A federated roaming service for the wider public sector, providing seamless connectivity to the end user. Govroam makes offering offsite connectivity easy, delivering savings and efficiencies while enhancing the control employers have over staff roaming behaviours. Operated by Jisc, govroam brings regional roaming initiatives together under a standardised national-scale service.
- Provides a national standard for federated roaming design.
- Guaranteed minimum service capability allows effective remote working.
- Service design built on a fabric of trust between participants.
- Uses your existing staff authentication mechanisms to grant access.
- Transfer of authentication data secured by end-to-end encrypted protocols.
- Support offered by end users' home organisation.
- Free at point of service to end users.
- Device and infrastructure agnostic, enabling BYOD.
- Geolocation companion app supports easy venue discovery.
- Explicitly national in scope, with potential international integration.
- Reuses and extends the life of existing network infrastructure.
- Reduces/eliminates the overheads of providing guest connectivity.
- Supports your mobile workforce, improving productivity by simplifying off-site connectivity.
- User-friendly roaming, with a “zero-touch” automated process after initial configuration.
- Secure authentication incorporating a real-time “member in good standing” check.
- Standardises your guest WLAN provision to an industry best-practice standard.
- Reduces/eliminates the need for customer-facing visitor support.
- Reduces/eliminates the use of temporary credentials, improving network security.
- Reduces/eliminates the need for costly SIM-based data provision.
- Allows real-time control of the roaming behaviour of your staff.
£300 to £3000 per unit per month
- Education pricing available
- Free trial available
- Pricing document
- Skills Framework for the Information Age rate card
- Service definition document
- Terms and conditions
- Modern Slavery statement
Jisc Services Ltd
|Software add-on or extension||No|
|Cloud deployment model||Community cloud|
Scheduled maintenance is under the control of Jisc, and will be announced at least 7 days in advance and will be scheduled into the next available maintenance window.
Unscheduled maintenance of the govroam central service, and of the other servers and services under the control of Jisc, is only undertaken in an emergency and will be announced as early as possible.
|Email or online ticketing support||Email or online ticketing|
|Support response times||For general enquiries or technical questions Members should contact the govroam team at firstname.lastname@example.org. The team will acknowledge receipt within 4 hours during a working day, and provide a solution or initiate further investigation to all enquiries as soon as possible, but no later than 5 working days.|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
|Support levels||Technical boarding, B2B troubleshooting and security incident management are included as standard. Enhanced RADIUS federation design consultancy is available at SFIA rates (see service definition for SLA).|
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||There is a defined technical boarding process supported by both deployment and operations training, an extensive documentation package and unlimited telephone/email support.|
|End-of-contract data extraction||Service operations do not require holding end user data. Any business contacts etc will be deleted in accordance with our data protection policy.|
|End-of-contract process||Trust relationships between the customer and the central RADIUS servers are removed. All public references to the customer as a participant are removed.|
Using the service
|Web browser interface||No|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||As a connectivity service, the only differences between mobile and desktop are the OS elements required for initial configuration. The service has no interface for the end user.|
|Independence of resources||Resilience and redundancy in depth across all service elements. Normative use of the service by customers creates minimal load as authentication services are light touch.|
|Service usage metrics||Yes|
|Metrics types||A govroam service report is presented at stakeholder meetings approximately every six months. The report includes information on the number of member organisations and the number of successful roaming sessions.|
|Reporting types||Reports on request|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Baseline Personnel Security Standard (BPSS)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Supplier-defined controls|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider|
|Protecting data at rest||Other|
|Other data at rest protection approach||Physical access control, very little data to protect. Both datacentres are ISO/IEC 27001:2013 certified.|
|Data sanitisation process||No|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||No data to export|
|Data export formats||Other|
|Other data export formats||N/A|
|Data import formats||Other|
|Other data import formats||N/A|
|Data protection between buyer and supplier networks||Other|
|Other protection between networks||Combination of end-to-end 802.11i AES encryption, RADIUS shared secrets, customer-operated EAP methods and use of a private network (Janet)|
|Data protection within supplier network||Other|
|Other protection within supplier network||Combination of end-to-end 802.11i AES encryption, RADIUS shared secrets, customer-operated EAP methods and use of a private network (Janet)|
Availability and resilience
|Guaranteed availability||The availability of the central service is targeted as 99.9%.|
|Approach to resilience||There are multiple load-balanced instances to handle load in the event of an outage. These are hosted in geographically redundant tier 3 facilities, with redundant backups of infrastructure.|
|Outage reporting||Email alerts are generated against central service as part of the major incident handling process. Major outages are also reported via the service webpage and Twitter account.|
Identity and authentication
|User authentication needed||Yes|
|Other user authentication||The member organisation determines who can access roaming provision, and controls credential issue and revocation according to their own policies. Govroam receives a connectivity request from a visiting user’s device and securely conveys it to their home organisation, where their identity is confirmed and the home organisation decides, based on its policies, whether the user is allowed to connect. Govroam conveys that back to the visited organisation which then grants or blocks access accordingly, confident that the visitor’s home organisation is aware of the transaction and has just checked that the visitor in question is a member in good standing.|
|Access restrictions in management interfaces and support channels||Access credentials are only issued to required staff, as specified by the RFO. Note that the govroam app is managed by a third-party consultant.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
|Description of management access authentication||Credentials are issued individually to verified contacts at the request of an RFO. Two-factor authentication for VPN login provides network access via a secure hosting facility. A username and password are used to access the service.|
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||LRQA|
|ISO/IEC 27001 accreditation date||23/06/2016|
|What the ISO/IEC 27001 doesn’t cover||Please contact us for more information|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Who accredited the PCI DSS certification||Please contact us for more information|
|PCI DSS accreditation date||Please contact us for more information|
|What the PCI DSS doesn’t cover||Please contact us for more information|
|Other security certifications||No|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||
|Other security governance standards||ISO 9000. Also aligned with ITILv3. The responsibility for secure provision is split between Jisc, the end-user's home organisation, and the organisation they are visiting. For incidents with actual or potential information security or service integrity implications, we may delegate incident investigation and management to the Janet network CSIRT.|
|Information security policies and processes||Member organisations are required to comply with the Janet Acceptable Use Policy and the Janet Security Policy.|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||Change management controls are applied in line with industry best practice. In particular, we are aware of the change management principles in ITILv3 and align our processes with these.|
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||We have a long-established vulnerability management process which is managed through our ISO27001 certified ISMS.|
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||We deploy a variety of effective systems and processes, including firewalling, IDS, inline DDoS prevention, regular internal and external vulnerability scanning, penetration testing, flow logging, and centralised logging and authentication. Our incident response process is modelled on NIST/SANS principles. It is managed via dedicated incident response lead and backup roles. This process mandates engagement with the CSIRT, the SIRO and the Infosec security manager. Jisc CSIRT works to a 2hr response SLA on incidents.|
|Incident management type||Supplier-defined controls|
|Incident management approach||We have a long-established vulnerability management process which is managed through our ISO27001 certified ISMS.|
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||Yes|
|Other public sector networks||Potentially, all public sector networks can connect guests through govroam.|
|Price||£300 to £3000 per unit per month|
|Discount for educational organisations||Yes|
|Free trial available||Yes|
|Description of free trial||Trial available for the technical onboarding process, not the roaming function.|