Secure Desktop delivers a secure, managed, desktop including Office 365 and business specific applications. Accessible from desktops, laptops, tablets, phones and thin clients it meets OFFICIAL and OFFICIAL-SENSITIVE security needs.
- Secure End User Computing: with all data held centrally.
- Integrated Office 365, Secure E-mail and filtered Web Browsing.
- Accessibility supporting BYOD: using any device with an internet connection.
- Application Centric: Applications delivered for native user experience.
- Accounts configurable to user profiles for knowledge workers/ power users.
- Optional mobile device integration with MDM/MAM /EMM services.
- Data protection: full recovery of all data capability.
- Options for graphic acceleration for power users.
- Desktop AV and intrusion detection service included.
- Comprehensive service catalogue.
- Lower Total Cost of Ownership.
- Reduced attack surface.
- IT Support personnel based in optimized locations.
- Data encrypted in transit.
- Centralised patching and update.
- Profiles follow users rather than being tied to desks.
- Desktop as a Service based on ‘pay-as-you-use’ model.
- Flexible swift response to both increases and reductions in demands.
- Security through two-factor authentication and data centre storage.
- DaaS model accommodates enterprise specific Application Delivery.
£46.75 to £171.30 per user per month
|Software add-on or extension||No|
|Cloud deployment model||Public cloud|
The Services are always available except for:
• scheduled maintenance carried out during a regular maintenance window, such as backups, database administration and log processing.
• Public holidays (in England and Wales) where the service desk will not be manned.
For scheduled maintenance windows we will give customers at least 4 weeks notice, and endeavour to schedule the windows for lower impact time periods. Over any 12 month period, the average maintenance windows will not exceed 4 hours per month.
All users, configurators and administrators will require internet access or connectivity through the government secure internet to the platform.
|Email or online ticketing support||Email or online ticketing|
|Support response times||Initial response within one hour, Monday to Friday 0800 to 1800. No response at weekends.|
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||Web chat|
|Web chat support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support accessibility standard||None or don’t know|
|How the web chat support is accessible||Web chat is based around Slack which can be acessed by any web browser that supports HTML5 or its own desktop client, and can also accessible programmatically via its API.|
|Web chat accessibility testing||Nil.|
|Onsite support||Yes, at extra cost|
There are two Service levels offered:
• Standard, which provides support during the working day, supported by 24/7 monitoring.
• Enhanced, which allows for long day or 24/7 support where required. Enhanced support incurs additional charges.
All Service Levels include a full ITIL Service Management system including Incident, Problem and Change Management, Release and Deployment Management, Access,
Availability and Capacity Management, Service Measurement and Reporting.
A Technical Account Manager will own the relationship and be responsible for ensuring that the service meets the customers’ needs.
Level 1 Support responds to helpdesk queries, simple resolution such as passwords and account changes.
Level 2 Support includes: Infrastructure support, responding to all support issues in line with agreed SLAs, performing root cause analysis of problems, including raising tickets for other 3rd party support providers, if required.
Level 3 application support issue fixes are provided either by client or third party delivery teams, with support issues added to the story backlog for prioritisation by the product owner.
Disaster Recovery processes are assumed to have been designed and implemented as part of systems and applications development. Our support offering includes carrying out any agreed disaster recovery procedures where these are not automated.
|Support available to third parties||Yes|
Onboarding and offboarding
A Service Specialist will work with the client to understand the scope and nature of the required services, including: the deployment process, any integration requirements of legacy services/applications, end users, segmentation and associated security profiles. Details include agreeing reporting requirements and scheduling, formats and transportation. This will normally take place prior to contract award.
It is assumed that the Customer will work together with the Support team to decide on roles and responsibilities of customer and supplier. Customer will work together with the Support Team on the requirements for the cloud environment and provide sign-off on the same before commencement of services.
Designated and authorized resource from customer side will actively work with Support Team to resolve any dependencies on the customer team.
We will provide User Guides, both online and in crib card format as part of user activation.
Onsite training can also be provided as an additional charged item.
|End-of-contract data extraction||
All data will be returned to the client, on CD or DVD, in the original format it was stored and managed. Additional formats, such as client specific XML, or export mechanisms can be provided at extra cost.
Log data can also be transferred and is charged in accordance with our SFIA rates.
Termination of service, for any reason, triggers the development and implementation of a Termination phase. A Termination Plan will be produced and agreed with the customer. A generic termination plan is available, on request, and this will be tailored to reflect appropriate roles and responsibilities. Production of this tailored plan is included within the service price.
On termination of the service, all client data will be destroyed in accordance with Anson Resolution Information Assurance processes, which are appropriate for Official and Official Sensitive data. For particularly sensitive data additional Government approved sanitization or destruction mechanisms can be deployed, at extra cost.
Using the service
|Web browser interface||Yes|
|Application to install||Yes|
|Compatible operating systems||
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||None.|
|Accessibility standards||None or don’t know|
|Description of accessibility||Web interface.|
|Description of customisation||
The service Provider can customise the Service to provide:
- Enhanced User Profiles (more memory, storage, etc).
