
Web URL Filtering

The Department of Technology Services provides web URL filtering on the State’s Network. The Web URL Filter will restrict, monitor and log Internet usage of users on the State of Utah Network. The Web URL Filter assigns web sites to one of a number of predefined categories. Categories which are being blocked across all State of Utah networks are defined in the Enterprise Web Filter Policy 5000-0004. The restricted categories are subject to review and may be changed at any time. Exceptions may be granted upon request, based upon work requirements.

Support

Web Filtering | Support Hours | Days of Week
Web Filtering Exceptions or URL re-categorizations | 8 am – 5 pm | Mon – Fri

  • Web Filtering support and metrics will be based on the business support hours and the days of the week identified in this product description.  

Features Included

Palo Alto

  • URL Filtering
  • Blocking websites based on categorization of URL
  • Category Based
  • Enterprise Wide
  • Exceptions Handled with AD for the UTAH Domain
  • Enforcement of AD exception groups

Active Directory

  • Identify Users
  • Groups identify what a user can do based on membership to group
  • Enforcement handled by Palo Alto

Exceptions

  • Exceptions are granted on a per-user basis, based on business requirements.
  • Exceptions require approval by the user’s manager and the DTS Enterprise Information Security Office (EISO).

Features Not Included

Content Filtering

  • Content Filtering is not provided by Web URL Filtering.

Custom Categories Per Agency

  • The Web URL filter will use only the categories that will be used enterprise wide. A custom category is a defined category created to meet the needs of the Enterprise, such as Always Allow or Always Block. This is needed when a state web site is categorized in a blocked category and the vendor will not re-categorize it due to page content. To request URL re-categorization, see Agency Responsibilities below.

Ordering and Provisioning

  • Web URL Filtering is not a product that needs to be ordered. Web URL filtering is provided on all state networks.
  • Exceptions are requested by having the user’s manager submit an email to webfiltering@utah.gov with justification. More information can be found in the DTS Web URL Standard and Process.

DTS Responsibilities

  • DTS is responsible for providing Web URL filtering across the State’s Networks. Web URL filtering is provided by evaluating web URLs and placing each URL into predefined categories. The restricted categories are subject to review and may be changed at any time.
  • The EISO maintains a list of approved exceptions for users.

Agency Responsibilities

  • Agency Management may request to have a website added to or removed from a category (on the grounds that the website is incorrectly categorized, or that the website should be open to all customers); this requires approval from the filtering vendor.
  • Agency Management may also request to exempt an Agency employee from being blocked from a filtered category (customer has a business reason for accessing the website); this requires approval from EISO.

Rates and Billing

  • N/A

General Service Level and Metrics

  • All technical incidents and service requests, and certain types of orders, related to products and services provided by DTS will be reported to the DTS Enterprise Service Desk or to specialized Help Desks that support State agencies or DTS divisions and regions.  All incidents and requests will be captured in the DTS Help Desk application. DTS staff will provide timely acknowledgement and resolution of technical incidents and service requests.
  • DTS support staff, including staff directly assigned to the DTS Enterprise Service Desk, will exert all reasonable efforts to meet the Time to Initial Response (TIR) and Total Time to Resolution (TTR) targets set forth below.
  • The DTS Enterprise Service Desk is accessible 24×7 by telephone at 801-538-3440 or 800-678-3440. Live chat and direct user reporting of incidents are also available on the DTS website at dts.utah.gov. Published “Business Hours” for the DTS Service Desk are 8:00 AM-5:00 PM, Monday-Friday. Hours of support/on-call coverage vary by agency/division/region and product.

Incident Response and Resolution Targets

Time to Initial Response Targets | % Tickets | Total Time to Resolution Targets | % Tickets
Low priority – 1 Business hour | 85% | Low priority – 6 Business hours | 90%
Medium priority – 1 Business hour | 85% | Medium priority – 4 Business hours | 90%
High priority – 1 Clock hour | 90% | High priority – 3 Clock hours | 90%
Critical priority – 30 Clock minutes | 95% | Critical priority – 3 Clock hours | 90%


Customer Satisfaction Surveys and Reporting

All users/customers whose technical incidents are resolved by DTS staff will be given the opportunity to respond to an on-line survey regarding their level of satisfaction with the support received from DTS. Responding to the survey is voluntary.

