Carelink HSCN Cloud - Managed VM Service
A secure, highly available virtual platform with connectivity to HSCN and the Internet.
Features
- Secure highly accredited UK based company and facilities
- HSCN and Internet connectivity
- Flexible and expandable virtual servers
- High availability as standard
- Dual data centre DR capability
- Multiple architectures to provide best value
- Built on industry leading infrastructure - HP, EMC, VMware
- ITIL aligned service management
- ISO 27001, 20000, 9001, DPA, IGSoC
- 24x7 Service Desk
Benefits
- Increased efficiency of a single provider for connectivity and infrastructure
- Services available everywhere - web, cloud, HSCN, PSN, JANET
- Security of information assured
- Access from anywhere with secure remote connectivity solutions
- Supporting the latest technologies and methodologies
- Service management and availability assured through ITIL and ISO 20000
- Customer centric approach working as trusted partners
- Strong governance and shared ownership of security and service
- Total focus on health and social care
- 20 years of NHS IT experience
Pricing
£350 a virtual machine a month
- Free trial available
Service documents
Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format,
email the supplier at zak.suleman@piksel.com.
Tell them what format you need. It will help if you say what assistive technology you use.
Framework
G-Cloud 10
Service ID
766063723300382
Contact
Carelink - Piksel Ltd
Zak Suleman
Telephone: 07703818329
Email: zak.suleman@piksel.com
Service scope
- Service constraints
-
Planned maintenance is carried out at pre-scheduled windows but will often not affect the service.
Servers are managed under our ITIL aligned managed service.
- System requirements
- By default servers are installed with a managed AV package
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Response times are dependent on the service impact level of the incident. Where the incident impact is critical and the service is not available then target response times are 30 minutes.
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 24 hours, 7 days a week
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
-
We provide a single level of support where we deliver a fully managed service for the platform up to OS level with 24x7 monitoring. We take responsibility for the availability of the platform and manage the underlying hardware, hypervisor and system.
Incident resolution is office hours but can optionally be extended to 24x7 for high priority incidents.
All customers have a named Service Delivery Manager and a Technical Architect and Technical Lead available for consultation through the SDM. We provide guidance and advice on getting the best value server architecture, performance and optimisation, security and data protection and compliance with NHS requirements. We'll bring in other experts from the wider business (infosec, DBA, firewall/networks, cloud specialists, devops etc.) wherever required.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
-
We provision and manage the server platform in line with customer requirements, so that they need only be concerned with the deployment of their applications. We assist in this process by providing the necessary secure access and making any configuration changes requested to support the application.
We provide documentation to assist customers in using our secure access solution.
- Service documentation
- Yes
- Documentation formats
- End-of-contract data extraction
- The method would depend on the nature and volume of the data that needs to be extracted; we can provide a range of tools for this. This could be anything from a simple copy, to a secured online transfer or, where large volumes are present, a physical, portable storage device.
- End-of-contract process
- At the end of the contract, once all necessary data has been transferred, monitoring is removed, servers are decommissioned and resources returned to the pool, SAN data is overwritten, backups are removed, service desk systems and CMDB are updated. All this is included in the price of the contract. Additional charges may be incurred where large volumes - multi TB - of data require transfer and there is a direct cost to us to provide this.
Using the service
- Web browser interface
- No
- API
- No
- Command line interface
- Yes
- Command line interface compatibility
-
- Linux or Unix
- Windows
- Using the command line interface
-
Users are provided with RDP or CMD line access to the server platforms for deployment and management of their applications. This access is provided on a least rights basis. Changes to the base server configuration, operating system and components, and reboots would normally be executed by us in order to maintain an audit trail of low level changes that have taken place and enable us to ensure the stability and availability of the platform.
We take a pragmatic approach and try to find the balance between giving customers the rights they need to work efficiently, while also being able to maintain our responsibility for the availability of the service.
Scaling
- Scaling available
- No
- Independence of resources
- We monitor capacity of the overall platform and manage this in line with our ITIL and ISO 20000 Capacity Management and Planning practices.
- Usage notifications
- Yes
- Usage reporting
-
- Other
Analytics
- Infrastructure or application metrics
- Yes
- Metrics types
-
- CPU
- Disk
- HTTP request and response status
- Memory
- Network
- Number of active instances
- Reporting types
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Security Clearance (SC)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
- Protecting data at rest
- Physical access control, complying with CSA CCM v3.0
- Data sanitisation process
- Yes
- Data sanitisation type
- Hardware containing data is completely destroyed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Backup and recovery
- Backup and recovery
- Yes
- What’s backed up
-
- Virtual machines using Veeam
- Files using Asigra Televaulting
- Backup controls
- Backups are performed on a daily basis by default, as part of the managed service. Further backups can be scheduled to back up specific elements at different times. This would be implemented by the managed service team as a change request and additional charges may be incurred.
