Jisc Services Ltd

Web application firewall (WAF)

The Jisc Web Application Firewall (WAF) service is based on Fortinet's FortiWeb WAF, providing a cloud-based service that makes your websites safer, faster and more reliable. The service guards against DDoS attacks and protects against data breaches resulting from malicious cyber-attacks and vulnerability exploits.

Features

• Comprehensive protection against any type of DDoS attack
• Enterprise grade Web Application Firewall (WAF)
• Application-aware CDN & content caching
• Intelligent application-level load balancing
• Real-time monitoring & alerts
• Advanced bot mitigation
• Advanced mitigation of layer attacks
• Comprehensive protection and defense against cyber attacks
• Based on the Fortinet FortiWeb WAF

Benefits

• Automatic detection and immediate triggering
• Transparent mitigation with less than 0.01% false positives
• No hardware or software installations needed
• No code changes or complex integrations are needed
• Prevents access to malicious and unwanted visitors to your website
• Defends against web threats and vulnerabilities including OWASP top10
• Apply your organization’s security policy within the WAF
• Accelerate web site page rendering and minimize latency
• Guarantee optimal resource utilization
• Routing changes are immediate and across-the-board for all users

£5,000 to £500,000 a licence a year

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bid.support@jisc.ac.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

669498288457033

Contact

Bid Support
03003002212
bid.support@jisc.ac.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
• Service constraints: None
• System requirements:
  • Fortinet FortiWeb is activated by a simple DNS change
  • Firewall changes required

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: P1 Target response 30 Mins P2 Target response 2 hours P3 Target response 4 hours Out of hours - Target response 30 Mins (P1 only) P1 incidents Service component failed or severely impaired resulting in serious business-wide impact or multiple users/services impacted. P2 incidents Service component impaired resulting in a loss of functionality, or loss of access to a single or subset of users, but work can continue in an impaired manner. P3 incidents Incident with minor or no direct impediments on the customer’s business and/or is not time sensitive
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: No
• Support levels: Jisc's Managed Service Gold tier support package - for further information, see Jisc's Managed Cloud Service.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide a default scanning configuration which users can customise once the service is running.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: No data is stored persistently as part of this service.
• End-of-contract process: A termination plan will be produced and agreed with the customer. The key part of this is updating the customer's DNS settings.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: No

Scaling

• Independence of resources: Our global network consists of 40 data centers with over 4 Tbps capacity designed purely to protect your websites.

Analytics

• Service usage metrics: Yes
• Metrics types: Service usage metrics; Yes; Metrics types; Metrics include: Bot visits, Threats Bandwidth Status, Application attacks, Countries, Hits per second, Bits per second, Daily Hits, Threat type, Attack Countries
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Fortinet

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: Never
• Protecting data at rest: Other
• Other data at rest protection approach: We do not hold customer data.
• Data sanitisation process: No
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: N/a
• Data export formats: Other
• Other data export formats:
  • Can export to a SIEM
  • PDF reports
  • Email alerts
• Data import formats: Other
• Other data import formats: N/a

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Fortinet commits to an annual uptime of 99.999%.
• Approach to resilience: Available on request
• Outage reporting: Email alerts.

Identity and authentication

• User authentication needed: No
• Access restrictions in management interfaces and support channels: N/a
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Lloyds Register
• ISO/IEC 27001 accreditation date: 23 June 2019
• What the ISO/IEC 27001 doesn’t cover: All Jisc activities related to the provision of this service are covered.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: CREST

