John White PM Ltd

JW PM Health and Justice Cloud Hosting Services

JW PM is a lead provider of VDI solutions for the Health and Justice healthcare arena in England. Successfully deploying VDI solutions to police healthcare and prisons healthcare. The solutions are bespoke to the client, follow all standards set by the authority including integration with NHS SPINE services.


  • Works with thin-client as well as zero-client devices
  • Managed cloud-based solutions, designed and implemented end-to-end
  • Platform dedicated to health and justice healthcare
  • Co-residency service to reduce cost across your estate
  • Standalone dedicated platform to match your needs
  • Software Assurance will provide customer with pre-defined upgrade plan
  • Two factor authentication utilising NHS Smartcards
  • ISO 27001 certified
  • Cyber Essentials Certified
  • Connectivity with N3/HSCN


  • Centralised management of anti-virus and cyber-security
  • Centralised management of the OS for updates and patching
  • Enhanced user experience due to standardised desktop across estate
  • Simplified deployment model reduces cost and time
  • Connectivity to HSCN authorised sites
  • All staff have security clearance for police, courts and prisons
  • Known price model throughout duration of contract
  • Scalable to suit your need during duration of contract


£3000 per unit per year

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 11

Service ID

7 1 5 7 6 0 1 8 8 3 1 5 4 8 0


John White PM Ltd

John White


Service scope

Service constraints
1. A N/3 HSCN connection is required, the exact speed of which is determined by the number of users/devices on the VDI system.
2. Existing devices that the client wants to convert to thin-clients will need to be verified as acceptable prior to inclusion. There may be charges to support these devices.
3. Telephony is not supported currently.
4. The solution is built to match national EMR requirements across Health and Justice.
System requirements
  • HSCN connection - JWPM can procure if required
  • Internal network - JWPM can install/configure if required
  • Warranted VDI terminals - JWPM can procure if required
  • KVM hardware may be required for Police and Prison installations
  • NHS Smartcards - JWPM can supply and Manage if required

User support

Email or online ticketing support
Email or online ticketing
Support response times
JW PM offers a 24/7/365 service desk to support all end users of the application. All tickets are responded to as follows: P1 = 30 mins or less P2 = 2 Hours or less P3 = 4 Hours or less P4 = 8 Hours or less P5 = 16 Hours or less.

During project mobilistion SLA/KPIs will be reviewed and agreed with the clients to match their needs.
User can manage status and priority of support tickets
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Onsite support
Support levels
JWPM offer the following support:
1. Telephone Support 24/7/365 - included as part of the package;
2. Onsite support - provided during the go-live phase;
3. Additional onsite support can be purchased if required for other projects or support requirements;
4. Support for 1 x HMP with approx 30 devices: is approx. £40,000 per site per annum, ex VAT, ex desktop/network refresh costs and HSCN connectivity;
5. Support for 1 x Police Custody Suite: approx. £4,000 per annum, ex VAT, ex desktop/network refresh costs and HSCN connectivity;
5. Price reductions apply for multiple sites, as per the costing sheet;
6. A technical account manager is provided, as is a cloud support engineer.
Support available to third parties

Onboarding and offboarding

Getting started
All new customers are assigned a Project Manager and Solution Architect to define the requirement and work with the client to ascertain cost, time and effort in the delivery of their project. the outputs of this engagement will be as a follows: proposed budget, high-level timeline and high-level design. JWPM will then step back and allow the customer to review this information, for them to make a decision, based on their needs. at all times the client will have access to the project manager and solutions architect. During engagement, an escalation process will be defined and agreed with the client.
Service documentation
Documentation formats
  • PDF
  • Other
Other documentation formats
  • Microsoft Office
  • Microsoft Visio
End-of-contract data extraction
All data stored on the platform will be returned to the client in its native format or as a CSV file format. JW PM will not hold any data after contract end data. If required, a secure destruction certified can be obtained, if the client wishes all data to be destroyed.
End-of-contract process
As part of the off-boarding process, JWPM will meet with the client and review what data has been collected and stored over the duration of the contract. It will be agreed with the client what data they wish to retain or destroyed. This engagement of process is included in the overall contract cost.

Using the service

Web browser interface
Using the web interface
End users could utilise existing hardware and JWPM could work with your IT team to install and configure the Citrix Desktop Client. This is run via a web browser and, if HSCN connectivity is available, could connect to the JWPM cloud platform. As the platform is bespoke to the client and pre-configured by JWPM, the end user to not able to make any changes to the desktop environment.
Web interface accessibility standard
None or don’t know
How the web interface is accessible
The web interface is accessible through an icon on a standard Windows or Mac desktop.
Web interface accessibility testing
As the desktop is a standard Windows 10 interface, people with assistive requirements can change the desktop to suit their needs.

