CDW Limited

CDW SailPoint Access Risk Management

SailPoint Access Risk Management within SailPoint’s Identity Platform provides unified
access risk analysis. The result is streamlined GRC processes that are completely cloud
and totally automated.

Features

• Comprehensive, seamless GRC and identity protection
• Identity security unified with highly detailed access controls
• The deepest level of analysis to identify risk in systems
• Risk simulation that spots SoD violations before provisioning
• Automation of periodic access reviews and emergency access management
• A cloud-based system that’s easy to implement, use, and scale
• Advanced and automated access reviews
• Fully automated emergency access workflows
• Easily build in security throughout the role lifecycle
• Speed up compliance processes and avoid errors

Benefits

• Fewer audit deficiencies and avoidance of compliance violations
• No costly upgrades and maintenance
• Controls that can be deployed easily
• Decide if a potential user has risks before granting access
• Reduction in audit deficiencies and lower audit costs
• Audit-ready reports

£50,000 a unit

• Education pricing available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@uk.cdw.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

463599795267431

Contact

Andy Wood
0161 837 7744
tenders@uk.cdw.com

Service scope

• Service constraints: IdentityNow is deployed in Amazon Web Services (AWS). Hosted data resides in one of several AWS regions, the location of which is determined by the customer. Customers may elect to have their data hosted in the UK, the EU in Frankfurt, Germany or in the US in Oregon or Virginia.
• System requirements:
  • Web Browsers: Firefox, Internet Explorer, Microsoft Edge, Chrome or Safari
  • Hypervisor for Virtual Appliances housing our connectivity layer
  • SaaS solution. Other components are managed in AWS by SailPoint

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: “Business Hours” 8am-6pm local time, Monday to Friday, except local public holidays for non-severity 1 cases. For all severity 1 cases: 7 days a week at 24 hours a day coverage. Severity 1 - Response time one hour; Severity 2 - Response time two hours; Severity 3 - Response time eight hours; Severity 4 - Response time 12 hours.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: SailPoint offers Premium support for IdentityNow SaaS. Premium support provides 24x7 support for severity 1 issues.; ; Support and maintenance includes:; (a) Telephone or electronic support in order to help Customer locate and correct problems with the SaaS Services. ; (b) Bug fixes and code corrections to correct malfunctions in order to bring such SaaS Services into substantial conformity with the operating specifications contained in the Documentation.; (c) All extensions, enhancements and other changes that SailPoint, at its sole discretion, makes or adds to the SaaS Services and which SailPoint furnishes, without charge, to all other subscribers of the SaaS Services.; (d) Up to five (5) dedicated contacts designated by Customer in writing that will have access to support services.; (e) Access to Compass, SailPoint’s customer and partner portal, which includes discussion forums, technical information, latest company and product information, webinars, and product downloads. It also provides collaborative forums, which allow interaction between customers and SailPoint subject matter experts.; (f) Appointment of a Customer Success Manager to serve as your primary point of contact and advocate within SailPoint.; ; SailPoint also offer professional services that can be provided onsite or remotely. Professional services are not included, but are available at an additional cost.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: SailPoint provides professional services, which is especially recommended during the initial phase of deployment and can work directly with the customer, or via one of our partners. ; ; Comprehensive documentation is provided by SailPoint to cover all aspects of IdentityNow functionality. All IdentityNow documentation is provided online via the Compass web portal and includes technical white papers, implementation guidance, IdentityNow wiki, and other documentation. Compass also includes a User Forum where clients can ask specific questions and get answers from our technical support staff and other clients.; ; SailPoint offers instructor-led Administrator and Implementation training sessions that are tailored to each customer’s deployment and cover topics such as: ; ·Introduction to IdentityNow; ·Setup; ·Data Aggregation and Correlation; ·Implementation Guidelines; ·Access Certification; ·Password Management ; ·Troubleshooting
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: IdentityNow has API’s and reports which the users can use to export their data as needed. If the user wants SailPoint's assistance in the export process, they can purchase services hours to have SailPoint Professional Services assist in the process.
• End-of-contract process: Upon termination of the SaaS Agreement or expiration of the Subscription Term, SailPoint shall immediately cease providing the SaaS Services and all usage rights granted under this SaaS Agreement shall terminate.; ; The contract (SaaS subscription) includes access to the service and customer support for the service. All professional services are additional costs and this would include any transitional professional services required at the end of the contract.

