File: SERVICE DEFINITION - RMH Doc Reference: CUST-0000-000 Issue: 1
Document Type: Proposal Copyright: Capita Business Services Ltd 2011
G-CLOUD FRAMEWORK
SERVICE DEFINITION – RESTRICTED
MANAGED HOSTING
Capita Division / Supplier: Capita Business Services Ltd (Capita)
Service Name: RESTRICTED Managed Hosting
1 OVERVIEW OF THE RESTRICTED MANAGED HOSTING SERVICE
Capita Business Services Ltd (Capita) has developed a RESTRICTED Managed Hosting (RMH) Infrastructure as a Service (IaaS) proposition providing hosted compute, storage and network capabilities. The service is designed to host the information assets of multiple Government customers by combining the security required for customer data environments with the cost benefits of a shared and leveraged management infrastructure. The service handles data up to and including a protective marking of RESTRICTED, as defined by the Cabinet Office’s Security Policy Framework, or data assessed as Business Impact Level IL3 for Confidentiality.
Connections to the service are achieved in two ways:
Persistent, utilising CAPS approved BASELINE encryption
Non-Persistent, utilising two-factor authentication configured in line with CESG requirements
There is also a shared management environment which, operating at system high, can manage lower protective markings as required.
1.1 STANDARD PRODUCTS
The table below lists the standard products available and optional services to enhance the standard service:

Component                                   RMH Standard for IL3
Physical or Virtual Servers                 Virtual and Physical
Windows OS included                         Yes
Operational Hours                           24 x 7
Hours of Support                            24 x 7
Availability KPI                            99.98%

Infrastructure Services
Infrastructure Management                   Yes
Infrastructure Monitoring                   Yes
Backup Services                             Yes
Storage Services                            Yes
Operating System Anti-Virus Management      Yes
Operating System Maintenance                Yes

Disaster and Data Recovery Services
Active/Active Environments                  Optional
Hot Standby                                 Optional
Warm Standby                                Yes
Disaster Recovery Testing                   Optional

Supporting Services
AD Management                               Yes

Transformational Services
Server and Storage Consolidation            Optional
Migration Management                        Optional

Network & Communication Services
Network Maintenance                         Yes
Network Support                             Yes
Network Monitoring                          Yes
Intrusion Detection (IPS/IDS)               Yes
Network Anti-Virus Management               Yes
Managed Firewall                            Yes
ISA Server Management                       Yes
Proxy Server Management                     Yes
VPN Service                                 Yes
Secure Remote Access                        Optional
Government Connect Service                  Optional
Penetration Testing                         Optional

Service Management
Access Management                           Yes
Password Management                         Yes
Joiners and Leavers                         Optional
Disposal Services                           Optional
Service Desk                                Yes
Service Level Management                    Optional
Service Reporting                           Optional
Incident Management                         Yes
Major Incident Management                   Yes
Problem Management                          Yes
Change Management                           Yes
Asset Tracking                              Optional
Configuration Management                    Optional
Software Licence Management                 Optional
Availability Management                     Optional
2 SERVICE ROADMAP
The service is fully managed by change control; all changes to the infrastructure, no matter how minor, are reviewed through the RMH CAB and change process and are assessed by the Infosec Operations team. Major changes are presented to the RMH Security Working Group and assessed to ascertain the security impact of the requested change.
All changes and software updates and patches are tested prior to implementation.
A Continual Service Improvement Plan (CSIP) is managed and maintained, and all improvements are introduced into the service securely via formal change control with little disruption to the user community; all changes that affect customers are communicated via the appointed Service Delivery Managers.
3 TECHNOLOGIES USED
EAL4 Assured Firewalls (from multiple vendors, e.g. Cisco, Checkpoint & Juniper)
Cisco Network Switches
F5 Load Balancers
AEP Baseline Certified Encryption Devices
BeCrypt Baseline Disk Protect
BeCrypt Connect Protect
McAfee AVS
McAfee Vulnerability Manager
IBM Site Protector IPS
Juniper SA4500 VPN (in line with CESG Security Procedures)
ActiveID RAS Tokens
Tripwire file modification monitoring
Various Tivoli system monitoring tools, e.g. TADDM, TSM, ITNM
LogRhythm SIEM in line with GPG13
Microsoft Windows XP (configured with Enterprise Client)
Microsoft SQL Server
Microsoft Windows Server 2003 and 2008 (32-bit & 64-bit)
Microsoft ISA Proxy Servers
AMDOCS Helpdesk and Change Management Tool
LANDesk Application Patching
Windows Server Update Services
IBM AIX 6.1 OS
VMware ESX 3.5.2
Red Hat Enterprise Linux 5.4
4 STORAGE SERVICES AVAILABLE WITH RMH
The following table details the levels and ‘classes’ of storage available within the RMH service:

