Secure Remote Access Service (IL2 & IL3)
Contents
Service Definition
An Overview of the Managed Remote Access Service
Key Service Attributes
Information assurance
Details of the level of backup/restore and disaster recovery that will be provided
On-boarding and Off-boarding processes/scope
Pricing (including unit prices, volume discounts (if any), data extraction)
Service management details
Service constraints
Service Roadmap
Service Levels (e.g. performance, availability, support hours and severity definitions)
Financial recompense model for not meeting service levels
Training
Ordering and invoicing process
Termination terms
Data restoration / service migration
Consumer responsibilities
Technical requirements
Details of any trial service available.
Information Principles for the UK Public Sector
Government ICT Strategy and Greening Government ICT Strategy
European Green Datacentre of the Year 2011
Green Power
Recycling
Service Definition
This is the minimum set of information that is expected in a service definition (suppliers may choose not to provide these aspects of a service, but do need to be clear in their service definition that they don’t).
An Overview of the Managed Remote Access Service
SCC offer a number of cloud services from our award winning data centre in Birmingham, based on Secure Multi Tenanted Cloud (SMTC) platforms dedicated to Government organisations, each separately accommodating IL0, IL2 and IL3 security levels. This specific service provides IL3 Security within a secure Remote Access Service:
IL2 & IL3 access to SMTC for Independent Software Vendors (ISVs)
IL2 & IL3 access to SMTC for SMTC tenants (at the individual consumer level)
Vendor support to the Platform for patching and service deployment
Application Support to the Platform for ISVs
Portal based secure access to pre-defined applications, consisting of:
o Email
o Intranet
o File Services
o Remote Desktop Protocol
o Secure Internet browsing (via the GCF)
Based on a standardised laptop encompassing: a hardened Operating System, hard disk encryption, strong two-factor authentication and a secure SSL VPN
Key Service Attributes
Service Name: Secure Remote Access Service
Service Layer: SaaS
Cloud Deployment Model: Private
This service shall be delivered from an infrastructure platform that is private, in the context of it being available to the UK Government community only.
Networks to which the service is connected (directly)? Internet (tunnelled VPN)
VPN will be established using approved CESG products for the transit of IL3 data.
'API' access available, documented and supported? N/A
Services available to other suppliers so they can use them to provide services to government? Yes
This service shall be available to 3rd party suppliers such as ISVs in order for them to deliver platform or software services to government.
Data centre tier? Tier 3+
The data centre conforms to and exceeds the open uptime standards for a Tier 3 DC.
Minimum Contract/Billing Period? Month
The minimum commitment and minimum billing periods are both 1 Month.
Free option? No
Trial Option? No
Information assurance
Impact Level (IL) at which the G-Cloud Service is accredited to hold and process information
This service shall be delivered at Impact Levels 2 & 3.
The service shall be delivered from a pre-accredited gateway infrastructure and shall allow access from the internet for remote users into the SMTC platform.
In order to maintain HMG Security compliance SCC shall ensure hardening and patch compliance is maintained in line with CESG Good Practice Guides. GAP will be referenced for Microsoft builds of the service laptops.
to the community as a whole.
The sponsoring SMTC tenant (whether it's for a direct user or ISV user) shall be responsible for ensuring that the RAS user has appropriate clearance to access the data/resource which they need the RAS service for.
Details of the level of backup/restore and disaster recovery that will be provided
The service gateway configuration (firewall & switch configurations, security appliances) shall be backed up to disk weekly and backups will be retained for 10 days. A backup will also be taken before and after any configuration maintenance or patch deployment within the gateway infrastructure.
The RAS infrastructure will operate at 99.9% availability.
SCC shall not be responsible for internet connectivity at the client connection point.
On-boarding and Off-boarding processes/scope
On-boarding
The scope of this process covers the steps required to establish a new RAS service consumer within the SCC environment. The process caters for 2 integration scenarios:
Deployment of a RAS user for a Government SMTC tenant
In all cases initial discovery is required to determine the platform and resources that must be allocated from the environment to the managed server in order to define the setup activities and Charges associated with such.
This information established in discovery shall specify:
SMTC Target Resources
Setup activities and resources.
Figure: Managed RAS On-Boarding (process flow)
Establish SMTC Target Resource
RAS User Creation Requirement
ISV RAS User: Application made via Gov’t Tenant; SCC validates ISV ID With Gov’t Tenant; SCC Configures Gateway & Resource Access; ISV User Agrees to SyOps & CoCo
SMTC Tenant RAS User: SCC validates ID With Gov’t Tenant; SCC Configures Gateway & Resource Access; User Agrees to SyOps & CoCo
2 Factor Token Laptop Issued
Off-boarding
The scope of this process covers the steps taken to remove a managed RAS user from the SCC environment and return the laptop & token to SCC as the service provider.
