Secure Information Assurance Ltd

SecureIA Software as a Service

SecureIA enables the sharing and hosting of OFFICIAL/OFFICIAL-SENSITIVE information between HMG Departments and stakeholders via Internet and Private WANs (RLI/SMI, PSN and HSCN). SecureIA provides a secure environment, accessible from a range of end-points. Our flexible technology platforms enable user-focused applications to be delivered in a secure and low-cost way.

Features

  • OFFICIAL/OFFICIAL-SENSITIVE Remote Access Service via Internet, RLI, PSN or HSCN.
  • Document Sharing and Collaboration (inc: SharePoint, eRooms).
  • Competitive Tendering and Bid Decision Support applications.
  • Digital Asset Management repository and applications.
  • eDisclosue and Discovery applications.
  • Database applications.
  • Map Centric Data visualisation applications.
  • Red Hat Openshift and Oracle APEX environments.
  • Secure Development and Test environments (DevOps).
  • Bespoke application hosting.

Benefits

  • Partnership approach to SaaS (more than just a hosting provider).
  • Users can collaborate across RLI/SMI, the Internet, PSN and HSCN.
  • Simple, transparent pricing model.
  • UK Hosted Services, SC Cleared staff.
  • Increase productivity and operational effectiveness by remote working.
  • Over 18 years experience of working with HMG Departments.
  • Experience to support developers and application integration.
  • Hosted from Police Assured Server Facility (PASF)

Pricing

£6.25 per person per month

  • Free trial available

Service documents

Framework

G-Cloud 11

Service ID

4 3 1 2 4 3 2 9 3 8 6 2 7 3 4

Contact

Secure Information Assurance Ltd

Stephen Jewell

0161 215 3788

steve.jewell@s-ia.co.uk

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
The provision of the Cloud Software Services includes planned maintenance activities, which are documented within a Service Level Agreement. SecureIA work with our customers to ensure that systems are regularly patched and maintained, whilst minimising impact on the User community and business requirements.
SecureIA work with the customers and User community of the cloud software to deliver secure and resilient services, balancing the security and functionality that are commensurate with the business requirements.
System requirements
  • End Point Devices to be approved for OFFICIAL use.
  • Code of Connection provides specific requirements for the project services.

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support response times

Calls are responded to within 3 rings. Service Ticket response time is dependent on the criticality: 1. Critical - Immediate Response 2. High - Response within 10 minutes 3. Medium - Response within 1 hour 4. Low - Response within 4 hours 5. Very Low - Response within 24 hours. The standard SLA response times are applicable from 09:00 to 17:00 Monday to Friday (excluding UK Bank Holidays). 365/24/7 Support is also available as a service at an additional cost.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Standard support is provided 08:00 to 18:00 Monday to Friday and include 1st line (User support) through to the system management, monitoring and Administration.
Additional support is available to extend the service support to 24/7 at additional cost.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Specific support is provided to Users for onboarding services, which includes documentation, online training material and can include onsite training.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Access is provided for the customer to extract data, or can be undertaken by SecureIA at no additional charge, depending on the method of delivery. Data can be provided as an image of the Virtual Machines, as extracted data or specific formats such as database exports. Where data is to be delivered by SecureIA, encrypted portable drives can be provided.
End-of-contract process
SecureIA will work with the customer to ensure that the required data, records and audit logs have been extracted and verified before the services are terminated. Data content is then destroyed in accordance with InfoSec Standard 5. The SecureIA service support team will assist the customer with communications to the User community about the end of the contract and either the termination or transfer of services. Images of Virtual Machines will be provided to the customer on request to allow the transfer of the services. Where support from SecureIA is required beyond the end of the contracted services, for example to support the transition to another provider may incur additional charges.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Mobile Access to the specific software services is supported through the Private Cloud service; the specific support for mobile device access to the software applications varies between the applications.
Service interface
No
API
No
Customisation available
Yes
Description of customisation
Access to the software services is provided via a web-based portal which performs authentication an authorisation to the cloud software services. This portal can be customised to match customer or project branding or to tie in with the application software user interface.
The customisable elements of the software services themselves vary between the applications, but SecureIA will apply customisations where they are supported.
Other elements of the service, such as the reporting and dashboard can also be customised.

Scaling

Independence of resources
Resources can be independently allocated to project User communities to ensure resilience of the service and capacity. Capacity of services are monitored, and customers are informed of changes in demand.

