BMT Defence Services Limited

RLI Application & Website Hosting

BMT provide secure hosting of classified UK MOD systems via the Restricted LAN Interconnect (RLI). We provide first and third line helpdesk support and off/on-site training packages. Our service includes hosting support, high system availability and daily backups of all data and documentation stored within websites and back-end databases.

Features

  • Secure RLI hosting
  • Classified data storage and hosting
  • First and third line software helpdesk/technical support
  • Email, phone and on-site helpdesk support
  • Incident and Problem management and resolution
  • Provision of off-site and on-site training courses
  • Service Level Agreements
  • System administration
  • Backup & Recovery, including secure off-site backup storage
  • ISO27001 accredited security

Benefits

  • Robust and secure hosting/support infrastructure underpinned by ITIL principles
  • Excellent 24/7/365 hosting uptime statistics
  • Proven, scalable hosting service which accommodates large-scale data/user expansions
  • Responsive and friendly helpdesk/support staff putting users at ease
  • Rapid response to support requests with quick resolution times
  • Proven support experience with high levels of user satisfaction
  • Customised training courses to meet needs of specific user groups
  • Confidence in hosting service regularly audited under ISO9001/27001 certification
  • Service Level Agreements to meet user needs
  • Pay for what you use pricing model

Pricing

£5000 per unit per year

Service documents

Framework

G-Cloud 11

Service ID

801849915637030

Contact

BMT Defence Services Limited

Sonia Taylor

01225 473622

Sonia.Taylor@bmtglobal.com

Service scope

Service constraints
Service Desk support available within office hours Mon-Fri 07:00-17:30 (not including English Bank Holidays)
System requirements
  • Microsoft ASP.NET or Classic ASP web application/website hosting
  • Microsoft SQL Server back-end

User support

Email or online ticketing support
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
BMT provide different Service Level Agreement options, dependent on the criticality of the hosted system and the customer needs. Our SLAs have defined reporting procedures, incident categories and priorities (determined by impact and urgency) that drive response/resolution timescales against all support requests.
Our Service Desk is available between 07:00 – 17:00 (UK hours) Monday to Friday excluding English Public Holidays. Users can call our Service Desk directly or email the Service Desk with any issues. All of our hosting options are backed up by a Service Desk team which is comprised of a number of experienced first line support technicians, software developers and test analysts.
We are also able to provide training packages comprising on-site classroom training sessions, administrable on-line training/guidance tools and web-enabled, interactive, SCORM-compliant training systems.
For Content Management System (CMS) hosting, we also provide system administration support options which can include system configuration changes and content updates.
For hosting/support costs, please see the Pricing Document.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
In addition to our standard support package, we are also able to provide training packages comprising on-site classroom training sessions, administrable on-line training/guidance tools and web-enabled, interactive, SCORM-compliant training systems.
We can also provide technical guidance and on-site visits to help capture and understand your requirements and map your requirements to a suitable hosting service.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
At the end of the contract, BMT provide the customer with a copy of all software files and databases for potential migration to a new hosting service. Where applicable, BMT also provide the relevant supporting documentation including:

- Technical specifications;
- Help/User Guides;
- Functional documentation;
- Technical proposals;
- Data models;
- Architectural diagrams;
- System Deployment Guides;
- Technology stack/licensing requirements.
End-of-contract process
The end of contract data extraction and provision to the customer is included in the price of the contract.

In addition, we also offer handover meetings with new hosting providers to cover the relevant architectures of the system to ensure the new supplier is fully ready upon switchover of hosting services. These meetings are also used to provide the new supplier with all required assistance - including systems training for support, data migration assistance, hardware sizing and usage statistics.

Using the service

Web browser interface
No
API
No
Command line interface
No

Scaling

Scaling available
No
Independence of resources
BMT's hosting environment allows for individual services to have resources throttled and / or dedicated per service. This includes storage capacity, processing capacity and bandwidth.
Usage notifications
Yes
Usage reporting
  • Email
  • Other

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • CPU
  • Disk
  • Memory
  • Network
  • Other
Other metrics
  • System Performance Metrics
  • Uptime statistics
  • Helpdesk Logs
  • Incident Logs, including resolution times
Reporting types
Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
Other
Other data at rest protection approach
All data resides on systems that are accredited by Defence Assurance Information Security (DAIS) to hold information up to Official-Sensitive. BMT holds ISO27001:2013 certification. The ICT systems comply with the Defence Cyber Protection Partnership (DCPP) Medium level risk profile including Cyber Essentials Plus certification.
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Hardware containing data is completely destroyed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
Yes
What’s backed up
  • Virtual Machines
  • Logs
  • Application Files
  • Databases
  • Uploaded Document Files
Backup controls
BMT control the backup service. The web hosting servers are backed-up at 12pm and 7pm daily and the Microsoft SQL Server databases are backed up at 7pm daily. These backup files are transported via an encrypted fibre link to a separate BMT office, so there is no risk in physical transportation of MOD files. We provide the customer with a Backup & Recovery Schedule to demonstrate the process that is in place, including mitigation against loss of data and maintenance of data integrity.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Users contact the support team to schedule backups
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • Other
Other protection between networks
Firewall. Majority of ports are closed except those specifically used for NET use and SSH when required.
Data protection within supplier network
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection within supplier network
All data resides on systems that are accredited by Defence Assurance Information Security (DAIS) to hold information up to Official-Sensitive. BMT holds ISO27001:2013 certification. The ICT systems comply with the Defence Cyber Protection Partnership (DCPP) Medium level risk profile including Cyber Essentials Plus certification.

