Laserfiche WebLink
SOLICITATION # CH16012 <br />• All Virtustream employees use Mandatory Strong 2 factor authentication (2FA OTP) <br />Administrative Access to all systems. <br />• Dedicated VLAN network segmentation and dedicated Virtual Route Forwarding (VRF) are <br />used extensively to segregate environments and zones. <br />• Perimeter Firewalls are used to segment internal and external environments as well as <br />segregate security zones. Configuration, monitoring, auditing and logging are included. <br />• Virtual Machine -based Firewall and Intrusion Prevention System (IDS) is installed on every <br />virtual machine in the environment and is protected with Juniper's Security Gateway virtual <br />firewall application and monitored service. <br />Security Services that are standard components for Virtustream's management environment and <br />are Optional Services for client environments including the following: <br />• Managed Two -Factor Authentication ("21FA") is in use for all application systems. <br />• Intel TxT Enabled Servers and Trusted Boot/Bios monitoring with Attestation Server and OS <br />and VM support, including Geolocation and Geofencing according to NIST 7904 guidelines. <br />• Secure operating system (OS) builds based on DoD Secure Technology Implementation Guide <br />(STIG) guidelines are used to build Virtustream's Management and Administration Servers. <br />• Server/File Integrity Monitoring (FIM) is installed in the PCI and VFC clouds. <br />• Patching Regimen: Virtustream patches host servers, network devices, security devices, <br />servers and related services in the Management Network on a specified routine (monthly or <br />quarterly, depending on release schedules), or when there is a CERT or other authorized <br />source of patch that requires immediate attention. Based on urgency and risk of the issue we <br />will schedule the patch as appropriate and use change control. <br />• Scanning regimen: vulnerability scanning is done on a monthly basis with additional 3rd party <br />vulnerability scans done monthly. Additional scans are done when made aware of new <br />vulnerabilities. Issues are classified and addressed according to Risk Classifications and are <br />addressed with ITIL v3 change control processes. <br />• Managed IDS signatures are routinely updated and the logs are monitored. <br />• Anti -Virus is managed on all Management servers in Enterprise, PCI and, VFC clouds. <br />• Logging Service of all servers, network devices, and security devices to a centralized log server <br />system. <br />• Governance Risk Compliance: We use a complete Enterprise Risk Management toolset to <br />manage compliance reporting and continuous monitoring to all of our supported compliance <br />frameworks. <br />Virtustream's facility monitoring systems are complete as per specifications in NIST 800-53r3/4. We <br />use site assessment methodologies and checklists as detailed in NIST 800-42. Our systems and <br />facilities are monitored 24/7 for any exceptions or trends. Our tools, processes and CONUS <br />(Continental USA) personnel monitor network, power, cooling, humidity, water leakage, fire <br />suppression, power systems (utility power, UPS systems and generators) and site access. <br />Virtustream's Physical Access Control Security is designed to protect the confidentiality, integrity, <br />and availability ("CIA") of the cloud platform system and its data with the following security <br />components: <br />• Limited and controlled room access. <br />• Logged and monitored access of all access control events. <br />• Video surveillance and review of all access control events. <br />• Biometric access control required to gain access to the Data Center. <br />• US Data Center staff is limited only to US Citizens. <br />carahsoft <br />92 <br />carahsoft <br />