Cybersecurity - Managed Security Service (MSS) Portal
Capgemini MSS Portal is a multi-tenant portal that can be used to view different clients and business divisions from a single view covering security controls both in and outside the cloud. This portal is scalable for alerting and clients.
- Incident management
- Problem management
- Change management
- Vulnerability Management
- Knowledge management
- SLA management
- Performance and availability management
- Integrated into a SIEM (Security Information and Event Management)
- Provides single view for holistic security incidents
- Provides centralized security activity reporting
- Provides centralized security service level reporting
- Provides centralized run book and knowledge management
- Can reduce mean time to respond
- Can be provided as Hosted as a Service
£3832.50 per unit per month
- Pricing document
- Skills Framework for the Information Age rate card
- Service definition document
- Terms and conditions
- Modern Slavery statement
Capgemini UK plc
+44(0)370 904 4858
|Service constraints||Any constraints will be identified through discussion with the buyer.|
|System requirements||The system requirements depend on the delivery model chosen.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||We aim to acknowledge receipt of questions within one day. Resolution times will be according to the SLA for the service.|
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
A technical account manager or equivalent is available to act as a point of contact in respect of the service 9 to 5 (UK time), Monday to Friday.
Longer hours are optionally supported unless already provided for in the offer.
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||We help users make use of our services through training and documentation as appropriate on a case by case basis.|
|Other documentation formats||Contact Capgemini directly, if documentation is required in other formats|
|End-of-contract data extraction||Arrangements for Buyer data to be extracted can be agreed at the start of each contract, and the execution of such arrangements can be completed as part of the contract close down procedures.|
At the end of the contract, Capgemini can review with the Buyer:
that contractual obligations have been met,
that invoices have been raised and paid,
that no outstanding, documented issues remain (unless agreed otherwise),
that access rights have been terminated and user IDs deleted, and
that data has been backed up and recovered as appropriate.
Using the service
|Web browser interface||Yes|
|Using the web interface||
All user portal functions described in the service definition are available through the web interface.
Setup and administrative functions are only available to Capgemini administrators.
|Web interface accessibility standard||None or don’t know|
|How the web interface is accessible||Please contact Capgemini directly for information about web chat accessibility|
|Web interface accessibility testing||Please contact Capgemini directly for information about web chat accessibility.|
|Command line interface||No|
|Independence of resources||The BAU part of the service is scaled for agreed activities. During exceptional demand, e.g. security incidents, BAU activities may take longer to execute; however, additional resources can be deployed to address shortfalls.|
|Infrastructure or application metrics||Yes|
|Other metrics||Contact Capgemini directly for details of any other metrics required|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||Less than once a year|
|Penetration testing approach||In-house|
|Protecting data at rest||
|Other data at rest protection approach||Please contact Capgemini directly, if other data protection arrangements are required.|
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||A third-party destruction service|
Backup and recovery
|Backup and recovery||No|
|Data protection between buyer and supplier networks||
|Other protection between networks||Please contact Capgemini directly, if other data protection arrangements are required.|
|Data protection within supplier network||Other|
|Other protection within supplier network||Please contact Capgemini directly, if other data protection arrangements are required.|
Availability and resilience
|Guaranteed availability||The service levels, availability levels and any associated service credits will be detailed in the Supplier Terms and the Service Definition.|
|Approach to resilience||Please contact Capgemini directly for this information.|
|Outage reporting||We will use the means defined in the service definition, or as agreed during project initiation or the next earliest opportunity.|
Identity and authentication
|Access restrictions in management interfaces and support channels||
Remote support access by Capgemini personnel to the buyer’s network, systems and applications is provided via a secure, standard, two-tiered Citrix implementation with Transport Layer Security. Tier One is located in the Capgemini Data Centres.
Because the Client Access Point is located on the buyer’s network, the buyer must provide Capgemini personnel credentials and user accounts, in order to access systems or applications on their network. The buyer’s existing security systems, policies and procedures inherently apply. The buyer must provide a file share for Capgemini so that none of their data leave their network.
|Access restriction testing frequency||At least once a year|
|Management access authentication||
|Devices users manage the service through||Dedicated device over multiple services or networks|
Audit information for users
|Access to user activity audit information||No audit information available|
|Access to supplier activity audit information||You control when users can access audit information|
|How long supplier audit data is stored for||Between 1 month and 6 months|
|How long system logs are stored for||Between 1 month and 6 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||BSI|
|ISO/IEC 27001 accreditation date||04/09/2015|
|What the ISO/IEC 27001 doesn’t cover||Please contact Capgemini directly for information regarding ISO/IEC 27001 certification.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||No|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||Capgemini follows its own information security policy, which is referenced against ISO27001:2013 - Information Technology - Security Techniques - Information Security Management Systems - Requirements, ISO 27002:2013 - Information Technology - Security Techniques - Code of Practice for Information Security Controls, and the Information Security Forum - Standard of Good Practice (2014).|
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||Capgemini's configuration and change management processes are set out in its ‘Unified Project Method’ (UPM), but can be adapted to comply with specific requirements by agreement with individual Buyers (tailored services may attract additional charges).|
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
Scanning subscriptions and schedules are created to meet buyer’s requirements for vulnerability discovery.
Assets are prioritized based on their business criticality.
Vulnerability Analysis is completed against the vulnerability scanning raw output and used to produce detailed and targeted reporting at a low level for technical delivery teams and a high level for management view of risk surfaces.
Technical reports help technology support teams to calibrate patching cycles to ensure all vulnerabilities found are remediated effectively by potential risk priority. Capgemini manages the information ingestion and assists in remediation activity planning across parties.
Rescans are subsequently undertaken to verify closed vulnerabilities.
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||
(1) We can identify potential compromises through a variety of means including SIEM, user reports and vulnerability scanning.
(2) Potential compromises and events of interest are triaged by our Security Operations Centre and investigated to eliminate false positives. Confirmed events are then treated as security incidents according to their assessed severity.
(3) Timescales depend on the detection route and complexity following triage analysis.
If further information is required, please contact Capgemini directly.
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||Capgemini's incident management processes are set out in its ‘Unified Service Method’ (USM), but can be adapted to comply with specific requirements by agreement with individual Buyers (tailored services may attract additional charges).|
|Approach to secure software development best practice||Supplier-defined process|
Separation between users
|Virtualisation technology used to keep applications and users sharing the same infrastructure apart||No|
|Description of energy efficient datacentres||
Capgemini is a registered participant in the European Code of Conduct on Data Centres, and all datacentres are operated under the certified ISO14001 Environmental Management System, which includes the target to improve data centre energy efficiency and reduce the average PUE ratio to 1.5 by 2020.
|Price||£3832.50 per unit per month|
|Discount for educational organisations||No|
|Free trial available||No|