Cassidian CyberSecurity Ltd T/A Regency IT Consulting

Cloud Hosting

Regency Cloud as a Service provides a secure, ISO 27001:2013 certified, UK based, direct connection hosting platform for multiple applications up to Official. The service provides a secure, agile and reliable subscription based hosting solution that meets the needs of UK Public Sector and includes internet access for client services.

Features

  • Secure Hosting solution up to Official
  • ISO/IEC 27001:2013 certified Data Centre
  • Direct Connection
  • Internet connected
  • Reliable and available IT infrastructure
  • Resource based pricing

Benefits

  • ISO/IEC 27001:2013 certified Data Centre
  • SLAs appropriate to business requirements
  • Flexible support options
  • Secure, agile and reliable services
  • Client direct connection
  • Subscription based
  • Flexible and scalable

Pricing

£0.10 per gigabyte per hour

Service documents

G-Cloud 9

602082737885003

Cassidian CyberSecurity Ltd T/A Regency IT Consulting

Dave Butler

0124 2225699

opportunities@regencyitc.co.uk

Service scope

Service constraints: Outages may be required for the patching and updating of systems. Where possible, these will be carried out at night and notification will be provided to clients where possible.
System requirements: Licences for specific software as required by client.

User support

Email or online ticketing support: Email or online ticketing
Support response times: Regency staff will respond to email queries within the next working day. If a question is submitted on Friday, it will be answered on the next working day, i.e. the following Monday.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: No
Support levels: The service is monitored internally 24x7 and Regency provides telephone and email support during normal UK business hours. For larger or dedicated deployments a lead engineer and account manager will be assigned to each customer; a project manager (additional cost) can also be provided. Out of hours or emergency response can be provided if required (costs on request).

Regency can provide design and security authorities or dedicated engineers for any period of time; the day rates for these are in line with the SIA rate card.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: The on-boarding process for the Cloud Hosting Service is unique to each client.
The on-boarding process will see Regency IT Consulting working with our clients to determine the most appropriate cloud platform, write a proposal to include the design, implementation time-scales, a proposed migration plan and a total cost including any additional engineering, project management or service management costs.
Service documentation: Yes
Documentation formats:
  • ODF
  • PDF
End-of-contract data extraction: The off-boarding process will see Regency IT Consulting working with our clients to determine the most effective migration route or method and, if required, write a proposal to include a proposed migration plan and a total cost including any additional engineering, project management or service management costs.

In the event that the service is being taken over by a new supplier, the off-boarding process will typically consist of performing a review of the migration plan and the responsibilities of all parties. If the service is to be ceased without it being taken over by a new supplier, the process will typically consist of providing the data in an agreed format to the users.
End-of-contract process: The contract will specify what happens at the end of the agreed term. For example, typically the data will be archived for a period of one month before being securely destroyed. During this time, the data can be made available to the customer on request. Beyond this period, if the customer requires the maintenance of a copy of the data for a longer period, there would be an additional charge.

Using the service

Web browser interface: Yes
Using the web interface: The facilities available to users will be tailored to the requirements of the buyer. Examples include provisioning of new virtual machines, increasing or decreasing CPU allocations, memory allocation etc.
Web interface accessibility standard: None or don’t know
How the web interface is accessible: The service being offered has a direct connection to the interface and is available from any device anywhere unless the customer has requested a dedicated service where access may be limited to certain IP ranges.
Web interface accessibility testing: No
API: No
Command line interface: No

Scaling

Scaling available: No
Independence of resources: Regency monitors the server usage and will notify customers of any potential conflicts. Regency also provides a dedicated cloud hosting service where customers can run their environments on dedicated resources.
Usage notifications: Yes
Usage reporting: Email

Analytics

Infrastructure or application metrics: Yes
Metrics types:
  • CPU
  • Disk
  • Memory
  • Network
Reporting types: Regular reports

