90 likes | 231 Views
Gartner G-Cloud Service Definition. Consulting for Cloud: Gartner Security & Risk Management — Cloud Security Due Diligence & Review. For further information on Gartner support for Cloud initiatives visit: http://www.gartner.com/technology/research/cloud-computing/services.jsp.
E N D
Gartner G-Cloud Service Definition Consulting for Cloud: Gartner Security & Risk Management — Cloud Security Due Diligence & Review For further information on Gartner support for Cloud initiatives visit: • http://www.gartner.com/technology/research/cloud-computing/services.jsp
Gartner Service Definition —Cloud Security Due Diligence & Review • Interviews schedule and minutes for a maximum of 25 interviews over 7 calendar days with key stakeholders to identify drivers and assess proposed workloads and existing Security governance, programmes and technologies. • Provide an initial draft Report with an Executive Summary describing key findings, risks and gaps. • Delivery of a Recommendations and Roadmap draft document and Workshop preparation. • Final Review including Gaps, Findings, Risks with actionable Recommendations and Roadmap. • Key Benefits • The Cloud Security Assessment provides the following benefits • Safer architectural and programme decisions that will reduce the risk to the business by remediating gaps in the security business processes and ways of working. • The methodology will allow security teams to rapidly assess risk and deploy appropriate controls supporting business unitsto make sound decisions and mitigate risks. • Identify a viable, secure Cloud architecture, including options and alternatives, for addressing the existing vulnerabilities as defined by the gaps between the current and desired-state. • Client outcomes will be based on industry best practices, industry trends, and how other public bodies work best to mitigate security risks when deploying Cloud services. Price • Gartner will charge a firm fixed price of £103,396 excl. VAT, incl. all expenses for this service. Service Description Gartner will provide a detailed security assessment of organisations Security and Risk Management Governance, Processes and Technologies related to outsourcing business processes or workflow into cloud solutions or services. It includes the measurement and prioritisation of gaps, risks and detailed level recommendations. We will also develop a security roadmap with vendor landscape recommendations which delivers actionable remediation to reduce the risk to the business. The methodology is designed for security teams to assess the suitability and attendant risks and recommended controls of outsourcing a workload into cloud services. This will be achieved with: • An assessment of the expectations the organisation has regarding application manageability, security, performance, reliability and risk management in the Cloud. • Communication of findings, risks and any gaps security programme implications, specifically as related to the proposed customer workloads to move workloads (or not) to the Cloud. • The development of detailed level recommendations and a roadmap for this environment, including governance, data protection, identity and access control and federation. Key Deliverables • Cloud Security Assessment that provides: • Kick-off meeting to set requirements, expectations, scope and schedule.
Gartner Service Definition — Cloud Security Due Diligence & Review • Week 6 to 7: Finalise & Present Cloud Security Assessment report • Final Report including Gaps, Findings, Risks and actionable Recommendations and Roadmap. • Present report to executive stakeholders. Gartner Project Team Roles Project Schedule • Gartner anticipates completion of this engagement within 7weeks • Client Project Team Roles • Project Sponsor • Project Manager • Key stakeholders, technical and business • Project Benefits • The client’s security team will be able to: • Rapidly assess risk and deploy appropriate controls to make sound decisions and mitigate risks. • Identify a strategic cloud architecture, including options and alternatives, for addressing the existing vulnerabilities as defined by the gaps between the current and desired-state; recommendations will be based on industry best practices, industry trends, and what other like-industry organisations are doing to deploy similar risk mitigations. Project Approach • Week 0: Project initiation & Plan for Cloud Security Assessment • Review project team structure and overall status and schedule team review sessions. • Week 1 to 4: Conduct Cloud Security Assessment • Request & provide deliverables to be reviewed. • Conduct interviews with key stakeholders, review appropriate deliverables and capture findings. • Week 5: Develop Cloud Security Assessment report • Develop an initial draft of Report with an Executive Summary describing key findings, risks and gaps and validate through a onsite Workshop.