Periodic reports will be created showing the level of satisfaction with resolution of incidents by specific support groups and the level of satisfaction of users by agency.

Customer Satisfaction Targets

Metric Description | Target
Average level of satisfaction with resolution efforts | > 4.5 on a scale of 0 – 5
Percentage of respondents satisfied or better with service received | 93% of respondents satisfied

Network Services for Non-State Agencies

The Department of Technology Services (DTS) operates a Wide Area Network (WAN) for all State of Utah Executive Branch agencies. DTS also provides WAN services for other State and non-State government entities (cities and counties). The State WAN provides gateway services to the public Internet and functions as a private fault tolerant network, connecting facilities in geographic locations statewide.

DTS will place and install all hardware, software, and facilities necessary to connect a non-State agency to the State WAN. Network Services include IP addressing, Domain Name System (DNS), Internet access, Web content filtering, security products (firewalls), virtual private network (VPN) termination and intrusion prevention systems (IPS), and the necessary tools and staff to support these services. Services are provided in a bundled product offering (see product features below).

DTS operates on a cost recovery basis and is therefore unable to quote one price that applies to all potential customers. Variables such as geographic location and transport requirements affect customer connectivity costs; connectivity costs are different for every customer.

Product Features and Descriptions

Wide Area Network

High availability to multiple locations.

Fault tolerant network with redundant paths from data centers to geographic hubs; these diverse paths are provided by the DTS network microwave services.

Specific infrastructure information may be obtained from the DTS Communications Planning Group.

General Functions and Duties

This product provides for network consulting, planning, and engineering. Services include the deployment of network products, operational support of network products, network tuning, and network diagramming; however, services do not include the acquisition or maintenance cost of other network based multi-media products.

Connection

Network utilization monitoring and bandwidth management.

Last mile connection from remote facilities to geographic hubs.

Wide Area Network Security

Firewall services between the Internet and the State WAN.

Backbone intrusion monitoring and management.

Access Control Lists (ACLs) for local LAN segments, where technically feasible. Note: Logging ACLs on router access lists is not provided to customers.

Packet screening to prevent IP spoofing from external networks.

IP Addressing

Manage address blocks.

Manage subnets, VLANs, and public/private IP assignments.

DNS Service

Manage host, MX, alias, and PTR records.

Host newly registered DNS domains and manage DNS records.

Delegate sub-domains per agency request.

Manage changes to DNS entries.

Provide instructions for registering new DNS names.

Internet Access

Content filtering, which blocks inappropriate or unauthorized access.

Redundant access paths.

Customer-specific filtering is available on request and requires customer identification through the State authoritative directory: Utah Master Directory. To request UMD access, please use the following URL: http://login2.utah.gov/user (select: register here).

VPN Sessions

DTS will provide secure VPN access into the State network from the Internet; pre-authorization is required. See VPN product information.

Network Operations and Monitoring

DTS Network Operations is a 24×7 service. Customers may contact the DTS Customer Service Center to report network problems by calling 801-538-3440 or 800-678-3440.

Other Features

Enterprise Security

Enterprise Security services are available upon request. Please refer to Enterprise Services on the DTS web site.

Features Not Included

Agency-Specific Solutions

DTS will assess and engineer appropriate network bandwidth by working with agency requirements.

DTS can provide unique WAN services, at an additional negotiated cost, if it is beyond a reasonable expectation.

Acquisition and/or maintenance costs of network based multi-media products (see Product Features: General Functions and Duties).

ACL logging is not provided to customers (see Product Features: WAN Security).

Email

Google provides state email enterprise services for Executive Branch agencies. Non-state entities may take advantage of the State contract and be supported directly by the provider.

Ordering and Provisioning

To inquire or order WAN services, please contact the DTS Customer Service Center by calling 801-538-3440 or 800-678-3440.

DTS Responsibilities

  • Provide network maintenance to the customer’s demarcation point.
  • Coordinate and notify customers of planned maintenance and outages.
  • Assess and engineer appropriate network bandwidth by working with the customer’s business requirements.
  • Maintain the integrity and security of the State WAN and Local Area Networks by shutting down ports that have been penetrated, or otherwise violate network security policies.
  • Conduct periodic device count audits, in accordance with the network device definition and published guidelines.
  • Conduct periodic Special Billing Agreement audits and update agreements as applicable.

