Timico Limited

Managed Firewall: Dedicated

Timico’s Managed Firewall offers peace of mind around the deployment, configuration and maintenance of firewall infrastructure within a network. Timico will either deploy firewalls at your premises or host them in our Data centres, monitoring them to ensure they’re operating correctly and providing configuration and patch management remotely 24/7.

Features

• Proactive alerting and management
• Support from industry accredited NOC engineers
• 24x7 performance monitoring
• Robust Next Generation Firewalls
• Change management using industry standard SLA’S
• Flexible policies that enable full control of attack detection methods
• Deploy at your premises or host in our Data Centres

Benefits

• Reduces minimal downtime leading to faster resolution times
• Industry accredited NOC engineer support
• Security protection
• Fully managed firewall deployment
• Reduce IT time on firewall configurations/changes
• Support will be provided for the firewalls 24x7x365

£400.00 a person a day

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Framework

G-Cloud 12

Service ID

883113836623251

Contact

John Garton
07387 092775
john.garton@timico.co.uk

Service scope

• Service constraints: Support is limited to Cisco and Fortinet Firewall configurations
• System requirements:
  • Firewall licensing independently or as part of the Manage Service
  • Browser based portal access for support requests

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Our service desk operates 24/7/365 and is available at weekends.Tickets raised into our service desk are triaged within 30 minutes. They are then dealt with in line with their priority level in line with our service promise and the Service Level Agreements (SLAs) put in place for that contract.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Onsite support
• Support levels: Onsite support is categorised into levels 1, 2 or 3. Technical expertise ranges from basic end user support through to deployment of hardware and configuration. Onsite support can be sold in bundles of day tickets or charged on a time and material basis. Timico also monitor, maintain and patch in line with our standard policies and your requirements. The relevant support is discussed at the time of solution design.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Within the solution design of the deployment of the service we will discuss the transition and deployment plan for your end users. Our support to end users can range from providing a phone number into our IT Helpdesk through to providing an onsite engineer to help on Go Live days with training end users.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: There are a variety of different options for this dependent on the solution that has been provided, and this requirement will be discussed and agreed with the buyer once notice of the contract has been given.
• End-of-contract process: An Exit Provision is built into the Service Provider Agreement. At the point a request to terminate the contract an exit plan will be agreed including the format and provision of data and any novation to an alternative supplier.

Using the service

• Web browser interface: Yes
• Using the web interface: Our Web Interface offers ITSM/ITIL interactions along with billing and performance information.
• Web interface accessibility standard: None or don’t know
• How the web interface is accessible: No additional features to support accessibility standards at this time.
• Web interface accessibility testing: None to date.
• API: Yes
• What users can and can't do using the API: The API supports ITSM interaction with Webhooks and API calls.
• API automation tools: Other
• Other API automation tools: NA
• API documentation: Yes
• API documentation formats: HTML
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type:
  • Automatic
  • Manual
• Independence of resources: Resources for customers work on an allocation based method for RAM and disk as opposed to pooling. Resource pools are used for the prevention of resource exhaustion in other areas.
• Usage notifications: Yes
• Usage reporting:
  • API
  • Email
  • Other

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • Memory
  • Network
  • Number of active instances
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Fortinet, FortiCare and FortiGuard UTM Protection

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: • Secure racks and/or cages;; • ISO27001 and PCI aligned Physical Security policy in all datacentres;; • Backups encrypted in transit and at rest to 256-Bit AES;; • Data encrypted at rest to FIPS-140-2 standard;; • ISO27001 aligned Media Handling and Disposal Policy in place.
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up: Firewall Configuration and Rules
• Backup controls: Through Portal Service Requests
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • IPsec or TLS VPN gateway
  • Other
• Other protection between networks: IPSEC or Private circuits (CAS-T) can be deployed in order to protect data in transit.
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection within supplier network: Data is only encrypted within the customers environment or from endpoint to endpoint with the agreed encryption methods (IPSEC/CAS-T). Packets across our network are not encrypted, but seperated by MPLS label at layer three or VLAN segmentation within data centres. The network infrastructure has physical, configuration, and administrative security applied aligned to our security standards.