Gartner Service Definition —Cloud Security Due Diligence & Review Assumptions • The client will designate a project manager as primary point of contact who will work closely with Gartner as needed and will: (a) approve priorities/task plans/schedules; (b) facilitate scheduling of interviews with personnel; (c) notify Gartner in writing of project issues and assist in their resolution. • Client will review and approve documents within five business days. If no formal approval/rejection is received within that time, the deliverable is considered accepted. • Client personnel will be made available per the schedule agreed in the kickoff meeting. • The due diligence (as‑is) data are reasonably available via interviews and documentation review. • Client provides timely access to personnel to be interviewed. These personnel will be able to answer questions, provide documentation and attend sessions. • Project pricing assumes that Gartner will conduct 20 interviews and 2 workshops over a period of 20 days and that the client will arrange all sessions with the client’s personnel. • All data collection/interviews/workshops will take place via phone or in person as agreed at the project kickoff. • With the exception of meetings and workshops, Gartner work will be performed at Gartner locations. • Offices, phones, printing/copying and Internet access will be available to Gartner at client locations. • Gartner will use Microsoft Office for the production of any engagement documentation • Any requests for additional information and/or deliverables(beyond the details described in this service definition) that are made will be considered a change in scope and will be handled accordingly (see Changes to Scope). This does not apply to clarification questions. Changes to Scope • The scope of the engagement is defined herein. All client requests for changes must be set forth and explained in writing. As soon as practicable, Gartner shall advise of the cost/schedule implications of requested changes and any other necessary details to allow both parties to decide whether to proceed with the requested changes. The parties shall agree in writing upon any requested changes prior to Gartner commencing work. • As used herein, “changes” are defined as work activities or work products not originally planned for or specifically defined by this service definition.
Gartner Service Definition —Cloud Security Due Diligence & Review Information Assurance • Gartner possesses analysts and consultants with various security clearances, or we will, within reason, acquire those clearances as the client demands. • Gartner associates are bound by very specific rules around client confidentiality and security given that our clients reveal to us their greatest challenges and difficulties in order that we can help and support them most effectively. Backup Restore and Disaster Recovery • The Gartner service under discussion does not require Gartner to manage or store any critical client data. Therefore, as there is no risk to the client and no break in service that will affect the client experience, there is no applicable policy needed in relation to this specific issue. Data Restoration • No client data is retained by Gartner as part of the client’s access to this service and therefore there is no data restoration process related to this service. Service Migration • There is no need for a Service Migration plan given the nature of the service under discussion. The client is able to complete and conclude the service without any ongoing process being required for transfer of service or information to an alternative provider or successor. At the conclusion of the service described all deliverables and any supporting information is handed over to the client.
Gartner Service Definition —Cloud Security Due Diligence & Review Onboarding • Gartner does not offer onboarding services, however, Gartner will hold a kickoff meeting with the client to ensure understanding of the engagement objectives, scope, schedule, and milestones, roles, responsibilities and required resources for Gartner and the client. Gartner will also discuss anticipated risks and mitigation plans, based on lessons learned from past experience. Gartner will gather any relevant background material from the client. Offboarding • Gartner does not offer offboarding services, however, Gartner will close down the engagement , upon conclusion, ensuring all necessary skills and information are transferred appropriately and in a timely manner to the client.
Gartner Service Definition —Cloud Security Due Diligence & Review Pricing • Gartner will charge a firm fixed price of £103,396 excl. VAT, incl. all expenses for this service. Ordering and Invoicing Process • Gartner will bill for 100% of the professional fees at contract signing. • All invoices are payable net 30 days from date of invoice. While Gartner does not itemise billing for professional services, Gartner agrees and will comply with any reasonable requests for records substantiating our invoices. Financial Recompense Model • In the event that a Service does not meet the specifications set out in the applicable Service Description, the breach will be handled in accordance with the Liability and Termination terms set out in the Call-Off Agreement. Termination Terms (by Consumer / by the Supplier) • Services may be terminated without cause by the Customer on at least thirty (30) Working Days’ notice.
Gartner Service Definition —Cloud Security Due Diligence & Review Service Management • This is not applicable to this service. The service will be managed as described under the Statement of Work component of this Service Definition. Service Constraints • This is not applicable to this service. Service Levels • This is not applicable to this service.
Gartner Service Definition —Cloud Security Due Diligence & Review Training • Gartner will provide Cloud Security Strategy and general project management coaching to the client's cloud transformation project manager. Trial Service • Gartner does not offer a trial service option in relation to this service. Consumer Responsibilities • Provision of the necessary resources, systems and documentation for review • Responsible for managing logistics on client’s site for the duration of the engagement • Assign a client Project Manager to work as a single point contact between the Gartner team and the client • Identify the right people for the interviews/ workshops, schedule and communicate the intent of the engagement • Provide facilities for workshops and Gartner Work Space • Collate and send all relevant data prior to the meeting • Ensure attendance at kickoff meeting and any subsequent interviews and meetings by Project Sponsor, Project Manager and other key stakeholders, as determined prior, during and post kickoff Technical Requirements • Gartner will require access to: • Any information requested (some may be potentially sensitive) regarding the cloud transformation project electronically and /or in paper format • Organizations overall IT Security infrastructure and key applications information electronically and/or in paper format