Regency Cloud as a Service provides a secure, ISO 27001:2013 certified, UK based, direct connection hosting platform for multiple applications up to Official. The service provides a secure, agile and reliable subscription based hosting solution that meets the needs of UK Public Sector and includes internet access for client services.
- Secure Hosting solution up to Official
- ISO/IEC 27001:2013 certified Data Centre
- Direct Connection
- Internet connected
- Reliable and available IT infrastructure
- Resource based pricing
- ISO/IEC 27001:2013 certified Data Centre
- SLAs appropriate to business requirements
- Flexible support options
- Secure, agile and reliable services
- Client direct connection
- Subscription based
- Flexible and scalable
£0.10 per gigabyte per hour
Cassidian CyberSecurity Ltd T/A Regency IT Consulting
|Service constraints||Outages may be required for the patching and updating of systems. Where possible, these will be carried out at night and notification will be provided to clients where possible.|
|System requirements||Licences for specific software as required by client.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Regency staff will respond to email queries within the next working day. If a question is submitted on Friday, it will be answered on the next working day i.e. the following Monday.|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
The service is monitored internally 24x7 and Regency provides telephone and email support during normal UK business hours. For larger or dedicated deployments a lead engineer and account manager will be assigned to each customer; a project manager (additional cost) can also be provided. Out of hours or emergency response can be provided if required (costs on request).
Regency can provide design and security authorities or dedicated engineers for any period of time; the day rates for these are in line with the SIA rate card.
|Support available to third parties||Yes|
Onboarding and offboarding
The on-boarding process for the Cloud Hosting Service is unique to each client.
The on-boarding process will see Regency IT Consulting working with our clients to determine the most appropriate cloud platform, write a proposal to include the design, implementation time-scales, a proposed migration plan and a total cost including any additional engineering, project management or service management costs.
|End-of-contract data extraction||
The off-boarding process will see Regency IT Consulting working with our clients to determine the most effective migration route or method and, if required, write a proposal to include a proposed migration plan and a total cost including any additional engineering, project management or service management costs.
In the event that the service is being taken over by a new supplier, the off-boarding process will typically consist of performing a review of the migration plan and the responsibilities of all parties. If the service is to be ceased without it being taken over by a new supplier, the process will typically consist of providing the data in an agreed format to the users.
|End-of-contract process||The contract will specify what happens at the end of the agreed term. For example, typically the data will be archived for a period of one month before being securely destroyed. During this time, the data can be made available to the customer on request. Beyond this period, if the customer requires the maintenance of a copy of the data for a longer period, there would be an additional charge.|
Using the service
|Web browser interface||Yes|
|Using the web interface||The facilities available to users will be tailored to the requirements of the buyer. Examples include provisioning of new virtual machines, increasing or decreasing CPU allocations, memory allocation etc.|
|Web interface accessibility standard||None or don’t know|
|How the web interface is accessible||The service being offered has a direct connection to the interface and is available from any device anywhere unless the customer has requested a dedicated service where access may be limited to certain IP ranges.|
|Web interface accessibility testing||No|
|Command line interface||No|
|Independence of resources||Regency monitors the server usage and will notify customers of any potential conflicts. Regency also provides a dedicated cloud hosting service where customers can run their environments on dedicated resources.|
|Infrastructure or application metrics||Yes|
|Reporting types||Regular reports|
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Supplier-defined controls|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider|
|Protecting data at rest||Physical access control, complying with another standard|
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Backup and recovery
|Backup and recovery||Yes|
|What’s backed up||Virtual machines|
|Backup controls||The backup regime will be defined during the initial contract and changes can be requested during the course of the contract.|
|Datacentre setup||Single datacentre|
|Scheduling backups||Users contact the support team to schedule backups|
|Backup recovery||Users contact the support team|
|Data protection between buyer and supplier networks||
|Other protection between networks||Other methods may be available, subject to discussion with the customer.|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
All SLAs will be aligned to the customer requirements above and written against Regency IT Consulting’s own Service Level Objectives. These are based upon our Systems Capacity Management, Business Continuity Management and projected Service availability.