Analytics

Service usage metrics
Yes
Metrics types
Service usage metrics can be defined by the customer to either be provided as on-demand dashboards and/or periodic reports. Typical usage data includes numbers of users per period, peak usage, average usage, heat-map of usage over time and days of the week, bandwidth consumption, volume of data uploaded/downloaded etc.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
The export of data is supported and will vary depending upon the software applications being provided. This can include automated exports to external data repositories or specific data exports on request. Some of the applications also provide User driven data export functions.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
  • Database exports
  • Application specific exports
Data import formats
  • CSV
  • ODF
  • Other

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Each customer is provided with a Service Level Agreement which specifies the availability and response targets. Typical availability is 99.96, assured by contractual commitment. SecureIA offer Service Credits against the guaranteed levels of availability.
Approach to resilience
Resilience of the service is provided throughout the service provision. • The Data Centres are classified as a Tier 3 data centre with alternate supply paths for all services to ensure 100% Data Centre uptime. • All redundant systems are regularly tested for operation and effectiveness. • N+1 Redundant Power Supplies. • The Public Sector Dataroom also has additional power connection allowing the entire room to be independently serviced in the event of a catastrophic failure at the site). • Redundant Backup Power from Generators and UPS (N+1). • 100% carbon neutral, PAS 2060 certified hosting. • Carrier Neutral with a range of Tier 1 and 2 carriers. • Multihomed internet presentation, means that if 1 carriers Point of Presence fails communications will automatically failover to another. • Redundant (N+1) Air Conditioning and Environmental Control. • Environmental systems supported by redundant power systems. DR facilities are also available, with secure connectivity provided to replicate data between the production and DR facilities.
Outage reporting
Service outages and planned maintenance activities are communicated via the service web-interface status dashboards and messaging, via email alters and the Service Desk team make contact with agree Points of Contact in order to communicate status and ongoing activities.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Separate accounts are required for Administrative Access, with authentication and authorisation controls applied to all Administrative functions. SSH access to the Virtual machines command line, and RDP sessions requires key-based authentication from a specified source location into a bastion host, which then requires further authentication and account escalation at each onward connection to the specific administrative services.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users receive audit information on a regular basis
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users receive audit information on a regular basis
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Alcumus ISOQAR Limited
ISO/IEC 27001 accreditation date
24/06/2016
What the ISO/IEC 27001 doesn’t cover
The processes and procedures agreed within the Risk Managed Accreditation Document Set (RMADS) that have been agreed with the Accreditor in compliance with JSP and MoD policies.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • Formal Accreditation from MoD (DAIS).
  • Cyber Essentials.

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
Other
Other security governance standards
Formal Accreditation from DAIS, Cyber Essentials, IASME Governance
Information security policies and processes
Security policies and procedures form part of the formal system accreditation by DAIS.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Components of the system are recorded and tracked through their lifetime Every change to a configurable item requires a Change Control Form to be documented and approved. Changes are assessed for potential security impact, and where necessary are communicated to the system Accreditor for approval.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Vulnerability management processes form part of the Risk Managed Accreditation Document Set (RMADS) which have been reviewed and approved by the DAIS Accreditor. SecureIA monitor threat sources, including CERT to gain information about potential threats. Vulnerabilities and Remediation activities are assessed to determine the priority, with patches being applied within the hour for critical security issues through to monthly patching for routine updates.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
SecureIA employ protective monitoring services in compliance with Protective Monitoring for HMG ICT systems (GPG-13).
Incident management type
Supplier-defined controls
Incident management approach
Processes for reporting incidents is included within the Risk Managed Accreditation Document Set (RMADS) which includes HMG monitoring departments and points of contact. Users should report incidents to the first line Service Desk team, either by phone, email or via the web-portal. Incident reports are provided as part of the reporting cycle, with exceptional RCA and incident reports provided for security incidents.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
Yes
Connected networks
  • Public Services Network (PSN)
  • Police National Network (PNN)
  • Health and Social Care Network (HSCN)
  • Other
Other public sector networks
RLI (SMI2)

Pricing

Price
£6.25 per person per month
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
SecureIA are happy to provide a trial of the services or Proof of Concept to demonstrate and verify that the business requirements can be delivered by our services. The period and extent of the trial can be agreed to support the customers business case.

Service documents

Return to top ↑