Customer Responsibilities

  • Contact the DTS Customer Service Center to report network problems by calling 801-538-3440 or 800-678-3440.
  • Comply with State acceptable use policies: http://www.rules.utah.gov/publicat/code/r895/r895-007.htm.
  • Provide DTS router access lists.
  • Consult the assigned Network Planner when planning facility moves.
  • Pay for equipment installed by DTS and the replacement costs of any equipment that becomes obsolete. The equipment will remain under the ownership and management of DTS.
  • Notify the assigned Network Planner when planning to deploy applications that might affect network traffic.
  • Provide adequate space, power, cooling, etc. for State network equipment at each customer facility.
  • Provide physical security in facility locations that house State network equipment.
  • Provide the DTS assigned Network Planner a local contact at each facility that is capable of assisting with troubleshooting the customer’s WAN connection.
  • Comply with State security policies and standards; and adhere to additional network policies and standards as drafted and approved by DTS (see: DTS Policies and Procedures).
  • Adhere to State Acceptable Use Policy: http://www.rules.utah.gov/publicat/code/r895/r895-007.htm.
  • Prohibit open “rogue” Access Points in the network.
  • Coordinate extended network services to additional facilities with DTS WAN Planner.

Network Services

The Department of Technology Services (DTS) operates a State Wide Area Network (WAN) as well as the State Local Area Networks (LAN) for all State of Utah Executive Branch agencies. DTS also provides WAN services for State and other government agencies with enterprise-wide, intra-state network services.

The State WAN provides gateway services to the public Internet and functions as a private fault tolerant network, connecting facilities in geographic locations statewide.

In FY2009, WAN and LAN services merged into Network Services, delivering jack-to-jack connectivity to agency customers, using a single rate.

Network Services include IP addressing, Domain Name System (DNS), primary domain email service, Internet access, web content filtering, security products such as firewalls, VPN termination and intrusion prevention systems (IPS), and the necessary tools and staff to support these services. Network Services will provide limited wireless connectivity for agencies.

Features and Descriptions

Wide Area Network

  • High availability to multiple locations.
  • Fault tolerant network with redundant paths from data centers to geographic hubs; these diverse paths are provided by the DTS network microwave services.

Local Area Network

Consistent connectivity from all end-points using best practices.

General Functions and Duties

This product provides for network consulting, planning and engineering. Services include the deployment of network products, operational support of network products, network tuning, and network diagramming; however, services do not include the acquisition or maintenance cost of other network based multi-media products.

Connection

  • Network utilization monitoring and bandwidth management.
  • Last mile connection from remote facilities to geographic hubs.
  • Ethernet service connectivity to the Intermediate Distribution Frame (IDF) except where Local Area Support is provided.
  • Connections at campus sites, designed on a case-by-case basis to provide the most appropriate service that meets campus customers’ needs.

Device

  • A network device is any object that transmits information across any portion of the state owned network, including wireless devices.
  • State employees paying the monthly network service fee for desktop or laptop purposes may use a mobile device, such as an iPad, without incurring additional network fees (mobile device support fee is applicable); however, employees may not avoid the network service fee by opting for a mobile device only or by “Bringing Your Own Device” (BYOD)—the approved network service fee is applicable in these scenarios.
  • Devices supporting the network infrastructure are excluded.

Security

  • Firewall services between the Internet and the state WAN.
  • Backbone intrusion monitoring and management.
  • Access Control Lists (ACLs) for local LAN segments, where technically feasible.
  • Note: Logging on router access lists is not provided to customers.
  • Packet screening to prevent IP spoofing from external networks.

IP Addressing

  • Manage address blocks.
  • Manage subnets, VLANs and public/private IP assignments.

DNS Service

  • Manage host, MX, alias and PTR records.
  • Host newly registered DNS domains and manage DNS records.
  • Delegate sub-domains per agency request.
  • Manage changes to DNS entries.
  • Provide instructions for registering new DNS names.

Email Services

Services provided via Google.

