Commercial-In-Confidence

G-CLOUD FRAMEWORK SERVICE DEFINITION

Data Protection – Full Disk, Removable Media, File and Folder and Cloud Encryption Proposal

ISSUE 1, 25/6/13

Table of Contents

1 SERVICE OVERVIEW & SOLUTION
2 INFORMATION ASSURANCE
3 BACKUP/RESTORE AND DISASTER RECOVERY PROVISION
4 ON-BOARDING AND OFF-BOARDING PROCESSES
4.1 On-Boarding
4.2 Off-Boarding
5 SOPHOS SECURITY
5.1 Secure Encrypted Connection from the Client to the Application
6 PRICING
7 SERVICE MANAGEMENT DETAILS
7.1 Technical Boundary
7.2 Support Boundary
7.3 User Authorization and Roles
7.4 General Support details
8 SERVICE CONSTRAINTS
8.1 Planned Maintenance
8.2 Emergency Maintenance
9 SERVICE LEVELS
9.1 Award of Service Credits
9.2 Payment of Service Credits
10 Financial recompense
11 TRAINING
12 INVOICING PROCESS
13 TERMINATION TERMS
14 DATA EXTRACTION / REMOVAL CRITERIA
14.1 Data standards in use
14.2 Consumer generated data
14.3 Data extraction
14.4 Price of extraction
14.5 Purge & destroy
15 DATA PROCESSING AND STORAGE LOCATION(S)
16 DATA RESTORATION / SERVICE MIGRATION
17 CUSTOMER RESPONSIBILITIES
18 TECHNICAL REQUIREMENTS
19 BROWSERS
20 DETAILS OF ANY TRIAL SERVICE AVAILABLE

1 SERVICE OVERVIEW & SOLUTION

Sophos SafeGuard Enterprise provides an enterprise-class encryption solution for customers. Your users are everywhere – working from home, at business partners, at 3rd-party locations, in remote offices or in the main office. Only Sophos gives you industrial-strength encryption for your users' computers, their shared folders, removable media and data sent to the cloud.
Certifications
- Common Criteria EAL 3+
- Common Criteria EAL 4
- Uses FIPS 140-2 validated cryptography
- SafeNet eToken and EnCase enabled

Data protection everywhere that's easy to manage
- Protects all of your devices, from Windows and Mac desktops and laptops to removable media and more
- Allows authorized users to share data securely and easily
- Automatically supports Opal self-encrypting drives, manages BitLocker and applies software encryption to your Windows 7, Windows Vista and Windows XP computers, and encrypts Macs too
- Uses Active Directory to import user and device information, and to synchronize and schedule tasks
- Produces detailed logs and compliance reports on users and encrypted devices

SafeGuard Modules

Management Center
- Manages encryption for hard disks, removable media, files saved to network file shares and files sent to the cloud, all from one console
- Sets data security policies for groups and devices from a centralized, role-based management console
- Securely stores, exchanges and recovers keys across devices and operating systems with our key management feature
- Provides instant, detailed reports and audits to help you stay compliant
- Reports on both Windows and Mac computers running SafeGuard

Full Disk Encryption (Device Encryption)
- Provides transparent full-disk encryption for laptops, desktop PCs and virtual desktops
- Uses an AES-256 FIPS 140-2 cryptographic engine
- Automatically uses Opal self-encrypting drives when available
- Manages Opal, BitLocker, Windows 7, Vista, XP and virtual desktops from one central management console
- Fast initial encryption algorithm to save you time when you first encrypt your hard drive
- Provides recovery options for keys, data and forgotten passwords, even when the help desk can't be reached
- Uses your computers' multicore processors and our accelerated algorithm to encrypt and decrypt data faster
- Enables pre-boot user authentication using a password, token, smartcard, biometrics or key ring
- Provides single sign-on (SSO) for encryption and your operating system

Cloud Storage Encryption
- Uses an AES-256 FIPS 140-2 cryptographic engine
- Centralized key management; easily share and recover encrypted files
- Encrypts files uploaded to cloud storage solutions
- Allows secure data sharing wherever users access files
- Secure file readers available for iOS and Android devices

Removable / Optical Media (Data Exchange)
- Uses an AES-256 FIPS 140-2 cryptographic engine
- Users can share encrypted data easily across your organization
- Enables users to share encrypted files with business partners or colleagues, even with users not using SafeGuard Enterprise
- Removable media whitelisting to make encryption management easier and more flexible
- Makes sure only certain users or groups are able to access data
- Doesn't require any interaction from your users
- Centralizes key management
- Completely transparent encryption means a simplified workflow
- Allows system administrators to manage the network without access to the sensitive data on it
- Simplified encryption policies allow you to add or remove users without any re-encryption hassles

File Share (File and Folder Encryption)
- Uses an AES-256 FIPS 140-2 cryptographic engine
- Users can share encrypted data easily across your organization
- Enables users to access encrypted files on servers
- Makes sure only certain users or groups are able to access data saved on servers
- Doesn't require any interaction from your users
- Centralizes key management
- Completely transparent encryption means a simplified workflow
- Allows system administrators to manage the network without access to the sensitive data on it
- Simplified encryption policies allow you to add or remove users without any re-encryption hassles

SafeGuard Partner Connect
- Protects company confidentiality with a flexible and easy-to-manage solution that enforces consistent data security policies
- Offers ease of administration with the help of the cross-platform management console
- Assures compliance with centralized log reports for audit and legal requirements
- Provides full transparency of data protection across all parts of the enterprise infrastructure
- Features automated and simplified BitLocker usage, as well as key backup and emergency mechanisms for easy recovery
- Lets you centrally administer BitLocker security policies
- Enforces consistent security policies even in mixed BitLocker (Windows Vista, Windows 7 and Windows 8 [in Q4 2013]) and non-BitLocker (Windows XP and Windows 2000) environments, and full disk encryption on Mac OS X
- Provides easy recovery with central key backup and emergency mechanisms

2 INFORMATION ASSURANCE

Certifications
- Common Criteria EAL 3+
- Common Criteria EAL 4
- Uses FIPS 140-2 validated cryptography
- UK HMG CPA program started for SafeGuard Disk Encryption

3 BACKUP/RESTORE AND DISASTER RECOVERY PROVISION

Sophos SafeGuard Enterprise is installed within a customer's environment, typically on physical or virtual Windows servers.
Extensive product documentation is held within the Documentation and Knowledgebase support sections of the Sophos.com website:

SafeGuard Enterprise - http://www.sophos.com/en-us/support/documentation/safeguardenterprise.aspx#
SQL Database Best Practice - http://www.sophos.com/en-us/support/knowledgebase/113001.aspx

See sgn_6 recovery.pdf for more details on recovery. Sophos recommends engaging with a partner or Sophos Professional Services for complex environments.

4 ON-BOARDING AND OFF-BOARDING PROCESSES

4.1 On-Boarding

New Sophos customers will receive a license schedule which contains all the updating and licensing information required to download, install and update Sophos solutions for the period of the license. Most Sophos licenses are sold as subscriptions, typically for 1, 2, 3 and 5 year periods. However, some solutions including SafeGuard can be purchased as a perpetual license with a maintenance renewal.

Sophos solutions are generally installed within the customer's own environment on their own server infrastructure. These servers are either physical or virtual, running a Windows OS.

To download Sophos software, a "MySophos" account will need to be created on the Sophos.com website. When created, this MySophos account will ask for various details about the license, which will then give the creator the ability to download licensed software and updates for the period of the license.

The Sophos website also includes all support documentation and knowledgebase articles, plus a Getting Started section which provides important information relating to system requirements and hints and tips for successful installations: http://www.sophos.com/en-us/support/resource-centers/gettingstarted.aspx. We also have a YouTube channel: http://www.youtube.com/user/SophosGlobalSupport

Sophos would recommend Partner or Sophos Professional Services to help customers get up and running quicker. Depending on the exact requirements and scope, this could take the form of a remote session, server install and training, or full installation and competitive AV product removal. All customers are entitled to 24x7 Technical Support directly from Sophos via phone, web and email.

4.2 Off-Boarding

For software purchased via subscription, if the subscription ends then all updates will cease and the software must be uninstalled from all devices using the software. For software purchased via a perpetual license, the customer owns the software, but access to support and maintenance releases will be blocked unless the on-going maintenance payment is made. As with any full-disk encryption product, encrypted devices should be decrypted (or their keys exported and retained) before the client is uninstalled; otherwise the data on them is no longer accessible.

5 SOPHOS SECURITY

As noted above, Sophos solutions are generally installed within the customer's own environment on their own server infrastructure; therefore Sophos and Sophos employees do not have any access to this infrastructure. To protect customer data within the Sophos solutions, many of our products include role-based administration and auditing of events such as log on, log off and policy change. This ensures that data integrity is maintained and that any change to the policy configuration is logged.

5.1 Secure Encrypted Connection from the Client to the Application

The connection between the SafeGuard Enterprise Server and the SafeGuard Enterprise managed computer may be secured either by SSL (port 443) or by SafeGuard-specific transport encryption (port 80). The advantage of SSL is that it is a standard protocol, and therefore a faster connection can be achieved than with SafeGuard transport encryption.

Note: We strongly recommend that you use SSL-encrypted communication in this case, except for demo or test setups. If, for some reason, this is not possible and SafeGuard-specific encryption is used, there is an upper limit of 1000 clients that can connect to a single server instance. Before activating SSL in SafeGuard Enterprise, a working SSL environment needs to be set up: in practice the server must present a certificate that the managed computers trust, that matches the server name they are configured to contact, and that is within its validity period.
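As an added check that is not part of the Sophos service definition: the note above requires a working SSL environment before SSL communication is switched on, which in practice means the SafeGuard Enterprise Server's certificate validates against the clients' trust store, matches the hostname the clients are configured with, and is within its validity period. The Python script below, using only the standard library, handshakes with the server on port 443 through a verifying context and reports those problems the way a managed computer would hit them. The server name and port are assumptions to be replaced with the values in your client configuration package, and the certificate evaluation is a pure function so it can be exercised offline against a constructed certificate.

```python
import socket
import ssl
import time

# Constructed example values (assumptions): replace with the server name and
# port that the SafeGuard client configuration package points at.
SGN_SERVER = "sgn-server.example.local"
SGN_SSL_PORT = 443


def _name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single-label wildcard such as *.corp.example.local
    matching host.corp.example.local (but not a.b.corp.example.local)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        p_labels, h_labels = pattern[2:].split("."), hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == hostname


def cert_issues(cert: dict, hostname: str, now_seconds: float) -> list:
    """Check a certificate in the dict shape returned by
    ssl.SSLSocket.getpeercert(): validity window and hostname coverage.
    Returns a list of problems; an empty list means clients will accept it,
    assuming the chain itself is trusted (the live probe checks that part)."""
    issues = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_seconds < not_before:
        issues.append("certificate not yet valid (notBefore %s)" % cert["notBefore"])
    if now_seconds > not_after:
        issues.append("certificate expired (notAfter %s)" % cert["notAfter"])

    # Names the certificate is valid for: DNS SANs, with the subject CN used
    # only when no SAN is present, as TLS clients do.
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(_name_matches(n, hostname) for n in names):
        issues.append("hostname %s not covered by certificate names %s" % (hostname, names))
    return issues


def probe_ssl_endpoint(host: str = SGN_SERVER, port: int = SGN_SSL_PORT,
                       timeout: float = 5.0) -> dict:
    """Handshake with a verifying context (chain against the local trust
    store, hostname against the certificate), then re-check the leaf
    certificate with cert_issues(). Any failure here is what a managed
    computer will see once SSL communication is activated."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "protocol": tls.version(),
                        "issues": cert_issues(cert, host, time.time())}
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain or name mismatch: clients will fail the same way.
        return {"ok": False, "issues": ["verification failed: %s" % exc.verify_message]}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "issues": ["connection failed: %s" % exc]}


if __name__ == "__main__":
    result = probe_ssl_endpoint()
    print("ok" if result["ok"] and not result["issues"] else "NOT OK", result)
```

Run it from a workstation that has the same trust store as the managed computers, not from the server itself, since a private CA installed only on the server would pass there and fail everywhere else. A clean result on port 443 is the precondition the note asks for; only then switch the client configuration package from the port 80 transport to SSL.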
6 PRICING

Include table of pricing for this service – TBC asap, price lists are being changed at the moment

7 SERVICE MANAGEMENT DETAILS

7.1 Technical Boundary

As noted above, Sophos solutions are installed within the customer's own environment on their own physical or virtual server infrastructure; therefore Sophos and Sophos employees do not have any direct access to this infrastructure. The Sophos SafeGuard solution uses IIS and SQL Server for its back-end database functionality.

7.2 Support Boundary

All customers are entitled to 24x7 Technical Support directly from Sophos via phone, web and email. If Enhanced Support (Premium or Platinum) is purchased, it includes a legally agreed Remote Access agreement that gives Support direct access to the infrastructure to help troubleshoot and resolve issues.

7.3 User Authorization and Roles

Define segregation of responsibilities and entitlements to manage services and authentication of those entitlements (e.g. encryption, IDs, passwords, limitation of access and control).

7.4 General Support details

At Sophos we take support seriously, making sure you can quickly get the expert help you need. Many of our products come with 24/7 support and upgrades as standard, and for those that don't you can simply choose the level of support your business needs. Depending on the package you choose you'll get access to engineers directly for one-to-one support by email or telephone, or simply access our comprehensive, searchable, web-based support knowledgebase. Our support is proactive, making sure you hear about the latest product news and general information on security threats and protection strategies. You'll get help with installing, configuring and upgrading our products and resolving any technical issues. We don't place limits on how much help you can get: raise as many support incidents as you need to; if you've got a problem we want to fix it.

Sophos Technical Support is delivered through three packages: Standard, Premium and Platinum. Each package ensures you get the most out of your investment and that you remain protected against increasingly complex and evolving threats. With Premium and Platinum support you can benefit from features like formal service level agreements with target response and escalation times, and a technical account manager to oversee all support activity.

We're a member of TSANet (www.tsanet.org), the worldwide vendor-neutral support alliance. This means that we can work directly with other vendors to help solve problems that involve their technologies. The SCP standard makes us part of a community of companies giving the very best service, sharing best practices and working actively together to make technical support better for everyone: http://www.sophos.com/en-us/medialibrary/PDFs/Support/sophos_support_spc_certification_en.pdf

Key benefits
- Lets you access help 24/7 via phone, web or email
- Provides assistance in your language
- Works with other vendors on cross-platform issues

An overview of our Standard, Premium and Platinum support levels is available at http://www.sophos.com/en-us/support/technical-support/support-packages.aspx

Please note that if required, Sophos can provide SC and DV cleared support engineers to Premium and Platinum customers.

All Sophos documentation can be found here: http://www.sophos.com/en-us/support/documentation.aspx

8 SERVICE CONSTRAINTS

8.1 Planned Maintenance

Sophos solutions are generally installed within the customer's own environment on their own physical or virtual server infrastructure.
To upgrade versions of Sophos solutions we provide an easy-to-follow Upgrade Centre: http://www.sophos.com/en-us/support/resource-centers/upgrade-center.aspx

As an example, upgrading from SGN 5.x to 6.x requires the following steps:
1. Upgrade the .NET Framework to version 4
2. Take the IIS servers offline
3. Close all SGN Management Centres
4. Back up the SQL database
5. Put the database into single-user mode
6. Run the upgrade SQL script
7. Put the database back into multi-user mode
8. Upgrade one Management Centre installation
9. Start the upgraded Management Centre
10. Upgrade the SGN server(s)
11. Upgrade the remaining SGN Management Centres
12. Create a new client configuration package for deployment to new clients
13. Deploy the updated client MSI to install over the existing MSI (no need to decrypt and re-encrypt)

8.2 Emergency Maintenance

9 SERVICE LEVELS

Sophos Technical Support is delivered through three packages: Standard, Premium and Platinum. Each package ensures you get the most out of your investment and that you remain protected against increasingly complex and evolving threats. With Premium and Platinum support you can benefit from features like formal service level agreements with target response and escalation times, and a technical account manager to oversee all support activity.

Response

Our technical support responds to every support incident you submit. You will receive an acknowledgement that the support incident has been registered, assigned a Severity and allocated to a support engineer. Response times are measured from the time a customer support incident is received by Sophos Technical Support to the time a response is provided.

Severity levels

All support incidents you submit are assigned a Severity by Sophos based on the information you provide. In the event that insufficient information is provided for Sophos support engineers to determine the Severity, a default of Medium Severity is assigned to the incident. The assigned Severity may be adjusted upon receipt of further incident details from the customer. The Severity levels that may be assigned are defined below.

Critical: A Critical Severity is assigned to a Sophos product problem causing a complete loss of service. Work cannot continue at all and operation is mission-critical to the customer's business. No acceptable workaround to the problem exists.

High: A High Severity is assigned to a Sophos product problem causing a significant loss of service and no acceptable workaround is available. The problem adversely impacts customer business, but operation can continue in a restricted fashion or be alternatively routed.

Medium: A Medium Severity is assigned to a Sophos product problem causing no loss, or only very minor loss, in service. The impact is an inconvenience which does not impede operation or customer business. All incidents initiated by email will be assigned Medium Severity in the first instance, except those of a Low Severity level, as defined below.

Low: A Low Severity is assigned to a question concerning the operation of a Sophos product, or a suggested change to a product or to the product documentation.

ESCALATION PROCEDURES

To provide timely and effective resolution, all submitted incidents are subject to the following escalation procedures, according to their Severity and the support service provided.

Critical severity escalation

Standard Support
- Hours 0 to 24: Sophos support engineers are involved as required to troubleshoot and resolve the problem
- Hour 24: Problem is escalated to Sophos support management. Product experts, including product and development management, are involved as required

Premium Support
- Hours 0 to 2: Sophos support engineers are involved and are actively working on resolution
- Hour 2: Problem is escalated to Sophos support management. Product experts, including product and development management, are involved as required

Platinum Support
- Hours 0 to 2: Sophos support engineers are involved and are actively working on resolution
- Hour 2: Problem is escalated to Sophos support management. Product experts, including product and development management, are involved as required
- Hour 8: Sophos executive management is involved in the escalation. A management and technical expert escalation team is put together to address and defuse the emergency situation effectively

High severity escalation

Standard Support
- As required: We escalate the problem to Sophos support management. Product experts, including product and development management, are involved as required

Premium and Platinum Support
- Hours 0 to 72: Sophos support engineers will work on the incident to provide a resolution to the problem
- Hour 72: The customer may request escalation of the incident to Sophos support management. At this time, Sophos will establish a plan to employ all reasonable efforts to correct the problem within a timeframe agreed upon between the customer and Sophos management

Medium severity escalation

In the event that a Medium Severity incident with a Sophos product worsens, or is not resolved within 30 days, customers may request that the submitted support incident be reclassified with a higher Severity.

Premium and Platinum Support
- In the event that a Medium Severity incident is not resolved within 1 week, the problem will be escalated to Sophos support management.

For more details please see "Sophos Global Support Services Definitions.pdf".

9.1 Award of Service Credits

All security vendors offer Service Level Agreements (SLAs) with targets they promise to meet. At Sophos we offer more than just a promise. With a proven track record in providing the highest level of support, our Premium and Platinum support packages include a penalty-backed SLA that gives customers Support Credits if we fail to meet the defined response time targets.
Support Credits can be redeemed when purchasing Sophos Professional Services or as money back. The table below shows the amount of Support Credits that can be earned, which is dependent upon the customer's support level (Premium or Platinum) and the severity of the support incident.

9.2 Payment of Service Credits

Support Credits are described in 9.1 above and can be redeemed when purchasing Sophos Professional Services or as money back; they are only applicable to our SLA-backed services, Premium and Platinum support.

Claiming credits
- A claim must be made within seven calendar days of Sophos Technical Support failing to meet its response time
- A claim must include the Sophos-assigned ticket number, and be provided in writing
- Only one claim for Support Credits can be made for any single support incident
- Support Credits must be redeemed within six months of being awarded
- Claims can be made through the local Sophos Account Manager
- Support Credits are only available to customers with Premium or Platinum support contracts

10 Financial recompense

The only recompense stated is against the enhanced services described in section 9.

11 TRAINING

We've been at the forefront of safer computing for more than a decade. Our highly acclaimed, hands-on training is designed to keep you secure in today's increasingly connected world. Sophos HQ in Oxfordshire includes training facilities to train and enable both end users and partners. Our training courses, run by knowledgeable professionals, offer comprehensive practical experience. We even include the use of computers, with one PC provided per attendee. Sophos provides courses for all of our solutions; please see http://www.sophos.com/en-us/aboutus/training/locations/uk-abingdon-training-ctr.aspx for more details.

Sophos Professional Services can also be used to train IT teams as part of a scoped deployment project. Some Sophos Partners can also offer training for end users and IT administrators.

12 INVOICING PROCESS

Although Sophos has a direct relationship with our customers, all quoting and ordering is via our Channel Partners. These are typically your existing IT Partner or VAR, but for new customers we also have a partner locator tool: http://www.sophos.com/en-us/partners/partnerlocator.aspx

13 TERMINATION TERMS

All legal license agreements can be found here - http://www.sophos.com/en-us/legal.aspx
End User License Agreement - http://www.sophos.com/en-us/legal/sophos-end-user-license-agreement.aspx

The customer acknowledges that it has purchased the Services for the Minimum Period and any Renewal Term(s), as defined in the Certificate or Order Summary.

14 DATA EXTRACTION / REMOVAL CRITERIA

14.1 Data standards in use

Define data standards/formats in use when managing, manipulating or enriching data/datasets. Include the scope of data types used, e.g. structured/unstructured data.

14.2 Consumer generated data

Define commitments for return of consumer generated data.

14.3 Data extraction

Define formats/standards employed, with examples of their use in your services.

14.4 Price of extraction

Describe any impact on service costs associated with accessing existing data for the purpose of managing or using it within new services.

14.5 Purge & destroy

Declare commitments for purging/deleting/destroying data and the extent to which that removal takes place, e.g. media, storage, computers etc.

15 DATA PROCESSING AND STORAGE LOCATION(S)

Define locations for storage of data, management of that data, and any communications/transfer of data outside the territory of operation.

16 DATA RESTORATION / SERVICE MIGRATION

Define obligations to restore data/migrate services in the event of a material degradation in service, including planned/unplanned outages.

17 CUSTOMER RESPONSIBILITIES

http://www.sophos.com/en-us/legal/sophos-end-user-license-agreement.aspx - this is the Sophos End User Licence Agreement, in which all responsibilities and clauses are laid out.

18 TECHNICAL REQUIREMENTS

All system requirements can be found here: http://www.sophos.com/en-us/support/knowledgebase/118646.aspx
Sophos Disk Encryption for Mac system requirements - http://www.sophos.com/en-us/support/knowledgebase/118648.aspx

19 BROWSERS

Not applicable. The SGN Management Centre is a Windows application.

20 DETAILS OF ANY TRIAL SERVICE AVAILABLE

Many Sophos solutions and suites are available as free trials; we recommend you contact your IT Partner or Sophos directly so we can best assist during any trial.