Using the service

• Web browser interface: Yes
• Using the web interface: IdentityNow allows you to easily control user access to all systems and applications, enhance audit response and increase your operational efficiency.
• Web interface accessibility standard: WCAG 2.1 AA or EN 301 549
• Web interface accessibility testing: Through the world wide web
• API: Yes
• What users can and can't do using the API: SailPoint offers a fully functioning, versioned API. ; ; The IdentityNow Platform APIs allow you to build your own applications, web sites, and tools that take advantage of IdentityNow's data, features, and flows. The APIs follow a familiar RESTful standard, using query and path parameters, request/response headers, and JSON request/response bodies.
• API automation tools:
  • Ansible
  • Chef
  • OpenStack
  • SaltStack
  • Terraform
  • Puppet
  • Other
• Other API automation tools:
  • Any automation tool that want to request data or perform
  • Actions that can connect through OAUTH2 using API
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type: Automatic
• Independence of resources: As a true SaaS solution, IdentityNow is able to dynamically scale immediately, as needed, to meet customer needs.
• Usage notifications: No

Analytics

• Infrastructure or application metrics: Yes
• Metrics types: HTTP request and response status
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller (no extras)
• Organisation whose services are being resold: SailPoint

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: Customer data at rest is encrypted with the AES256 algorithm by using the AWS Key Management Service (KMS).; ; IdentityNow utilizes its patented zero knowledge encryption to provide multiple layers of encryption on all critical data stored in the IdentityNow cloud database.
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up: All customer data
• Backup controls: Done by AWS
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

• Guaranteed availability: The SaaS Services will achieve System Availability of at least 99.9% during each calendar month of the Subscription Term. “System Availability” means the number of minutes in a month that the key components of the SaaS Services in a Customer production environment are operational as a percentage of the total number of minutes in such month, excluding downtime resulting from (a) scheduled maintenance, (b) events of Force Majeure, (c) malicious attacks on the system, (d) issues associated with the Customer’s computing devices, local area networks or internet service provider connections, or (e) inability to deliver services because of acts or omissions of Customer or any Identity Cube user. ; ; If SailPoint fails to meet System Availability in an individual month, upon written request by Customer within 30 days after the end of the month, SailPoint will issue a credit in Customer’s next invoice in an amount equal to ten percent (10%) of the monthly fee for the affected SaaS Services for each 1% loss of System Availability below stated SLA per SaaS Service, up to a maximum of fifty percent (50%) of the Customer’s monthly fee for the affected SaaS Services.
• Approach to resilience: SailPoint’s IdentityNow solution is provided utilizing Amazon Web Services with each primary hosting location providing full redundancy of hardware, software, and network infrastructure across three AWS Availability Zones. SailPoint provides fully automated failover and advanced backup and recovery measures to ensure that IAM services are available for operation and use. Additionally, controls are in place to provide quick restoration capabilities from backup, in the event that a site or overall service experiences a critical failure.
• Outage reporting: IdentityNow is a pure SaaS solution and IdentityNow service components are monitored by SailPoint DevOps personnel. There is a public status dashboard, http://status.identitynow.com/.; ; For issues broadly impacting all customers, notice and updates would be posted to the Compass portal. You can elect to receive email notification when such notices are posted to Compass. For serious issues, your customer success manager will reach out to you via email and/or phone. SailPoint Assigns a Customer Success Manager to every client. The Customer Success Manager serves as your primary point of contact and your advocate within SailPoint.