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Jisc is certified as compliant with ISO27001:2005 (Certificate CI/12868IS) by a UKAS accredited certifying body. Services that we have designed, implemented and operate have been subject to risk assessment including ITHCs and penetration testing by independent CHECK providers. We are able to supply our Information Security Policy subject to a non-disclosure agreement being put in place with the receiving party.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Jisc is committed to ITIL aligned Change and Configuration Management for effective management and control of its infrastructure. Jisc's management tool incorporates an automated Change Management Database (CMDB) at the heart of its operation, with all service support and delivery modules linked to the CMDB to ensure a complete and accurate view of customer estates. A CAB team exists within the services department and liaises closely with all other teams to ensure changes are successful and our infrastructure is maintained and accurately modelled within the CMDB.
• Vulnerability management type: Undisclosed
• Vulnerability management approach: We rely on vendor support services to ensure we are operating in line with the latest recommendations and are made aware of any potential vulnerabilities by them.
• Protective monitoring type: Undisclosed
• Protective monitoring approach: Jisc relie of Imperva and Fortinet to undertake protective monitoring activities and to inform us of incidents.
• Incident management type: Undisclosed
• Incident management approach: Our ITIL-aligned Incident Management process ensures that we respond to any reported faults and sets out target resolution times to ensure that these are fixed within agreed timeframes. Customers can report incidents via phone, email or our portal. Our Incident Management process ensures that we respond to any reported faults and sets out target resolution times to ensure that these are fixed within agreed timeframes. For Major Incidents, once the Incident has been resolved, the Incident Manager will ensure an Incident Review Meeting is held and a Major Incident Report is created and distributed.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  As part of our core strategy for 2022-2025 the theme ‘Be a force for good’ recognises sustainability as an organisational imperative. Committed to achieving Net Zero emissions by 2040, 10 years ahead of government target, we plan to cut our emissions by over half by 2030 and be net zero across our remaining scope three emissions (net zero plus) by at least 2050. We have a Net Zero Roadmap outlining how we will reduce emissions and our plans for future projects.; Below are some examples of what we have done:; ; Lowered our carbon footprint by: reducing the size of our estate, motion-controlled lighting to save electricity in our Bristol office, as well as generating electricity through solar power. ; ; Reduced travel emissions by: a hybrid working model, introduction of a staff electric car scheme, alongside an existing cycle to work scheme. ; ; An Environmental Policy outlining our commitment to continually improve our environmental performance: We are developing an environmental management system to ISO14001, this will guide action across key areas, such as consumption, waste, biodiversity, travel.; ; Started to embed sustainability into our procurement processes: We will introduce a Sustainable Procurement Policy to drive this further.; ; Sustainable Jisc Events: Jisc’s Digifest event offered a meat free menu, estimated to have saved 6.4 tonnes of carbon. Catering was locally sourced, and any food waste was disposed through anaerobic digestion. We encouraged exhibitors to use digital messaging, reducing printed materials. Our event app reduced the amount of printing required, and any required event printing is now FSC certified and fully recyclable. ; ; Reuse or recycle old IT equipment: Wiped and sold for reuse old IT equipment, and recycled equipment not suitable for reuse, resulting in zero waste to landfill. In 2022/23 we recycled over 370 pieces of IT equipment.

  Covid-19 recovery

  Providing our people with the flexibility they need to balance their personal lives and do well at work, Jisc offers a range of ways of working, including flexible hours and working from home. We have adopted a hybrid working model for most roles. Flexible working eliminates the limitations posed by geographical location and personal circumstances. To support their home working environment, remote workers are provided with an allowance for equipment and advice and training on DSE.; For the benefit of people and community, everyone at Jisc can make a difference, with up to three paid volunteering days per year. In 2022/23 29% of our staff took a volunteering day. Colleagues used 321 volunteering days across the year for the benefit of people and community. Examples include, foodbanks, animal sanctuaries, helping children to learn to read, litter picking, giving blood.

