Secure Information Assurance Ltd

SecureIA Software as a Service

SecureIA enables the sharing and hosting of OFFICIAL/OFFICIAL-SENSITIVE information between HMG Departments and stakeholders via Internet and Private WANs (RLI/SMI, PSN and HSCN). SecureIA provides a secure environment, accessible from a range of end-points. Our flexible technology platforms enable user-focused applications to be delivered in a secure and low-cost way.


  • OFFICIAL/OFFICIAL-SENSITIVE Remote Access Service via Internet, RLI, PSN or HSCN.
  • Document Sharing and Collaboration (inc: SharePoint, eRooms).
  • Competitive Tendering and Bid Decision Support applications.
  • Digital Asset Management repository and applications.
  • eDisclosue and Discovery applications.
  • Database applications.
  • Map Centric Data visualisation applications.
  • Red Hat Openshift and Oracle APEX environments.
  • Secure Development and Test environments (DevOps).
  • Bespoke application hosting.


  • Partnership approach to SaaS (more than just a hosting provider).
  • Users can collaborate across RLI/SMI, the Internet, PSN and HSCN.
  • Simple, transparent pricing model.
  • UK Hosted Services, SC Cleared staff.
  • Increase productivity and operational effectiveness by remote working.
  • Over 18 years experience of working with HMG Departments.
  • Experience to support developers and application integration.


£6.25 per person per month

  • Free trial available

Service documents

G-Cloud 10


Secure Information Assurance Ltd

Stephen Jewell

0161 215 3788

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints The provision of the Cloud Software Services includes planned maintenance activities, which are documented within a Service Level Agreement. SecureIA work with our customers to ensure that systems are regularly patched and maintained, whilst minimising impact on the User community and business requirements.
SecureIA work with the customers and User community of the cloud software to deliver secure and resilient services, balancing the security and functionality that are commensurate with the business requirements.
System requirements
  • End Point Devices to be approved for OFFICIAL use.
  • Code of Connection provides specific requirements for the project services.

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Typical response times are 30 Minutes.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Standard support is provided 08:00 to 18:00 Monday to Friday and include 1st line (User support) through to the system management, monitoring and Administration.
Additional support is available to extend the service support to 24/7 at additional cost.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Specific support is provided to Users for onboarding services, which includes documentation, online training material and can include onsite training.
Service documentation Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction Access is provided for the customer to extract data, or can be undertaken by SecureIA at no additional charge, depending on the method of delivery. Data can be provided as an image of the Virtual Machines, as extracted data or specific formats such as database exports. Where data is to be delivered by SecureIA, encrypted portable drives can be provided.
End-of-contract process SecureIA will work with the customer to ensure that the required data, records and audit logs have been extracted and verified before the services are terminated. Data content is then destroyed in accordance with InfoSec Standard 5. The SecureIA service support team will assist the customer with communications to the User community about the end of the contract and either the termination or transfer of services. Images of Virtual Machines will be provided to the customer on request to allow the transfer of the services. Where support from SecureIA is required beyond the end of the contracted services, for example to support the transition to another provider may incur additional charges.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Mobile Access to the specific software services is supported through the Private Cloud service; the specific support for mobile device access to the software applications varies between the applications.
Accessibility standards None or don’t know
Description of accessibility The services are delivered via a customisable web-interface which authenticates and authorises User access to the services to which they have been allocated. The accessibility features of the User Interface can be configured with the customer and User community to deliver the features and functions required to meet the specific business needs.
Accessibility testing Web-interface testing is normally included in the Acceptance Testing of the service provided to the customer, the scope of this testing being agreed as part of the Service definition.
Customisation available Yes
Description of customisation Access to the software services is provided via a web-based portal which performs authentication an authorisation to the cloud software services. This portal can be customised to match customer or project branding or to tie in with the application software user interface.
The customisable elements of the software services themselves vary between the applications, but SecureIA will apply customisations where they are supported.
Other elements of the service, such as the reporting and dashboard can also be customised.


Independence of resources Resources can be independently allocated to project User communities to ensure resilience of the service and capacity. Capacity of services are monitored, and customers are informed of changes in demand.