Name      Performance  Availability  Density  Target Availability
Platinum  Highest      Highest       Lowest   99.98% (Real-Time Mission-Critical)
Gold      High         High          Medium   99.9% (Mission-Critical)
Silver    Medium       High          Medium   99.9% (Mission-Supporting)
Bronze    Standard     High          High     99.9% (Standard)

Descriptions:
Platinum (tier 1): Highly available with no single point of failure and maximum performance levels. Highest local protection / recovery against data loss with no impact to performance during recovery. Low density utilisation in order to achieve highest performance even during recovery. Typical usage for mission critical services and applications with real-time, very low latency and very high performance storage requirements.
Gold (tier 2): Highly available with no single point of failure and enterprise performance levels. Good local protection / recovery against data loss with limited impact to performance during recovery. Performance close to tier 1, but at a lower cost due to increased density. Typical usage for mission critical services and applications with very high performance storage requirements.
Silver (tier 3): Highly available with no single point of failure and good performance levels (although lower than tiers 1 & 2). Good local protection / recovery against data loss with limited impact to performance during recovery. Typical usage for business important services and applications requiring high levels of storage performance.
Bronze (tier 4): Highly available storage with lower performance than tiers 1, 2 & 3. Good local protection / recovery against data loss with limited performance impact during recovery. Best price per GB. Typical usage for file and print, archive, development, lower performance/risk and static data services.
5 INFORMATION ASSURANCE
The service is suitable for hosting data up to and including a Protective Marking of RESTRICTED and/or data assessed as Business Impact Level IL3 for Confidentiality. The service is currently accredited (with the current customers) for connectivity from the internet to a web application tier and to the internet for white-listed sites via a dedicated proxy service. In addition, persistent connections across Capita’s MPLS network are permitted using AEP baseline cryptographic devices.
There is a GSE DMZ built into the design to allow future connectivity for potential customers; this is not currently in use nor covered by the existing accreditation.
The diagram provided in the On-boarding section shows how customers are securely brought into the RMH service; specifically with regards to ensuring agreed accreditation scope per customer.
6 BACKUP/RESTORE AND DISASTER RECOVERY
There are multiple optional Disaster Recovery and Backup offerings available within the RESTRICTED Managed Hosting service designed to meet the diverse requirements of any complex organisation.
The backup service is an enterprise grade backup solution which can either be shared between customers or a dedicated solution.
Retention periods are defined per customer but default to an initial full backup followed by an incremental forever policy (all subsequent changes are backed up on an incremental basis).
Backup tapes are encrypted using AES-256 and a minimum of two copies of the data are created, with at least one stored off-site from the primary data; this is part of the current accreditation of the service.
No end user intervention is required to perform the backups as it is a fully automated service. Daily exception reports are available if requested.
Requests for data restores are made via the Service Desk. Target recovery times depend on the priority and range from <1hr to <8hr, based on a restore size of 100GB of data. Larger volumes of data may take longer.
The following Disaster Recovery options are available as a value added service; the default pricing model excludes the provision of Disaster Recovery services:

