SecureIA Software as a Service
SecureIA enables the sharing and hosting of OFFICIAL/OFFICIAL-SENSITIVE information between HMG Departments and stakeholders via Internet and Private WANs (RLI/SMI, PSN and HSCN). SecureIA provides a secure environment, accessible from a range of end-points. Our flexible technology platforms enable user-focused applications to be delivered in a secure and low-cost way.
- OFFICIAL/OFFICIAL-SENSITIVE Remote Access Service via Internet, RLI, PSN or HSCN.
- Document Sharing and Collaboration (inc: SharePoint, eRooms).
- Competitive Tendering and Bid Decision Support applications.
- Digital Asset Management repository and applications.
- eDisclosure and Discovery applications.
- Database applications.
- Map Centric Data visualisation applications.
- Red Hat OpenShift and Oracle APEX environments.
- Secure Development and Test environments (DevOps).
- Bespoke application hosting.
- Partnership approach to SaaS (more than just a hosting provider).
- Users can collaborate across RLI/SMI, the Internet, PSN and HSCN.
- Simple, transparent pricing model.
- UK Hosted Services, SC Cleared staff.
- Increase productivity and operational effectiveness by remote working.
- Over 18 years' experience of working with HMG Departments.
- Experience to support developers and application integration.
£6.25 per person per month
- Free trial available
Secure Information Assurance Ltd
0161 215 3788
|Software add-on or extension||No|
|Cloud deployment model||Private cloud|
The provision of the Cloud Software Services includes planned maintenance activities, which are documented within a Service Level Agreement. SecureIA work with our customers to ensure that systems are regularly patched and maintained, whilst minimising impact on the User community and business requirements.
SecureIA work with the customers and User community of the cloud software to deliver secure and resilient services, balancing the security and functionality that are commensurate with the business requirements.
|Email or online ticketing support||Email or online ticketing|
|Support response times||Calls are responded to within 3 rings. Service Ticket response time is dependent on the criticality: 1. Critical - Immediate Response 2. High - Response within 10 minutes 3. Medium - Response within 1 hour 4. Low - Response within 4 hours 5. Very Low - Response within 24 hours. The standard SLA response times are applicable from 09:00 to 17:00 Monday to Friday (excluding UK Bank Holidays). 365/24/7 Support is also available as a service at an additional cost.|
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Phone support availability||24 hours, 7 days a week|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Standard support is provided 08:00 to 18:00 Monday to Friday and includes 1st line (User support) through to the system management, monitoring and Administration.
Additional support is available to extend the service support to 24/7 at additional cost.
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||Specific support is provided to Users for onboarding services, which includes documentation, online training material and can include onsite training.|
|End-of-contract data extraction||Access is provided for the customer to extract data, or can be undertaken by SecureIA at no additional charge, depending on the method of delivery. Data can be provided as an image of the Virtual Machines, as extracted data or specific formats such as database exports. Where data is to be delivered by SecureIA, encrypted portable drives can be provided.|
|End-of-contract process||SecureIA will work with the customer to ensure that the required data, records and audit logs have been extracted and verified before the services are terminated. Data content is then destroyed in accordance with InfoSec Standard 5. The SecureIA service support team will assist the customer with communications to the User community about the end of the contract and either the termination or transfer of services. Images of Virtual Machines will be provided to the customer on request to allow the transfer of the services. Support from SecureIA that is required beyond the end of the contracted services, for example to support the transition to another provider, may incur additional charges.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||Mobile Access to the specific software services is supported through the Private Cloud service; the specific support for mobile device access to the software applications varies between the applications.|
|Description of customisation||Access to the software services is provided via a web-based portal which performs authentication and authorisation to the cloud software services. This portal can be customised to match customer or project branding or to tie in with the application software user interface. The customisable elements of the software services themselves vary between the applications, but SecureIA will apply customisations where they are supported. Other elements of the service, such as the reporting and dashboard, can also be customised.|
|Independence of resources||Resources can be independently allocated to project User communities to ensure resilience of the service and capacity. Capacity of services is monitored, and customers are informed of changes in demand.|
|Service usage metrics||Yes|
|Metrics types||Service usage metrics can be defined by the customer to either be provided as on-demand dashboards and/or periodic reports. Typical usage data includes numbers of users per period, peak usage, average usage, heat-map of usage over time and days of the week, bandwidth consumption, volume of data uploaded/downloaded etc.|