Service usage metrics Yes
Metrics types Service usage metrics can be defined by the customer to either be provided as on-demand dashboards and/or periodic reports. Typical usage data includes numbers of users per period, peak usage, average usage, heat-map of usage over time and days of the week, bandwidth consumption, volume of data uploaded/downloaded etc.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach The export of data is supported and will vary depending upon the software applications being provided. This can include automated exports to external data repositories or specific data exports on request. Some of the applications also provide User driven data export functions.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
  • Database exports
  • Application specific exports
Data import formats
  • CSV
  • ODF
  • Other

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability Each customer is provided with a Service Level Agreement which specifies the availability and response targets. Typical availability is 99.96, assured by contractual commitment. SecureIA offer Service Credits against the guaranteed levels of availability.
Approach to resilience Resilience of the service is provided throughout the service provision. • The Data Centres are classified as a Tier 3 data centre with alternate supply paths for all services to ensure 100% Data Centre uptime. • All redundant systems are regularly tested for operation and effectiveness. • N+1 Redundant Power Supplies. • The Public Sector Dataroom also has additional power connection allowing the entire room to be independently serviced in the event of a catastrophic failure at the site). • Redundant Backup Power from Generators and UPS (N+1). • 100% carbon neutral, PAS 2060 certified hosting. • Carrier Neutral with a range of Tier 1 and 2 carriers. • Multihomed internet presentation, means that if 1 carriers Point of Presence fails communications will automatically failover to another. • Redundant (N+1) Air Conditioning and Environmental Control. • Environmental systems supported by redundant power systems. DR facilities are also available, with secure connectivity provided to replicate data between the production and DR facilities.
Outage reporting Service outages and planned maintenance activities are communicated via the service web-interface status dashboards and messaging, via email alters and the Service Desk team make contact with agree Points of Contact in order to communicate status and ongoing activities.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Separate accounts are required for Administrative Access, with authentication and authorisation controls applied to all Administrative functions. SSH access to the Virtual machines command line, and RDP sessions requires key-based authentication from a specified source location into a bastion host, which then requires further authentication and account escalation at each onward connection to the specific administrative services.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)

Audit information for users

Audit information for users
Access to user activity audit information Users receive audit information on a regular basis
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users receive audit information on a regular basis
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Alcumus ISOQAR Limited
ISO/IEC 27001 accreditation date 24/06/2016
What the ISO/IEC 27001 doesn’t cover The processes and procedures agreed within the Risk Managed Accreditation Document Set (RMADS) that have been agreed with the Accreditor in compliance with JSP and MoD policies.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • Formal Accreditation from MoD (DAIS).
  • Cyber Essentials.

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards Formal Accreditation from DAIS, Cyber Essentials, IASME Governance
Information security policies and processes Security policies and procedures form part of the formal system accreditation by DAIS.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Components of the system are recorded and tracked through their lifetime Every change to a configurable item requires a Change Control Form to be documented and approved. Changes are assessed for potential security impact, and where necessary are communicated to the system Accreditor for approval.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Vulnerability management processes form part of the Risk Managed Accreditation Document Set (RMADS) which have been reviewed and approved by the DAIS Accreditor. SecureIA monitor threat sources, including CERT to gain information about potential threats. Vulnerabilities and Remediation activities are assessed to determine the priority, with patches being applied within the hour for critical security issues through to monthly patching for routine updates.
Protective monitoring type Supplier-defined controls
Protective monitoring approach SecureIA employ protective monitoring services in compliance with Protective Monitoring for HMG ICT systems (GPG-13).
Incident management type Supplier-defined controls
Incident management approach Processes for reporting incidents is included within the Risk Managed Accreditation Document Set (RMADS) which includes HMG monitoring departments and points of contact. Users should report incidents to the first line Service Desk team, either by phone, email or via the web-portal. Incident reports are provided as part of the reporting cycle, with exceptional RCA and incident reports provided for security incidents.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks
  • Public Services Network (PSN)
  • Police National Network (PNN)
  • New NHS Network (N3)
  • Other


Price £6.25 per person per month
Discount for educational organisations No
Free trial available Yes
Description of free trial SecureIA are happy to provide a trial of the services or Proof of Concept to demonstrate and verify that the business requirements can be delivered by our services. The period and extent of the trial can be agreed to support the customers business case.


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