Gartner G-Cloud Service Definition Cloud Consulting: Cloud Security Assessment & Validation For further information on Gartner support for Cloud initiatives visit: http://www.gartner.com/technology/research/cloud-computing/services.jsp This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorised recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2014 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner Service Definition — Cloud Security Assessment & Validation Service Description Key Deliverables (Cont) Gartner will provide facilitated interactive planning sessions to help clients understand the security issues, benefits, costs, risks and vendor landscape for clients considering moving infrastructure components and services to the Cloud. These sessions have been developed to assist clients who are tasked with architecting, recommending, or implementing an organisation’s data security strategy in the Cloud. It will answer the following questions? ■ ■ ■ ■ ■ ■ ■ Key Benefits What are the security implications for your data — both at rest and in transit? What applications are supported and what service levels are appropriate and who are the leading vendors? Rethinking security programmes and processes (monitoring audit, investigations, policy) when moving Services to the Cloud Identity management, authentication, authorisation, and federation Interactive planning sessions which explores the client’s security options with the client in order to: ■ ■ This workshop was developed over many years of in-depth research and consulting. It exploits Gartner frameworks to provide independent and detailed analysis of the feasibility, value and risks for your cloud planning activities. ■ Key Deliverables ■ Gartner will charge a firm fixed price of £32,081 excl. VAT, incl. all expenses for this service Kick-off meeting to set requirements, expectations, scope and schedule A maximum of four interviews with client stakeholders to gather information required to tailor the Workshop © 2014 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. Drive consensus toward a feasible Cloud security strategy for the organisation with a high level actionable action plan Identify at a high level potential gaps between your business current state and desired state with respect to Cloud security readiness based on the explored workloads considered in the sessions Identify Cloud Security issues clearly and determine how to prepare for possible migration to Cloud services in an orderly, well-thought-out approach that does not put the organisation at undue risk Price Cloud Readiness Interactive Planning Session that provides: ■ Two day interactive planning session Relevant Gartner research and examples High-level conceptual architecture and strategy report detailing conclusions, points for development and an action plan for moving forward 1 Gartner Service Definition — Cloud Security Assessment & Validation Deliverables ■ Cloud Readiness Interactive Planning Sessions that provide: – Kick-off meeting to set requirements, expectations, scope and schedule — with a maximum of four interviews with client stakeholders to gather information required to tailor the Workshop – Two day interactive planning session: • Day 1: Structured Training Format — Security Strategies for Cloud Computing • Day 2: Assess and develop strategies: - Participants describe their environments via 20 minute ‘mini presentations’ to the group - Gartner facilitates the develop a high-level conceptual architecture and strategy — if jointly deemed feasible ■ Workshop materials with supporting analysis, research, and other relevant work products ■ Workshop Report detailing Workshop conclusions, high-level conceptual architecture and strategy develop and an action plan for moving forward © 2014 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. 2 Gartner Service Definition — Cloud Security Assessment & Validation Gartner Project Team Roles ■ Gartner anticipates completion of this engagement within two weeks Head count Duration Per SFIA level 6 1 2 Client Project Team Roles Associate Director Per SFIA level 4/5 1 8 ■ Project Sponsor Senior Consultant Per SFIA level 3 1 9 ■ Project Manager Staff Director Day rate (as per rate card) Project Schedule Project Approach ■ Key stakeholders ■ Project Benefits Week 1: Project initiation ■ Conduct 4 key stakeholder interviews ■ Send a self survey with key stakeholders to scheduled workshop participants in order to capture a snapshot of the organizations overall IT infrastructure and key applications in order to tailor the Workshop ■ ■ Intensive planning session which explores security options with the client team in helping to: ■ Drive consensus toward a feasible cloud security strategy for the client with a high level action plan ■ Identify at a high level potential gaps between the client’s current and desired state with respect to cloud security readiness based on the workloads considered in the workshop Tailor the Workshop for the client focus areas with relevant Gartner Security and Risk Management Research, Market clocks, Hype Cycles and Cloud Vendor Research Week 2: Workshop Delivery ■ Delivery a two day scheduled session on-site ■ Develop Report conclusions, high-level conceptual architecture and strategy develop options and the action plan ■ Present report to executive stakeholders © 2014 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. ■ Identify Cloud Security issues clearly, and determine how to prepare for possible migration to cloud services in an orderly, well-thought-out strategy that does not put the organisation at undue risk 3 Gartner Service Definition — Cloud Security Assessment & Validation Reasons Why Others Use Gartner Prerequisites ■ Gartner created the IT Research industry 32 years ago, and our reputation speaks for itself. Gartner Research is the only IT research informed by both the technology end user and provider’s perspectives. We use our research as the basis for our Consulting solutions, methodologies and tools; and, we leverage our research and our industry-leading analysts, as needed, throughout our Consulting engagements. So, when our clients buy Gartner Consulting, they are buying Gartner Research ■ Gartner will only provide the stated service if the client cloud transformation project in question is officially approved to commence and has officially commenced Any Additional Information ■ There is no additional information related to this service ■ Articulating a clear ICT Value Proposition that is framed such that cloud opportunities are highlighted appropriately is a foundational pillar in approving and executing change. Without evidence to secure informed consent to an updated ICT Value Proposition there is a danger that Cloud opportunities are missed, or pursued for inappropriate reasons ■ A clear view of what changes to make to ensure the organisation is better able to recognise, evaluate, decide and execute on Cloud initiatives (and the rationale for making such changes) © 2014 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. 