The RAS user, either through their representative or directly, shall notify the SCC helpdesk that the remote solution is no longer required for that user.
SCC shall disable user access and resource access within the RAS gateway infrastructure. The RAS user (or department representative) shall then be responsible for return of the RAS laptop and 2-Factor authentication token.
SCC, commensurate with the appropriate HMG guidelines, will then securely erase the laptop for redeployment. SCC will also ensure the 2-Factor token is placed back in the central pool for redeployment.
Figure: Managed RAS Off-Boarding (process flow)
RAS User Notifies SCC
SCC Disables Relevant Account & Resource Access
RAS User Returns Laptop & 2 Factor Token
SCC Secure Wipe Laptop & Return Token to Pool
Pricing (including unit prices, volume discounts (if any), data extraction)
The pricing for this service shall be based upon the units of compute, memory and storage consumed by the service with a variance made for the availability service level required:
1) On-boarding Charges
In all cases initial discovery is required to determine the resources that must be made available from the SMTC tenancy via the RAS platform.
The on-boarding charge is £6,000.
This is per tenant onto the RAS platform, not per RAS user onto the platform.
If there is a requirement to deliver services over and above Email, Intranet, File services and Remote Desktop Protocol, SCC can provide consultancy services for RAS services. These are based on the SFIA rate card.
2) Baseline Service
The standard configuration for this Service will be:
Laptop
Windows 7 Operating System
Locked down to Government Assurance Pack standards
RSA 2-Factor token
Managed Costs: £85 per month per user
3) Service Level
The availability options available shall be 99.9% (single DC)
4) Off-Boarding Charges
Charges will be made for the administration of the off-boarding of a user from the RAS platform. Additional charges will also be made for the complete off-boarding of a tenancy from the RAS platform.
Service management details
Connections
All data centre operations conform to ISO2001/2, ITIL and the Code of Conduct for Data Centre Operations. Additionally, SCC maintains Code of Connection agreements with Government network services providers such as GCSX, GSi and PSN.
SCC Service Desk
Where The Customer is unable to resolve the issue via The Customer Portal then SCC shall provide a telephone support capability for escalation directly as follows:
Within the Working Hours provide the SCC Service Desk as a point of contact for The Customer to log Incidents, receive Incidents via The Customer service desk, assign an individual reference number to each accepted Incident received and record, track and update accepted Incidents or Service Requests within the SCC incident management tool.
Customer Responsibilities
Report and provide the SCC Service Desk with all information it may reasonably require in order to resolve the Incident, ensure an Incident Owner or a nominated deputy is available during Working Hours. Provide the necessary resources to ensure that any changes to the Agreement are addressed and agreed with SCC via the Change Control Procedure in a timely manner. Ensure all Users understand and comply with the various processes, policies and procedures of The Customer and as may be agreed between the parties from time to time.
Exclusions
The following are not provided as part of the SCC Service Desk and any materials and labour provided in these circumstances will be subject to agreement of the parties in writing and;
1. Provided on a reasonable endeavours basis (i.e. outside of the Service Levels) unless agreed otherwise by SCC in writing, and
2. Charged as Additional Ad-hoc Charges.
3. Incidents and Service Requests received by the SCC Service Desk from The Customer service desk outside of Working Hours.
SCC will not be liable for failure to meet the SLA in the event that 3rd Party Suppliers, other than those engaged by SCC, fail to deliver services in accordance with their contractual commitments.
Service constraints
The service shall be allocated a maintenance window between the hours of 22:00 and 06:00; the window shall be allocated during service initiation.
The service shall be change managed in accordance with SCC change schedules. Change boards will sit weekly and changes shall be carried out during the subsequent change window. A maximum of 4 changes during a month shall be included in the service.
Configuration changes that cause a reboot/downtime but are deemed urgent shall not impact SLAs and the associated charging mechanism.
The ability to add, move or change the number of VMs in The Customer solution shall be achieved via the change request process and may be subject to appropriate financial approvals.
VMs shall be decommissioned via change control and images will be shut down but the images will be left in place for a further 24 hours after which point they will be destroyed.
All virtual backups will be destroyed and any physical backups will be returned to The Customer or destroyed.
Decommissioned machines shall be quarantined and can be restored to full operational state within 24 hours of being decommissioned.