Availability and resilience

• Guaranteed availability: Timico’s Manged Firewall is available in three Service Levels, Foundation, Advanced and Premier. The service level agreements depend on the level of support each customer wishes to be provided, and can be tailored to their exact requirements. Please see full details of the service levels available within the full service description attached for this product.
• Approach to resilience: Our Data Centre has been externally audited by the UKAS accreditation body, ISOQAR, and has achieved ISO 27001 certification. An important part of the audit deals with the Data Centre's physical, logical access and environmental security. Any system containing sensitive data is protected by a firewall and all suspicious activity recorded and reviewed by monitoring systems. Regular audits of security logs are undertaken, with strict system access policies in place to ensure staff have appropriate access relevant to their role. The Timico Data Centre Facility is designed in such a way to ensure maximum availability in the event of a power failure. We have multiple redundant systems in place (n+n) providing a resilient service. Should the need arise, with adequate fuel being available, the facility could run on backup generators indefinitely. All customer hardware is supported by redundant UPS systems which are in turn backed up by the generators. Timico also have the facility to utilise portable generators in the event we are unable to operate on the onsite generators. All customer and core hardware is located within our Data centre environment.
• Outage reporting: Timico's monitoring and management suite, proactively manage event and performance information and perform triaged and escalation of events to incidents within our ITSM where our NOC are notified.; ; Once an incident is confirmed, this is available within the Dashboard on our portal, consumable via the API and email alerts are generated.; ; On wider outages, we operation a status page and generate email alerts to subscribed users.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
  • Other
• Other user authentication: All customers are required to complete a customer contact list with associated levels of authorisation. The customer is in control of this list, with only key contacts able to make changes. Where customers call by telephone from an unknown number or request major Changes, Timico have a secure password agreed with each customer in advance to authenticate that user.; Controls in place include:; • Two factor authentication for user access;; • TLS 1.2 based traffic;; • HTTPS enforced on ITSM portal;; • Role based access controls.; • Active monitoring of authentication activity.
• Access restrictions in management interfaces and support channels: All customers are required to complete a customer contact list with associated levels of authorisation. The customer is in control of this list, with only key contacts able to make changes. Where customers call by telephone from an unknown number or request major Changes, Timico have a secure password agreed with each customer in advance to authenticate that user.; Controls in place include:; • Two factor authentication for user access;; • TLS 1.2 based traffic;; • HTTPS enforced on ITSM portal;; • Role based access controls.; • Active monitoring of authentication activity.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
  • Other
• Description of management access authentication: All customers are required to complete a customer contact list with associated levels of authorisation. The customer is in control of this list, with only key contacts able to make changes. Where customers call by telephone from an unknown number or request major Changes, Timico have a secure password agreed with each customer in advance to authenticate that user.; Controls in place include:; • Two factor authentication for user access;; • TLS 1.2 based traffic;; • HTTPS enforced on ITSM portal;; • Role based access controls.; • Active monitoring of authentication activity.
• Devices users manage the service through: Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Approachable Certification
• ISO/IEC 27001 accreditation date: April 2020
• What the ISO/IEC 27001 doesn’t cover: The scope of our ISO 27001 accreditation applies to all aspects of the work conducted by Timico Limited as a managed cloud services provider at its Headquarters and Data Centre in Newark, Nottinghamshire and its Telford, Winnersh and London Offices.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Teamwork IMS Ltd
• PCI DSS accreditation date: 26/02/2020
• What the PCI DSS doesn’t cover: Timico's PCI DSS Certification does not cover our customer's own media (containing CHD) if used. Timico does not have any contact with customer's hardcopy media in relation to cardholder data that the customer might store, process or transmit. Timico also does not have access to a customer's cardholder data, and hence do not share cardholders data with any parties.
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Security is part of our culture. We maintain a Security Manual detailing the policies and procedures we adhere to as a company both systems and personally. We maintain a rota of security meetings and reviews to discuss the policy or specific requirements. we are happy to share the Security Manual at the point of engaging with you. We are a registered ISO: 27001 company, confirming our ability to produce a framework of policies and procedures that match the essential information risk management processes, including legal, physical and technical controls. In order to maintain essential security regulations, we ensure compliance through all of our business processes. This allows us to deliver products and services to you with the confidence all your business data and processes are secure, with no room for error. With specific reference to security for our Data Centre, this was built with resilience and N+1 or N+N in mind. The facility sits behind security enforcement and an access-controlled gate. Our reception is a managed full-time, with CCTV systems running throughout the facility 24/7. Biometric access controls give us the confidence that our data centre is secure, and we operate a strict access policy to prevent any unauthorised visits.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: The primary objective of our Configuration and Change Management (and part of our ISO9001 and ISO27001 processes) is to enable changes to be made with minimal or no disruption to the services we provide. The goals of the this policy include a standard process for requesting, planning, approving, communicating, implementing and reporting changes to services. Policies are in place to perform risk and impact assessments against Confidentiality, Integrity and Availability are carried out and documented prior to any change.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Timico's Patch Management Policy provides the processes and guidelines necessary to maintain the integrity of systems and data by applying the latest Operating System security updates/patches in a timely manner, and establish a baseline methodology and time frame for confirming patch-management compliance. Timico will monitor the deployment of patches and investigate any issues during this process. Management of critical patching are dealt with as a security incident. Devices accessible from the Timico network receive critical security patches during the next maintenance window, no later than 30 days following release by the vendor or as determined by the incident.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Timico's Managed Monitoring Policy defines which systems and services are monitored and provides the processes and guidelines necessary to monitor and alert for events requiring escalation or remediation. Timico manages a number of tools and systems to enable the monitoring, and the threshold (the monitoring parameters/polling frequencies and monitoring theshholds and limits for when an alert or notification is raised) the collectors or agents will work to is defined within the Service Description for each product, with resolutions to incidents being provided in line with the SLAs associated with each service.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: A detailed/documented incident process is included within our Information Security Manual, and forms part of our ISO 9001/27001 certifications. Any incident is logged in our ServiceNow platform, where all updates are added, with the incident flag selected. As soon as the incident is logged, the relevant people will then: -; ▪ Assess the Incident and its seriousness; ▪ Ensure communications take place with those affected ; ▪ Develop tactics for containing the Incident, so any damage does not spread; ▪ Ensure analysis takes place to help ascertain its root cause(s); ▪ Ensure correctives actions are implemented, and aim to prevent recurrence

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: VMware
• How shared infrastructure is kept separate: Tenants are grouped into logical units or folders for administrative purposes.; ; Within the infrastructure, layer two separation exists to segregate local traffic and layers three to seven are controlled by dedicated security appliances.; ; Resources within the hypervisor, are segregated by the hypervisor.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: A detailed report on the efficiency of our Data Centres can be provided upon request.

Pricing

• Price: £400.00 a person a day
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: A free trial may be available for this service - subject to the requirements and the actual solution required, and subject to agreement by both parties.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF