Jisc Services Ltd

Managed Website Protection

The Jisc Managed Website Protection service is based on a choice of Imperva Cloud WAF or Fortinet FortiWeb WAF, providing a cloud-based service that makes your websites safer, faster and more reliable. The service guards against DDoS attacks and protects against data breaches resulting from malicious cyber-attacks and vulnerability exploits.

Features

• Comprehensive protection against any type of DDoS attack
• Enterprise grade Web Application Firewall (WAF)
• Application-aware CDN & content caching
• Intelligent application-level load balancing
• Real-time monitoring & alerts
• Advanced bot mitigation
• BGP routing-based infrastructure protection
• Advanced mitigation of layer attacks
• Comprehensive protection and defense against cyber attacks
• Choice of Imperva Cloud WAF or Fortinet FortiWeb WAF

Benefits

• Automatic detection and immediate triggering
• Transparent mitigation with less than 0.01% false positives
• No hardware or software installations needed
• No code changes or complex integrations are needed
• Prevents access to malicious and unwanted visitors to your website
• Defends against web threats and vulnerabilities including OWASP top10
• Apply your organization’s security policy within the WAF
• Accelerate web site page rendering and minimize latency
• Guarantee optimal resource utilization
• Routing changes are immediate and across-the-board for all users

£5,000 to £500,000 a licence a year

Service documents

• Pricing document (pdf)
• Skills Framework for the Information Age rate card (pdf)
• Service definition document (pdf)
• Terms and conditions (pdf)

Framework

G-Cloud 12

Service ID

252596149347821

Contact

Jisc Services Ltd

Jisc helpdesk

03003002212

help@jisc.ac.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
• Service constraints: The service can be tied down to a UK POP, however it is more effective when deployed using all our worldwide POP's.
• System requirements:
  • Imperva Cloud WAF is activated by a simple DNS change
  • Fortinet FortiWeb is activated by a simple DNS change

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: 30 mins
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: All support requests are allowed through the chat interface.
• Web chat accessibility testing: None
• Onsite support: Yes, at extra cost
• Support levels: We provide a single support level. For details and costs, please see the service definition and pricing documents in our listing. All our managed services are supported by a team of cloud support engineers, backed up by specialist subject matter experts covering fields including networking, security and applications.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide a default scanning configuration which users can customise once the service is running.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: No data is stored persistently as part of this service.
• End-of-contract process: A termination plan will be produced and agreed with the customer. The key part of this is updating the customer's DNS settings.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Service accessed via a smart phone
• Service interface: No
• API: Yes
• What users can and can't do using the API: Imperva and Fortinet provide customers and partners with the ability to manage accounts and sites via an API.
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: Users can customise the service by raising service requests in the support portal.

Scaling

• Independence of resources: Our global network consists of 40 data centers with over 4 Tbps capacity designed purely to protect your websites.

Analytics

• Service usage metrics: Yes
• Metrics types: Service usage metrics; Yes; Metrics types; Metrics include: Website Traffic Human visits Bot visits Threats Bandwidth Status Application attacks Countries Hits per second Bits per second Daily Hits Threat type Attack Countries
• Reporting types:
  • API access
  • Real-time dashboards

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Imperva and Fortinet

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: In-house
• Protecting data at rest: Other
• Other data at rest protection approach: We do not hold customer data
• Data sanitisation process: No
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Productized SIEM Integration Provides centralized management of Incapsula data within existing security systems and workflows (SIEM systems) Includes a log collector, and pre-made dashboards for easy implementation Supported systems include: Splunk, McAfee, Qradar, and ArcSight
• Data export formats: Other
• Other data export formats: SIEM API
• Data import formats: Other
• Other data import formats: N/a

Data-in-transit protection

• Data protection between buyer and supplier networks: Private network or public sector network
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Imperva and Fortinet commit to an annual uptime of 99.999%.
• Approach to resilience: Available on request
• Outage reporting: Email alerts

Identity and authentication

• User authentication needed: No
• Access restrictions in management interfaces and support channels: Username/password.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Certification International
• ISO/IEC 27001 accreditation date: 10/05/2018
• What the ISO/IEC 27001 doesn’t cover: Our certificate covers the information security of the technology solutions, covering the network, premises and supply chain management, supporting all of our cloud and hosting services, cloud-based application development, identity and access management, license negotiation and professional services offerings provided to customers.
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 11 August 2015
• CSA STAR certification level: Level 1: CSA STAR Self-Assessment
• What the CSA STAR doesn’t cover: All Jisc cloud solutions are covered.
• PCI certification: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Jisc is certified as compliant with ISO27001:2005 (Certificate CI/12868IS) by a UKAS accredited certifying body. Services that we have designed, implemented and operate have been subject to risk assessment including ITHCs and penetration testing by independent CHECK providers. We are able to supply our Information Security Policy subject to a non-disclosure agreement being put in place with the receiving party.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Jisc is committed to ITIL aligned Change and Configuration Management for effective management and control of its infrastructure. Jisc's management tool incorporates an automated Change Management Database (CMDB) at the heart of its operation, with all service support and delivery modules linked to the CMDB to ensure a complete and accurate view of customer estates. A CAB team exists within the services department and liaises closely with all other teams to ensure changes are successful and our infrastructure is maintained and accurately modelled within the CMDB.
• Vulnerability management type: Undisclosed
• Vulnerability management approach: We rely on vendor support services to ensure we are operating in line with the latest recommendations and are made aware of any potential vulnerabilities by them.
• Protective monitoring type: Undisclosed
• Protective monitoring approach: Jisc relie of Imperva and Fortinet to undertake protective monitoring activities and to inform us of incidents.
• Incident management type: Undisclosed
• Incident management approach: Our ITIL-aligned Incident Management process ensures that we respond to any reported faults and sets out target resolution times to ensure that these are fixed within agreed timeframes. Customers can report incidents via phone, email or our portal. Our Incident Management process ensures that we respond to any reported faults and sets out target resolution times to ensure that these are fixed within agreed timeframes. For Major Incidents, once the Incident has been resolved, the Incident Manager will ensure an Incident Review Meeting is held and a Major Incident Report is created and distributed.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £5,000 to £500,000 a licence a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document (pdf)
• Skills Framework for the Information Age rate card (pdf)
• Service definition document (pdf)
• Terms and conditions (pdf)