Service Roadmap
The road map for this service shall follow two main paths; The first being service improvement in terms of:
management
automation
This can either drive down the cost, or improve the quality of service; including the security procedures, the service management and change request response times.
The second path is based on service functionality improvements and upgrades.
The service improvements and upgrades that can be expected within this service are listed below but are not limited to this. The service is under constant review and development.
Service Improvement:
Real Time Management information - increase frequency and detail
Backup RTO – decrease the time to restore
Change request action - increase frequency available and reduce implementation time
Prune monitoring probes and feedback systems
Service dashboards & reporting tools
Billing platform automation.
Service Levels (e.g. performance, availability, support hours and severity definitions)
The service level for the RAS service shall be:
Service Component: Secure RAS Platform (Single Site)
Service Level: Service Availability
Hours of Support: 24 Hours
SLA Target: 99.9%
SCC shall determine the severity of an Incident in accordance with the following:
Severity 1 (Critical): The Service failure creates a serious business and financial exposure, causing a significant percentage of Users to be unable to work or perform an essential portion of their job, and there is no acceptable workaround to the problem (i.e. the job cannot be performed in any other way).
Severity 2 (High): The Service failure creates a significant business and financial exposure, causing a high (fixed) number of Users to be unable to work or perform some significant portion of their job, but there is an acceptable workaround to the problem in the short term (i.e. the job can be performed in some other way).
Severity 3 (Medium): The Service failure creates a low business and financial exposure to an isolated number of Users causing them to be unable to perform a portion of their job, but they are still able to complete most other tasks, or; General Service related questions and requests for information.
Severity 4 (Low): The Service failure creates a minimal business and financial exposure causing one or two Users to be unable to perform a minor portion of their job, but they are still able to complete most other tasks.
There may be occasions where The Customer requires additional resource or focus to be applied to an Incident. In such circumstance the escalation procedure below shall apply;
Figure 1: Escalation levels within SCC
The escalation activities and response timescales shall be as detailed in the table below. For avoidance of doubt the response timescales below are indicative only and do not supersede or replace the applicable Service Levels or SLA Targets specified in Clause 1 above.
Escalation Level 1
Response Activity: The SCC Service Desk or NOC operations representative will acknowledge the Incident and advise on tests and actions required in order to resolve the Incident, consulting as necessary with other SCC representatives and/or 3rd parties. Should the SCC representative be unable to resolve the problem or provide an action plan suitable to The Customer, the Incident will be escalated to the respective team leader of either the NOC operations or Service Desk team.
Escalation to Next Level Timescales: Severity Level 1: 30 Minutes; Severity Level 2: 3 Working Hours; Severity Level 3: 6 Working Hours; Severity Level 4: Not Applicable
Escalation Level 2
Response Activity: The respective team leader will determine a suitable action plan and agree it with The Customer. The Service Delivery Manager will be notified. Third party manufacturers and/or suppliers may be contacted for additional technical support.
Escalation to Next Level Timescales: Severity Level 1: 1 Working Hour; Severity Level 2: 4 Working Hours; Severity Level 3: 8 Working Hours; Severity Level 4: Not Applicable
Escalation Level 3
Response Activity: If unresolved following Stage 2, the Incident will be escalated to the Service Delivery Manager who will involve all necessary resources, both internally and externally, to attempt to provide an acceptable resolution for The Customer. The SCC DCS’ Network Operations Manager will also be informed.
Escalation to Next Level Timescales: Severity Level 1: 2 Working Hours; Severity Level 2: 5 Working Hours; Severity Level 3: 9 Working Hours; Severity Level 4: Not Applicable
Escalation Level 4
Response Activity: If unresolved following Stage 3, then SCC DCS’ Network Operations Manager will take responsibility for the Incident and involve all necessary senior and management resources, both internally and externally, to ensure an acceptable resolution for The Customer. SCC DCS’ Professional Services Director will be apprised of the situation.
Escalation to Next Level Timescales: N/a
Financial recompense model for not meeting service levels
Service Credits
1.1 Subject to Clause 1.3 below, in the event that SCC fails to meet the SLA Target for the applicable Service Level, then the Service Credit mechanism in Clause 1.2 shall apply;
1.2 SCC shall provide a rebate of 1% of the Monthly Charge for this Service, which is applicable over the Report Period for every 1% below the SLA Target to a maximum of 10% rebate. The applicable Service Credit shall be deducted off the next invoice due to The Customer.
1.3 Payment by SCC of Service Credits to The Customer shall be in full and final settlement of SCC's liability to The Customer for failure to meet the Service Levels during the Report Period.
