BMT Defence Services Limited

RLI Application & Website Hosting

BMT provide secure hosting of classified UK MOD systems via the Restricted LAN Interconnect (RLI). We provide first and third line helpdesk support and off/on-site training packages. Our service includes hosting support, high system availability and daily backups of all data and documentation stored within websites and back-end databases.

Features

  • Secure RLI hosting
  • Classified data storage and hosting
  • First and third line software helpdesk/technical support
  • Email, phone and on-site helpdesk support
  • Issue management and resolution
  • Provision of off-site and on-site training courses
  • Service Level Agreements
  • System administration
  • Backup & Recovery, including secure off-site backup storage
  • ISO27001 accredited security

Benefits

  • Confidence in hosting/support infrastructure which utilises ITIL principles
  • Excellent 24/7/365 hosting uptime statistics
  • Proven, scalable hosting service which accommodates large-scale data/user expansions
  • Responsive and friendly helpdesk/support staff putting users at ease
  • Rapid response to support requests with quick resolution times
  • Proven support experience with high levels of user satisfaction
  • Customised training courses to meet needs of specific user groups
  • Confidence in hosting service regularly audited under ISO9001/27001 certification
  • Service Level Agreements to meet user needs

Pricing

£3000 per unit per year

Service documents

G-Cloud 9

368634707349014

BMT Defence Services Limited

Sonia Taylor

01225 473622

staylor@bmtdsl.co.uk

Service scope

Service constraints Helpdesk support available within office hours Mon-Fri 07:00-17:30 (not including Bank Holidays)
System requirements
  • Microsoft ASP.NET or Classic ASP web application/website hosting
  • Microsoft SQL Server back-end

User support

Email or online ticketing support No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Onsite support
Support levels BMT provide different Service Level Agreement options, dependent on the criticality of the hosted system and the customer needs.

All of our hosting options are backed up by a Service Team which is comprised of a number of experienced first line support technicians, software developers and test analysts. Our helpdesk support service is available between 07:00 – 17:00 (UK hours) Monday to Friday excluding Public Holidays. Users can call our helpdesk directly (on a Bath, UK fixed line) or email the helpdesk with any issues.

Our support levels include different Service Level Agreement (SLA) options. Our SLAs have defined Severity Categories with associated reporting procedures and response/resolution timescales against all support requests.

The support options we provide include training packages comprising on-site classroom training sessions, administrable on-line training/guidance tools and web-enabled, interactive, SCORM-compliant training systems.

For Content Management System (CMS) hosting, we also provide system administration support options which can include system configuration changes and content updates.

For hosting/support costs, please see the Pricing Document.
Support available to third parties Yes

Onboarding and offboarding

Getting started The support options we provide include training packages comprising on-site classroom training sessions, administrable on-line training/guidance tools and web-enabled, interactive, SCORM-compliant training systems.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction At the end of the contract, BMT provide the customer with a copy of all software files and databases for potential migration to a new hosting service. Where applicable, BMT also provide the relevant supporting documentation including:

- Technical specifications;
- Help/User Guides;
- Functional documentation;
- Technical proposals;
- Data models;
- Architectural diagrams;
- System Deployment Guides;
- Technology stack/licensing requirements.
End-of-contract process The end of contract data extraction and provision to the customer is included in the price of the contract.

In addition, we also offer handover meetings with new hosting providers to cover the relevant architectures of the system to ensure the new supplier is fully ready upon switchover of hosting services. These meetings are also used to provide the new supplier with all required assistance - including systems training for support, data migration assistance, hardware sizing and usage statistics.

Using the service

Web browser interface No
API No
Command line interface No

Scaling

Scaling available No
Independence of resources BMT Defence Services hosting environment allows for individual services to have resources throttled and / or dedicated per service. This includes storage capacity, processing capacity and bandwidth.
Usage notifications Yes
Usage reporting
  • Email
  • Other

Analytics

Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • Memory
  • Network
  • Other
Other metrics
  • System Performance Metrics
  • Uptime statistics
  • Helpdesk Logs
  • Incident Logs, including resolution times
Reporting types Reports on request

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest Other
Other data at rest protection approach All data resides on systems that are accredited by Defence Assurance Information Security (DAIS) to hold information up to Official-Sensitive. BMT Defence Services hold ISO27001:2013 certification. The ICT systems comply with the Defence Cyber Protection Partnership (DCPP) Medium level risk profile including Cyber Essentials Plus certification.
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Hardware containing data is completely destroyed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery Yes
What’s backed up
  • Virtual Machines
  • Logs
  • Application Files
  • Databases
  • Uploaded Document Files
Backup controls BMT control the backup service. The web hosting servers are backed-up at 12pm and 7pm daily and the Microsoft SQL Server databases are backed up at 7pm daily. These backup files are transported via an encrypted fibre link to a separate BMT office, so there is no risk in physical transportation of MOD files. We provide the customer with a Backup & Recovery Schedule to demonstrate the process that is in place, including mitigation against loss of data and maintenance of data integrity.
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Supplier controls the whole backup schedule
Backup recovery Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • Other
Other protection between networks Firewall. Majority of ports are closed except those specifically used for NET use and SSH when required.
Data protection within supplier network Other
Other protection within supplier network All data resides on systems that are accredited by Defence Assurance Information Security (DAIS) to hold information up to Official-Sensitive. BMT Defence Services hold ISO27001:2013 certification. The ICT systems comply with the Defence Cyber Protection Partnership (DCPP) Medium level risk profile including Cyber Essentials Plus certification.