Availability and resilience

Guaranteed availability
Under our ISO 27001:2013 accreditation, BMT has implemented a number of controls to ensure that we mitigate any risks associated with the integrity, confidentiality and availability of our systems. We typically provide a contractual agreement to a minimum of 99.5% uptime.

BMT agrees a Service Level Agreement (SLA) with each buyer for our cloud hosting service. In addition to uptime levels, our SLAs have defined reporting procedures, incident categories and priorities (determined by impact and urgency) that drive response/resolution timescales against all support requests.
Approach to resilience
A warm standby site is maintained. Further details available on request.
Outage reporting
Services are provided through virtualised infrastructure which is monitored through the VMware service provision. Alerts are raised to the internal service desk and escalated through the integrated support and infrastructure team on premises.

Identity and authentication

User authentication
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels
Under our ISO 27001:2013 accreditation, BMT has implemented a number of controls to ensure that we mitigate any risks associated with the integrity, confidentiality and availability of our systems.

We develop our services with secure programming principles in mind to ensure that the risk of any malicious activity is mitigated. The data architecture and security model within the websites/applications themselves provide the necessary confidentiality of information as authenticated users can only access areas that they have been granted access to and users without a valid username and password cannot access the application or data at all.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • Limited access network (for example PSN)
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (provider's own provision)
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Lloyds Register
ISO/IEC 27001 accreditation date
14/08/2014
What the ISO/IEC 27001 doesn’t cover
All services are covered by ISO27001:2013
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • Accredited by Defence Assurance Information Security to hold Official-Sensitive information
  • Comply with the Defence Cyber Protection Partnership Medium level risk
  • Cyber Essentials Plus certification

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
The BMT Hosting Support Team is constructed from a number of members of staff from the Information Systems Department within BMT. It is the company’s policy to put every member of staff through the security clearance process and, as such, every staff member working on any hosting-related task has SC level clearance.

Under our ISO 27001:2013 accreditation, BMT has implemented a number of controls to ensure that we mitigate any risks associated with the integrity, confidentiality and availability of our systems.

Our hosting and data centres are protected through anti-virus, software patching, EAL4 firewalls and regular testing by our IT Department. This is demonstrated as a number of our systems are subjected to almost weekly penetration tests which confirm the appropriate controls we have in place.

BMT’s IT Department has a thorough patching policy that is subject to external audits every 6 months as part of our ISO 27001:2013 accreditation. The accredited controls that are in place protect against malicious attacks, viruses, Trojan horses, Denial of Service (DOS) attacks, SQL injections and a range of other threats.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Our Change Management process is initiated from a number of sources which include ICT Strategy, Capacity Management, Incident/Problem Management (which include security incidents) and Service Requests. All Change Requests (RFCs) are recorded in our Service Desk system. Changes are assessed (including security impact assessment) and either approved/scheduled for planning or are rejected. Minor, Major and Significant changes must be approved by the BMT ICT Change Assessment Board (CAB). Changes are implemented as a series of tasks which are recorded and actioned within the BMT Service Desk. Changes are reviewed and closed during weekly management reviews and quarterly strategic reviews.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
BMT has staff who are members of CISP. Additionally, the SIEM solution used within the infrastructure (AlienVault) provides real-time threat updates and analyses internal traffic for signatures.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The SIEM solution used within the infrastructure (AlienVault) provides real-time threat updates and analyses internal traffic for signatures. Incidents are managed by the integrated service team and escalated to third parties (including HMG) if outside of internal skill profile.
Incident management type
Supplier-defined controls
Incident management approach
Incidents are raised by email, phone or personal contact (site visit). The impact and urgency are selected using the appropriate matrix as a guide. Priority is automatically assigned and SLA targets set.

Initial analysis of an incident identifies the timescales for resolution and the requester is notified.

The incident is passed to the appropriate management process, if required.

Once the incident has been resolved, the Requester is notified and prompted to mark the incident as closed or respond to reinstate the incident.

A user or analyst can reinstate a resolved incident if necessary.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Yes
Who implements virtualisation
Supplier
Virtualisation technologies used
VMware
How shared infrastructure is kept separate
All applications and services are provided through segmented virtualised servers. Each application can be self-contained with its own virtual server.

Energy efficiency

Energy-efficient datacentres
No

Pricing

Price
£5000 per unit per year
Discount for educational organisations
No
Free trial available
No