Internet Access

  • Content filtering, which blocks inappropriate or unauthorized access.
  • Customer-specific filtering is available, on request.

VPN Sessions

DTS will provide secure VPN access into the state network from the Internet; pre-authorization is required.

Wireless Services

Effective Nov. 1, 2017, DTS will provide the following wireless services. For small office buildings (under 30 employees), DTS will provide up to four (4) access points for wireless coverage.  For medium size buildings containing more than 30 and up to approximately 100 employees, DTS will provide up to 12 wireless access points.  For large buildings containing over 100 employees, DTS will provide up to 20 wireless access points.  For multi-agency buildings, wireless access points will be assigned proportionately per number of employees each agency has in the building.

DTS reserves the right to determine the optimal number of wireless access points to install within the recommended standards. Agencies will not automatically qualify for the maximum amount.

Requests for additional wireless access points beyond the standard will require a business justification and will be reviewed on a case-by-case basis.

Requests for all wireless installations should be completed via the online form on DTS’ website. Requests for exceptions outside of the standard offering above can be submitted via the same form (with the justification for non-standard exception filled in).

For those agencies wishing to purchase additional access points, beyond the standard, a request can be made via the same online form with the authorization for additional charges completed.*

*Charges for additional access points, beyond the standard, will be billed via an SBA and will include: 

  • The cost of the access point(s).
  • Any additional hardware and wiring required to accommodate those access points.
  • Yearly maintenance cost.
  • Replacement cost (at 5 years or at the request of the customer).
  • Associated labor for installations and replacements.

Features Not Included

Additional Firewalls or Security

DTS can help evaluate and develop a solution for additional security requirements that may require an additional negotiated cost or be dependent on available funding.

Cabling

For local area support, this product does not include the cost of supplying, installing, or upgrading the agency’s infrastructure cabling.

Wiring and Cable Design

A DTS wiring specialist will review customer requests and will engineer a solution or plan using the latest technology in accordance with code, and industry best standards and practices. Services are based on available resources. See DTS Consulting Rate below under Rates and Billing.

Agency-Specific Solutions

  • DTS will assess and engineer appropriate network bandwidth by working with agency requirements.
  • DTS can provide unique WAN or LAN connections, at an additional negotiated cost if it is beyond a reasonable expectation.

Router Access List Logging

DTS can help agencies design a logging server solution.

Telecommuter Access

DTS offers VPN and other telecommuter products for remote access to the WAN.

DTS Responsibilities

  • Provide jack-to-jack network maintenance; however, facility cabling is the responsibility of the agency.
  • Coordinate customer notification of planned maintenance and outages.
  • Assess and engineer appropriate network bandwidth by working with agency business requirements.
  • Provide network service in an efficient and economical manner—to include using bandwidth monitoring statistics to justify enhancements.
  • Maintain the integrity and security of the State WAN and Local Area Networks by shutting down ports that have been penetrated, or otherwise violate network security policies.
  • Conduct periodic device count audits, in accordance with the network device definition and published guidelines.
  • Conduct periodic Special Billing Agreement (SBA) audits and update agreements as applicable.
  • Network Solutions Engineer and technical support staff must document the firewall configurations so that agencies that need access to applications have access—i.e., enabling state interoperability.

Agency Responsibilities

  • Comply with the state Acceptable Use Policy: http://dts.utah.gov/policies/documents/1000-0003acceptableuse.pdf
  • Provide security requirements.
  • Consult assigned Network Solutions Engineer when planning facility moves.
  • Notify assigned Network Solutions Engineer when planning to deploy applications that might affect network traffic.
  • Provide adequate space, power, cooling, etc. for state network equipment at each agency facility.
  • Provide physical security in facility locations that house state network equipment.
  • DTS customers should provide the assigned Network Solutions Engineer a local contact at each facility that is capable of assisting with troubleshooting customer concerns; this is often a DTS employee.
  • Comply with state security policies.
  • Agencies are responsible for reviewing their Network Bill from DTS in a timely manner for accuracy.

General Service Levels and Metrics

All technical incidents and service requests, and certain types of orders, related to products and services provided by DTS will be reported to the DTS Enterprise Service Desk or to specialized Help Desks that support State agencies or DTS divisions and regions. All incidents and requests will be captured in the DTS ServiceNow application. DTS staff will provide timely acknowledgement and resolution of technical incidents and service requests.

