Nine23

Mobileiron Managed Private Cloud Official-Sensitive Unified Endpoint Management Platform FLEX

FLEX, A fully managed Nine23 owned infrastructure enterprise mobility management platform Accredited(NCSC/GPG) to OFFICIAL-SENSITIVE-SECRET ready to onboard mobile, tablet, and laptop devices from any operating system including iOS, Android, and Windows10. Encompassing the entire management/audit requirements from MDM, App Store, Content Management, secure endpoint hosting, performance, DR and SIEM reporting.

Features

• Secure scaleable Nine23 owned UK hosted managed platform Accredited OFFICIAL-SENSITIVE-SECRET
• Walled garden boundary protection NCSC Secure by default PSN/HSCN/RLI
• Secure remote access to sensitive corporate data using always-on VPN
• NCSC Cloud security principles in fully managed scaleable IaaS/PaaS/public/hybrid environments
• NCSC secure End User Device Guidance profiles UEM/MDM/EMM enterprise mobility
• Complete secure turnkey solution for managing secure endpoints at Official-Senstive
• Management/Service reporting provided on platform usage and performance
• AV, Patching, Monitoring, Base OS Management, security monitoring, DR management
• Built-in scaling cloud hosting requirements VMWare cloud architecture Android/Apple/Linux/Windows
• Secure connection government networks & accessible to internet capability GSI/HSCN/PSN/PND

Benefits

• Native mobile experience for end-users from fully accredited cloud infrastructure
• Complete end-to-end secure managed solution set-up and in service quickly
• Connect mobiles to secure services on HSCN/PSN/PND via one platform
• Complete end-to-end secure managed solution set-up and in service quickly
• Secure PSN Code of service/code of connection accredited gateway provider
• Fully Managed secure official-sensitive service NCSC Cloud Security Principles
• Secure-container App Secure-messaging Secure-calls Secure-endpoint secure-cloud Remote Device-wipe
• Secure your estate of mobile devices with innovative MDM/EMM/UEM solution
• Secure remote access to enable the remote worker connectivity PSN/HSCN/PND
• Samsung-Knox iOS Windows 10 & Android deployments Secure containerisation

£1,750 an instance a month

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@nine23.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

908824001444204

Contact

Stuart McKean
+44 (0) 23 8202 0300
gcloud@nine23.co.uk

Service scope

• Service constraints: No service contraints yet identified.
• System requirements:
  • System outline will be discussed with client
  • No pre-conditions or extra licences required outside the service
  • Mobiliron Core
  • MobileIron licences are transferred, or purchased as part of service

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within one hour
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Onsite support
• Support levels: We are ISO 20000 certified for Service Management, we provide a standardised SLA for clients to ensure the service is understood by you and is sufficiently supported by our engineers. You will be able to interact directly with engineers who know your account and can deal with issues directly without having to first negotiate an unskilled Helpdesk.; All helpdesk staff are SC and NPPV3 cleared.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Clients can follow documentation on how to initiate and start receiving our services. This can be augmented with training onsite, or delivered remotely. We deliver a standardised service, honed during deliveries to existing public sector clients, meaning a low risk and swift deployment without unexpected consultancy costs.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • ODF
  • PDF
• End-of-contract data extraction: Client will provide secure physical media to Nine23, which will then be populated with the specified client data and returned to the client.
• End-of-contract process: The client will have been given the data they need to keep for archive or transition purposes. Any managed devices are taken off management which will wipe enterprise and managed data from the devices. The client is then free to undertake any disposal requirements that may be stipulated under IS5. Hosted areas are then made inaccessible to the internet and deleted. This is all provided without cost to the client. Any additional services will be charged based on the day rates on our SFIA rate card.

Using the service

• Web browser interface: No
• API: No
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type:
  • Automatic
  • Manual
• Independence of resources: Technical separation of resources to client areas is achieved at virtualisation level so that one client is not competing for the same resources as another; client areas are independent private clouds so processing is not shared. Our ITIL aligned service processes have defined scaling markers to ensure the service team is not short-staffed.
• Usage notifications: Yes
• Usage reporting: Email

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
• Other metrics:
  • GPG13 compliant reports
  • Number of managed devices, users, applications, etc.
  • Compliance and non-compliance status and reasons
  • Number and lists of active and inactive users
  • OS and application versions and usage splits
• Reporting types:
  • Real-time dashboards
  • Regular reports

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Mobileiron

Staff security

• Staff security clearance: Conforms to BS7858:2012
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest: Physical access control, complying with CSA CCM v3.0
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: In-house destruction process

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Virtual Machines
  • Configurations of machines, firewalls and applications dependent on VSS compliance
  • Profiles
• Backup controls: Standard back ups are taken for client data and platforms. Additional requirements are discussed at the outset of the service so that more frequent, or longer archiving of backups can take place, which may be required for the client accreditation.
• Datacentre setup:
  • Multiple datacentres with disaster recovery
  • Multiple datacentres
  • Single datacentre with multiple copies
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: We provide SLAs to each client outlining the expected availability of each service. Unplanned outages that lead to decreased availability from the levels set out in the SLAs lead to credits on those services during the next period.
• Approach to resilience: Architectural resiliency is designed into the hosted environment and is backed by the Tier 3+ UK Data Centre. Details can be given to clients upon request.
• Outage reporting: Email alerts to nominated client representatives, with quantitative and qualitative detail.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: We restrict mangement interface access to known personnel on known devices that are authenticated with 2FA and connect via vpn to secured management hosts with limited permissions.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
• Devices users manage the service through:
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks

Audit information for users

• Access to user activity audit information: Users receive audit information on a regular basis
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users receive audit information on a regular basis
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: UKAS
• ISO/IEC 27001 accreditation date: 03/05/20
• What the ISO/IEC 27001 doesn’t cover: 14.1.1 Information security requirements analysis and specification ; 14.1.2 Securing applications services on public networks ; 14.1.3 Protecting application services transactions ; 14.2.1 Secure development policy ; 14.2.6 Secure development environment ; 14.2.7 Outsourced development ; 14.3.1 Protection of Test Data; 16.1.7 Collection of evidence
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: Yes
• Any other security certifications:
  • Government Ministries' accreditations at OFFICIAL-SENSITIVE (available on request)
  • Cyber Essentials Plus
  • 14 Cloud Security Principles
  • NPPV3 Vetting
  • NCSC Secure Communications Principles
  • NHS DSP IG Toolkit - Passed
  • SC Clearances for all Engineering, Project Helpdesk staff

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Independently tested and accredited by existing government clients. References available on request.; ; Cyber Essentials Plus; ; NHS DSP IG Toolkit - Standards exceeded
• Information security policies and processes: We apply ISO27001, 20000 and 9001, NCSC and industry best practice to ensure 14 Cloud Security Principles are applied during design, deployment, operation, and decommission. We provide IS1&2 compliant RMADS and maintain our own Security Management Plan which is integral to our ISO9001, 27001, 20000 accreditation, which is independently audited every year.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Services are configured and documented for reference. Changes are initiated with internal or external requests that start a Change Acceptance Process, during which the business imperative, security risks, user impact, and costs are considered. A lightweight process is adopted for agility of service, but If necessary, a full security impact assessment is undertaken and when the requisite authorisations are received, the change is effected and documentation updated.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We subscribe to a number of vulnerability and threat monitoring agencies including the NCSC threat newsletter. A baseline patching process is maintained monthly for all services, and emergency responses to critical threats are evaluated and actioned appropriately.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Our protective monitoring tools examine SIEM data from our platform and client areas, including GPG13 compliant reporting. Incidents are responded to appropriately based on the severity of the event.
• Incident management type: Supplier-defined controls
• Incident management approach: Our SyOPs and Security Management Plan outline procedures for incident management and reporting. Our SMP is ISO27k controls and verified by a CCP qualified IA lead.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: VMware
• How shared infrastructure is kept separate: Each client instance is separated at the virtualisation layer to private cloud instances, which are further segregated by multiple separation technologies including CPA firewalls and walled garden architectural patterns.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: UKFast were the first UK hosting company to achieve PAS2060 Carbon Neutral standard, enabling us to offer 100% carbon neutral solutions. Our data centres achieve a PUE of <1.3 at full design load. This means that when the data centre is fully occupied, for every 1.3KW of power input into the data centre, 1KW is delivered to the IT equipment. As a data centre operator with a low PUE we reduce our running costs with efficient technologies, that use less power. We pass these cost savings on to our customers. As part of our commitment to energy efficiency, UKFast are certified to the environmental standards of ISO 14001:2015. UKFast has a voluntary Climate Change Agreements (CCA) which a agreement is made with the Environment Agency to reduce energy use and carbon dioxide (CO2) emissions. Although UKFast are not members of the EU code of conduct for data centres, they do adhere to the requirements of the code of conduct.

Pricing

• Price: £1,750 an instance a month
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@nine23.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.