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||The export of data is supported and will vary depending upon the software applications being provided. This can include automated exports to external data repositories or specific data exports on request. Some of the applications also provide User driven data export functions.|
|Data export formats||
|Other data export formats||
|Data import formats||
|Data protection between buyer and supplier networks||
|Data protection within supplier network||
Availability and resilience
|Guaranteed availability||Each customer is provided with a Service Level Agreement which specifies the availability and response targets. Typical availability is 99.96, assured by contractual commitment. SecureIA offer Service Credits against the guaranteed levels of availability.|
|Approach to resilience||Resilience of the service is provided throughout the service provision. • The Data Centres are classified as a Tier 3 data centre with alternate supply paths for all services to ensure 100% Data Centre uptime. • All redundant systems are regularly tested for operation and effectiveness. • N+1 Redundant Power Supplies. • The Public Sector Dataroom also has an additional power connection, allowing the entire room to be independently serviced in the event of a catastrophic failure at the site. • Redundant Backup Power from Generators and UPS (N+1). • 100% carbon neutral, PAS 2060 certified hosting. • Carrier Neutral with a range of Tier 1 and 2 carriers. • Multihomed internet presentation means that if 1 carrier's Point of Presence fails, communications will automatically fail over to another. • Redundant (N+1) Air Conditioning and Environmental Control. • Environmental systems supported by redundant power systems. DR facilities are also available, with secure connectivity provided to replicate data between the production and DR facilities.|
|Outage reporting||Service outages and planned maintenance activities are communicated via the service web-interface status dashboards and messaging and via email alerts, and the Service Desk team makes contact with agreed Points of Contact in order to communicate status and ongoing activities.|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||Separate accounts are required for Administrative Access, with authentication and authorisation controls applied to all Administrative functions. SSH access to the Virtual Machines' command line and RDP sessions require key-based authentication from a specified source location into a bastion host, which then requires further authentication and account escalation at each onward connection to the specific administrative services.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users receive audit information on a regular basis|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users receive audit information on a regular basis|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||Alcumus ISOQAR Limited|
|ISO/IEC 27001 accreditation date||24/06/2016|
|What the ISO/IEC 27001 doesn’t cover||The processes and procedures agreed within the Risk Managed Accreditation Document Set (RMADS) that have been agreed with the Accreditor in compliance with JSP and MoD policies.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||Other|
|Other security governance standards||Formal Accreditation from DAIS, Cyber Essentials, IASME Governance|
|Information security policies and processes||Security policies and procedures form part of the formal system accreditation by DAIS.|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||Components of the system are recorded and tracked through their lifetime. Every change to a configurable item requires a Change Control Form to be documented and approved. Changes are assessed for potential security impact, and where necessary are communicated to the system Accreditor for approval.|
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||Vulnerability management processes form part of the Risk Managed Accreditation Document Set (RMADS), which has been reviewed and approved by the DAIS Accreditor. SecureIA monitor threat sources, including CERT, to gain information about potential threats. Vulnerabilities and Remediation activities are assessed to determine the priority, with patches being applied within the hour for critical security issues through to monthly patching for routine updates.|
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||SecureIA employ protective monitoring services in compliance with Protective Monitoring for HMG ICT systems (GPG-13).|
|Incident management type||Supplier-defined controls|
|Incident management approach||Processes for reporting incidents are included within the Risk Managed Accreditation Document Set (RMADS), which includes HMG monitoring departments and points of contact. Users should report incidents to the first line Service Desk team, either by phone, email or via the web-portal. Incident reports are provided as part of the reporting cycle, with exceptional RCA and incident reports provided for security incidents.|
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||Yes|
|Other public sector networks||RLI (SMI2)|
|Price||£6.25 per person per month|
|Discount for educational organisations||No|
|Free trial available||Yes|
|Description of free trial||SecureIA are happy to provide a trial of the services or Proof of Concept to demonstrate and verify that the business requirements can be delivered by our services. The period and extent of the trial can be agreed to support the customer's business case.|