Training
There is no training required within this secure backup service.
Ordering and invoicing process
SCC will provide ordering of G-Cloud services via their Lifecycle portal.
Customers will need to register all relevant details and will receive login details within 5 working days. This is a secure site and this mechanism will provide an account and a password protected login.
A basket of G-Cloud services can be compiled, with quotations for those specific services. Once The Customer is satisfied that an order is complete it can then be converted into an order.
To place the order on SCC for delivery, The Customer will click ‘checkout’ and complete the relevant details.
Once the services are enabled and confirmation of the ordered G-Cloud services is delivered to The Customer a monthly invoice in arrears will be generated against the order, via the registered Customer details on the Lifecycle portal.
Should The Customer's usage of the Service increase beyond the contracted volumes during any period then this will be retrospectively invoiced, at the next month end, as additional services.
Termination terms
By Consumers (i.e. consumption)
A G-Cloud service shall commence on the Effective Date and shall, unless specified otherwise in the Order Form, continue for the Initial Term and shall remain in force thereafter unless and until terminated by either Party giving to the other not less than 30 days written notice, but shall be subject to earlier termination as referenced within the Termination/Consequence of Termination section of the standard SCC G-Cloud terms and conditions.
By the Supplier (removal of the G-Cloud Service)
A G-Cloud service shall commence on the Effective Date and shall, unless specified otherwise in the Order Form, continue for the Initial Term and shall remain in force thereafter unless and until terminated by either Party giving to the other not less than 30 days written notice, but shall be subject to earlier termination as referenced within the Termination/Consequence of Termination section of the standard SCC G-Cloud terms and conditions.
Data restoration / service migration
Where data is needed to be restored to the running service from a backup this shall be requested by The Customer through The Customer portal.
Recovery of a VM Image from backup shall be completed within 4 Hours from the point of request by The Customer through The Customer portal.
Service migration shall be possible after completing the data extraction process, at which point the VMDK file will be available to migrate to an alternative service. Should The Customer require assistance with this process, SCC can provide a migration service at additional cost.
Consumer responsibilities
The consumer responsibilities will be as follows:
Provide SCC with a list of users who will be consumers of the RAS platform
Provide SCC with a list of applications that need to be made available via the RAS platform
Procurement, maintenance and management of any Customer data communications lines not identified in the Order Form and/or Agreement.
Should SCC determine that The Customer's usage of the SMTC Infrastructure is not compliant with best practice guidelines then The Customer must comply with SCC’s reasonable requests for change.
Technical requirements (service dependencies and detailed technical interfaces, e.g. client side requirements and bandwidth)
to access the SMTC RAS platform.
Provide SCC with a list of applications that need to be made available via the RAS platform
Provide SCC with a list of users who will be consumers of the RAS platform
Details of any trial service available.
There is no option to consume this service for a trial period.
Information Principles for the UK Public Sector
SCC Cloud services for the UK Public Sector support the defined Information Principles published where appropriate to the service being delivered. At the core of all of the SCC services are principles 1 and 2 in that all data is valued and is managed in line with the appropriate UK Public Sector Information Assurance guidelines that define the security controls for holding the data. Information Principles 3 through to 7 are considered and followed during the on boarding of systems in to the SCC Cloud infrastructure. These principles will be considered and followed in line with the appropriate UK Public Sector Information Assurance guidelines.
Government ICT Strategy and Greening Government ICT Strategy
SCC are leading the way in responding to the Government's Greening ICT strategy and sustainable procurement agenda, by adopting CAESER (Corporate Assessment of Economic, Social and Environmental Responsibility), an online toolkit which helps companies to demonstrate a commitment to society and the environment.
CAESER constantly review changing and emerging standards to quickly establish and ensure that our operations and our supplier’s operations are compliant and not exposed. It enables us to monitor new developments in UK and International CSR legislation which focus on the supply chain. The CAESER system helps to ensure adherence to the requirements of new and current legislation, allowing us an avenue to positively monitor and engage with suppliers responsible for the products available under this framework agreement.
To provide the basis for best practice in line with the Government supply chain agenda, we work alongside leading UK Government departments and International organisations to promote acceptable standards, current trends and initiatives. These organisations include the UK Global Compact, the International Labour Organisation and the Global Reporting Initiative.
In addition to CAESER, we also use the FTSE4Good Index and UNSPSC Codes to identify and monitor risk within the supply chain. We also have a preference for suppliers that are members of the Electronic Industry Citizenship Coalition (EICC), where a code of practice governing labour, health and safety, environmental management systems and ethics exists.
