Download complete service offering (doc format): firewall_services_definition.doc

 

1. Description of Service

The Information Technology Division (ITD) provides firewall protection services for the Commonwealth's assets and resources. Remote firewalls support customer-hosted applications that require remote firewall protection over MAGNet services. Secure remote device managed firewalls are used when a customer requires remote vendor access to equipment or devices located at the customer site. Through these protection services, ITD gives customers secure access while protecting the Commonwealth's assets and resources.

 


The Remote Firewall service includes:

  • Provision and configure a remote firewall
  • Establish a firewall perimeter with failover capability on MAGNet connections to DMZs and to the internet as a whole
  • Monitor and change firewall rules when needed


Remote Device Managed Firewall service includes:

  • Provision and configure a firewall edge for remote customer locations
  • Provide secure connections for customer vendors to access their devices remotely
  • Monitor and change firewall rules when needed


MAGNet Security Protection:

Securing MAGNet through managed enterprise firewalls and Internet Gateway services has been a standard service offering (previously included in ITD's Network Services and network rates) that supports resources and infrastructure including:
 

  • Managed firewalls that ensure access control and secured authorized use of MAGNet.
  • Gateway services that provide a protection layer for all mail passing through the network. All mail is filtered, scanned, and if necessary blocked by reliable and highly available anti-virus, spam and content filtering solutions.

In FY12, ITD unbundled these services from Network and created a new service offering called MAGNet Security Port Protection. Costs for supporting this service are now included in rate code SU060 as a port charge. This port charge is applied to any device that accesses MAGNet via WAN and Campus connections, XDMZs, and hardware supporting UNIX hosting systems.


PCI Requirements:

The Information Technology Division (ITD) is primarily involved in and responsible for ensuring that it complies with the Payment Card Industry Data Security Standard (PCI DSS). The standard includes 12 requirements for any business that stores, processes or transmits payment cardholder data. These requirements specify the framework for a secure payments environment. For purposes of PCI compliance, there are three steps:

  • Assess
  • Remediate, and
  • Report

ITD, as defined by the PCI-SSC, is a Service Provider: a business entity, other than a payment brand, that is directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. ITD acts as a central IT service organization (e.g. network, hardware, and application services and hosting) for Commonwealth state agencies.

Beginning in FY12, ITD will use the services of a PCI-SSC Qualified Security Assessor (QSA) to provide an on-site PCI-DSS validation. The validation will result in the QSA issuing a Report on Compliance (ROC) to ITD. PCI attestation/validation is not part of ITD's standard service offering and is not included in ITD's chargeback rates. Customers requiring these services will be directly charged the costs ITD incurs to meet PCI requirements. Please see "What is PCI" (doc format: sec_pci_info.doc) for additional information on PCI requirements.

 

Support services include:

2. Service Targets

Service Availability
  Service availability hours are 24x7.

Infrastructure Component Availability for Remote Firewalls
  All firewall components are available 24x7 excluding planned maintenance.

Infrastructure Component Availability for Remote Device Managed Firewalls
  These firewalls are preconfigured and sent to the agency as a plug-and-play device. Hardware replacement should be performed the next day. The agency has the option to purchase a preconfigured spare that it can swap in, sending the failed device back to ITD.

Security Availability for Remote Firewalls
  The ITD IP Security equipment will be available and capable of forwarding IP packets 99.999% of the time, as averaged over a calendar month. The ITD IP Security equipment includes ITD-owned and controlled security devices located in the Chelsea/Boston Data Center and at remote agency locations.

  The ITD Security availability figure does not include the local loop, Customer Premise Equipment, the Customer's Local Area Network (LAN), scheduled maintenance events, customer-caused outages/disruptions, or interconnection connectivity within other Internet Service Provider (ISP) networks.

Security Latency for Remote Firewalls
  This is included in ITD's network core service.

Planned Maintenance for Remote Firewalls
  This requires a weekly 1-2 hour window between 7:00 am and 5:00 pm Monday through Friday excluding holidays. Ad-hoc maintenance is scheduled through change control, and customers are notified as part of the change control process.

Request Fulfillment*
  Staff will respond to service requests 7:00 am - 5:00 pm Monday through Friday excluding holidays. Customers can make requests through E2E.

  Emergency requests are approved by authorized customer contacts and must be opened as incidents to ensure they are acted on immediately outside normal business hours.

Incident Management*
  The ITD Service Management Office has standard processes to manage incidents, requests and changes.

  Outages or urgent issues should be reported by phone to receive the quickest response: 1-866-888-2808.