JW PM, will during mobilisation, pro-actively engage with any end user who has these requirements.
Command line interface


Scaling available
Scaling type
  • Automatic
  • Manual
Independence of resources
1. Web load balancers
2. High speed data interfaces
3. Upgradable servers in the hosting environment
4. Dedicated platform for dedicated clients
Usage notifications
Usage reporting
  • Email
  • SMS


Infrastructure or application metrics
Metrics types
  • CPU
  • Disk
  • Memory
  • Network
  • Number of active instances
Reporting types
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
What’s backed up
The service can back up virtual machines and associated data.
Backup controls
During project mobilisation it will be agreed with client what backup controls they wish to have in place and subject to them being reasonable, they will be implemented. It is most likely to be daily, weekly and monthly backups as per industry standards.
Datacentre setup
Single datacentre with multiple copies
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
CIMAS is hosted in a Tier 1 Data Centre which is rated as 99.999%, within which the platform works at 99.9% availability or higher, subject to the end-user's internal network connection.
2. Refunds are investigated on a case by case basis due to the areas that are outside the control of JWPM.
Approach to resilience
This information is available on request, and we more than happy to discuss the security, resilience and redundancy of the service with any potential customers.
Outage reporting
1. If an outage was to occur, the JWPM Service Desk, which operates 24/7/365 would notify by email a predefined cohort of service users to the outage.
2. The outage report would continue an initial assessment of the issue and an expectation resolution timeline.

Identity and authentication

User authentication
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Access to management interfaces will be permitted only on dedicated management VLANs separated by a firewall. Support engineers and their roles are controlled by Active Directory accounts and delegations on security groups as organisation units.
If external access is required, access will be only permitted through two factor authentication.
VDI users are controlled by Active directory distributed polices.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)

Audit information for users

Access to user activity audit information
Users receive audit information on a regular basis
How long user audit data is stored for
Access to supplier activity audit information
Users receive audit information on a regular basis
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
CQS (Certified Quality Systems) Ltd
ISO/IEC 27001 accreditation date
13th December 2018
What the ISO/IEC 27001 doesn’t cover
This is a company wide accreditation and applies to all departments
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
1. JWPM is certified to ISO 27001:2013 (Cert Num: ISM7799306) and has information security policies and procedures in place to comply with this standard.
2. Internal audits are undertaken to monitor and assure compliance.
3. Reporting structure is to Head of PMO, then Director, who met weekly to review organisational and project risks, including information risks.
4. JWPM completes NHS Digital's Data Security and Protection Toolkit (JWPM ODS Code: 8K421, Status=Satisfactory, Submitted Jan 2019)
5. JWPM is working towards Cyber Essentials certification during 2019.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
1. All application configuration and change management is as per ITIL v3 2. All changes are subjected to a rigorous UAT
3. All changes are applied to a sandpit installation and tested for security weaknesses before being applied to live
4. All platform hardware is monitored as per the manufacturer's Hardware Life Cycle and replaced as advised
5. All O/S and Service Delivery Software is tracked to comply with the manufacturer's System Life Cycle and replaced as advised to ensure ongoing security and support
Vulnerability management type
Vulnerability management approach
1. JWPM follows the Capability Maturity Model for Vulnerability Management, and will also: Identify, assess, define and plan a resolution when a threat is identified
2. Scan on a regular basis for potential threats
3. Regularly monitor security forums
4. Keep all AV and Cyber Security software up to date
5. JW PM has a defined process and maintenance regime for identifying and installing O/S and application security policies. Reports are generated on a regular basis to show the status of these activities.
6. For emergency patch management; depending on criticality will depend on how quickly JWPM patches the servers.
Protective monitoring type
Protective monitoring approach
All staff are trained to inform the 24/7 service desk on any potential incident. A ticket is raised by the Service Desk and this is immediately allocated to the Information Security Office for review and action. As part of the Information Security Policy, there are controls in place by JWPM. Policies are available on request. Any compromise would be investigated by the Information Security Officer and Information Governance Lead.
Incident management type
Supplier-defined controls
Incident management approach
All staff are trained to inform the 24/7 service desk on any potential incident. A ticket is raised by the Service Desk and this is immediately allocated to the Information Security Office for review and action. As part of the Information Security Policy, there are controls in place by JWPM. Policies are available on request.

Secure development

Approach to secure software development best practice
Supplier-defined process

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Who implements virtualisation
Virtualisation technologies used
Citrix XenServer
How shared infrastructure is kept separate
Compute separation is provided by the software. Network and storage virtualisation techniques are also employed.

Energy efficiency

Energy-efficient datacentres


£3000 per unit per year
Discount for educational organisations
Free trial available
Description of free trial
JW PM is happy to discuss a proof of concept (PoC) with any prospective client. This would typically be tied down to one location with one team who primarily work that location. We would expect the PoC to run for approx. 2 months.

Service documents

Return to top ↑