Practical steps taken by the business ensure that the operations of the business have a minimal impact on the environment; these steps further support the supply chain methodologies.
European Green Datacentre of the Year 2011
The SCC Data Centre is an award winning carbon zero facility. We have provisioned some unique technologies to achieve that level of sustainability, as well as investing in eco-friendly projects within Kenya.
Within the Data Centre Environment SCC operates a Carbon Off-set programme enabling a zero carbon rating, across both our Data Centre infrastructures. The primary offsetting project we run is through an organisation called CO2Balance.com building low carbon villages in Kenya. SCC are also members of the Carbon Reduction Commitment energy efficiency scheme. SCC Customers, who utilise our Data Centre services, are in turn able to advertise this credential within their eco-statements published to their Customers and Suppliers. SCC also utilise additional ecological Data Centre technologies, such as external chillers, which use external, ambient air temperatures to cool water to a level that can in turn be used within the data centre CRAC units. This enables SCC to reduce their cooling costs by up to 40%, which is then relayed to our Customers in reduced bills for their power and cooling usage.
Variable Refrigeration Flow (VRF) Air Conditioning is an advanced cooling technology, which allows us to independently cool each data room, enabling us to minimise heat loss and create energy savings of up to 30% over conventional systems.
Floor pressurisation systems, which streamline cooling within lower utilised Data Centres to where the floor pressure is, i.e. the full racks. We’re therefore not flood cooling via the under floor voids, but focussing the cooling in the areas that need it. This system also controls the output from the
Green Power
During 2013 SCC will be switching its energy supply contract to a pure green power contract to further increase its commitment to supporting a strong CSR policy.
Recycling
SCC can manage your IT recycling for you, providing a cost-effective and secure solution with environmental reporting to support your CSR. This will help you avoid the damaging consequences of serious deliberate or negligent breaches of the Waste Electrical and Electronic Equipment (WEEE) directive.
The WEEE Directive was introduced into UK Law in January 2007 and aims to reduce the amount of electrical and electronic equipment being produced, while promoting the secure reuse and recycling of IT equipment.
Many companies underestimate security issues surrounding end-of-life data and focus on protecting live assets. However, unprotected disposal significantly increases the likelihood of a detrimental data breach, with information being far easier to access, and can be equally as harmful to your organisation, as not recycling at all.
As part of our IT recycling services, we offer state of the art shredding and separation technologies which safely destroy your redundant IT equipment, optimising the recycling and recovery of original raw materials.
SCC recycle on average 20% of the IT we recover and remarket up to 80% to create a revenue stream for the customer. This offsets your costs and supports your Corporate Social Responsibility (CSR). We can guarantee the secure and environmental disposal of your IT waste, as we operate a 0% landfill policy, allowing us to effectively manage your WEEE compliance.
Figure: We remarket 80%; we recycle 20%. Challenges: Data Security, Capital Expenditure, Compliance, Asset Management, Residual Value. Benefits: Money in the bank, Simplicity, Freed resource, Carbon efficiency, Sustainability.
Carbon Offset
Starting in September 2010, SCC has been working with leading carbon management company co2balance, to calculate and offset the carbon dioxide emissions created from the operation of its data centres and the National Recycling Centre to achieve CarbonZero status.
The total carbon offset covering emissions for 2011, 2012 and 2013 has amounted to 13,138 tonnes of CO2e. During this period a number of verified carbon reduction projects in developing countries have been supported.
Carbon Offset Projects – African Energy Efficient Stove Project
The African Energy Efficient Stove Project builds energy saving cooking stoves for villages in Kenya. These brick stoves result in 50% reduction in the need for firewood and thereby prevent carbon from being emitted.
In addition to carbon prevention it also provides families with a cost and time effective method to cook with. The reduced need for firewood helps to prevent deforestation, creating a wealth of benefits for the wildlife in terms of habitat and flood prevention. It is also a healthier method of cooking as it reduces indoor smoke by up to 70%. Indoor smoke is a serious problem in Africa and the World Health Organisation dubbed it the “kitchen killer” as it is responsible for nearly two million deaths in Africa every year.
External Project Verification
The African Energy Efficient Stove Project is externally accredited through the Gold Standard, an internationally respected standard that assesses the social and community benefits to the region in addition to carbon savings. The Gold Standard was initiated by the World Wildlife Fund and is endorsed by over 70 non-governmental organisations worldwide. It is the benchmark for carbon reduction projects with the maximum verified benefit to the communities where the projects take place.