Service definition

Commercial-In-Confidence
G-CLOUD FRAMEWORK
SERVICE DEFINITION
Data Protection – Full Disk, Removable Media, File and Folder
and Cloud Encryption
Proposal
ISSUE 1
25/6/13
Table of Contents
1 SERVICE OVERVIEW & SOLUTION
2 INFORMATION ASSURANCE
3 BACKUP/RESTORE AND DISASTER RECOVERY PROVISION
4 ON-BOARDING AND OFF-BOARDING PROCESSES
4.1 On-Boarding
4.2 Off-Boarding
5 SOPHOS SECURITY
5.1 Secure Encrypted Connection from the Client to the Application
6 PRICING
7 SERVICE MANAGEMENT DETAILS
7.1 Technical Boundary
7.2 Support Boundary
7.3 User Authorization and Roles
7.4 General Support details
8 SERVICE CONSTRAINTS
8.1 Planned Maintenance
8.2 Emergency Maintenance
9 SERVICE LEVELS
9.1 Award of Service Credits
9.2 Payment of Service Credits
10 Financial recompense
11 TRAINING
12 INVOICING PROCESS
13 TERMINATION TERMS
14 DATA EXTRACTION /REMOVAL CRITERIA
14.1 Data standards in use
14.2 Consumer generated data
14.3 Data extraction
14.4 Price of extraction
14.5 Purge & destroy
15 DATA PROCESSING AND STORAGE LOCATION(S)
16 DATA RESTORATION / SERVICE MIGRATION
17 CUSTOMER RESPONSIBILITIES
18 TECHNICAL REQUIREMENTS
19 BROWSERS
20 DETAILS OF ANY TRIAL SERVICE AVAILABLE
1 SERVICE OVERVIEW & SOLUTION
Sophos Safeguard Enterprise provides an enterprise class encryption solution for customers.
Your users are everywhere – working from home, business partners, 3rd party locations, remote
offices or the main office. Only Sophos gives you industrial-strength encryption for your users’
computers, their shared folders, removable media and to the cloud.
Certifications
- Common Criteria EAL 3+
- Common Criteria EAL 4
- Uses FIPS 140-2 validated cryptography
- SafeNet eToken and EnCase enabled
Data protection everywhere that’s easy to manage
- Protects all of your devices from Windows and Mac desktops, laptops to removable media
  and more
- Allows authorized users to share data securely and easily
- Automatically supports Opal self-encrypting drives, manages BitLocker and applies software
  encryption to your Windows 7, Windows Vista and Windows XP computers, and encrypts
  Macs too
- Uses Active Directory to import user and device information, synchronize and schedule tasks
- Produces detailed logs and compliance reports on users and encrypted devices
SafeGuard Modules
Management Center
- Manages encryption for hard disks, removable media, files saved to network file shares and to
  the cloud—all from one console
- Sets data security policies for groups and devices from a centralized, role-based management
  console
- Securely stores, exchanges and recovers keys across devices and operating systems with
  our key management feature
- Provides instant, detailed reports and audits to help you stay compliant
- Reports on both Windows and Mac computers running SafeGuard
Full Disk Encryption (Device Encryption)
- Provides transparent full-disk encryption for laptops, desktop PCs and virtual desktops
- Uses an AES 256-bit FIPS 140-2 Cryptographic Engine
- Automatically runs Opal self-encrypting drives when available
- Manages Opal, BitLocker, Windows 7, Vista, XP and virtual desktops from one central
  management console
- Fast initial encryption algorithm to save you time when you first encrypt your hard drive
- Provides recovery options for keys, data and forgotten passwords, even when the help desk
  can't be reached
- Uses your computers' multicore processor and our accelerated algorithm to encrypt and
  decrypt data faster
- Enables pre-boot user authentication using a password, token, smartcard, biometrics or key
  ring
- Provides single sign-on (SSO) for encryption and your operating system
Cloud Storage Encryption
- Uses an AES 256-bit FIPS 140-2 Cryptographic Engine
- Centralized key management
- Easily share and recover encrypted files
- Encrypts files uploaded to cloud storage solutions
- Allows secure data sharing wherever users access files
- Secure file readers available for iOS and Android devices
Removable / Optical Media (Data Exchange)
- Uses an AES 256-bit FIPS 140-2 Cryptographic Engine
- Users can share encrypted data easily across your organization
- Enables users to share encrypted files with business partners or colleagues, even with users
  not using SafeGuard Enterprise
- Removable media whitelisting to make encryption management easier and more flexible
- Makes sure only certain users or groups are able to access data
- Doesn’t require any interaction from your users
- Centralizes key management
- Completely transparent encryption means a simplified workflow
- Allows system administrators to manage the network without access to sensitive data on it
- Simplified encryption policies allow you to add or remove users without any re-encryption
  hassles
File Share (File and Folder Encryption)
- Uses an AES 256-bit FIPS 140-2 Cryptographic Engine
- Users can share encrypted data easily across your organization
- Enables users to access encrypted files on servers
- Makes sure only certain users or groups are able to access data saved on servers
- Doesn’t require any interaction from your users
- Centralizes key management
- Completely transparent encryption means a simplified workflow
- Allows system administrators to manage the network without access to sensitive data on it
- Simplified encryption policies allow you to add or remove users without any re-encryption
  hassles
SafeGuard Partner Connect
- Protects company confidentiality with a flexible and easy-to-manage solution that enforces
  consistent data security policies
- Offers ease of administration with the help of the cross-platform management console
- Assures compliance with centralized log reports for audit and legal requirements
- Provides full transparency of data protection across all parts of the enterprise infrastructure
- Features automated and simplified BitLocker usage, as well as key backup and emergency
  mechanisms for easy recovery
- Lets you centrally administer BitLocker security policies
- Enforces consistent security policies even in mixed BitLocker (Windows Vista, Windows 7 and
  Windows 8 [in Q4 2013]) and non-BitLocker (Windows XP and Windows 2000) environments
  and full disk encryption on Mac OS X
- Provides easy recovery with central key backup and emergency mechanisms
2 INFORMATION ASSURANCE
Certifications
- Common Criteria EAL 3+
- Common Criteria EAL 4
- Uses FIPS 140-2 validated cryptography
- UK HMG CPA program started for SafeGuard Disk Encryption
3 BACKUP/RESTORE AND DISASTER RECOVERY PROVISION
Sophos Safeguard Enterprise is installed within a customer’s environment typically on Physical or
Virtual Windows Servers.
Extensive product documentation is held within the Documentation and Knowledgebase support
sections on the Sophos.com website:
- Safeguard Enterprise - http://www.sophos.com/en-us/support/documentation/safeguardenterprise.aspx#
- SQL Database Best Practice - http://www.sophos.com/en-us/support/knowledgebase/113001.aspx
See sgn_6 recovery.pdf for more details on recovery.
Sophos recommends engaging with a partner or Sophos Professional Services for complex
environments.
4 ON-BOARDING AND OFF-BOARDING PROCESSES
4.1 On-Boarding
New Sophos customers will receive a license schedule which contains all the updating / licensing
information required to download, install and update Sophos solutions for the period of the license.
Most Sophos licenses are sold as subscriptions, typically for 1, 2, 3 and 5 year periods. However,
some solutions, including SafeGuard, can be purchased as a perpetual license with a maintenance
renewal.
Sophos solutions are generally installed within the customer's own environment on their own server
infrastructure. These servers are either physical or virtual, running Windows OS.
To download Sophos software, a “MySophos” account will need to be created on the Sophos.com website.
When created, this MySophos account will ask for various details about the license, which will then
provide the creator with the ability to download licensed software and updates for the period of the
license.
The Sophos web site also includes all support documentation and knowledgebase articles, plus a
Getting Started section which provides important information relating to system requirements or hints and
tips for successful installations: http://www.sophos.com/en-us/support/resource-centers/gettingstarted.aspx
We also have a YouTube channel: http://www.youtube.com/user/SophosGlobalSupport
Sophos would recommend Partner or Sophos Professional Services to help customers get up and
running quicker. Depending on the exact requirements and scope, this could take the form of a
remote session, server install and training or full installation and competitive AV product removal.
All customers are entitled to 24x7 Technical support directly from Sophos via phone, web and email.
4.2 Off-Boarding
For software purchased via subscription, if the subscription ends then all updates will cease and the
software must be uninstalled from all devices using it.
For software purchased under a perpetual license, the customer owns the software, but access to support
or maintenance releases will be blocked unless the ongoing maintenance payment is made.
5 SOPHOS SECURITY
As noted above, Sophos solutions are generally installed within the customer's own environment on
their own server infrastructure. Sophos and Sophos employees therefore do not have any access to
this infrastructure.
To protect customer data within the Sophos solutions, many of our products include role-based
administration and auditing of events such as log on, log off and policy change. This ensures that
data integrity is maintained and that any change to policy configuration is logged.
5.1 Secure Encrypted Connection from the Client to the Application
The connection between the SafeGuard Enterprise Server and the SafeGuard Enterprise managed
computer may be secured either by SSL (port 443) or by SafeGuard-specific encryption (port 80). The
advantage of SSL is that it is a standard protocol and therefore a faster connection can be achieved
than with SafeGuard transport encryption.
Note: We strongly recommend that you use SSL encrypted communication in this case, except for
demo or test setups. If, for some reason, this is not possible and SafeGuard specific encryption is
used, there is an upper limit of 1000 clients that connect to a single server instance.
Before activating SSL in SafeGuard Enterprise, a working SSL environment needs to be set up.
6 PRICING
Include table of pricing for this service – TBC asap, price lists are being changed at the moment
7 SERVICE MANAGEMENT DETAILS
7.1 Technical Boundary
As noted above, Sophos solutions are installed within the customer's own environment on their own
physical or virtual server infrastructure. Sophos and Sophos employees therefore do not have any
direct access to this infrastructure.
The Sophos SafeGuard solution uses IIS and SQL for backend database functionality.
7.2 Support Boundary
All customers are entitled to 24x7 Technical support directly from Sophos via phone, web and email. If
Enhanced support (Premium or Platinum) is purchased, it offers a legally agreed Remote
Access agreement that gives support direct access to the infrastructure to help troubleshoot and
resolve issues.
7.3 User Authorization and Roles
Define segregation of responsibilities and entitlements to manage services and authentication of
those entitlements (e.g. encryption, IDs, passwords, limitation of access and control)
7.4 General Support details
At Sophos we take support seriously, making sure you can quickly get the expert help you need.
Many of our products come with 24/7 support and upgrades as standard and for those that don’t you
can simply choose the level of support your business needs.
Depending on the package you choose you’ll get access to engineers directly for one-to-one support
by email or telephone, or simply access our comprehensive, searchable, web-based support
knowledgebase. And our support is proactive making sure you hear about the latest product news and
general information on security threats and protection strategies. You’ll get help with installing,
configuring and upgrading our products and resolving any technical issues. And we don’t place limits
on how much help you can get, raise as many support incidents as you need to - if you’ve got a
problem we want to fix it.
Sophos Technical Support is delivered through three packages: Standard, Premium and Platinum.
Each package ensures you get the most out of your investment and that you remain protected against
increasingly complex and evolving threats. With Premium and Platinum support you can benefit from
features like formal service level agreements with target response and escalation times, and a
technical account manager to oversee all support activity.
We’re a member of TSANet (www.tsanet.org), the worldwide vendor-neutral support alliance. This
means that we can work directly with other vendors to help solve problems that involve their
technologies.
The SCP standard makes us part of a community of companies giving the very best service. Sharing
best practices and working actively together to make technical support better for everyone.
http://www.sophos.com/en-us/medialibrary/PDFs/Support/sophos_support_spc_certification_en.pdf
Key benefits
- Lets you access help 24/7 via phone, web or email
- Provides assistance in your language
- Works with other vendors on cross-platform issues
Please find an overview of our Standard, Premium and Platinum support levels below
http://www.sophos.com/en-us/support/technical-support/support-packages.aspx
Please note that if required, Sophos can provide SC and DV cleared support engineers to Premium
and Platinum customers.
All Sophos documentation can be found here: http://www.sophos.com/en-us/support/documentation.aspx
8 SERVICE CONSTRAINTS
8.1 Planned Maintenance
Sophos solutions are generally installed within the customer's own environment on their own physical
or virtual server infrastructure.
To upgrade versions of Sophos solutions we provide an easy-to-follow upgrade centre:
http://www.sophos.com/en-us/support/resource-centers/upgrade-center.aspx
As an example, upgrading from SGN 5.x to 6.x requires the following steps:
- Upgrade .NET Framework to version 4
- Take the IIS servers offline
- Close all SGN Management Centres
- Back up the SQL database
- Put the DB into Single User Mode
- Run the upgrade SQL script
- Put the DB into Multi User Mode
- Upgrade one Management Centre installation
- Start the upgraded Management Centre
- Upgrade the SGN Server(s)
- Upgrade the remaining SGN Management Centres
- Create a new Client Configuration package for deployment to new clients
- Deploy the updated client MSI to install over the existing MSI (no need to decrypt and re-encrypt)
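The database steps of the upgrade sequence above (backup, Single User Mode, upgrade script, Multi User Mode), sketched in T-SQL as an added example that is not part of the original document or of Sophos documentation. The database name SafeGuardDB and the backup path are placeholders, and the vendor's upgrade script itself is not reproduced.

```sql
-- Added example. [SafeGuardDB] and the backup path are placeholders:
-- substitute the real database name and a protected backup location.
-- GO is the batch separator used by sqlcmd and SSMS.
USE master;
GO

-- Back up the SQL database. CHECKSUM validates page checksums while
-- reading; COPY_ONLY leaves the regular backup chain untouched.
BACKUP DATABASE [SafeGuardDB]
    TO DISK = N'D:\Backup\SafeGuardDB_pre_upgrade.bak'
    WITH INIT, CHECKSUM, COPY_ONLY,
         NAME = N'SafeGuardDB pre-upgrade full backup';
GO

-- Confirm the backup file is complete and readable before changing anything.
-- Apply the same access controls to this file as to the live database.
RESTORE VERIFYONLY
    FROM DISK = N'D:\Backup\SafeGuardDB_pre_upgrade.bak'
    WITH CHECKSUM;
GO

-- Put the DB into Single User Mode. ROLLBACK IMMEDIATE disconnects other
-- sessions and rolls back their open transactions; IIS and all Management
-- Centres should already be offline at this point, so none are expected.
ALTER DATABASE [SafeGuardDB] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
GO

-- Run the vendor's upgrade SQL script here, from this same session,
-- because Single User Mode admits only one connection to the database.

-- Put the DB back into Multi User Mode once the script has completed.
ALTER DATABASE [SafeGuardDB] SET MULTI_USER;
GO

-- Check the result: user_access_desc should read MULTI_USER and
-- state_desc ONLINE before the Management Centre upgrade starts.
SELECT name, user_access_desc, state_desc
FROM sys.databases
WHERE name = N'SafeGuardDB';
GO
```

If the upgrade script fails partway, leave the database in Single User Mode until the verified backup has been restored, so that no server or Management Centre reconnects to a half-upgraded schema.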
8.2 Emergency Maintenance
9 SERVICE LEVELS
Sophos Technical Support is delivered through three packages: Standard, Premium and Platinum.
Each package ensures you get the most out of your investment and that you remain protected against
increasingly complex and evolving threats. With Premium and Platinum support you can benefit from
features like formal service level agreements with target response and escalation times, and a
technical account manager to oversee all support activity.
Response
Our technical support responds to every support incident you submit. You will receive an acknowledgement
that the support incident has been registered, assigned a Severity and allocated to a support
engineer. Response times are measured from the time a customer support incident is received by Sophos
Technical Support to the time a response is provided.
Severity levels
All support incidents you submit are assigned a Severity by Sophos based on the information you provide.
In the event that insufficient information is provided for Sophos support engineers to determine the
Severity, a default of Medium Severity is assigned to the incident. The assigned Severity may be adjusted
upon receipt of further incident details from the customer.
The Severity levels that may be assigned are defined below
Critical
A Critical Severity is assigned to a Sophos product problem causing a complete loss of service. Work
cannot continue at all and operation is mission-critical to the customer’s business. No acceptable
workaround to the problem exists.
High
A High Severity is assigned to a Sophos product problem causing a significant loss of service and no
acceptable workaround is available. The problem adversely impacts customer business, but operation can
continue in a restricted fashion or be alternatively routed.
Medium
A Medium Severity is assigned to a Sophos product problem causing no loss, or only very minor loss in
service. The impact is an inconvenience, which does not impede operation or customer business.
All incidents initiated by email will be assigned Medium Severity in the first instance, except those of a Low
Severity level, as defined below.
Low
A Low Severity is assigned to a question concerning the operation of a Sophos product, or a suggested
change to a product or to the product documentation.
ESCALATION PROCEDURES
To provide timely and effective resolution, all submitted incidents are subject to the following escalation
procedures, according to their Severity and the support service provided.
Critical severity escalation
Standard Support
Hours 0 – 24: Sophos support engineers are involved as required to troubleshoot and resolve the problem
Hour 24: Problem is escalated to Sophos support management. Product experts—including product and
development management—are involved as required
Premium Support
Hours 0 – 2: Sophos support engineers are involved and are actively working on resolution
Hour 2: Problem is escalated to Sophos support management. Product experts—including product and
development management—are involved as required
Platinum Support
Hours 0 – 2: Sophos support engineers are involved and are actively working on resolution
Hour 2: Problem is escalated to Sophos support management. Product experts—including product and
development management—are involved as required
Hour 8: Sophos executive management is involved in the escalation. A management and technical expert
escalation team is put together to address and defuse the emergency situation effectively
High severity escalation
Standard Support
As required: We escalate the problem to Sophos support management. Product experts—including
product and development management—are involved as required
Premium and Platinum Support
Hours 0 – 72: Sophos support engineers will work on the incident to provide a resolution to the problem
Hour 72: The customer may request escalation of the incident to Sophos support management. At this
time, Sophos will establish a plan to employ all reasonable efforts to correct the problem within a timeframe
agreed upon between the customer and Sophos management
Medium severity escalation
In the event that a Medium Severity incident with a Sophos product worsens, or is not resolved within 30
days, customers may request that the submitted support incident be reclassified with a higher Severity.
Premium and Platinum Support
In the event that a Medium Severity incident is not resolved within 1 week, the problem will be escalated to
Sophos support management.
For more details please see “Sophos Global Support Services Definitions.pdf”
9.1 Award of Service Credits:
All security vendors offer Service Level Agreements (SLAs) with targets they promise to meet.
At Sophos we offer more than just a promise. With a proven track record in providing the
highest level of support, our Premium and Platinum support packages include a penalty-backed
SLA that gives customers Support Credits if we fail to meet the defined response time
targets.
Support Credits can be redeemed when purchasing Sophos Professional Services or as money
back.
The table below shows the amount of Support Credits that can be earned, which is dependent
upon the customer’s support level (Premium or Platinum) and the severity of the support
incident.
9.2 Payment of Service Credits:
Support Credits are described in 9.1 above and can be redeemed when purchasing Sophos
Professional Services or as money back – they are only applicable on our SLA backed services
– premium and platinum support.
Claiming credits
- A claim must be made within seven calendar days of Sophos Technical Support failing to
  meet its response time
- A claim must include the Sophos assigned ticket number, and be provided in writing
- Only one claim for Support Credits can be made for any single support incident
- Support Credits must be redeemed within six months of being awarded
- Claims can be made through the local Sophos Account Manager
- Support Credits are only available to customers with Premium or Platinum support
  contracts.
10 Financial recompense
The only recompense stated is against the enhanced services described in section 9.
11 TRAINING
We've been at the forefront of safer computing for more than a decade. Our highly acclaimed, hands-on
training is designed to keep you secure in today's increasingly connected world. Sophos HQ in
Oxfordshire includes training facilities to train and enable both end users and partners.
Our training courses, run by knowledgeable professionals, offer comprehensive practical experience.
We even include the use of computers, with one PC provided per attendee.
Sophos provide courses for all of our solutions; please see http://www.sophos.com/en-us/aboutus/training/locations/uk-abingdon-training-ctr.aspx for more details.
Sophos Professional Services can also be used to train IT teams as part of a scoped deployment
project.
Some Sophos Partners can also offer training for end users and IT Administrators.
12 INVOICING PROCESS
Although Sophos has a direct relationship with our customers, all quoting and ordering is via our
Channel Partners. These are typically your existing IT Partner or VAR, but for new customers we also
have a partner locator tool: http://www.sophos.com/en-us/partners/partnerlocator.aspx
13 TERMINATION TERMS
All Legal License Agreements can be found here - http://www.sophos.com/en-us/legal.aspx
End User License Agreement - http://www.sophos.com/en-us/legal/sophos-end-user-license-agreement.aspx
The customer acknowledges that it has purchased the Services for the Minimum Period and any
Renewal Term(s), as defined in the Certificate or Order Summary.
14 DATA EXTRACTION /REMOVAL CRITERIA
14.1 Data standards in use
Define data standards/formats in use when managing, manipulating, or enriching data/datasets.
Include scope of data types used – e.g. structured/unstructured data.
14.2 Consumer generated data
Define commitments for return of consumer generated data
14.3 Data extraction
Define formats/standards employed as examples of their use in your services
14.4 Price of extraction
Describe any impact on service costs associated with accessing existing data for the purpose of
managing or using within new services
14.5 Purge & destroy
Declare commitments for purging/deleting/destroying data and the extent to which that removal takes
place – e.g. media, storage, computers etc.
15 DATA PROCESSING AND STORAGE LOCATION(S)
Define locations for storage of data, management of that data, and any communications/transfer to
data outside the territory of operation.
16 DATA RESTORATION / SERVICE MIGRATION
Define obligations to restore data/migrate services in event of a material degradation in service,
including planned/unplanned outages.
17 CUSTOMER RESPONSIBILITIES
http://www.sophos.com/en-us/legal/sophos-end-user-license-agreement.aspx - this is the Sophos End
User Licence Agreement in which all responsibilities and clauses are laid out.
18 TECHNICAL REQUIREMENTS
All System Requirements can be found here: http://www.sophos.com/en-us/support/knowledgebase/118646.aspx
Sophos Disk encryption for Mac System Requirements - http://www.sophos.com/en-us/support/knowledgebase/118648.aspx
19 BROWSERS
Not applicable. SGN Management Centre is a Windows application.
20 DETAILS OF ANY TRIAL SERVICE AVAILABLE
Many Sophos solutions and suites are available as free trials. We recommend you contact your IT
Partner or Sophos directly so we can best assist during any trials.