Identity and authentication

• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: SailPoint applies the principle of least privileged access. Employees are granted access based on pre-approved roles and job descriptions, which are reviewed and re-certified at least annually.; ; In IdentityNow, administrative access is restricted to DevOps. We utilize a support account, which is separate from customer access accounts. Access to the production environment by SailPoint DevOps personnel requires remote access into the EC2 environment (operated by AWS) which is restricted through the use of a Secure Shell (SSH) connection from the SailPoint corporate IP address and two-factor authentication. ; ; In the IdentityNow UI, access is role based.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
• Devices users manage the service through: Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Coalfire
• ISO/IEC 27001 accreditation date: Not provided
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: SOC Type II

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: The Company maintains IT Security policies which define IT security protocols in order to help minimize security risks. The policies (including incident response, change management, data handling, DR/Backup) are available on the Company’s intranet and are reviewed annually. ; ; All SailPoint employees complete online computer-based security awareness training annually. The computer-based training covers traditional security awareness topics, including physical, email and mobile device security. The training also includes anti-phishing simulated attacks throughout the year and training designed to improve employees' recognition of baits and traps commonly found in phishing emails and spear phishing attacks. Employees learn to identify and avoid manipulative content, malicious and disguised links, dangerous attachments, inappropriate data requests, and other threats.; ; Additional training is provided at the departmental level as appropriate for each role. All members of the engineering team are provided education about developing and testing secure applications including the Open Web Application Security Project (OWASP) Guide to Building Secure Web Applications and Web Services, the most current documents from the OWASP Top Ten Project, Essential Skills for Secure Programmers Using Java/JavaEE from the Secure Programming Council, and SANS’ Top 25 Programming Errors.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: For SailPoint SaaS the Agile method is used for software development.Software development processes are ever changing and looking to improve. These changes often include adjustments to the definitions of terms used. At times certain terms are co-opted and the definition evolves with the industry. The term Software Development Lifecycle falls into this category. SDLC at one time described a specific process of varying staging of analysis, development, integration, testing, and so forth. Other methodologies have been developed over time to improve the process of delivering software.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: SailPoint completes both internal automated vulnerability scans, which are executed during regular verification cycles as part of each weekly release, and external penetration tests conducted by a third-party firm. ; ; AWS performs regular vulnerability scans on the host operating system, web application, and databases in the AWS environment using a variety of tools. ; ; SailPoint subscribes to vendor notification services with notifications of newly released patches and updates. Patches reviewed by SailPoint and deemed to be “Critical” are applied within 30 days of release. SailPoint generally upgrades IdentityNow on a weekly basis but can apply a patch within 24 hours if warranted.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: SailPoint leverages Amazon Web Services (AWS) to host IdentityNow. AWS monitoring tools are designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. AWS security monitoring tools help identify several types of denial of service (DoS) attacks, including distributed, flooding, and software/logic attacks. ; ; SailPoint uses a variety of tools to monitor the availability of the IdentityNow production environments for its clients, including alerts from AWS. These tools send alerts to the SailPoint DevOps team that trigger follow-up procedures.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Customers should report any issues with the IdentityNow service to SailPoint support via the Compass portal, email or telephone. ; ; SailPoint maintains a Security Incident Response Policy and Procedure, which specify the steps and roles and responsibilities should such an incident occur. These policies address remediation and follow-through to ensure the issue is understood and fully addressed.; ; As it relates to a security issue with a SailPoint product or service broadly impacting all customers, notice and updates would be posted to the Compass portal. For serious issues, your customer success manager will reach out via email and/or phone.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: No

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: Amazon DC

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  CDW is committed to fighting climate change and protecting the environment. CDW has made a commitment to achieve Net Zero emissions by 2040, 10 years earlier than mandated by the UK government. To achieve this, CDW has implemented (and continues to implement) initiatives to reduce our emissions and carbon footprint, all of which are underpinned by CDW’s ISO14001 certified Environmental Management System (EMS) and our beGreen program.; ; CDW’s distribution centre and our flagship offices hold ISO 14001 environmental management certifications, with our UK distribution centre also holding REGO energy certifications. In parallel with our EMS and beGreen program, CDW has invested in and implemented a range of initiatives to help tackle our contribution towards climate change across our operational activities. These initiatives include (but are not limited to):; ; -Solar panel usage. As a result, in 2021, we were able to achieve 100% renewable energy sourcing for CDW-owned buildings.; -Energy-efficient lighting solutions, including indoor and outdoor LED lighting.; -Motion sensor lighting and conveyor systems that turn off in response to inactivity.; -Water consumption solutions, including rainwater harvesting efforts.; -“Smart” HVAC systems that adjust according to business hours and seasonal temperatures.; -A ‘Pin to Print’ program enabling enhanced print queue management to reduce wasted print jobs; -A goal to achieve 100% renewable energy sourcing for electricity by 2027. In 2021, 98% of electricity consumed in the UK was from renewable sources.; ; Additionally, at our distribution centres, we have recycled:; ; -2,966 tons of packaging material; -9,794 tons of cardboard; -636 tons of paper; -Thousands of wood and plastic pallets; ; Furthermore, at a coworker level, CDW has established a ‘WE GET Our Environment’ Business Resource Group and an Environment Committee with the purpose of increasing awareness of the environmental and social strategy, and to empower coworkers to get involved in environmental initiatives.

