This G-Cloud 10 service is no longer available to buy.

The G-Cloud 10 framework expired on Tuesday 2 July 2019. Any existing contracts with Carelink - Piksel Ltd are still valid.
Carelink - Piksel Ltd

Carelink HSCN Cloud - Managed VM Service

A secure, highly available virtual platform with connectivity to HSCN and the Internet.

Features

  • Secure highly accredited UK based company and facilities
  • HSCN and Internet connectivity
  • Flexible and expandable virtual servers
  • High availability as standard
  • Dual data centre DR capability
  • Multiple architectures to provide best value
  • Built on industry leading infrastructure - HP, EMC, VMWare
  • ITIL aligned service management
  • ISO 27001, 20000, 9001, DPA, IGSoC
  • 24x7 Service Desk

Benefits

  • Increased efficiency of a single provider for connectivity and infrastructure
  • Services available everywhere - web, cloud, HSCN, PSN, JANET
  • Security of information assured
  • Access from anywhere with secure remote connectivity solutions
  • Supporting the latest technologies and methodologies
  • Service management and availability assured through ITIL and ISO 20000
  • Customer centric approach working as trusted partners
  • Strong governance and shared ownership of security and service
  • Total focus on health and social care
  • 20 years' of NHS IT experience

Pricing

£350 a virtual machine a month

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at zak.suleman@piksel.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 10

Service ID

7 6 6 0 6 3 7 2 3 3 0 0 3 8 2

Contact

Carelink - Piksel Ltd Zak Suleman
Telephone: 07703818329
Email: zak.suleman@piksel.com

Service scope

Service constraints
Planned maintenance is carried out at pre-scheduled windows but will often not affect the service.

Servers are managed under our ITIL aligned managed service.
System requirements
By default servers are installed with a managed AV package

User support

Email or online ticketing support
Email or online ticketing
Support response times
Response times are dependent on the service impact level of the incident. Where the incident impact is critical and the service is not available then target response times are 30 minutes.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
We provide a single level of support where we deliver a fully managed service for the platform up to OS level with 24x7 monitoring. We take responsibility for the availability of the platform and manage the underlying hardware, hypervisor and system.

Incident resolution is office hours but can optionally be extended to 24x7 for high priority incidents.

All customers have a named Service Delivery Manager and a Technical Architect and Technical Lead available for consultation through the SDM. We provide guidance and advice on getting the best value server architecture, performance and optimisation, security and data protection and compliance with NHS requirements. We'll bring in other experts from the wider business: infosec, DbA, firewall/networks, cloud specialists, devops etc etc wherever required.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We provision and manage the server platform in line with customer requirements, so that they need only be concerned with the deployment of their applications. We assist in this process by providing the necessary secure access and making any configuration changes requested to support the application.

We provide documentation to assist customers in using our secure access solution.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
The method would depend on the nature and volume of the data that needs to be extracted, we can provide a range of tools for this. This could be anything from a simple copy, to a secured online transfer or where large volumes are present, using a physical, portable storage device.
End-of-contract process
At the end of the contract, once all necessary data has been transferred, monitoring is removed, servers are decommissioned and resources returned to the pool, SAN data is overwritten, backups are removed, service desk systems and CMDB are updated. All this is included in the price of the contract. Additional charges may be incurred where large volumes - multi TB - of data require transfer and there is a direct cost to us to provide this.

Using the service

Web browser interface
No
API
No
Command line interface
Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
Using the command line interface
Users are provided with RDP or CMD line access to the server platforms for deployment and management of their applications. This access is provided on a least rights basis. Changes to the base server configuration, operating system and components, and reboots would normally be executed by us in order to maintain an audit trail of low level changes that have taken place and enable us to ensure the stability and availability of the platform.

We take a pragmatic approach and try to find the balance between giving customers the rights they need to work efficiently, while also being able to maintain our responsibility for the availability of the service.