  Tackling economic inequality

  We are an accredited Living Wage Employer. Jisc meets the standards set by Citizens UK and the Living Wage Foundation by signing the ‘UK Living Wage Employer' licence agreement. This agreement confirms that Jisc pay the Real Living Wage as a minimum. We also ensure that people in our supply chain delivering goods and services are paid the National Living Wage as a minimum.; Jisc is committed to the development of our people, and encourage they use 10% of their time on development. To help our people to upskill and achieve, they have access to a huge variety of learning resources including access to the full LinkedIn Learning catalogue. Where a qualification is directly linked to career progression, Jisc contribute or cover the full cost of the training. ; Jisc provide their employees with a number of benefits. For example, our Pay Framework gives a fair, flexible and transparent pay structure to work within. Our employee Healthcare cash plan allows members to claim back everyday healthcare costs, like dental or eye care. ; Apprenticeships provide an amazing opportunity to boost the skills of the local community and beyond. We are extremely proud of our apprenticeship scheme at Jisc, which cover legals, marketing, network engineering, procurement, HR and finance. Our scheme celebrates diversity, and we know that it is critical to our success. We work hard to make sure we’re inclusive and welcome all applicants who share our values and want to join us in our mission to improve lives through digital transformation.

  Equal opportunity

  One of Jisc’s guiding principles ‘Always Inclusive’ reflects our commitment to equity, diversity and inclusion (EDI). ; Our EDI policy outlines our commitment to de-constructing systemic racism and other barriers which have historically affected under-represented groups in the workplace. We strive to be an organisation where everyone here is able to be their authentic self and recognise the benefits of diversity with regards to innovation, team performance and organisation-wide productivity. ; We engage with external partners such as the Black Leadership Group and Emerge. Emerge are co-designing on the delivery of our Conscious Inclusion of Leaders Programme. In 2023 we launched a new Board and Committee diversity policy. The Board believes a mix of skills, knowledge and experience with different perspectives and insights builds a strong foundation for well-informed decision-making and as a consequence, better performance of Jisc in support of its stakeholders. ; Our EDI steering group meets quarterly to address inclusion-related topics from our employee networks, including the faith and LGBTQIA+ networks. We provide EDI training through our leadership program and have conducted anti-racism masterclasses for staff. Our recruitment team has also received inclusion-focused personal development and assists hiring managers in refining their practices.; We won’t accept modern slavery, forced labour or any human trafficking anywhere within our operations or supply chain. Our Modern Slavery working group assess risk areas, implement improvements and monitor progress against our Modern Slavery objectives and policy. Staff are educated on how to report modern slavery in the workplace and what signs to look for. ; Currently four of nine of our executive leadership team are women, including our CEO. According to benchmarking we carry out as part of our commitment to the Tech Talent Charter, we are above the national average for employing women in tech roles, having 31% taken by women against 28% nationally.

  Wellbeing

  The health and wellbeing of our staff is crucial to us. In 2023 we introduced a new benefits package for staff including an employer paid healthcare cash plan, an electric car scheme and the opportunity to buy additional annual leave. We offer a cycle to work scheme and an employee assistance programme for advice on a range of legal, financial, physical, emotional and mental health issues. We value good work/life balance and work flexibly. We also offer a generous leave entitlement, enhanced sick policy and enhanced maternity, paternity and adoption leave in addition to statutory entitlement, and shared parental leave. ; Trained to support our staff, we have 41 (April 2024) mental health first aiders easily assessable to our people across our geographical locations. Promoting and delivering wellbeing initiatives within Jisc, some of our mental health first aiders are also wellbeing champions. ; Providing staff with education, support and tools to help them live a happier and healthier life, they have access to a Wellbeing centre through our Jisc reward scheme, where they can access a range of resources to support wellbeing.; Our employee assistance programme provides staff and their immediate family access to confidential advice on a number of topics covering physical, mental, financial advice and is accessible through various mediums. ; Volunteering has been shown to improve mental health, by giving a sense of purpose and reducing stress and anxiety. Our staff can use up to three days volunteering per year. Through our volunteering network, staff share their experiences with others.

Pricing

• Price: £5,000 to £500,000 a licence a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: 60 days access to full FortiWeb service.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bid.support@jisc.ac.uk. Tell them what format you need. It will help if you say what assistive technology you use.