitoring and alarm systems – Abacus can build application specific monitoring into the hosting environment to ensure that if specific servers or tasks fail, appropriate action can be taken, in many cases outside of office hours.

Abacus works closely with CCC to quantify and manage virtualised hosting requirements.

CCC

As stated CCC is most importantly a VMware partner with VIP Gold status & VAC, but in addition it is a Microsoft (Gold Partner Status), Cisco (Premier Partner Status) and works with EMC, Computer Associates, Network Associates, Hewlett Packard, Lucent, BlueCoat, LSI Logics and Checkpoint.

Through Abacus CCC currently provides all web hosting for clients like Newsquest and Centaur, but probably more noteworthy is the fact that Centaur have recently moved all internal office and administration systems into the CCC hosted environment, access being provided through fast WAN connections. It is noteworthy that Centaur believe they gain better performance and resilience for the critical in-house systems than they could achieve by hosting internally.

Abacus has negotiated a number of key additional services through CCC.

Most importantly, the standard 24/7 hosting support is extended to cover a whole range of system and software vulnerabilities.

For all key environments, Abacus sets up specific monitoring alerts using GFI Max. These stretch from checking disk capacity and availability to web access, to monitoring specific services and jobs, so that in most cases, even software issues will be identified outside of working hours.

To support this Abacus provides CCC’s out-of-hours team with a run book of instructions for dealing with problems identified through the alerts.

As a final line of defence, Abacus employs expert development resource in the US West Coast time zone, to provide deep level backup for the CCC out of hours team.

Telehouse West Data Centre

The platform would be located in one of the most sophisticated international telecommunications hubs in the world. Telehouse West is one of the most modern centres in Europe and is amongst the safest and most secure places in the world to house your valuable systems and data.

Experience, track record, high-level security and power resilience combine to create the perfect operational environment for the kind of continued, trouble-free service your business requires to thrive online.

Key benefits of Telehouse West include:

Multiple external power feeds to each server at Telehouse West are supported by an uninterrupted power supply and generator backup support, as well as an additional power support facility. This is maintained on a regular basis to deliver seamless performance, whatever the circumstance. Plus, monthly power failure tests are conducted to ensure the integrity of the backup systems.

Environmental sensors continuously report back to the state-of-the-art management systems, enabling abnormalities such as fire and water leakages to be detected immediately, thus facilitating instant rectification.

The two data centres cover a total area of 14,310m2. Raised flooring allows the provision of power and data cabling between racks and to telecommunications suppliers. The facilities also operate computerised building management systems that monitor and remotely operate sensors covering electrical, mechanical, fire detection and water leakage systems.

Telehouse West security is extensive, employing fully trained and vetted security guards, sophisticated on-site intrusion detection equipment and internal and external CCTV surveillance. Plus, it also has an "intelligent" access control system and full height pedestrian turnstiles.

An advanced FM200 fire detection system is in operation plus the use of dry fill sprinkler systems and Argonite, between the two sites; and a chilled water system is installed for cooling the Metro data site.

The communications links are supported by a comprehensive support, monitoring and management package, which enables 24 hour monitoring of all hardware, software and network elements including:

Event reporting and analysis

Response to systems alerts

Customer notification of system alert

BlueSquare

BlueSquare is the secondary data centre and provides business continuity for Abacus hosted sites. It includes four tier 1 data centres in Maidenhead. Each data centre operates 24/7, 365 days per year, and each has the following infrastructure:

2 megawatt on-site substation

Diverse power feeds to substation

FG Wilson 2.2 megawatt generator connected via C&N ATS systems

Two main fibre duct points into building, and ducts to BlueSquare 1

N+1 PowerWave UPS system

N+1 Airedale Air Handling system

~22°C +/- 2°C data floor temperature

Dual 16 Amp feed per equipment rack available

24x7 secure entry via swipe card system, with 6-layer entry

Data centre located inside its own secure compound, with 3-metre fencing and electric entry, including anti-tailgate systems

NOC engineers available 24x7 for remote hands service

Engineer build rooms

430mm raised heavy duty flooring

20GBit resilient Ethernet ring available to all customers, linking BlueSquare to London Docklands facilities, with 50ms self-healing capacity

They specialise in providing the underlying infrastructure for disaster recovery platforms and as such are an ideal partner in this scenario.

Virtualization

Virtualization essentially lets one computer do the job of multiple computers, by sharing the resources of a single computer across multiple environments. Virtual servers and virtual desktops let you host multiple operating systems and multiple applications locally and in remote locations, freeing you from physical and geographical limitations. In addition to energy savings and lower capital expenses due to more efficient use of your hardware resources, you get high availability of resources, better desktop management, increased security, and improved disaster recovery processes when you build a virtual infrastructure.

The introduction of virtualization technology presents a number of opportunities for driving capital and operational efficiency. Using software like VMware, hosting centres can better manage IT capacity and provide better service levels. The secret is the virtual infrastructure.

In essence, a virtual infrastructure is a dynamic mapping of physical resources to business needs.

While a virtual machine represents the physical resources of a single computer, a virtual infrastructure represents the physical resources of the entire IT environment, aggregating x86 computers and their attached network and storage into a unified pool of IT resources.

Structurally, a virtual infrastructure consists of the following components:

Single-node hypervisors to enable full virtualization of each x86 computer.

A set of virtualization-based distributed system infrastructure services such as resource management to optimize available resources among virtual machines.

Automation solutions that provide special capabilities to optimize a particular IT process such as provisioning or disaster recovery.

By decoupling the entire software environment from its underlying hardware infrastructure, virtualization enables the aggregation of multiple servers, storage infrastructure and networks into shared pools of resources that can be delivered dynamically, securely and reliably to applications as needed. This pioneering approach enables hosting organizations to build a computing infrastructure with high levels of utilization, availability, automation and flexibility using building blocks of inexpensive industry-standard servers.

This means that you only need pay for the amount of resources (CPU, Disk, and Memory) required to support your application, not the amount that may be provided within each server. It also offers new and less expensive disaster recovery options.

Hosting Resilience

System resilience is required in a number of areas.

The data centres need to provide:

Duplicated power sources, in addition to on site generators (and in this case on site substations)

Duplicated network capacity, with different ISP sourced bandwidth into every building

Duplicated network equipment, in case of equipment failure

Duplicated servers and storage area networks (SAN) in case of system failure

Some form of data backup mechanism to ensure that all data is replicated

Offsite facilities should ideally support:

An equivalent server and SAN infrastructure, to which the Client can move if the main data centre fails for any reason

Copies of system and application data, available at all times for access from those servers

The diagram overleaf illustrates the resilience model proposed to ensure that in the unlikely occurrence of a major outage, resources will be available for rapid and effective Disaster Recovery.

It illustrates the infrastructure resilience available across the data centres as well as the specific duplication of data and systems. Our commitment is as follows.

The virtualisation mechanism ensures that any hardware failure other than of the data storage, i.e. of the SAN, would be automatically recognised by the VM engine and the functions on that hardware would be automatically switched to another server. Therefore so long as the Telehouse West server farm remains available, hardware resilience is guaranteed.

The system data is stored on two different SANs at Telehouse West, each of which is RAID based and so resilient, and in the event of a problem on one SAN, the web server will automatically switch to the second. It is therefore very unlikely that while Telehouse West is available, there will ever be a loss of current data.

However in addition once each day the data is copied from the master Telehouse West SAN to a third SAN at Blue Square in Maidenhead or to Telecity. This data is then available should Telehouse West become totally unavailable, although it could be up to 24 hours out of date.

In addition an identical replica of the hardware and operating and application software is permanently installed at the standby data centre at Blue Square. If the Telehouse West facility is for whatever reason unavailable (fire, power outage, etc) then the network address of the site is switched to point to this centre and the system will start running on the standby systems, using the standby SAN. This switch should take less than one hour.

The DR architecture is illustrated below but includes:

1. Cisco and Juniper ‘J’ Class Enterprise Router/Firewalls provide diverse Tier 1 Telco (x 4) connectivity to the CCC Data Centre infrastructure, ensuring “always available” routed links between Primary, Secondary and Back-Up Data Centres.

2. Cisco Switch Clusters provide clustered access from routed connections to the Blade Server Farms.

3. The Physical Server Farm provides a shared resource of CPU, Memory and NIC adapters.

VMware automatically provides dynamic balancing of the computing resources across resource pools (server farm). VMware also provides intelligent resource allocation based on pre-defined rules. This also enables the ability to add hardware dynamically to add to the resource pool when necessary. The physical servers can be likened to a cluster, covering for the failure of processing units, whereupon VMware VMotion / HA will migrate servers to unaffected processor units.

4. Another array of Cisco Switch Clusters provides routable access + “NIC Teaming” to the Server farm resource of the Virtualised SAN environment.

5. The Virtualised Servers and Firewalls (3a) reside on iSCSI and Fibre Channel SAN Disk Arrays.

SAN to SAN replication is provided, offering fail-over between Data Centres (DCs). The SANs are replicated overnight to the Back-Up Data Centre. The standard overnight replication can be upgraded to provide increased options, which offers live replication up to every fifteen minutes.

6. The standard overnight replication can be upgraded to provide

7. Agreed storage can be copied to lower cost NAS Disk Arrays (6) for Data Repository, backup retention and restore requests via a web based agent.

The SAN technology offers:

EqualLogic iSCSI SANs provide virtualised peer storage architecture, and EMC Fibre Channel technology further provides high performance, gigabit additional SNAP Shot utilities. VMware management tools further enhance the available technology.

RAIDed Hot Swap Disk Arrays


Dual redundant storage processors

Dual redundant power supplies

Dual Fibre / IP channel controllers / switches (Multipathing)

In summary the DR / HA environment provides fail over and high availability between Physical, Virtual, Communications and Data Centers offering a true Enterprise DR / HA environment.

Additional data resilience within this environment is provided as part of the service including a file level backup on a 7 day rotation cycle as a default, with an additional monthly backup.

The rotation cycle can be modified to whatever is requested and is determined by the backend DB settings which are set by CCC on a contractual basis rather than physical storage limitations.

CCC performs off-site SAN data replication every hour and retains a 48-instance copy, which equates to 2 days' worth.

[Diagram: DR / HA architecture. (1) Diverse IP Transit via Telco POPs, with Enterprise Routing to all Data Centres over Juniper J Class Routers / Firewalls. (2) Cisco Switch Clusters. (3) Server Farm; (4) Cisco Switch Cluster + NIC Teaming; (3a) Virtual Firewalls / Servers on (5) iSCSI / Fibre SANs; SAN Overnight Replication over ESG Dark Fibre, with optional replication schedules available; (6) NAS Data Vault. Sites: Primary Data Centre TELEHOUSE (C4L) with Virtual Server Farm, EMC CX300 (Processing SAN) and NAS (using VCB & Vranger); Back-Up Data Centre TELECITY REDBUS with Virtual Server Farm, EMC CX300 (Processing SAN) and EMC CX500 (Replication SAN); MAIDENHEAD; Chessington NOC. Links: 50MB IP Transit (Murphx), 20MB IP Transit (C4L), 1GB VLAN (Management), 100MB VLAN (client traffic), 20MB VLAN (IP Transit, C4L), 100MB VLAN (SAN copy & FTP, C4L); BGP Routers and Juniper Firewalls at each site.]

In summary the service includes:

ISO27001 conformance via Tier 3+ Multiple Data Centres

ISO 9600 conformance via Tier 3+ Multiple Data Centres

ISO14000 conformance via Tier 3+ Multiple Data Centres

PCI Compliancy via Tier 3+ Multiple Data Centres

CBR compliance via Tier 3+ Multiple Data Centres

One Hour replication of the complete V-LAN (virtual switch, firewall, servers and data) to Secondary Back data centres (DC), in the event of a disaster at Primary DC complete DC restore within four hours.

Individual V-LANs, servers etc. can be reproduced in minutes.

Multiple Telco connectivity (x4) to DC’s

Privately owned 20GB dark Fibre between DC’s for replication, not requiring Telco connections.

Each 1Gb of contracted SAN storage represents 3Gb of actual storage in our environment.

Security and Performance

The hosting environment is an ISO 27001 certified environment and so information security is at the heart of the network. The service utilises Trend anti-virus and anti-penetration software, and Abacus makes daily updates to reflect new information on new threats.

Penetration Testing

Abacus commissions SECforce to carry out the penetration testing set out in Appendix 5. This is contracted on an ongoing basis.

Initial Stress Testing

Abacus undertakes stress testing using:

Microsoft Web Capacity Analysis Tool

The IIS 6.0 Resource Kit Tools include WCAT 5.2. To download the IIS 6.0 Resource Kit Tools, visit the following Microsoft Web site: http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73b628-ade629c89499&DisplayLang=en

The IIS 7.0 Web Capacity Analysis tool can be downloaded from the following Microsoft Web site: http://www.iis.net/downloads/default.aspx?tabid=34&i=1466&g=6

Ongoing Performance Testing

Thereafter Abacus employs Site Confidence to monitor performance on an ongoing 24/7 basis.

Site Confidence reproduces the actions of users outside of the firewall, and reports on the performance of the key metrics, such as page display and database reaction. Abacus has provided URLs which represent the most common user actions. In our experience Site Confidence gives a comprehensive view of site web performance, enabling Abacus to spot trends and bottlenecks, and effectively plan resources for the future. Access to historic data also enables us to make decisions on the state of your services.

Monitoring/Run Book

Where it is critical that a site remains in service or is brought back to service after a failure in the shortest possible time, Abacus can offer an optional monitoring regime using the GFI Max alerting product, and an emergency out of hours response service based on a pre-agreed run book.

Problems which affect a service include:

Hardware Failures

Network Failures

Operating Software Service Failures

Application Software Failures

Abacus will configure alerts which are specific to the client, but will report when the service fails to respond in an acceptable manner to external browser actions.

Abacus will configure GFI Max to respond when predefined services fail, for example when disks near capacity or when servers fail to respond (for example mail servers, which would not be apparent to browser based testing), or when hardware elements fail, although generally back up units immediately take over the function.

The alerts are sent to the emergency centre, to the CCC hosting centre and to Abacus (within working hours).

Abacus has put in place a run book for the CCC emergency team with instructions for dealing with all but the most complex software generated problems.

Hardware and network faults are handled in concert by CCC and the data centre managers, and faulty components are replaced. If servers need to be re-started they can also fulfil this role.

Operating system failures are handled by Abacus in working hours and by the emergency team outside working hours. Generally this will require the restarting of a job or server or a reboot.

Application software failures will generally only occur when the system is first installed or a new version is loaded. In both cases Abacus or CCC will have developers on call to dial in and correct any error.

Schedule 4 - Service Level Agreement

Definitions

In this Service Level Agreement (“SLA”) the following expressions shall have the following meanings:

“Charges” The value (or pro rata value where the period of time does not equal the Measurement Period) in monetary terms paid for delivery of the Services;

"Company" means Abacus Software Limited trading as Abacus e-Media and also where the context permits its assigns and any subcontractor for the Company;

"Customer" means the person firm or company with whom a software services agreement is made by the Company whether directly or indirectly through an agent or factor who is acting for or instructed by or whose actions are ratified by such person firm or company;

"Escalation" means the process of raising awareness that an Incident response time has been exceeded or is about to be exceeded to the Customer and the Company;

“Incident” means an unexpected and/or unwanted event that stops a user performing a previously available function or activity;

“Incident Commencement” the time at which an Incident is acknowledged by the Company after being reported by the Customer;

"Measurement Period" one (1) calendar month;

"Service" means the services to be provided by the Company to the Customer under the terms of the DCS Agreement and "Services" shall be construed accordingly;

“Service Availability” the period of time that the service is actually available to the customer;

“Service Availability Target” the period of time expressed as a percentage of the maximum theoretical time during which the Service could be available;

“Service Credits” credit notes due to the Customer as a result of Service downtime;

“3rd Party” a software vendor, service provider, hardware vendor that is not affiliated to the Company.

Service Availability

The Company’s performance targets aim to achieve the Service Availability Target as a minimum against Services in terms of the percentage time available over a Measurement Period. Service Availability and Service Availability Targets are documented per Service or set of Services as a whole as defined in the Company’s service descriptions and/or Customer Support Services Agreement.

The Service Availability Target will be 99.8% for the following during any Measurement Period:

The service infrastructure including network and backbone

The core Recruit software supporting the administration and management of vacancies

The base job site web pages excluding any customised components

As part of the SLA Abacus will commission SECFORCE or other appropriate organisation to undertake Penetration Testing on an ongoing basis and will commit to implement any tasks recommended as a result of those reports.

Abacus will also provide the relevant virus protection software and will continue to provide the services described in the SAAS Infrastructure section above.

Service Availability will be calculated on the following basis:

Service Availability calculation shall only include periods of unavailability where the cause of any failure is the sole and direct responsibility of the Company and/or its appointed subcontractors.

Service Availability calculations shall not include Scheduled Service Time.

Service Availability calculations shall only include Incidents, where those Incidents have had downtime in excess of 30 minutes. If in any one day, the sum of downtime from all incidents is in excess of 30 minutes, the sum of all downtime for that day will be included in availability calculations for the SLA measurement period.
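The three calculation rules above applied to a constructed month of incidents, as an added example that is not part of the SLA. The 30-minute daily rule, the exclusion of Scheduled Service Time and of failures not caused by the Company, the one-month Measurement Period and the 99.8% target come from the text; the incident records are sample data, and treating Scheduled Service Time as simply not counted as downtime is an assumption.

```python
"""Service Availability under the SLA rules above (added example, not part of
the SLA). Incident records below are constructed sample data."""
import calendar
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

TARGET_PERCENT = 99.8                      # Service Availability Target
DAILY_THRESHOLD = timedelta(minutes=30)    # per-day downtime that triggers counting


@dataclass
class Incident:
    start: datetime
    end: datetime
    company_caused: bool      # sole and direct responsibility of the Company / subcontractors
    scheduled: bool = False   # Scheduled Service Time is never counted as downtime


def split_by_day(inc):
    """Yield (date, downtime) pieces so an Incident spanning midnight is
    attributed to each calendar day it actually occupied."""
    cur = inc.start
    while cur < inc.end:
        d = cur.date()
        next_midnight = datetime(d.year, d.month, d.day) + timedelta(days=1)
        piece_end = min(inc.end, next_midnight)
        yield d, piece_end - cur
        cur = piece_end


def counted_downtime(incidents, year, month):
    """Downtime that enters the availability figure for one Measurement Period."""
    per_day = defaultdict(timedelta)
    for inc in incidents:
        if inc.scheduled or not inc.company_caused:
            continue                      # excluded outright by the SLA
        for day, dt in split_by_day(inc):
            if (day.year, day.month) == (year, month):
                per_day[day] += dt
    # A day is counted only when its summed downtime exceeds 30 minutes, and
    # then the whole day's downtime counts, not just the excess over 30 minutes.
    return sum((dt for dt in per_day.values() if dt > DAILY_THRESHOLD), timedelta())


def availability_percent(incidents, year, month):
    """Percentage of the calendar month (the Measurement Period) available."""
    period = timedelta(days=calendar.monthrange(year, month)[1])
    return round(100 * (1 - counted_downtime(incidents, year, month) / period), 3)


def meets_target(incidents, year, month):
    return availability_percent(incidents, year, month) >= TARGET_PERCENT


def sample_incidents():
    """Constructed June 2012 log: two short outages on one day that together
    pass 30 minutes, a scheduled window, a client-side fault, an outage that
    straddles midnight (20 minutes either side, so never counted), and one
    long outage."""
    T = datetime
    return [
        Incident(T(2012, 6, 3, 10, 0), T(2012, 6, 3, 10, 20), True),
        Incident(T(2012, 6, 3, 15, 0), T(2012, 6, 3, 15, 15), True),
        Incident(T(2012, 6, 10, 2, 0), T(2012, 6, 10, 3, 0), True, scheduled=True),
        Incident(T(2012, 6, 12, 9, 0), T(2012, 6, 12, 10, 0), False),
        Incident(T(2012, 6, 20, 23, 40), T(2012, 6, 21, 0, 20), True),
        Incident(T(2012, 6, 25, 8, 0), T(2012, 6, 25, 9, 30), True),
    ]


if __name__ == "__main__":
    incs = sample_incidents()
    print(counted_downtime(incs, 2012, 6),
          availability_percent(incs, 2012, 6), meets_target(incs, 2012, 6))
```

With the 99.8% target a 30-day month allows 86.4 minutes of counted downtime, so the 125 minutes in the sample miss the target while the same month without the 90-minute outage meets it.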

Service Credits shall be accrued monthly in arrears and will be paid in accordance with the Company’s refund payments policy below.

The Company’s responsibility ends at the perimeter of the Company’s Network and with the software components described above.

Service Availability will be monitored & measured by the Company and Service Availability Target achievement or otherwise will be detailed as part of the reporting arrangements. Where the Service Availability Target is not achieved the sole remedy of the Customer is to request Service Credits.

Incident Priority Definitions

Severity Codes

The following characteristics are used to identify the severity of a problem report:

* Availability of the service to public users

* Availability of the service to admin users

* Where relevant, the number of clients affected

* Whether workarounds are available

* Acceptable resolution time

It is not necessary (nor is it likely) to have a perfect match of each characteristic to categorize a problem report at a particular severity level. A given problem must be judged against each of the characteristics to make an overall assessment of which severity level best describes the problem. The Company and the Customer will jointly determine the initial severity rating for a call. The Company may then negotiate with the Customer to modify this severity after the report is elevated to them.

The characteristics below do not cover work requests. Severity levels for work requests may carry a different set of characteristics and weightings. Work requests are not covered as part of this service level agreement.

The characteristics are assessed per severity level as follows. The workaround characteristic carries the heaviest weighting of the characteristics for Severity 1 and Severity 2.

Severity 1 (Critical)

Business exposure: The service is unavailable to or unusable by public users.

Number of clients affected: The infrastructure failure affects a large number of clients.

Workaround: There is no acceptable workaround to the problem (i.e., the job cannot be performed in any other way).

Response time: Within four hours.

Severity 2 (High)

Business exposure: The service is unavailable or unusable by admin users.

Number of clients affected: The infrastructure failure affects a large number of clients.

Workaround: There is an acceptable and implemented workaround to the problem.

Severity 3 (Medium)

Business exposure: The service has problems which are inconveniencing a number of public or admin users.

Number of clients affected: The infrastructure failure affects a small number of clients.

Workaround: There may or may not be an acceptable workaround to the problem (i.e., the job can be performed in some other way).

Severity 4 (Low)

Business exposure: The service has minor or cosmetic issues.

Number of clients affected: The infrastructure failure may only affect one or two clients.

Workaround: There is likely an acceptable workaround to the problem.

Response time: Within 1 week.

Incident Completion

An Incident is completed when it is resolved either by the Company or collectively with associated partners. The Company is responsible for the updating of the associated Incident management system with the accurate time of Service restoration and/or completion time.

Escalation Policy

Where an Incident cannot be resolved in the first instance, it will be escalated for resolution as follows:

Escalation #1 to Support Manager

Escalation #2 to a Project Director

Escalation #3 to the Managing Director

Escalation is an internal function to raise awareness of a particular Incident within the Company. The Customer cannot request Escalation of an Incident. All contact regarding an Incident is to be made via the service desk; the Customer shall not automatically have direct contact with the Escalation contacts detailed above.

SLA Exclusions

This Service Level Agreement will not apply where an Incident is due to it being:

A cause beyond the Company’s reasonable control;

A suspension of the Service in accordance with the Service Agreement;

A fault on the Customer's network or own equipment configuration;

An Incident caused within the Customer’s own infrastructures or configuration of said infrastructures causing the suspension of the Service and/or hardware failure;

A fault/bug in the Customer’s software such as firmware, operating system, infrastructure software or the Customer’s own infrastructures or configuration of said infrastructures causing suspension of the Services and/or hardware failure;

Incidents caused by any 3rd Party, where the 3rd Party is not appointed or under the direct control of the Company;

Scheduled or notified downtime;

Disabling of any monitoring traps, management agents, default user accounts or any other tools used by the Company to monitor the Service by the Customer;

Failure to notify the Company of remote hands or access requests, which in turn cause a Service outage;

Any Incidents caused by the Customer’s own management of the Service;

Downtime caused by 3rd Party not appointed by or under the direct control of the Company;

Downtime due to Force Majeure or other reasons not within the responsibility of the Company;

3rd Party network issues or suspensions;

Downtime caused by the Customer accessing the Service over the internet, where the downtime is directly attributable to the public network itself.

The accumulated time from Incident Commencement to resolution shall exclude:

Any time where the Company is awaiting information from the Customer or awaiting Customer confirmation that the Service has been restored (please note it is the Company's policy to suspend or close a call where the Company has not received a response with information within 72 hours of request by the Company); and

Where a 3rd Party is not appointed by or under the direct control of the Company, any time where the Company is awaiting response/action from that 3rd Party or awaiting 3rd Party confirmation that the Service has been restored.

Scheduled Service Time

All Services are scheduled to be available 24 hours per day, 7 days a week. From time to time it will be necessary for the Company to schedule maintenance tasks, which may cause a disruption to the Service. The Company will use reasonable endeavours to provide a minimum of 72 hours' notice before conducting such planned Service-affecting maintenance, but does not guarantee it will always be able to do so.

Operating systems support is available Monday to Friday between the hours of 9.00 and 17.30 (Bank Holidays excepted), unless otherwise agreed and contracted for.

In order to perform scheduled routine maintenance, software and hardware upgrades, etc., a system downtime ("Maintenance Window") is reserved. This Maintenance Window will be from 9pm to Midnight, Monday to Sunday. When it is reasonably practical to do so, the Company will schedule any Service-affecting maintenance activity to fall within a Maintenance Window.

Any maintenance requested by a 3rd Party should normally be performed during the same Maintenance Window; however, the Company cannot provide a guarantee if a 3rd Party schedules maintenance outside of the Company's reasonable control.

Emergency maintenance, updates, etc. will be scheduled on a case-by-case basis; in the case of emergency maintenance it may not be practicable to provide any prior notice.

Reporting Arrangements

Monthly reports will be provided by the Company to the Customer covering the following areas:

What service outages have occurred during the period, including:

• Description of any outage;

• Dates and times of occurrence and rectification;

• Actions to be taken to ensure SLA targets are met.

Service Credits

Service Credits shall be accrued in each Measurement Period where the Company fails to achieve the Service Availability Target. Service Credits shall not be accrued for failure to meet incident management performance targets.

The Company will issue a credit note equivalent to 5% of the prorated Charges for each 60 minutes of down time, up to a maximum of 50% of the prorated Charges for the affected Service.
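The availability rules above (Company-attributable outages only, Scheduled Service Time excluded, a day's downtime counted only when it exceeds 30 minutes in total) and the credit rule (5% of the prorated Charges per 60 minutes, capped at 50%) are easy to misapply by hand, particularly for an outage that straddles midnight or the nightly 9pm-to-midnight Maintenance Window. The following calculator is an added example written for this page; it is not the Company's own tooling. It assumes, because the page does not state them, a Service Availability Target of 99.9%, that the Maintenance Window is removed from both the scheduled time and the measured downtime, and that "each 60 minutes" means each complete hour of counted downtime. The incidents are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, time

# Values taken from the SLA text
MAINT_START = time(21, 0)        # Maintenance Window runs 9pm to midnight daily
DAILY_THRESHOLD_MIN = 30.0       # a day counts only if its downtime exceeds 30 minutes
CREDIT_PER_HOUR = 0.05           # 5% of prorated Charges per 60 minutes of downtime
CREDIT_CAP = 0.50                # capped at 50% of prorated Charges
# Assumption (not stated on the page): the Service Availability Target
AVAILABILITY_TARGET_PCT = 99.9


@dataclass
class Incident:
    start: datetime
    end: datetime
    company_fault: bool = True   # False = 3rd party / Customer cause, excluded by the SLA


def _split_by_day(start, end):
    """Yield (date, piece_start, piece_end) with the interval cut at midnight."""
    cur = start
    while cur < end:
        next_midnight = datetime.combine(cur.date() + timedelta(days=1), time.min)
        piece_end = min(end, next_midnight)
        yield cur.date(), cur, piece_end
        cur = piece_end


def _unscheduled_minutes(start, end):
    """Minutes of a same-day interval that fall before the 9pm Maintenance Window."""
    maint_start = datetime.combine(start.date(), MAINT_START)
    counted_end = min(end, maint_start)
    return max(0.0, (counted_end - start).total_seconds() / 60)


def counted_downtime(incidents):
    """Downtime that enters the availability calculation under the SLA rules."""
    per_day = {}
    for inc in incidents:
        if not inc.company_fault:
            continue                       # only Company-attributable outages count
        for day, s, e in _split_by_day(inc.start, inc.end):
            per_day[day] = per_day.get(day, 0.0) + _unscheduled_minutes(s, e)
    # a day's downtime is included in full only when its total exceeds 30 minutes
    return sum(m for m in per_day.values() if m > DAILY_THRESHOLD_MIN)


def availability_pct(incidents, period_start, period_end):
    """Availability over a measurement period, Maintenance Window excluded (assumption)."""
    days = (period_end - period_start).days
    scheduled_minutes = days * 24 * 60 - days * 180   # 3-hour window removed each day
    return 100.0 * (scheduled_minutes - counted_downtime(incidents)) / scheduled_minutes


def service_credit(down_minutes, prorated_charges):
    """Credit note value: 5% per complete hour, capped at 50% (assumed rounding)."""
    complete_hours = int(down_minutes // 60)
    fraction = min(CREDIT_PER_HOUR * complete_hours, CREDIT_CAP)
    return round(prorated_charges * fraction, 2)


def monthly_credit(incidents, period_start, period_end, prorated_charges):
    """Credit is only accrued in a period where the target is missed."""
    if availability_pct(incidents, period_start, period_end) >= AVAILABILITY_TARGET_PCT:
        return 0.0
    return service_credit(counted_downtime(incidents), prorated_charges)


# Constructed sample incidents for July 2012 (not real outage records)
SAMPLE_INCIDENTS = [
    Incident(datetime(2012, 7, 3, 10, 0), datetime(2012, 7, 3, 10, 20)),               # 20 min: below daily threshold
    Incident(datetime(2012, 7, 10, 14, 0), datetime(2012, 7, 10, 14, 25)),             # 25 min ...
    Incident(datetime(2012, 7, 10, 16, 0), datetime(2012, 7, 10, 16, 15)),             # ... +15 = 40 min, whole day counts
    Incident(datetime(2012, 7, 15, 20, 20), datetime(2012, 7, 15, 22, 30)),            # only 20:20-21:00 counts = 40 min
    Incident(datetime(2012, 7, 20, 9, 0), datetime(2012, 7, 20, 12, 30), False),       # 3rd party cause: excluded
    Incident(datetime(2012, 7, 25, 23, 0), datetime(2012, 7, 26, 1, 30)),              # 23:00-00:00 in window; 90 min on the 26th
]
PERIOD_START, PERIOD_END = datetime(2012, 7, 1), datetime(2012, 8, 1)

if __name__ == "__main__":
    print("counted downtime (min):", counted_downtime(SAMPLE_INCIDENTS))
    print("availability (%):", round(availability_pct(SAMPLE_INCIDENTS, PERIOD_START, PERIOD_END), 3))
    print("credit on 1000.00 charges:", monthly_credit(SAMPLE_INCIDENTS, PERIOD_START, PERIOD_END, 1000.0))
```

With the sample data, 170 minutes of downtime count (the 20-minute day and the third-party outage drop out, and the overnight outage contributes only the 90 minutes after midnight), giving two complete hours and therefore a 10% credit. When reconciling the Company's monthly report against your own monitoring, the daily threshold and the midnight split are the two places the figures most often diverge.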

Refund Payments

Once verified by the Company, credits will be issued to the Customer by means of a reduction in the Charges on the next invoice.

Making a Claim

The Customer must notify the Company in writing of any dispute concerning any amount refunded, or not refunded (as the case may be), within 1 calendar month of the date of notification and sent by post to:

For the Attention of Customer Services

Abacus e-Media

14-16 Regent Street

London

SW1Y 4PH

The Company shall be responsible for managing and reporting outages and periods of non-availability and shall advise when an outage has been resolved. The Company shall credit all Service Credits to the Customer's account and net them off against the next invoice.

Schedule 5 – SECFORCE Pen Testing

Introduction

Abacus e-Media has commissioned SECforce to undertake external penetration testing on their data centre infrastructure. We attach their most recent report to this document. The environment in scope comprises the following components:

AD SaaS Web servers running MS IIS

1 MS SQL 2008R2 Database servers

1 utility servers

IP range 95.131.218.32/29

Note: The illustration shown above is for representation purposes only and is based on information received to date.

External Security

The initial security assessment included the Abacus e-Media external infrastructure. The purpose of the test is to identify if and how an attacker can gain access to sensitive systems and data from the Internet. Infrastructure in scope:

The penetration test targets the IP addresses specified in scope.

The external penetration test is a structured approach that emulates a ‘hacker’ looking to gain unauthorised access to the targeted infrastructure from outside the organization, typically via the internet.

The test is conducted from a zero-knowledge 'black box' perspective. This means that no initial information will be supplied to SECFORCE prior to testing. Additionally, if deemed necessary, testing will also be done from an authorised user perspective.

The infrastructure testing of the servers will closely follow the SECFORCE Infrastructure Testing Methodology (Appendix A), a well-tested methodology which greatly increases and ensures the thoroughness of the assessment.

Various testing techniques will be used. SECFORCE will ensure no disruptive or destructive testing is undertaken; instead, SECFORCE will report on any application or service identified as susceptible to such an attack.

During and on completion of the test SECFORCE will provide:

Periodic reporting of issues and concerns;

Ongoing support advice to highlight potential business risks during the course of the test;

The resulting report, including:

Executive summary which focuses on high risk findings and their impact to the business.

Technical report with risk-rated findings and recommendations, which identifies the high/medium/low issues to easily mitigate the risk in an optimum manner.

Technical summary which summarises the findings and recommendations.

The SAAS Environment

This is the security assessment of the service and its hosting environment including Abacus e-Media client’s external web applications. The purpose of the test is to identify if and how an attacker can gain access to sensitive systems and data from the Internet.

The web application penetration test uses a structured approach that emulates a ‘hacker’ looking to gain unauthorised access to the targeted infrastructure from outside the organization, typically via the internet.

The test is conducted from a zero-knowledge 'black box' perspective. This means that no initial information will be supplied to SECFORCE prior to testing. Additionally, if deemed necessary, testing will also be done from an authorised user perspective.

The infrastructure testing of the servers closely follows the SECFORCE Infrastructure Testing Methodology (Appendix A), a well-tested methodology which greatly increases and ensures the thoroughness of the assessment.

The application testing follows the OWASP methodology and will cover, among other things, the OWASP Top 10 issues.

Various testing techniques are used. SECFORCE reports on any application or service identified as susceptible to such an attack.

During and on completion of the test SECFORCE provide:

Periodic reporting of issues and concerns;

Ongoing support advice to highlight potential business risks during the course of the test;

The resulting report, including:

Executive summary which focuses on high risk findings and their impact to the business.

Technical report with risk-rated findings and recommendations, which identifies the high/medium/low issues to easily mitigate the risk in an optimum manner.

Technical summary which summarises the findings and recommendations.

There is a requirement to fully understand the findings and recommendations following delivery of the report. SECFORCE provide an onsite debrief of up to half a day at the end of the technical engagement, covering the findings, recommendations and best practices.

Post Action Assessment

There is a requirement to ensure that the risk mitigating actions have been implemented properly. The aim of the retest is to identify whether the recommendations suggested in the report have been actioned successfully. To do this SECFORCE conduct a penetration retest targeting all the infrastructure specified in scope and the findings identified in the first stage of testing.

A retest is a penetration test scheduled for delivery after the recommendations are implemented.

The retest will confirm that the mitigating actions have been implemented successfully and the risk to the business has been effectively reduced.

During and on completion of the retest SECFORCE will provide:

Periodic reporting of issues and concerns;

Ongoing support advice to highlight potential business risks during the course of the retest.