*Incidents, requests, or changes that are outside the scope of the defined service description or normal service hours will be directly charged to the customer.

 

3. Service Reporting

Currently, there are no reports available for this service.


 

4. Service Requests

COMiT Service Requests* (lead time is given in business days)

Enterprise Firewall: Open a New Firewall Port
  This request is to open a new port within ITD's Enterprise Firewalls.
  Lead time: 10 days

Agency Located Firewall: Request New Agency Firewall
  This request is to deploy a new firewall at an agency site. These firewalls ensure that only authorized ports and protocols are allowed within an agency-hosted DMZ.
  Lead time: 10 days

Agency Located Firewall: Deactivate an Agency Firewall
  This request is to deactivate a firewall located at an agency site.
  Lead time: 10 days

Agency Located Firewall: Request Access or Read Only Permissions
  This request is to allow limited 'read only' access to an agency firewall.
  Lead time: 10 days

Agency Located Firewall: Request New Host or Server
  This request is to add a new server or application to an agency located firewall.
  Lead time: 10 days

Agency Located Firewall: Modify Host or Server
  This request is to modify an existing server or application in an agency located firewall.
  Lead time: 10 days

DNS Services: Request a new DNS entry
  This request is for a new DNS entry.
  Lead time: 10 days

DNS Services: Modify a DNS entry
  This request is to change a DNS entry.
  Lead time: 10 days

DNS Services: Delete a DNS entry
  This request is to delete a DNS entry.
  Lead time: 10 days

IP Addressing: New range of IP addresses
  This request is for new Commonwealth TCP/IP address space.
  Lead time: 10 days

PCI Services
  To request PCI Services, customers should work with their Service Account Managers.
  Lead time: depends on the complexity of the request; may require a project.

*For new service requests only. To manage existing requests, please log into COMiT.

Request fulfillment happens as part of a process with change control. If an emergency change is needed then an emergency change control ticket is opened and the CAB is convened. Non-emergency tickets are brought before the CAB every Thursday and depending on the ticket, are acted upon during the next window.

5. Customer Responsibilities

The customer is responsible for opening change orders to initiate the changes that need to be made. The ITD Security Office will then open change control tickets, examine the request for policy violations, and then plan and schedule the required change.

For your convenience, you may also view a detailed list of customer responsibilities.

 

6. Chargeback Rate Information

For more information on Chargeback, including an overview of the program as well as current and previous fiscal year rates, please visit our Chargeback Services webpage.

Cost Framework: Firewall Protection Services

Direct Costs: Customer Specific - Costs Directly Charged to Customers

No. | Description | Cost | Assumptions/Comments
1 | AMS USPS Developer's Kit (Part #2595248) 64 Bit Upgrade (3 mos. Oct-Dec, 2010) for testing purposes only (Future support will be covered under BI000932) | $4,031 |
  | Assuria for GIC's ApplinX Application | $145 |
  | VLA AntiVirus Scan for NewMMIS (Beginning in FY12, moved from Unit 3103) | $12,167 |
  | Total Costs Directly Charged to Customers | $16,343 |

 

Direct Dedicated Resources: Salaries (AA) and Fringe (DD) Costs, Contract Support (HH/U05)

No. | Description | Cost | Assumptions/Comments
2a | Salaries (AA) and Fringe (DD) Costs, Contract Support (HH/U05) | $145,348 | 1.60 FTEs
   | Salaries (AA) and Fringe (DD) Costs, Contract Support (HH/U05) | $320,074 | 4.10 FTEs
   | Salaries (AA) and Fringe (DD) Costs, Contract Support (HH/U05) | $20,607 | 0.20 FTEs
   | Total Salaries (AA) and Fringe (DD) Costs, Contract Support (HH/U05) | $486,029 |

 

 

Hardware/Software/Contracts (UU, LL, etc.)