DTS support staff, including staff directly assigned to the DTS Enterprise Service Desk, will exert all reasonable efforts to meet the Time to Initial Response (TIR) and Total Time to Resolution (TTR) targets set forth below.

The DTS Enterprise Service Desk is accessible 24×7 by telephone at 801-538-3440 or 800-678-3440. Live chat and direct user reporting of incidents are also available on the DTS website at dts.utah.gov. Published “Business Hours” for the DTS Service Desk are 7:00 AM-6:00 PM, Monday-Friday. Hours of support/on-call coverage vary by agency/division/region and product.

Incident Response and Resolution Targets

Time to Initial Response Targets | % Tickets | Total Time to Resolution Targets | % Tickets
Low priority – 1 Business hour | 85% | Low priority – 6 Business hours | 90%
Medium priority – 1 Business hour | 85% | Medium priority – 4 Business hours | 90%
High priority – 1 Clock hour | 90% | High priority – 3 Clock hours | 90%
Critical priority – 30 Clock minutes | 95% | Critical priority – 3 Clock hours | 90%

Customer Satisfaction Surveys and Reporting

All users/customers whose technical incidents are resolved by DTS staff will be given the opportunity to respond to an on-line survey regarding their level of satisfaction with the support received from DTS. Responding to the survey is voluntary.

Periodic reports will be created showing the level of satisfaction with resolution of incidents by specific support groups and the level of satisfaction of users by agency.

Customer Satisfaction Targets

Metric Description | Target
Average level of satisfaction with resolution efforts | > 4.5 on a scale of 0 – 5
Percentage of respondents satisfied or better with service received | 93% of respondents satisfied

Remote Access VPN (Virtual Private Network)

A Virtual Private Network (VPN) enables remote users to communicate confidentially over a public network – i.e., between a public Internet connection and the State of Utah network.

DTS provides two methods for State employees to connect to the state network:

Web VPN provides a convenient solution for State employees who occasionally work off-site, and for those who access state IT resources from public facilities or kiosks. This option also provides temporary access to restricted State applications for vendors or contractors. Web VPN uses SSL (Secure Sockets Layer) to secure traffic between a remote computer and restricted State IT resources.

VPN Client provides a robust solution for power users who work off-site on a regular basis. It provides the same level of access to State IT resources as if the users were connected at their offices. The VPN Client is desktop software that secures traffic between a remote computer and restricted State IT resources—all data traffic is encrypted.

VPN Features

Secure Connection

Remote Access VPN establishes a virtual private network (VPN) that enables remote users to communicate confidentially over a public network—i.e., from public Internet connections.

Data Encryption

User credentials and all data traffic are encrypted in compliance with IPSEC standards.

User Authentication

Users are allowed access to restricted state IT resources only if they can verify identification at login.

Unauthorized users are not permitted access.

Authentication Directory

Each user is authenticated to the Utah Master Directory (UMD).

DTS maintains the UMD.

ASA

Adaptive Security Appliances (ASAs) provide redundant, scalable network devices that perform end-point security for remote-user configurations. DTS operates and maintains the ASAs.

Solution for Infrequent or Temporary Off-site Users

Authorized access to restricted State IT resources for State employees who occasionally work off-site.

Temporary authorized access to restricted State applications for vendors, contractors and other State business partners.

Features Not Included

Remote Access Connection

The customer must have a remote access connection—e.g., commercial DSL, cable modem service, public kiosk service, etc.

Internet Service

The user must have Internet service on his or her remote access connection.

Ordering and Provisioning

To order the Remote Access VPN product, please refer to the product request form on the DTS web site.

Note: CenturyLink FTTN and Independent Telcos providing DSL require VPN services.

DTS Responsibilities

  • DTS will deliver the product described in this product description.
  • DTS will provide instructions for product use.
  • DTS will operate and maintain Adaptive Security Appliances (ASAs).
  • To ensure the security of State information technology resources, DTS may block telecommuters’ access to the State Network when troubleshooting security intrusions.
  • DTS will enforce the VPN, State Information Security and Appropriate Use policies.
  • VPN Client: DTS will provide instructions for installing and configuring the VPN Client software.