  Equal opportunity

  CDW is committed to creating a working environment for coworkers dedicated to inclusion, diversity and equal opportunities, as detailed in our CDW Way Code, which teaches all CDW coworkers to:; ; -Always do their best to make everyone at CDW feel welcome; -Treat other coworkers with respect and dignity; -Maintain an inclusive workplace in which all coworkers can demonstrate their full potential; -Respect the unique attributes and perspectives of every coworker; ; CDW provides equal treatment and opportunity without regard to:; ; -Race; -Skin colour; -Religion; -National origin; -Gender; -Sexual orientation; -Gender identity; -Disability; -Age; ; Our commitment to equality is underpinned by six Business Resource Groups (BRGs). BRGs ensure all coworkers have a voice, build awareness, and provide support to similar groups in their communities. The BRGs include:; ; -Armed Forces Network; -Black Coworker Network; -Disability Support Network; -PRIDE+; -United Support Network; -Women’s International Network; ; CDW coworkers are empowered to reach their highest potential, and we are focused on providing them with a wide variety of tools and development opportunities to help them achieve their career aspirations at CDW, regardless of origin, background or situation. Within our learning culture, all coworkers are surrounded by comprehensive resources and support, ongoing education and skills training, and robust advancement opportunities. We offer a variety of programs to help current and future leaders build diverse teams and to help diverse coworkers develop their leadership skills so they can continue to advance in the organisation.; ; Our commitment to equal opportunities and diversity is demonstrable across our organisation. As an example, CDW’s CEO and President, Chris Leahy, is female and CDW’s Executive Committee consists of 50% female and 50% male coworkers, with 42% coming from multi ethnic backgrounds.; ; CDW is also committed to reducing the gender pay gap and produces an annual gender pay gap report - https://www.uk.cdw.com/site-tools/pay-gap-report/.

  Wellbeing

  CDW is committed to providing coworkers and their families with the knowledge necessary to make the best health and wellness choices for themselves and their families. ; ; Our approach to wellness is designed to help coworkers be safe, healthy and successful. We understand that managing work and personal life is a balancing act of shifting priorities and so we offer a variety of benefits that supports a coworker’s physical, financial, emotional and social ; wellbeing, including access to telemedicine, a suite of family benefits and a variety of wellness incentives and programs.; ; CDW provides coworkers with an Employee Assistance Program, which offers confidential, individualised coaching to help coworkers achieve personal or professional goals. It also features enhancements for crisis care, 24/7 phone support and an emergency referral system.; ; Ongoing coworker engagement is fostered through regular communications events, including: ; ; -Monthly wellness e-newsletters promoting benefits available to coworkers; -Workshops and activities focused on timely topics; -Various campaigns to raise awareness for meaningful topics throughout the year, including mental health, emotional wellbeing and heart-mind gratitude; ; As a further example of our commitment, in response to the COVID-19 pandemic, our Coworker Services team implemented “coworker calls” - informal, but regular check-ins to ensure all coworkers are caring for their mental health and receiving the support they need.; ; CDW also established ‘The CDW Community’, an initiative set up to provide coworkers with activities that they could participate in to keep them physically and mentally active, and to give them a platform for social engagement with other coworkers during a time where many were feeling isolated.; ; Following its success during COVID, the CDW Community initiative has remained operational as we exit the pandemic, continuing to provide CDW coworkers with activities and resources centric to physical and mental wellbeing, as well as sessions to support a healthy family life.

Pricing

• Price: £50,000 a unit
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@uk.cdw.com. Tell them what format you need. It will help if you say what assistive technology you use.