Availability and resilience

Guaranteed availability Under our ISO 27001:2013 accreditation, BMT has implemented a number of controls to ensure that we mitigate any risks associated with the integrity, confidentiality and availability of our systems. We typically provide a contractual agreement to a minimum of 99.5% uptime. BMT agrees a Service Level Agreement (SLA) with each buyer for our RLI hosting service. In addition to uptime levels, our SLA defines categories of incident severity and the mandated reporting and resolution processes that will be adhered to in each instance.
Approach to resilience A warm standby site is maintained. Further details available on request.
Outage reporting Services are provided through virtualised infrastructure which is monitored through the VMware service provision. Alerts are raised to the internal service desk and escalated through the integrated support and infrastructure team on premises.

Identity and authentication

User authentication
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels Under our ISO 27001:2013 accreditation, BMT has implemented a number of controls to ensure that we mitigate any risks associated with the integrity, confidentiality and availability of our systems.

We develop our services with secure programming principles in mind to ensure that the risk of any malicious activity is mitigated. The data architecture and security model within the websites/applications themselves provide the necessary confidentiality of information as authenticated users can only access areas that they have been granted access to and users without a valid username and password cannot access the application or data at all.
Access restriction testing frequency At least every 6 months
Management access authentication
  • Limited access network (for example PSN)
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (provider's own provision)
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Lloyds Register
ISO/IEC 27001 accreditation date 14/08/2014
What the ISO/IEC 27001 doesn’t cover All services are covered by ISO27001:2013
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations Yes
Any other security accreditations
  • Accredited by Defence Assurance Information Security to hold Official-Sensitive information
  • Comply with the Defence Cyber Protection Partnership Medium level risk
  • Cyber Essentials Plus certification

Security governance

Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes The BMT Hosting Support Team is constructed from a number of members of staff from the Information Systems Department within BMT. It is the company’s policy to put every member of staff through the security clearance process and, as such, every staff member working on any hosting-related task has SC level clearance.

Under our ISO 27001:2013 accreditation, BMT has implemented a number of controls to ensure that we mitigate any risks associated with the integrity, confidentiality and availability of our systems.

Our hosting and data centres are protected through anti-virus, software patching, EAL4 firewalls and regular testing by our IT Department. This is demonstrated as a number of our systems are subjected to almost weekly penetration tests which confirm the appropriate controls we have in place.

BMT’s IT Department has a thorough patching policy that is subject to external audits every 6 months as part of our ISO 27001:2013 accreditation. The accredited controls that are in place protect against malicious attacks, viruses, Trojan horses, Denial of Service (DOS) attacks, SQL injections and a range of other threats.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Our Change Management process is initiated from a number of sources which include ICT Strategy, Capacity Management, Incident/Problem Management (which include security incidents) and Service Requests. All Change Requests (RFCs) are recorded in our Service Desk system. Changes are assessed (including security impact assessment) and either approved/scheduled for planning or are rejected. Minor, Major and Significant changes must be approved by the BMT ICT Change Assessment Board (CAB). Changes are implemented as a series of tasks which are recorded and actioned within the BMT Service Desk. Changes are reviewed and closed during weekly management reviews and quarterly strategic reviews.
Vulnerability management type Supplier-defined controls
Vulnerability management approach BMT Defence Services has staff who are members of CISP. Additionally, the SIEM solution used within the infrastructure (AlienVault) provides real-time threat updates and analyses internal traffic for signatures.
Protective monitoring type Supplier-defined controls
Protective monitoring approach The SIEM solution used within the infrastructure (AlienVault) provides real-time threat updates and analyses internal traffic for signatures. Incidents are managed by the integrated service team and escalated to third parties (including HMG) if outside of the internal skill profile.
Incident management type Supplier-defined controls
Incident management approach Incidents are raised by email, phone or personal contact (site visit). The impact and urgency are selected using the appropriate matrix as a guide. Priority is automatically assigned and SLA targets set.

Initial analysis of an incident identifies the timescales for resolution and the requester is notified.

The incident is passed to the appropriate management process, if required.

Once the incident has been resolved, the Requester is notified and prompted to mark the incident as closed or respond to reinstate the incident.

A user or analyst can reinstate a resolved incident if necessary.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Supplier
Virtualisation technologies used VMware
How shared infrastructure is kept separate All applications and services are provided through segmented virtualised servers. Each application can be self-contained with its own virtual server.

Energy efficiency

Energy-efficient datacentres No

Pricing

Price £3000 per unit per year
Discount for educational organisations No
Free trial available No

Documents

Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document