Agency Responsibilities

  • The customer will adhere to their agency’s policies and procedures in submitting online orders that have been properly approved.
  • The customer will obtain a remote access connection—e.g., commercial DSL or cable modem.
  • The customer must have a Utah Master Directory (UMD) account.
  • Non-state employee customers must be sponsored by a State of Utah agency.

Web VPN:

  • The LAN Administrator assigned to the customer’s agency will support the applications required by the VPN user.
  • The customer’s Web browser must support SSL.

VPN Client:

  • The LAN Administrator assigned to the customer’s agency will set up the customer’s computer with software required to access the agency LAN and other business software required by the VPN user.
  • The LAN Administrator assigned to the customer’s agency will assist the customer with installing and configuring the VPN Client software as requested.
  • VPN customers will comply with the State Acceptable Use Policy, the State Information Security Policy and the VPN Policy.

System Requirements

  • Windows 2000, Windows XP or Windows 7; Linux, Apple Mac and native iPad/iPhone.
  • Web VPN: DTS-supported Web browser such as MS Internet Explorer, Netscape, and Firefox.
  • Web browser must be SSL compliant.

LAN to LAN VPN (Virtual Private Network)

LAN-to-LAN VPN provides a secure and encrypted network connection for business transactions conducted between users and systems on one LAN to users, systems, and applications located on another LAN.

LAN-to-LAN VPN is a service for State agencies that need secure and encrypted access to business applications located on another network—e.g., a federal agency application or an application on another State agency’s subnet.

LAN-to-LAN VPN service provides agency LAN administrators or security staff the ability to dedicate long-term access to specific restricted services for a group of users—e.g., a business to business Extranet.

LAN-to-LAN VPN Product Features

Secure Business to Business Transactions

Dedicated long-term access for a group of users (or servers) on one LAN to specific restricted services located on another LAN.

Secure Connection

A Virtual Private Network (VPN) between two LANs internal or external to the state Wide Area Network.

Configuration

DTS staff work personally with the LAN Administrator assigned to an agency to configure the LAN-to-LAN VPN to meet specific business requirements.

ASA

Adaptive Security Appliances (ASAs) provide redundant, scalable network devices that perform end-point security for LAN to LAN configurations. DTS operates and maintains the ASAs.

Product Benefits

Security:

Many State agency businesses require access to applications maintained by other organizations located on external networks or subnets. Those organizations often require secure access to their network to reduce risk to their IT resources. LAN-to-LAN VPN configures a secure gateway to those business applications.

Ease of use:

Once the LAN-to-LAN VPN is set up, users don’t have to do anything—the service is transparent.

Business effectiveness:

State agencies can conduct requisite business transactions on other agencies’ or businesses’ secure networks.

Ordering and Provisioning

To order the Remote Access VPN product, please refer to the product request form on the DTS web site.

DTS Responsibilities

  • DTS will work with the customer or the LAN Administrator assigned to the customer agency to obtain the parameters required to set up and test the requested LAN-to-LAN VPN.
  • DTS will provide instructions for product use.
  • DTS will operate and maintain Adaptive Security Appliance (ASA).
  • To ensure the security of State information technology resources, DTS may block access to any State network node when trouble-shooting security intrusions.
  • DTS will enforce State Information Security and Appropriate Use policies.

Agency Responsibilities

  • The customer will adhere to their Agency’s policies and procedures in submitting orders that have been properly approved.
  • The customer agency will submit LAN-to-LAN VPN request to DTS through the DTS website.
  • Customer will complete the online request form including: Customer Contact information; IP Addresses; Internet Key Exchanges (IKE) and Internet Protocol Security (IPSEC) information.
  • The customer or the LAN Administrator assigned to the customer’s agency will work with DTS Network Operations to provide network parameters required to set up and test the requested LAN-to-LAN VPN.
  • The customer or the LAN Administrator assigned to the customer’s agency will support the end-users’ access to the business-related application or network on the far end of the LAN-to-LAN VPN.
  • Customers will comply with the State Acceptable Use Policy and the State Information Security Policy.

System Requirements

End nodes must be IPSEC devices.