Name  Recovery Point Objective  Recovery Time Objective  Usage
Warm  < 24 hours                24 hours                 Data will be protected by daily backups and daily replication to the disaster recovery location. Equivalent processing capacity will be pre-allocated at the DR location but the workload will be inactive until a DR event is declared.
Hot   < 1 hour                  4 hours                  Data will be protected by daily backups and asynchronous continuous replication to the disaster recovery location. Equivalent processing capacity will be pre-allocated at the DR location and the workload will be active but not processing transactions until a DR event is declared. Note that the replication can be provided by the application stack (e.g. Oracle DataGuard) or via SAN level replication.

7 ON-BOARDING AND OFF-BOARDING PROCESSES
All customers entering the RMH service have to conform to a standard set of Entry and Exit criteria. These criteria include the standards and principles defined in the Security Policy Framework and the relevant Good Practice Guides and Manuals from CESG.
If a customer has dedicated hardware, this can be provided at termination of contract along with LTO-4 tapes of the data; these tapes are encrypted using AES-256 and IBM TKLM. Shared components will not be decommissioned when one tenant terminates their subscription to the service, but data cleansing in line with IS5, where applicable, will be undertaken.
The following is taken from the Entry / Exit specification and shows the differing stages required for securing a customer entry into RMH:
Figure 1 - RMH Customer Provisioning Process
8 PRICING
Due to the highly bespoke nature of IL3/RESTRICTED environments, and their higher security requirements, Capita’s experience has been that most customers prefer to use physical servers. As such, the Capita price is based on a standard configuration dedicated 1U physical server, running a single (non-virtualised) instance of Microsoft Windows Server:
8.1 COMPUTE UNIT
HP ProLiant DL360 G7 E5606 2.13GHz 4-core (8.52 GHz total) 1P 4GB-R P410i/ZM 4 SFF 460W RPS EU Server: £6,623.92/year
This includes:
Service Management as detailed above
Shared Management Capability (Hardware and Software)
Operating Systems Management
Tier 3, N+1 Data Centre Hosting
Power
Physical Racking and Caging
This excludes:
Professional Services in support of RMADS production; these will be subject to the Lot 4 SFIA specified day rates
Disaster Recovery provision. This price is based on a single site production service with tape backup and without reciprocal / mirror compute or storage capacity or a geographically diverse data centre location.
Capita is able to provide additional physical server configurations. The specification detailed above is intended to provide the GPS with a baseline of reference.
8.2 STORAGE
The following table details the cost of physical disk storage for the RMH service (price per GB per annum, by retention period):

Name      Retention - 7 Days  Retention - 14 Days  Retention - 35 Days  Retention - 2 Months  Retention - 7 Years
Platinum  £6.19               £6.56                £7.67                £10.86                £12.71
Gold      £4.44               £4.82                £5.93                £9.11                 £10.97
Silver    £2.79               £3.16                £4.27                £7.45                 £9.31
Bronze    £2.25               £2.62                £3.73                £6.91                 £8.77