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Conforms to BS7858:2012
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Supplier-defined controls
Penetration testing frequency: At least once a year
Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest: Physical access control, complying with another standard
Data sanitisation process: Yes
Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery: Yes
What’s backed up: Virtual machines
Backup controls: The backup regime will be defined during the initial contract and changes can be requested during the course of the contract.
Datacentre setup: Single datacentre
Scheduling backups: Users contact the support team to schedule backups
Backup recovery: Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks: Other methods may be available, subject to discussion with the customer.
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: All SLAs will be aligned to the customer requirements above and written against Regency IT Consulting’s own Service Level Objectives. These are based upon our Systems Capacity Management, Business Continuity Management and projected Service availability.
The service level goal, excluding any planned maintenance or planned outages, is 99.9% availability.
Regency proactively monitors network connectivity 24x7.
Regency will use reasonable endeavours to maintain the cloud infrastructure availability.
Approach to resilience: Information available on request.
Outage reporting: Regency will report any outages to customers via email alerts in most cases, although contact via telephone may occur in certain circumstances.

Identity and authentication

User authentication:
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels: Physical access to the datacentre is limited to engineers only. Logical access is managed via username and password based on a least-privilege access model.
Access restriction testing frequency: At least once a year
Management access authentication:
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
Devices users manage the service through:
  • Dedicated device on a segregated network (provider's own provision)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: Between 6 months and 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: Between 6 months and 12 months
How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: BSI
ISO/IEC 27001 accreditation date: 02/06/2015 – Last assessment date 21/03/2017
What the ISO/IEC 27001 doesn’t cover: Our certification covers “The Information Security Management System for the provision of the managed encryption service, general office systems and secure data centre in accordance with the Statement of Applicability Version 2.6 dated 22/01/16.” This covers the entirety of the Regency operation.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security accreditations: No

Security governance

Named board-level person responsible for service security: Yes
Security governance accreditation: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: Policies:
  • Information Security
  • Acceptable Use of IT
  • Access Control
  • Change Control
  • Forensic Incident
  • Forensic Readiness
  • Security Classifications
  • Security Incident
  • Cryptographic Management Policy
  • Password Policy
  • Patching Policy

Regency also has Security Operating Procedures (SyOps) in place, directing the use of IT devices, applications and systems including office-based, mobile or client-supplied devices.

All new starters receive a security briefing from the Regency Security Controller as part of their induction into the company and are required to read the security policies and SyOps, signing to confirm that they have done so; a record is maintained of this. All staff are required to reacquaint themselves with the policies and procedures annually and sign to confirm that they have done so; again, records are maintained, as are records of any additional training or briefings provided.

All users are responsible for reporting actual or suspected security incidents and any identified or suspected security weaknesses to the Security Controller, who will decide on the relevant course of action. The Security Controller (or deputy) is responsible for managing information security incidents, including recording incidents, conducting investigations and presenting details of all security incidents to the Regency IT Working Group.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: The Regency Change Management Policy is aligned with ISO 20000. All change requests are assessed for risk and potential impact throughout the change cycle. This is reviewed by several support staff to ensure accurate assessment of risk and impact of the change before acceptance by the ITWG and the Change Advisory Board (CAB). Individual managed services may also run separate CABs particular to that service, or when third-party or customer access to the CAB is required.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Regency staff monitor a number of security forums and pick up information from there. Patches are deployed depending on the vulnerability level. For Windows systems, we look to patch monthly but, if we receive information that there's a high-risk vulnerability, we would seek to patch earlier or deny access to that service.

Regency has a Patching Policy which sets out the process followed.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Regency will work with the customer to identify the compromise events that they would like monitored. Where possible, triggers will be defined and alerts sent to the Regency Operations team for action in accordance with defined processes (customer agreed). Regency will inform the customer according to the agreed timescales, dependent on the risk level of the event.
Incident management type: Supplier-defined controls
Incident management approach: Regency will have a dedicated email address for each customer. Everything emailed to that email address would be added to the Regency IT ticketing system and allocated to an engineer; actions taken to address the incident are recorded on the system. The process is compliant with ITIL.

In relation to security incidents, these are reported to the Security Controller in line with the Regency Security Incidents Policy.

Secure development

Approach to secure software development best practice: Supplier-defined process

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
Who implements virtualisation: Supplier
Virtualisation technologies used: VMware
How shared infrastructure is kept separate: Regency can supply dedicated virtual machines or otherwise comply with customer requirements and design the solution as desired.

Energy efficiency

Energy-efficient datacentres: No

Pricing

Price: £0.10 per gigabyte per hour
Discount for educational organisations: No
Free trial available: No

Documents

Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document