No. | Description | Cost | Assumptions/Comments
2b | Agilysys - (2) IBM X3650 M2 Servers for DR, firewall related | $102 |
   | Agilysys - Command Center Secure Gateway E1 Appliance & License for BOHE Project (Beginning in FY12, moved from Unit 2501) | $1,430 |
   | Akibia (Aquila Technologies) - InfoBlox 550-A | $2,570 |
   | Dell Software - Assuria Auditor for ARRA Project | $137 |
   | Dell Software - Assuria Auditor for RHE Linux | $5,122 |
   | Dell Software - Assuria Auditor for RHE Linux for VG3 Project | $1,655 |
   | Dell Software - Assuria to support IB155 48 hr. recovery project | $80 |
   | Dell Software - Avocent Console Software DSView3 (Master Key Codes: 7DZ7A-Q2Z73-B2KUH-7WQ6U) | $3,905 |
   | Dell Software - Exceed/Hummingbird (#G58277, #G58252, #G58376) | $1,592 |
   | Dell Software - Lyris Listmanager 6.0 #52-1881658 (In FY07, funded under Unit 2420) (Beginning in FY12, moved from Unit 2653) (Eff. FY13, per security, should be in Unit 7750) | $2,801 |
   | Dell Software - RDELTA | $2,675 |
   | Dell Software - Splunk Software | $5,495 |
   | ePlus - Cisco 2960 Switches 24 port | $144 |
   | ePlus - Cisco 2960 Switches 48 port | $338 |
   | ePlus - Cisco 3560 Switches 24 port | $422 |
   | ePlus - Cisco 3560 Switches 24 port for end-of-life firewalls | $116 |
   | IBM - IBM X3650 Server for Data Center Consolidation - EHS Pilot | $66 |
   | IntraSystems, Inc. - Assuria Auditor (System Scanner) (Beginning in FY11, BI000704 covered under BI000540) | $27,298 |
   | IntraSystems, Inc. - Assuria Auditor for CPF Project | $716 |
   | IntraSystems, Inc. - Checkpoint Software Maint and Nokia Equipment Maint, Tier 1 Tech support 7x24 (Beginning in FY09, reduced outyears by $28,053 and added to Unit 4400) | $581,326 |
   | IntraSystems, Inc. - Juniper for End-of-Life Firewalls | $77,156 |
   | IntraSystems, Inc. - Qradar/ICX (In FY08, transferred to Unit 2224) (Eff. FY13, includes BI706 and BI851) | $112,336 |
   | IntraSystems, Inc. - RSA SecurID SID700 w/2yr. SecurID Authenticator (Item #S-SID700-6-60-24-50) | $811 |
   | IntraSystems, Inc. - RSA SecurID SID700 w/3yr. SecurID Authenticator (Item #SID-6-60-36-10) | $204 |
   | IntraSystems, Inc. - TripWire for Vulnerability Monitoring | $6,675 |
   | IntraSystems, Inc. - Tuffin for IPS Appliances | $51,199 |
   | IntraSystems, Inc. - WYSE HW for IPS Project #2934 | $234 |
   | SHI - Assuria System Scanner SW to support the BlackBerry Upgrade Project | $184 |
   | Depreciation - FIREWALL PROTECTION SERVICES | $493,246 |
   | Depreciation - NETWORK SECURITY | $46,190 |
   | Other Costs, Re-classifications, Adjustments | $3 |
   | Total Hardware/Software/Contracts (UU, LL, etc.) | $1,426,228 |

 

Indirect Costs: Allocated Shared Resources

No. | Description | Cost | Assumptions/Comments
3 | Allocated Shared Resources | $108,644 |
  | Total Allocated Costs | $108,644 |

 

 

Allocated Costs: Allocated Costs Not Specific to Service

No. | Description | Cost | Assumptions/Comments
5 | Allocated Costs Not Specific to Service - Email Gateway | $3,915 |
  | Allocated Costs Not Specific to Service - Network Security | $55,387 |
  | Allocated Costs Not Specific to Service - Firewall Protection Services | $514,523 |
  | Total Allocated Costs Not Specific to Service | $573,825 |

 

 

Adjustments: Less: Customer Specific - Costs Directly Charged to Customers

No. | Description | Cost | Assumptions/Comments
6 | Less: Customer Specific - Costs Directly Charged to Customers | ($16,343) |
  | Total Less: Customer Specific - Costs Directly Charged to Customers | ($16,343) |

Total expenses for Firewall Protection Services: $2,594,726

 

Rates pertaining to this service offering include:

Rate Code | Title | Billable Unit | Planned FY2013 Units | Cost | FY 2013 Rate
SU060 | Security Magnet Security Protection Port Charge | Each Port/Month | 4,608 | $2,420,678 | $201
SU040 | Security Remote Device Support | Device/Month | 0 | $11,088 | $77
SU020 | Security Remote Firewall Support | Firewall/Month | 144 | $162,960 | $970


 

Download the cost framework for Security Protection Services (pdf format): Firewall Protection Services 2013
Download a complete listing of all chargeback rates (xlsx format): fy13 chargeback


Updated December 13, 2012
Published August 14, 2009
Created April 10, 2009: Information provided by the Security Office