IGspectrum Ltd

Secure Infrastructure Platform

Provides the highest level of security to Healthcare Service providers without the cost and timescales involved in developing and commissioning a secure platform for confidential patient data.

Features

• Secure service which can be deployed quickly and effectively
• Fully compliant with regulations including DoH and IGSOC2 (IG Toolkit)
• Protected by periodic penetration testing – see IGsecurity service
• Hosted at secure facilities managed by experienced BS27001 accredited staff
• 100% guaranteed network and infrastructure uptime
• Delivery partners are world leaders in hosting, computing and security
• HSCN Connection available

Benefits

• Uptime guarantee ensures that your database is always available
• Hosted configuration meets your required service levels and subsequent dependencies
• Cost effective
• Availability requirements can be satisfied
• Annual cyber-security test
• Help desk during normal working hours
• 24/7 Help Desk available
• Maintenance and enhancment services available
• Capacity management included

£9,600 to £20,000 a unit a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at paul.gillot@igspectrum.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

562783507886257

Contact

Paul Gillot
07774 929 823
paul.gillot@igspectrum.com

Service scope

• Service constraints: There are no constraints
• System requirements: There are no system requirements. PaaS built to your requirements

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within 1 hour on working days – 4 hours at weekends
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: The support is generally available during the standard working day and is chargeable. Special arrangements can be accommodated and are also chargeable.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide initial support to determine PaaS requirements free of charge to include processor, disk, memory, resilience, software, operating system and security requirements. Once the PaaS is configured we hand-hold through the testing and migration process. Additional early life support is provided to ensure smooth running of the service.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: We work with the user to provide an extract in the most common formats. If any other formats are required we can look to satisfy these. When data has been extracted we provide a certificate of destruction if required.
• End-of-contract process: Extract in a standard format - no charge; Extract in a non-standard format - price on application; Destruction of data and certificate of same - no charge; Destruction of applications etc. - no charge; Movement of data and or applications to a third party - price on application

Using the service

• Web browser interface: No
• API: No
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type: Automatic
• Independence of resources: We are alerted to excessive resource usage and can scale resources if needed.
• Usage notifications: Yes
• Usage reporting:
  • Email
  • Other

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • Memory
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2012
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
• Data sanitisation process: No
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Virtual machines
  • Databases
  • Storage devices
  • Dedicated servers
• Backup controls: Back-ups can be configured to meet user's requirements - there maybe an additional charge.; Standard back-ups take place on a periodic basis - no charge
• Datacentre setup:
  • Multiple datacentres with disaster recovery
  • Multiple datacentres
  • Single datacentre with multiple copies
  • Single datacentre
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

• Guaranteed availability: 99.99% assured by independent validation of assertion; contract determines any refunds if availability levels are not met
• Approach to resilience: Available on request
• Outage reporting: Via Email alerts or by other means if required and available.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
• Other user authentication: OTP
• Access restrictions in management interfaces and support channels: We can satisfy any user requirement access management and restriction.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
• Description of management access authentication: OTP
• Devices users manage the service through:
  • Dedicated device on a government network (for example PSN)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 21/10/2009
• What the ISO/IEC 27001 doesn’t cover: No exclusions
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 31/12/2009
• CSA STAR certification level: Level 5: CSA STAR Continuous Monitoring
• What the CSA STAR doesn’t cover: No exclusions
• PCI certification: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: SSAE ISAE
• Information security policies and processes: IG Statement of Compliance; ; IG Toolkit Level 2

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Full lifetime tracking is deployed. No changes are made without a full security assessment.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: All existing and new treat types are evaluated and if necessary the appropriate action is taken.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Threat detection and prevention require a combination of people, process, and security experts who monitor, analyse, and alert any incidents on a 24x7 basis. Threat intelligence is monitored to provide continuous protection for your sensitive data. ; ; A full plan is in place to respond to any real or potential compromise. This plan can be initiated at any time on a 24/7 basis.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Pre-defined processes exist.; ; Users report to the service desk.; ; Incident reports are provided as needed.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: VMware
• How shared infrastructure is kept separate: VMware and database segregation.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: Rackspace maintains the ISO14001 certification on the system which we use. This certification is on the Rackspace website here: https://www.rackspace.com/en-gb/compliance/iso which requires them to manage their environmental performance, including energy and waste management, in a systematic way equivalent to the related EU Code of Conduct above by setting environmental objectives

Pricing

• Price: £9,600 to £20,000 a unit a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at paul.gillot@igspectrum.com. Tell them what format you need. It will help if you say what assistive technology you use.