Jisc Services Ltd

Managed Website Protection

The Jisc Managed Website Protection service is based on a choice of Imperva Cloud WAF or Fortinet FortiWeb WAF, providing a cloud-based service that makes your websites safer, faster and more reliable. The service guards against DDoS attacks and protects against data breaches resulting from malicious cyber-attacks and vulnerability exploits.


  • Comprehensive protection against any type of DDoS attack
  • Enterprise grade Web Application Firewall (WAF)
  • Application-aware CDN & content caching
  • Intelligent application-level load balancing
  • Real-time monitoring & alerts
  • Advanced bot mitigation
  • BGP routing-based infrastructure protection
  • Advanced mitigation of layer attacks
  • Comprehensive protection and defense against cyber attacks
  • Choice of Imperva Cloud WAF or Fortinet FortiWeb WAF


  • Automatic detection and immediate triggering
  • Transparent mitigation with less than 0.01% false positives
  • No hardware or software installations needed
  • No code changes or complex integrations are needed
  • Prevents access to malicious and unwanted visitors to your website
  • Defends against web threats and vulnerabilities including OWASP top10
  • Apply your organization’s security policy within the WAF
  • Accelerate web site page rendering and minimize latency
  • Guarantee optimal resource utilization
  • Routing changes are immediate and across-the-board for all users


£5,000 to £500,000 a licence a year

Service documents


G-Cloud 12

Service ID

2 5 2 5 9 6 1 4 9 3 4 7 8 2 1


Jisc Services Ltd Jisc helpdesk
Telephone: 03003002212
Email: help@jisc.ac.uk

Service scope

Software add-on or extension
Cloud deployment model
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
Service constraints
The service can be tied down to a UK POP, however it is more effective when deployed using all our worldwide POP's.
System requirements
  • Imperva Cloud WAF is activated by a simple DNS change
  • Fortinet FortiWeb is activated by a simple DNS change

User support

Email or online ticketing support
Email or online ticketing
Support response times
30 mins
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
All support requests are allowed through the chat interface.
Web chat accessibility testing
Onsite support
Yes, at extra cost
Support levels
We provide a single support level. For details and costs, please see the service definition and pricing documents in our listing. All our managed services are supported by a team of cloud support engineers, backed up by specialist subject matter experts covering fields including networking, security and applications.
Support available to third parties

Onboarding and offboarding

Getting started
We provide a default scanning configuration which users can customise once the service is running.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
No data is stored persistently as part of this service.
End-of-contract process
A termination plan will be produced and agreed with the customer. The key part of this is updating the customer's DNS settings.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Service accessed via a smart phone
Service interface
What users can and can't do using the API
Imperva and Fortinet provide customers and partners with the ability to manage accounts and sites via an API.
API documentation
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
Customisation available
Description of customisation
Users can customise the service by raising service requests in the support portal.


Independence of resources
Our global network consists of 40 data centers with over 4 Tbps capacity designed purely to protect your websites.


Service usage metrics
Metrics types
Service usage metrics
Metrics types
Metrics include: Website Traffic Human visits Bot visits Threats Bandwidth Status Application attacks Countries Hits per second Bits per second Daily Hits Threat type Attack Countries
Reporting types
  • API access
  • Real-time dashboards


Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Imperva and Fortinet

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Protecting data at rest
Other data at rest protection approach
We do not hold customer data
Data sanitisation process
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Productized SIEM Integration Provides centralized management of Incapsula data within existing security systems and workflows (SIEM systems) Includes a log collector, and pre-made dashboards for easy implementation Supported systems include: Splunk, McAfee, Qradar, and ArcSight
Data export formats
Other data export formats
Data import formats
Other data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
Private network or public sector network
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Imperva and Fortinet commit to an annual uptime of 99.999%.
Approach to resilience
Available on request
Outage reporting
Email alerts

Identity and authentication

User authentication needed
Access restrictions in management interfaces and support channels
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Between 1 month and 6 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 1 month and 6 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
Certification International
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Our certificate covers the information security of the technology solutions, covering the network, premises and supply chain management, supporting all of our cloud and hosting services, cloud-based application development, identity and access management, license negotiation and professional services offerings provided to customers.
ISO 28000:2007 certification
CSA STAR certification
CSA STAR accreditation date
11 August 2015
CSA STAR certification level
Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover
All Jisc cloud solutions are covered.
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Jisc is certified as compliant with ISO27001:2005 (Certificate CI/12868IS) by a UKAS accredited certifying body. Services that we have designed, implemented and operate have been subject to risk assessment including ITHCs and penetration testing by independent CHECK providers. We are able to supply our Information Security Policy subject to a non-disclosure agreement being put in place with the receiving party.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Jisc is committed to ITIL aligned Change and Configuration Management for effective management and control of its infrastructure. Jisc's management tool incorporates an automated Change Management Database (CMDB) at the heart of its operation, with all service support and delivery modules linked to the CMDB to ensure a complete and accurate view of customer estates. A CAB team exists within the services department and liaises closely with all other teams to ensure changes are successful and our infrastructure is maintained and accurately modelled within the CMDB.
Vulnerability management type
Vulnerability management approach
We rely on vendor support services to ensure we are operating in line with the latest recommendations and are made aware of any potential vulnerabilities by them.
Protective monitoring type
Protective monitoring approach
Jisc relie of Imperva and Fortinet to undertake protective monitoring activities and to inform us of incidents.
Incident management type
Incident management approach
Our ITIL-aligned Incident Management process ensures that we respond to any reported faults and sets out target resolution times to ensure that these are fixed within agreed timeframes. Customers can report incidents via phone, email or our portal. Our Incident Management process ensures that we respond to any reported faults and sets out target resolution times to ensure that these are fixed within agreed timeframes. For Major Incidents, once the Incident has been resolved, the Incident Manager will ensure an Incident Review Meeting is held and a Major Incident Report is created and distributed.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£5,000 to £500,000 a licence a year
Discount for educational organisations
Free trial available

Service documents