The service level goal, excluding any planned maintenance or planned outages, is 99.9% availability.
Regency proactively monitors network connectivity 24x7.
Regency will use reasonable endeavours to maintain the cloud infrastructure availability.
|Approach to resilience||Information available on request.|
|Outage reporting||Regency will report any outages to customers via email alerts in most cases although contact via telephone may occur in certain circumstances.|
Identity and authentication
|Access restrictions in management interfaces and support channels||Physical access to the datacentre is limited to engineers only. Logical access is managed via username and password based on a least privileged access model.|
|Access restriction testing frequency||At least once a year|
|Management access authentication||
|Devices users manage the service through||
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||Between 6 months and 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||Between 6 months and 12 months|
|How long system logs are stored for||Between 6 months and 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||BSI|
|ISO/IEC 27001 accreditation date||02/06/2015 – Last assessment date 21/03/2017|
|What the ISO/IEC 27001 doesn’t cover||Our certification covers “The Information Security Management System for the provision of the managed encryption service, general office systems and secure data centre in accordance with the Statement of Applicability Version 2.6 dated 22/01/16.” This covers the entirety of the Regency operation.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security accreditations||No|
|Named board-level person responsible for service security||Yes|
|Security governance accreditation||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
Acceptable Use of IT
Cryptographic Management Policy
Regency also has Security Operating Procedures (SyOps) in place, directing the use of IT devices, applications and systems including office-based, mobile or client-supplied devices.
All new starters receive a security briefing from the Regency Security Controller as part of their induction into the company and are required to read the security policies and SyOps, signing to confirm that they have done so; a record is maintained of this. All staff are required to reacquaint themselves with the policies and procedures annually and sign to confirm that they have done so. Again, records are maintained, as are records of any additional training or briefings provided.
All users are responsible for reporting actual or suspected security incidents and any identified or suspected security weaknesses to the Security Controller who will decide on the relevant course of action. The Security Controller (or deputy) is responsible for managing information security incidents, including recording incidents, conducting investigations and presenting details of all security incidents to the Regency IT Working Group.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||The Regency Change Management Policy is aligned with ISO20000. All change requests are assessed for risk and potential impact throughout the change cycle. This is reviewed by several support staff to ensure accurate assessment of risk and impact of the change before acceptance by the ITWG and the Change Advisory Board (CAB) - individual managed services may also run separate CABs particular to that service, or when third-party or customer access to the CAB is required.|
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
Regency staff monitor a number of security forums and pick up information from there. Patches are deployed depending on the vulnerability level. For Windows systems, we look to patch monthly but, if we receive information that there's a high risk vulnerability, we would seek to patch earlier or deny access to that service.
Regency has a Patching Policy which sets out the process followed.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||Regency will work with the customer to identify the compromise events that they would like monitored. Where possible, triggers will be defined and alerts sent to the Regency Operations team for action in accordance with defined processes (customer agreed). Regency will inform the customer according to the agreed timescales, dependent on the risk level of the event.|
|Incident management type||Supplier-defined controls|
|Incident management approach||
Regency will have a dedicated email address for each customer. Everything emailed to that email address would be added to the Regency IT ticketing system and allocated to an engineer; actions taken to address the incident are recorded on the system. The process is compliant with ITIL.
In relation to security incidents, these are reported to the Security Controller in line with the Regency Security Incidents Policy.
|Approach to secure software development best practice||Supplier-defined process|
Separation between users
|Virtualisation technology used to keep applications and users sharing the same infrastructure apart||Yes|
|Who implements virtualisation||Supplier|
|Virtualisation technologies used||VMware|
|How shared infrastructure is kept separate||Regency can supply dedicated virtual machines or otherwise comply with customer requirements and design the solution as desired.|
|Price||£0.10 per gigabyte per hour|
|Discount for educational organisations||No|
|Free trial available||No|