Scaling

Scaling available
No
Independence of resources
We monitor capacity of the overall platform and manage this in line with our ITIL and ISO 20000 Capacity Management and Planning practices.
Usage notifications
Yes
Usage reporting
  • Email
  • Other

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types
Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Physical access control, complying with CSA CCM v3.0
Data sanitisation process
Yes
Data sanitisation type
Hardware containing data is completely destroyed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
Yes
What’s backed up
  • Virtual machines using Veeam
  • Files using Asigra Televaulting
Backup controls
Backups are performed on a daily basis by default, as part of the managed service. Further backups can be scheduled to backup specific elements at different times. This would be implemented by the managed service team as a change request and additional charges may be incurred.
Datacentre setup
Multiple datacentres
Scheduling backups
Users contact the support team to schedule backups
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • IPsec or TLS VPN gateway
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
We provide an expected up-time of 99.95% for customers hosted at a single site without DR capability. Dual data centre architectures have higher expected up-times, dependent on the specific design of the platform. Service credits can be provided in cases where the SLA is breached. The level and triggering of these is agreed at service inception and included in the SLA.
Approach to resilience
Our entire infrastructure is designed from the ground up with no single points of failure. Networks, firewalls, switches, routers, physical servers and storage are all configured with redundancy and automated fail over capability, to provide a highly available virtual hosting platform.

We can provide detailed information on the technology and configurations that we have in place on request.
Outage reporting
We would notify customers by email and telephone and continue those communications throughout the incident to resolution.

Identity and authentication

User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Access to management interfaces and support channels is restricted by the use of Two-Factor-Authentication and protected by SSL VPN.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
You control when users can access audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
SGS
ISO/IEC 27001 accreditation date
5/12/2014
What the ISO/IEC 27001 doesn’t cover
It covers the full scope of our operational activities.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • IGSoC and N3 Aggregator
  • CN-SP for HSCN once launched
  • CAS(T) pending

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
We have a formal documented ISMS that provides the framework for our ISO27001 certification. A key component of this is our suite of 21 security policies covering all aspects of security controls. These policies are regularly and routinely reviewed and updated and are stored on the corporate intranet to ensure they are available to all staff.

All staff receive security awareness training which includes the core requirements of these policies and these policies are also endorsed by the company executive. A statement expressing this endorsement is published on the intranet alongside the policies to ensure its visibility to all staff.

We ensure all our policies are complied with by following a program of internal audits to verify and this is further endorsed by independent external audits conducted in support of ISO27001 certification every 6 months.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Our Configuration and Change Management approach is aligned with ITIL and is ISO 20000 certified.

We maintain a CMDB to record and track components (Configuration Items - CI) through their lifetime.

Each change is logged as a Request for Change - RFC - by our Service Desk and enter the Change Management process. Any RFC affecting a CI is reviewed by the Change Advisory Board - CAB. The CAB includes members of our Information Security team who assess the potential security impact of each CI RFC.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Vulnerability Management forms part of our ISO 27001 certification.

We operate a continuous Vulnerability Assessment process with routine scanning of environments to identify and mitigate vulnerabilities.

We monitor a variety of external channels and internal devices for awareness of emerging threats.

We carry out annual Check Approved Penetration Testing of our internal and external networks and infrastructure and complete remedial follow up actions where required.

Where our Information Security team has classified a patch as an emergency we initiate our Emergency Change process and have the ability to deploy the patch immediately, at the discretion of our Information Security Officer.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Protective Monitoring forms part of our ISO 27001 certification and is the responsibility of our Information Security team.

Potential compromises are identified by the active monitoring of a range of logs, audits, reports and alerts provided by network boundary devices and internal network and server activity.

Security Incidents are assigned to our Information Security team by our Service Desk. The Information Security team will assess the impact and work with technical operations to mitigate and take remedial action.

A security compromise would have the highest priority and be responded to in less than 30 minutes.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Incident Management forms a key part of our ITIL aligned managed service and ISO 20000 certification.

We have a well defined Incident Management process, for all common events, centred on our 24/7 Service Desk.

Users log incidents to the Service Desk by telephone or email and these are assigned to the customer-specific engineering team. Each customer team has a Service Delivery Manager who is responsible for maintaining the service within the agreed SLA and communicating the details of Incidents to customers in Incident Reports. Where disruption has occurred the SDM will provide a Service Outage Analysis to the customer.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Yes
Who implements virtualisation
Supplier
Virtualisation technologies used
VMware
How shared infrastructure is kept separate
Environments are segregated at both a network level using vLAN and at hypervisor level. Further details are available on request.

Energy efficiency

Energy-efficient datacentres
Yes

Pricing

Price
£350 a virtual machine a month
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
We can provide a trial period for organisations who have a requirement to assess the solution. This is at our discretion and is assessed on a case by case basis. It would include the full service for a restricted number of machines for a limited time.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at zak.suleman@piksel.com. Tell them what format you need. It will help if you say what assistive technology you use.