IBM Hosted Application Scanning

1. Summary

1.1 Service Description

IBM Hosted Application Security Services – Production Application Scanning Service (called “Services”) is designed for IBM to provide the Services Recipient with the ability to initiate and perform application scans of production environments. The Service provides access to a hosted and managed IBM environment and includes training of your personnel to help them understand the features of the Service. Scans of customer environments are performed either by IBM or by the Services Recipient depending on the details of the customer order.

The Services are intended to be leveraged to assess the security posture of an application that is in a production environment and can be assessed using non-intrusive application checks.

The size of an application directly affects the time required to properly assess the security posture of the application. For this reason, applications to be scanned under the IBM Hosted Application Security Services – Production Application Scanning are classified by application size:

• Level 1 – Small (page count <1000)

• Level 2 – Large (page count >1000)

The upper limit on the number of pages of a Level 2 application is 10,000. An application that exceeds that limit shall be considered 2 applications. Please note that form filling and login are not supported for either application size.
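A practitioner ordering the Service needs to know which size band an application falls in before the Call-Off Order is agreed. The Python below is an added example, not part of this service description and not IBM's Scanning Software: it counts distinct pages by following links only, never submitting a form or logging in (matching the constraint above), stops once the Level 2 ceiling has been passed, and maps the count onto the bands. The link graph is constructed for the example, and the counting rule it applies (same host only, fragments stripped, query-string variants kept as separate pages, exactly 1,000 pages treated as Level 2) is an assumption about how a scanner enumerates pages, not a statement of how AppScan does it.

```python
"""Size a web application for the Level 1 / Level 2 bands.

Added example; not IBM code. The link graph and the page-counting rule
(same host, fragment dropped, query string kept) are assumptions.
"""
from collections import deque
from urllib.parse import urljoin, urldefrag, urlsplit

LEVEL1_MAX = 1000    # Level 1: page count < 1000
LEVEL2_MAX = 10000   # Level 2 ceiling; above this the app counts as 2 applications


def normalise(base, href):
    """Resolve `href` against the page it was found on, drop the fragment
    (an in-page anchor is not a new page) and discard links that leave the
    application's host. Returns None for links that should not be counted."""
    absolute, _fragment = urldefrag(urljoin(base, href))
    if urlsplit(absolute).netloc != urlsplit(base).netloc:
        return None
    return absolute


def count_pages(start, fetch_links, limit=LEVEL2_MAX + 1):
    """Breadth-first walk of the link graph from `start`.

    `fetch_links(url)` returns the hrefs found on that page. Returning an
    empty list for a login page or a form target models the rule that
    form filling and login are not supported: nothing behind them is seen.
    Walking stops at `limit` distinct pages, one past the Level 2 ceiling,
    which is enough to know the application must be ordered as two."""
    seen = {start}
    queue = deque([start])
    while queue and len(seen) < limit:
        page = queue.popleft()
        for href in fetch_links(page):
            url = normalise(page, href)
            if url is None or url in seen:
                continue
            seen.add(url)
            queue.append(url)
            if len(seen) >= limit:
                break
    return len(seen)


def classify(page_count):
    """Map a page count onto the bands in the text. The text leaves exactly
    1,000 pages unassigned; treating it as Level 2 is an assumption."""
    if page_count < LEVEL1_MAX:
        return "Level 1 - Small"
    if page_count <= LEVEL2_MAX:
        return "Level 2 - Large"
    return "exceeds Level 2 limit - order as 2 applications"


def size_application(start, fetch_links):
    """Return (page_count, band) for the application rooted at `start`."""
    count = count_pages(start, fetch_links)
    return count, classify(count)


# Constructed link graph standing in for a real site: a few public pages,
# one anchor-only link, one off-host asset and a login page whose form is
# deliberately not followed.
SITE = {
    "https://app.example/": ["/about", "/products", "/products#top",
                             "https://cdn.example/lib.js", "/login"],
    "https://app.example/about": ["/", "/team"],
    "https://app.example/products": ["/products?page=2", "/about"],
    "https://app.example/products?page=2": ["/products"],
    "https://app.example/team": [],
    "https://app.example/login": [],   # nothing behind the login is counted
}


def site_links(url):
    """Link fetcher over the constructed graph (stands in for an HTTP GET)."""
    return SITE.get(url, [])


if __name__ == "__main__":
    pages, band = size_application("https://app.example/", site_links)
    print(f"{pages} distinct pages -> {band}")
```

The walk counts six pages for the constructed site (the `#top` anchor and the off-host script are discarded, `?page=2` is kept), so it is Level 1. For a real site the same walk over a very large root page returns 10,001 and the "order as 2 applications" band, which is the check worth running before the order is priced.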

1.2 Service Characteristics

Lot Hosted Application Scanning

Applicability Any private or public sector organisation with applications that require security scanning.

Contract Duration Flexible – to be agreed in the Call-Off Order

Contract Price Variable based on time and materials depending on agreeing, with the Contracting Authority, the resources required for the


Related Lot(s)/Offering(s) IBM Hosted Vulnerability Management ‘VMS’

1.3 Why IBM

• IBM is able to provide a solution that uses a blend of both its products and its experience to provide a holistic approach to managing operational security risks within any system environment. Our solution is flexible enough that it can be integrated with existing or non-IBM solutions. We provide experienced staff to support and monitor operational environments, who can interpret system threats and support customers where incidents arise.

• IBM has been a member of the CESG Listed Adviser Scheme (CLAS) since 2002 and currently employs a total of 11 CLAS consultants as well as high quality independent contractors. In addition to CLAS, our consultants hold qualifications such as CISSP, CISM, CISA, IISP, ISO27001 Lead Auditor & Implementer, CSSLP, CRISC, Certified Data Protection Practitioner, CEH and Tiger Scheme as well as IBM Certification at Experienced and Expert levels as Security Consultants and Security Architects.

• As a List X organisation IBM has a full time List-X Security Controller with access to the full Security Policy Framework. We work closely with the security authorities to implement physical and personnel security as well as information security. As a result of this our CLAS consultants are able to advise on vetting and physical security matters, undertaking a Security Assessment for Protectively Marked Assets (SAPMA) where appropriate.

• Our approach to documenting and delivering information security controls, processes and procedures consistently is in accord with ISO/IEC27002:2005. We have extended this with technical standards for implementation and configuration of security functions, based on our extensive experience of deploying solutions in high assurance environments. This approach, together with other applicable industry standards, including ISO/IEC27003, ISO/IEC 27005, SAS70, COBIT and ITIL, provides a unique integrated management system that fully meets specific security requirements. This approach was used to great effect on recent projects including IABS for the UKBA which was accredited for live operations in February 2012. Accreditation included signing the GSI Code of Connection and interconnecting with POISE (Home Office IT system) and the UKBA Warnings Index.


1.4 Contact

Contact Name Steve Cliff

Title IBM UK Cloud Alliances Executive

Address PO Box 41, North Harbour, Portsmouth, Hants, PO6 3AU

Contact Email [email protected]

Contact Phone 07710 035877

Website http://www-935.ibm.com/services/uk/en/it-services/security-and-privacy-services.html?lnk=mseIS-secu-uken

2. Delivery

2.1 Context

Scanning allows for a thorough assessment of the quality of the security surrounding an organisation’s applications, enabling vulnerabilities to be identified swiftly and the gaps closed by corrective measures. This helps safeguard any business or personal confidential data handled by these applications.

2.2 What we will deliver

IBM offers both the tools and the expertise to provide thorough, directed, automated application scanning to assess the vulnerabilities of its clients’ Web-based applications. Depending on the terms of the agreement, the client organisation can either opt for a comprehensive, professional scanning service, with IBM resources performing the scans, or else purchase the tools and knowledge to enable their own employees to do so. The Service can offer the following measurable features, gauged using Service Level Agreements:

• IBM Scanning Platform availability – 99.9%

• IBM Managed Security Services (MSS) Portal availability – 99.9%

• Authorised Security Contacts – 3 users

• Scan Initiation Response – 1 or 2 business days

• Critical Priority Issue Alert Notification – 60 minutes

• Scan Review Initiation – 1 business day

• False Positive Rate – 0%

• Request to Re-Scan – Execute – 1 or 2 business days

• Response to Inquiry – 4 business hours

The Service features here described are dependent on the availability and supportability of the products and product features being utilised. Even in the case of supported products, not all product features may be supported. Information on supported features is available from IBM upon request. This includes both IBM-provided and non-IBM-provided hardware, software, and firmware. The Services will be provided using IBM AppScan Enterprise Edition Software (the “Scanning Software”).

IBM Hosted Application Security Services are delivered by resources located in IBM facilities. The Scanning Platform is available 24 hours/day, 7 days/week; however, access to Application Security Analysts for Services is provided during normal business hours,


2.3 Commercials

This will be a Time and Materials contract; however, following the first phase of the work, there may be an opportunity to discuss converting the initial quote into either a Fixed Price or a Risk/Reward based contract in order to provide increased flexibility for the customer.

Initial work will be carried out under the Strategy and Architecture category of the IBM SFIA rate table unless agreed otherwise.

Follow on work will be under the appropriate category(ies) of the IBM SFIA rate table. The scope of work will be set out in the Call Off Order Form and agreed by both parties. Follow on services to enable you to complete implementation of cloud services can be provided by IBM. Details should be agreed via the Call-Off Order and priced using the IBM SFIA rate card.

2.4 Key Points

Other key points to note are as follows:

• This offering is subject to availability of IBM resources.

• The Charges for this Service are on the basis that no Parent Company Guarantee is required. If one is required and agreed to by IBM then the Charges will be revised accordingly.

• For Fixed Price offerings, Travel and Subsistence (T&S) costs are included for work within the M25. For work outside the M25, T&S will be payable using the Contracting Body’s standard T&S rates.

• The pricing and terms on individual call-off orders should be handled as commercially sensitive by the Contracting Body.

• Where work is of a sensitive and secure nature, security standards will be agreed between IBM and the Contracting Body, and if necessary IBM will ask the Contracting Body to issue a Security Aspects letter.

• Whilst we do not propose to handle or have access to any personal data, we will suggest and agree alternative approaches such as the use of anonymised data for