- Graphics Acceleration.
This will be implemented in response to a Service request, and incurs extra charges.
|Independence of resources||
Resource pool sized to meet maximum demand.
Utilisation is constantly monitored and the capacity management process puts additional resources into the pool before limits are reached.
|Service usage metrics||Yes|
Call response time.
Backup and Restore Testing.
Service Request fulfillment.
|Reporting types||Regular reports|
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Supplier-defined controls|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||Physical access control, complying with another standard|
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||Data can be exported and passed returned to the client, on CD or DVD, in the original format it was stored and managed. Additional formats, such as client specific XML, or export mechanisms can be provided at extra cost.|
|Data export formats||
|Data import formats||
|Data protection between buyer and supplier networks||
|Data protection within supplier network||IPsec or TLS VPN gateway|
Availability and resilience
Availability 97.0%. Users are credited a service credit of up to 10% of monthly charge (15% for Enhanced support) if availability falls below this level.
Standard SLAs are assumed as:
• 0800 to 1800 for Standard Support.
• 24x7 Access For Enhanced Support and Crisis incidents only.
|Approach to resilience||Available on request.|
Voice Service Message.
Identity and authentication
|User authentication needed||Yes|
|User authentication||2-factor authentication|
|Access restrictions in management interfaces and support channels||
There is no access from User Accounts to management interfaces.
System Admins access management capabilities from dedicated machines connected via an SSTP VPN requiring proprietary Certificates.
|Access restriction testing frequency||At least once a year|
|Management access authentication||2-factor authentication|
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||Between 1 month and 6 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||No|
|Named board-level person responsible for service security||Yes|
|Security governance certified||No|
|Security governance approach||Security Governance follows the ISO 27001 model. Certification is being applied for.|
|Information security policies and processes||
NOC/SOC are responsible for monitoring systems and responding to customer events. In the first instance they are accountable to the Head of Customer Support, whose responsibilities include the secure operation of all systems. Where appropriate they pass issues for resolution to either the System Design Authority, they do, however, retain ownership of the issues’ resolution.
The Chief Security Officer (CSO) is responsible for all aspects of security of the company and its services. He:
• Runs an internal and external audit programme to ensure that policies are being adhered to and are effective.
• Maintains a record of who has signed SyOps and what access they have been granted.
• Has oversight of the development, maintenance and update of risk assessments.
• Runs a security training programme for all staff.
• Is available to provide advice on the handling of security incidents.
The CSO is directly accountable to the CEO.
The System Design Authority owns the Change process including making security assessments of change impacts, and where appropriate obtaining advice from the CSO.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
The System Design Authority owns the Configuration Management Database and process.
Configuration items are discovered through an automated process. Verification audits take place prior to, and after, major changes, and recovery of a major incident. Additionally Configuration verification is conducted periodically.
Change Process: Classification begins when an incident or change is identified. If appropriate a Change Request is raised and passed for Evaluation where the impact is quantified including assessing the security implications. Modeling and Testing is conducted to ensure that the impact on the environment is fully understood. In Implementation the change is embodied and Configuration Items recorded.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
Regular vulnerability scans are performed on the system.
On identification, Vulnerabilities are prioritised based on the Common Vulnerability Scoring System (CVSS) Version 3. This uses analysis of the Exploitability and Impact of a Vulnerability to generate an initial assessment of its priority, and to track the progressive impact of mitigations applied.
Normally a 4 week Test and Patch cycle is employed, however, there is also a facility for expedited deployment of urgent patches as an emergency Change, identified either by CVSS scoring or by early warning from organisations such as CiSP, Threat Intelligence or Customer CERTs.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
Log Data is recorded to a policy aligned with CESG Good Practice Guide 13 (GPG 13) Recording Profile A (Aware), which is appropriate for Official Data. Enhanced collection to align with GPG 13 Recording Profiles B (Deter), C (Detect/Resist), D (Defend) for data of greater sensitivity can also be provided at additional cost
The data we monitor includes: Integrated dynamic asset management and network discovery, log and event correlation and analysis, Network Traffic Analysis, Deep Packet Inspections, IDS, Vulnerability Scanning, Blacklist monitoring, Privileged User monitoring, Collaboration and continuous service improvement.
|Incident management type||Supplier-defined controls|
|Incident management approach||
Incidents can be triggered either by Customer issues or in response to system events. Standard processes are defined for common events.
Initial Customer Response:
• Priority 1 –15 minutes
• Priority 2 –4 hours
• Priority 3 –12 hours
• Priority 4 –24 hours
• Priority 1 –8 hours
• Priority 2 –16 hours
• Priority 3 –24 hours
• Priority 4 –28 hours
In response to either a very high Business Impact or multiple related instances a Major Incident can be declared, bringing a higher level of support resourcing and a dedicated Incident communications channel.
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||Yes|
|Price||£46.75 to £171.30 per user per month|
|Discount for educational organisations||No|
|Free trial available||No|