Support

Contents:

• Reporting issues for support

Support process

1. If you have a Premium/Enterprise support agreement and the issue is critical/severe, you should escalate to your primary or secondary contact once the issue has been logged (via the ticketing system).

2. CheckSec Support will review and triage the issue, with responses given within the agreed support response times.

   1. Further information may be requested, such as logs files, browser debug data, etc.

   2. In the scenario of more complex issues, a remote debugging may be suggested (if possible). CheckSec can support Hipchat, WebEx, Skype (For Business) and Google Hangouts for remote debugging purposes.

3. A resolution (workaround or hotfix) will be provided within the agreed response time.

A hotfix is an interim software update that is provided to address a specific issue, and does not require updating the full environment. These types of patches are usually less impacting than a full upgrade between releases.

Recording issues/bugs

All issues must first be recorded via the support ticket system. In general, the support ticket system should be used for tracking issues. Forums are available for general questions, feature requests, etc.

The support ticket system is available at:

https://support.checksec.com

For guidelines on reporting issues and bugs, please see:

Reporting issues for support

Support Hours

CheckSec provides support during the following times:

Support level	Support hours
Standard	09:00 - 17:00 GMT (BST), Monday to Friday
Premium/Enterprise	07:00 - 19:00 GMT (BST), Monday to Friday.

Exceptional out-of-hours support may be granted to Premium/Enterprise clients for support during specific activities, such as planned upgrades. Please contact your account manager to discuss such requirements.

Critical Level 1 issues affecting our Premium/Enterprise users can be escalated via their account manager between 07:00 GMT (BST) and 21:00 GMT (BST).

Service Level Agreement

We’re committed to responding to all requests in a timely manner. However, some requests are more important than others. Specifically, any critical (Level 1) and serious (Level 2) issues that affect our users ability to get their job done are given priority. The following table summarises CheckSec’s service levels and response times, within the defined Support Hours as stated above.

Key:

Level of severity

The severity of the issue, used to determine appropriate response times.

Description

A summary description of the severity level.

Characteristics

Typical characteristics of an incident at a given severity level. This is for guiding purposes. CheckSec will determine the severity during triage - if it is unclear at the time of reporting.

First response

This is defined as the maximum amount of time it will take CheckSec to respond to your query. Note that response times are based on the severity level, and some response times may not be guaranteed.

Workaround/Resolution

This is the defined period for providing a suitable workaround/resolution to the issue (aka response to resolution). Workarounds and resolutions will be offered on a case by case basis, but the aim will be to ensure that Canopy can be made usable within the guaranteed workaround/resolution response time - where applicable. Temporary resolutions may be provided in the case where executing a full resolution may require a more significant amount of time.

Level of severity	Description	Characteristics	Standard	Premium/Enterprise
Level 1 - Critical	Critical business impact: A critical issue affecting production systems that is critically impacting business operations. A large number of users impacted; no workaround procedural available.	Canopy is not available (due to a Canopy specific bug). By “not available”, we mean that the service is not loading/accessible (under normal circumstances), users cannot login via any of the supported authentication mechanisms or some other issue that generally prevents users logging into the system. Critical functionality is not available, e.g. report generation, adding projects/phases/findings/assets. Significant, unrecoverable, data loss or corruption. Significant number of users affected.	First response: < 4 business hours Workaround/Resolution: Next business day	First response: < 1 business hour Workaround/Resolution: < 24 hours
Level 2 - Major	Major business impact: A major issue affecting production systems that is significantly impacting business operations. A large number of users impacted; partial/full procedural workaround available.	Significant performance impact under normal operating conditions. Important functionality not available, e.g. managing templates, methodologies. Low number of users affected.	First response: < 4 hours Workaround/Resolution: 1-2 business days	First response: < 2 hours Workaround/Resolution: < 24 hours
Level 3 - Minor	Minor business impact: Issue causing a partial or non-serious loss of functionality on production system. A small number of users are affected.	Minor performance impact under normal operating conditions. Minor impact to functionality. Low number of users affected.	First response: Next business day Workaround/Resolution: 10 business days or next release	First response: Next business day Workaround/Resolution: 5 business days or next release
Level 4 - Negligible	Negligible business impact: Issue occurring on production systems that has no significant operational impact (e.g. cosmetic issues) or has a full workaround. Also considered at this level: issues affecting non-production systems (e.g. dev/test), questions, comments, feature requests, documentation issues and any other non-impacting issue.	Incorrect behaviour of the application, with no significant impact on business operations (e.g. incorrectly set up templates). Other requests.	First response: No guaranteed response time Workaround/Resolution: No agreed time, issues will be rolled into planned releases	First response: Next business day Workaround/Resolution: No agreed time, issues will be rolled into planned releases

As agreed with the client.

CheckSec is not responsible for operational issues affecting the hardware and operating system that Canopy is installed on. Users are expected to configure Canopy in the correct and supported way; and to ensure good “house keeping” to maintain a stable environment for Canopy to operate within.

Escalation (Premium/Enterprise)

For critical/major issues, once the issue has been recorded in the ticketing system, you should escalate to your primary or secondary point of contact.

Supported releases

Canopy releases are issued on an approximately 4-6 week development cycle. This may vary depending on specific objectives and customer requirements. Significant feature releases will typically be released quarterly. However, release schedules will be determined on a case by case basis, and will be based on ensuring stability and delivering what our users require in the most expedient time possible.

For critical and major issues, hot fixes will be released for all supported versions of Canopy based on the response times.

Each release of Canopy is based on an MAJOR.MINOR.PATCH release system, as explained below:

Release	Description
Major	A major release will mean a significant change to Canopy, which is likely to include significant changes in the systems behaviour. Major releases are linked to longer term objectives and are likely to result in breaking of backwards compatibility.
Minor	A minor release will incorporate important new features. We aim to include important new features on a frequent basis (typically four times per year). However, the feature release cycle is dependent on user demands, and as such it may fluctuate. Backwards compatibility may be broken - where possible, we will try to minimise this.
Patch	Patch releases contain mostly bug fixes and small improvements. However, occasionally we will include minor new features. Backwards compatibility will not be affected during patch releases.

We aim to have approximately 4 feature releases per year, however, such release schedules may fluctuate due to planning and user feedback.

Maintenance on previous releases will only be guaranteed to address issues that are deemed as critical and major. New feature development and minor/negligible bugs and improvements will only occur on the current MAJOR.MINOR release, unless otherwise stated by CheckSec.

Premium support and releases

Official support for significant Canopy feature releases (MAJOR.MINOR) will be offered for 12 months from the release date of the next release for Premium users. For example, if you are currently on X.0.5 and X.1.0 is released today, maintenance support for release X.0 would continue for another 12 months from that point.

Standard support and releases

For our Standard users, we aim to support the current and previous release of Canopy. For transitions between MAJOR releases (e.g. from 3.x to 4.x), we will provide 6 months of support for the previous latest MAJOR.MINOR release of Canopy prior to the new MAJOR release.

Supported operating environments

For information on supported operating environments, see Supported operating systems.

Canopy templates depend on a Microsoft Office (Word) plugin. This utilises the Word content control framework, and as such Word on Windows is required. We support Word 2010, 2013 and 2016.

Security vulnerabilities and disclosure policy

Our customers can use the ticketing system to record security issues. For non-customers, please feel free to email us at team@checksec.com.

We treat all serious security issues as Level 1 severities and aim to respond within 1 hour (during normal operating hours).

We are happy to work with you on disclosing security issues publicly. We aim to provide as much transparency as possible to our customers on security issues.