Storage Discount - applied against storage based on volume consumed:
Usage (TB)  Discount
1-49        0.0%
50-499      5.0%
500-1000    9.5%
9 SERVICE MANAGEMENT
The Capita Data Centres are managed using standard ITIL based best practices (subject to BSI audit every six months) and the data centres hosting the services are run and audited to meet various compliance requirements including:
ISO 27001 Information Security Management System
ISO 9001 Quality Management System
BS 25999 Business Continuity Management
Registered participant in the EU Code of Conduct for Data Centres
All data centre operational staff are Home Office security cleared at SC level. Standard service management components include:
The provision of an ITIL v3.0 aligned Service Desk function, which includes:
The ability to log Incidents and Service Requests
Email and telephone contact channels
Tier 3 Data centre Managed Hosting
Tier 3 compliant data centre environment
All IT equipment dual powered
24x7x365 on-site security at Primary Data Centre at West Malling in Kent
Multi-layered security model
Infrastructure Management
Installation and system administration of virtual and physical UNIX and Linux variants
Installation and administration of virtual and physical Windows operating systems
Support of associated hardware
Investigation and resolution of incidents allocated by the Service Desk
Storage Services
Support and maintenance of Storage Network hardware
Maintenance of storage software to latest vendor recommended levels via formal change control
Maintenance of firmware to latest tested vendor supplied level via formal change control
Storage builds and provisioning of storage fabric/cabling
Maintenance of storage allocation and usage records for storage arrays
Hardware Maintenance
On-site customer service engineer for Windows & Unix environments at Primary DC
On-site spares inventory holding at Primary DC.
Operating System Anti-Virus Management
Management of all anti-virus solutions for Windows servers
Ensuring servers have up to date anti-virus software installed and functioning
Removal of identified viruses
Incident Management
Incident resolution
Incident management
Incident reporting
Major Incident Management
Problem Management
Capita WAN Management
Support and maintenance of all associated hardware
Fault resolution management
Management of 3rd party vendors
10 SERVICE CONSTRAINTS
Service features and infrastructure will be maintained for a minimum of three years from date of deployment.
A schedule of service is agreed with all customers to ensure service levels of the entire service are maintained and the security of the environment is not reduced.
11 SERVICE LEVELS
Capita’s target availability for RMH is 99.98% on a 24x7 basis (excluding planned maintenance). The support hours and operational hours are both 24 x 7.
The following table shows the Incident Priority Matrix and KPIs:

Priority  Description / Example
P1  Description: An incident that results in a full loss of service or functionality affecting multiple users or whole systems, with critical business impact, and for which there is no immediate workaround solution.
    Example: Server down; network down; critical application down; local or wide area connection unavailable; e-mail server is unavailable; virus.
P2  Description: An incident that results in a partial loss of service or functionality with potentially critical business impact and for which there is no immediate workaround solution.
    Example: Server down in one area of the office; partial network or server unavailable where alternate functions are available; a critical business function with tight deadlines incapable of being met; a critical PC or peripheral device is unavailable.
P3  Description: An incident that results in a partial loss of service or functionality with no immediate critical business impact and for which a workaround is available.
    Example: A non-critical printer or PC is not working but an alternative is temporarily available; the business system functionality is impaired but is not critical.
P4  Description: The incident has not impacted normal service.
    Example: An individual has an intermittent power problem on their laptop which is fixed by a hard reboot, but does not cause issues when using the service.

Performance Indicator                                                                                                  SLA
Calls answered within 60 seconds (total calls, not including calls abandoned by the customer)*                         >= 80%
True call abandonment rate (any call abandoned after 20 seconds), measured from the end of the ACD incoming message*   <= 6%
P1 ticket resolution target                                                                                            95% within 4 hours
P2 ticket resolution target                                                                                            95% within 8 hours
P3 ticket resolution target                                                                                            95% within 2 working days
12 FINANCIAL RECOMPENSE MODEL
This is negotiated on a deal by deal basis.
Provided below are the RMH Service Levels as defined in the Service Design documentation:

Priority 1: Full loss of a service, with no immediate workaround available. NOTE: Security alerts will be raised as P1, to include logical or physical site breach.
  Target resolution time: 4 working hours; KPI target: 95%
Priority 2: Partial loss of a service with critical business impact, with no immediate workaround available, e.g. non-critical applications.
  Target resolution time: 8 working hours; KPI target: 95%
Priority 3: Partial loss of a service with no immediate business impact, for which a workaround is available.
  Target resolution time: 2 working days; KPI target: 95%
Priority 4: Partial loss of service with nominal business impact, e.g. impacting a single user, PC or standard printer where the user has access to other infrastructure.
  Target resolution time: 4 working days; KPI target: 95%
Priority 5: Single user outages on non-business critical systems.
  Target resolution time: To be agreed at time of logging; KPI target: 95%
13 TRAINING
Security training, education and awareness by Capita CLAS consultants are available on an ‘as needed’ basis.
14 INVOICING PROCESS
Invoices for consumed services are produced on a monthly basis and payment is required in line with the individual customer’s payment terms. All customers need to be registered and will have a SAP account; EDI/CHAPS payment is the preferred method.
15 TERMINATION TERMS
Bespoke contract based upon customer requirements usually over a fixed number of years.
16 DATA RESTORATION / SERVICE MIGRATION
Requests for data restoration are managed via the RMH Help Desk facility. Provided the customer has taken a valid backup service from Capita, a data restore function is available and is requested via the Service Desk facility.
Capita offers a range of services to assist with the migration of legacy services into the RMH service. These can range from just a few servers up to large enterprise data centre migrations and include discovery, planning and the actual migration. Due to the complexity and nature of this work it is a bespoke service that is priced on a case by case basis. Capita is happy to offer a full migration service under its G-Cloud Lot 4 ‘Specialist Cloud Services’.
17 CUSTOMER RESPONSIBILITIES
Customers need to adhere to the RMH Exit / Entry Specification document. This document demonstrates to all current and new customers entering the RMH environment that, by following the specification, no undue increase in risk will occur. The specification essentially:
Provides a basis upon which a customer can engage with their Accreditor as part of an initial scoping exercise for reducing risk when down-selecting the RMH service
Identifies to each customer how the introduction of multiple clients into the environment occurs following a defined code of connection
Identifies a complementary penetration testing regime which ensures that, for each customer introduced, a secondary penetration test will be undertaken confirming that need-to-know boundaries have not been compromised.
For each customer that is introduced into the RMH service the following will be confirmed:
That the customer has a formal requirement for the achievement of accreditation to the protective marking of RESTRICTED (IL3 for Confidentiality);
That the customer can verify, through a business impact assessment, that they have:
Defined a Risk Appetite Level
Defined the business category of their data
Defined the impact levels for the range of information assets that are to be processed, transmitted and/or stored within RMH
Confirmation from the customer that the customer site is required to be an access point into RMH and that it meets the requirements defined in SPF Security Policy No.5 for a RESTRICTED system
Confirmation with the customer that the design for the solution is, as a minimum, required to be compliant with the IS1 Baseline Control Set for the level of Aware and Deter
Formal confirmation with the customer of the CHECK penetration test requirements for the first phase of tests for its own system, and clarification of the second phase of tests in support of current customers within RMH
18 TECHNICAL REQUIREMENTS
Technical requirements are to be defined on a case-by-case basis depending upon customer needs.
All infrastructure within RMH has been architected to meet or exceed all current CESG standards, policies and good practice guidance or, where such guidance is not available, to meet the Target of Evaluation within the assured product’s EAL certification requirements.
Secure VPN RAS via the internet using Juniper SA4500 and two-factor authentication;
Secure access to all servers via Virtual Desktop Infrastructure (VDI), with VDIs being allocated to specific personnel;
Persistent remote access via AEP cryptographic devices utilising CESG baseline key material;
End user access to the environment is via the customer specific application stack only, using a hardened desktop image.
Client side requirements include premises that meet appropriate physical security standards for accessing RESTRICTED / IL3 information, appropriate personnel security measures in place (i.e. BPSS and security education and awareness), and appropriate procedural controls implemented and maintained for handling protectively marked information.
Capita uses its internal MPLS network for persistent connectivity; bandwidth requirements will be investigated on a case-by-case basis to ensure latency and resiliency requirements are met. These are the standard technologies used, but the service does not preclude the use of other, customer specific, infrastructure components or applications. Any new infrastructure or applications required will need to be fully investigated to ensure the security requirements of the service are not degraded.
19 DETAILS OF ANY TRIAL SERVICE AVAILABLE
As this is a live service and due to existing accreditation of the user community it would be impractical to offer a trial of the service; however should this be a customer requirement then a trial on an isolated environment may be supported on a case by case basis.