4 Gartner Service Definition — Cloud Security Assessment & Validation ■ With the exception of meetings and workshops, Gartner work will be performed at Gartner locations Assumptions ■ The client will designate a project manager as primary point of contact who will work closely with Gartner as needed and will: (a) approve priorities/task plans/schedules; (b) facilitate scheduling of interviews with personnel; (c) notify Gartner in writing of project issues and assist in their resolution ■ Offices, phones, printing/copying and Internet access will be available to Gartner at client locations ■ Gartner will use Microsoft Office for the production of any engagement documentation ■ Any requests for additional information and/or deliverables(beyond the details described in this service definition) that are made will be considered a change in scope and will be handled accordingly (see Changes to Scope). This does not apply to clarification questions ■ Client will review and approve documents within five business days. If no formal approval/rejection is received within that time, the deliverable is considered accepted ■ Client personnel will be made available per the schedule agreed in the kickoff meeting Changes to Scope ■ The due diligence (as-is) data are reasonably available via interviews and documentation review ■ The scope of the engagement is defined herein. All client requests for changes must be set forth and explained in writing. As soon as practicable, Gartner shall advise of the cost/schedule implications of requested changes and any other necessary details to allow both parties to decide whether to proceed with the requested changes. The parties shall agree in writing upon any requested changes prior to Gartner commencing work ■ Client provides timely access to personnel to be interviewed. These personnel will be able to answer questions, provide documentation and attend sessions ■ Project pricing assumes that Gartner will conduct 3 remote interviews and 1 workshops (2 days) over a period of 3 days and that the client will arrange all sessions with the client’s personnel ■ As used herein, “changes” are defined as work activities or work products not originally planned for or specifically defined by this service definition ■ All data collection/interviews/workshops will take place via phone or in person as agreed at the project kickoff © 2014 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. 5 Gartner Service Definition — Cloud Security Assessment & Validation Information Assurance Backup Restore and Disaster Recovery ■ Gartner possesses analysts and consultants with various security clearances, or we will, within reason, acquire those clearances as the client demands ■ The Gartner service under discussion does not require Gartner to manage or store any critical client data. Therefore, as there is no risk to the client and no break in service that will affect the client experience, there is no applicable policy needed in relation to this specific issue ■ Gartner associates are bound by very specific rules around client confidentiality and security given that our clients reveal to us their greatest challenges and difficulties in order that we can help and support them most effectively Service Migration ■ There is no need for a Service Migration plan given the nature of the service under discussion. The client is able to complete and conclude the service without any ongoing process being required for transfer of service or information to an alternative provider or successor. At the conclusion of the service described all deliverables and any supporting information is handed over to the client Data Restoration ■ No client data is retained by Gartner as part of the client’s access to this service and therefore there is no data restoration process related to this service © 2014 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. 6 Gartner Service Definition — Cloud Security Assessment & Validation Onboarding Offboarding ■ Gartner does not offer onboarding services, however, Gartner will hold a kickoff meeting with the client to ensure understanding of the engagement objectives, scope, schedule, and milestones, roles, responsibilities and required resources for Gartner and the client. Gartner will also discuss anticipated risks and mitigation plans, based on lessons learned from past experience. Gartner will gather any relevant background material from the client ■ Gartner does not offer offboarding services, however, Gartner will close down the engagement, upon conclusion, ensuring all necessary skills and information are transferred appropriately and in a timely manner to the client © 2014 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. 7 Gartner Service Definition — Cloud Security Assessment & Validation Pricing Ordering and Invoicing Process ■ Gartner will charge a firm fixed price of £32,081 excl. VAT, incl. all expenses for this service ■ Gartner will bill for 100% of the professional fees at contract signing Financial Recompense Model ■ All invoices are payable net 30 days from date of invoice. While Gartner does not itemise billing for professional services, Gartner agrees and will comply with any reasonable requests for records substantiating our invoices ■ If a Service does not meet the specifications set out in the applicable Service Description, the breach will be handled in accordance with the Liability and Termination terms set out in the Call-Off Agreement Termination Terms (by Consumer/by the Supplier) ■ Services may be terminated without cause by the Customer on at least thirty (30) Working Days notice © 2014 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. 8 Gartner Service Definition — Cloud Security Assessment & Validation Service Management Service Constraints ■ This is not applicable to this service. The service will be managed as described under the Statement of Work component of this Service Definition ■ This is not applicable to this service Service Levels ■ This is not applicable to this service © 2014 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. 9 Gartner Service Definition — Cloud Security Assessment & Validation Training Trial Service ■ Gartner will provide Cloud Security Strategy and general project management coaching to the client's cloud transformation project manager ■ Gartner does not offer a trial service option in relation to this service Consumer Responsibilities ■ Gartner will require access to: Technical Requirements ■ Provision of the necessary resources, systems and documentation for review – Any information requested (some may be potentially sensitive) regarding the cloud transformation project electronically and/or in paper format ■ Responsible for managing logistics on client’s site for the duration of the engagement – Organizations overall IT Security infrastructure and key applications information electronically and/or in paper format ■ Assign a client Project Manager to work as a single point contact between the Gartner team and the client ■ Identify the right people for the interviews/workshops, schedule and communicate the intent of the engagement ■ Provide facilities for workshops and Gartner workspace ■ Collate and send all relevant data prior to the meeting ■ Ensure attendance at kickoff meeting and any subsequent interviews and meetings by Project Sponsor, Project Manager and other key stakeholders, as determined prior, during and post kickoff © 2014 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. 10