- Datacentre setup
- Multiple datacentres
- Scheduling backups
- Users contact the support team to schedule backups
- Backup recovery
- Users contact the support team
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- Private network or public sector network
- IPsec or TLS VPN gateway
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
- We provide an expected up-time of 99.95% for customers hosted at a single site without DR capability. Dual data centre architectures have higher expected up-times, dependent on the specific design of the platform. Service credits can be provided in cases where the SLA is breached. The level and triggering of these is agreed at service inception and included in the SLA.
- Approach to resilience
-
Our entire infrastructure is designed from the ground up with no single points of failure. Networks, firewalls, switches, routers, physical servers and storage are all configured with redundancy and automated fail over capability, to provide a highly available virtual hosting platform.
We can provide detailed information on the technology and configurations that we have in place on request.
- Outage reporting
- We would notify customers by email and telephone and continue those communications throughout the incident to resolution.
Identity and authentication
- User authentication
-
- 2-factor authentication
- Identity federation with existing provider (for example Google apps)
- Limited access network (for example PSN)
- Dedicated link (for example VPN)
- Username or password
- Access restrictions in management interfaces and support channels
- Access to management interfaces and support channels is restricted by the use of Two-Factor-Authentication and protected by SSL VPN.
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
-
- 2-factor authentication
- Dedicated link (for example VPN)
- Username or password
- Devices users manage the service through
-
- Dedicated device on a segregated network (provider's own provision)
- Dedicated device on a government network (for example PSN)
- Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
Audit information for users
- Access to user activity audit information
- Users contact the support team to get audit information
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- You control when users can access audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- Between 6 months and 12 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- SGS
- ISO/IEC 27001 accreditation date
- 5/12/2014
- What the ISO/IEC 27001 doesn’t cover
- It covers the full scope of our operational activities.
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Other security certifications
- Yes
- Any other security certifications
-
- IGSoC and N3 Aggregator
- CN-SP for HSCN once launched
- CAS(T) pending
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
-
We have a formal documented ISMS that provides the framework for our ISO27001 certification. A key component of this is our suite of 21 security policies covering all aspects of security controls. These policies are regularly and routinely reviewed and updated and are stored on the corporate intranet to ensure they are available to all staff.
All staff receive security awareness training which includes the core requirements of these policies and these policies are also endorsed by the company executive. A statement expressing this endorsement is published on the intranet alongside the policies to ensure its visibility to all staff.
We ensure all our policies are complied with through a programme of internal audits, and this is further endorsed by independent external audits conducted in support of ISO27001 certification every 6 months.
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
-
Our Configuration and Change Management approach is aligned with ITIL and is ISO 20000 certified.
We maintain a CMDB to record and track components (Configuration Items - CI) through their lifetime.
Each change is logged as a Request for Change (RFC) by our Service Desk and enters the Change Management process. Any RFC affecting a CI is reviewed by the Change Advisory Board (CAB). The CAB includes members of our Information Security team who assess the potential security impact of each CI RFC.
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
-
Vulnerability Management forms part of our ISO 27001 certification.
We operate a continuous Vulnerability Assessment process with routine scanning of environments to identify and mitigate vulnerabilities.
We monitor a variety of external channels and internal devices for awareness of emerging threats.
We carry out annual CHECK-approved Penetration Testing of our internal and external networks and infrastructure and complete remedial follow-up actions where required.
Where our Information Security team has classified a patch as an emergency we initiate our Emergency Change process and have the ability to deploy the patch immediately, at the discretion of our Information Security Officer.
- Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
-
Protective Monitoring forms part of our ISO 27001 certification and is the responsibility of our Information Security team.
Potential compromises are identified by the active monitoring of a range of logs, audits, reports and alerts provided by network boundary devices and internal network and server activity.
Security Incidents are assigned to our Information Security team by our Service Desk. The Information Security team will assess the impact and work with technical operations to mitigate and take remedial action.
A security compromise would have the highest priority and be responded to in less than 30 minutes.
- Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
-
Incident Management forms a key part of our ITIL aligned managed service and ISO 20000 certification.
We have a well defined Incident Management process, for all common events, centred on our 24/7 Service Desk.
Users log incidents to the Service Desk by telephone or email and these are assigned to the customer-specific engineering team. Each customer team has a Service Delivery Manager who is responsible for maintaining the service within the agreed SLA and communicating the details of Incidents to customers in Incident Reports. Where disruption has occurred the SDM will provide a Service Outage Analysis to the customer.
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Separation between users
- Virtualisation technology used to keep applications and users sharing the same infrastructure apart
- Yes
- Who implements virtualisation
- Supplier
- Virtualisation technologies used
- VMware
- How shared infrastructure is kept separate
- Environments are segregated at both a network level using vLAN and at hypervisor level. Further details are available on request.
Energy efficiency
- Energy-efficient datacentres
- Yes
Pricing
- Price
- £350 a virtual machine a month
- Discount for educational organisations
- No
- Free trial available
- Yes
- Description of free trial
- We can provide a trial period for organisations who have a requirement to assess the solution. This is at our discretion and is assessed on a case by case basis. It would include the full service for a restricted number of machines for a limited time.