Scott Logic Limited

Cloud Service Management

Our ISO 27001 Service Management function takes the pain, complexity and overhead of managing cloud hosting away from clients by providing resilient and repeatable infrastructure and services, including: cost optimisation and management; capacity management; performance management; and scalability optimisation, sustainability optimisation and management.

Features

• ISO 27001 certified SLA management
• Cost analytics and insight
• Scalability Optimisation and Management
• Vulnerability Management
• Security Information and Event Management
• Managed Disaster Recovery
• Advanced Monitoring and Alerting
• Data logging tools and management
• Data Warehousing and Data Ingestion management

Benefits

• Improved availability of services
• Solid understanding where and how cloud spend is being attributed
• Having confidence applications scale when needed, in time and appropriately
• Confidence in endpoint compliance
• More efficient incident handling of security incidents
• Improved protection of system components
• Get business services running quickly in the event of disaster
• Deep insight into health of services
• Deep insight into warnings and errors etc.
• Access to data in a timely and appropriately aggregated fashion

£0.03 to £0.03 an instance an hour

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sangell@scottlogic.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

108538118463239

Contact

Suzanne Angell
020 3787 4085
sangell@scottlogic.com

Service scope

• Service constraints: None
• System requirements: N/A

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Critical ( 30 minute Reponse, 1 hour Escalation, 4 hours Mitigation); High ( 1 hour Response, 2 hour Escalation, 8 hours Mitigation); Medium ( 4 hour Reponse, 6 hour Escalation, 12 hours Mitigation); Low ( 8 hour Response, 12 hour Escalation, 16 hours Mitigation); Move Add Change (12 business hours Response)
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: There is a single level of support, each request has access to senior technical (all streams) and architect level staff should it be necessary. In addtion each customer has a dedicated account manager who is contactable via Email, Phone and Instant Message. We remain in regular contact because we want to ensure your needs are being heard and met. We’re committed to understanding your business and application landscape challenges as well as understanding what extra we can do to keep you feeling happy and supported.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Transition is done as a partnership and supported by account manager and managed by a lead engineer. Detailed overviews and how to reference material are provided as necessary based on what subset of services are being utilised.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Data can be extracted through multiple means as defined by the client.
• End-of-contract process: At the end of the contract, all data, accounts and access will be permanently deleted. Should the cloud provided have any additional costs then thee are payable by customer.

Using the service

• Web browser interface: Yes
• Using the web interface: The service desk tool is accessed via a web interface. In addtion to this the monitoring system health dashboard is availble as is the logfile dashboard(s) if used.
• Web interface accessibility standard: WCAG 2.1 AA or EN 301 549
• Web interface accessibility testing: None
• API: No
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type:
  • Automatic
  • Manual
• Independence of resources: Managed by Cloud provider who continuously monitor service usage to project infrastructure needs to support availability commitments/requirements.
• Usage notifications: Yes
• Usage reporting:
  • API
  • Email
  • SMS
  • Other
• Other usage reporting: We agreed all notification processes with our clients and select the appropriate options for the client.

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • HTTP request and response status
  • Network
  • Number of active instances
  • Other
• Other metrics: Customised to meet customer requirements
• Reporting types: Regular reports

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: AWS, Azure, GCP

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Other
• Other data at rest protection approach: AWS/Azure/GCP adheres to independently validated privacy, data protection, security protections and control processes. (Listed under “certifications”).; ; AWS/Azure/GCP is responsible for the security of the cloud; customers are responsible for security in the cloud. AWS/Azure/GCP enables customers to control their content (where it will be stored, how it will be secured in transit or at rest, how access to their AWS/Azure/GCP environment will be managed).; ; Wherever appropriate, AWS/Azure/GCP offers customers option to add additional security layers to data at rest, via scalable and efficient encryption features. Key management options and dedicated hardware-based cryptographic key storage are available also.
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
• Equipment disposal approach: In-house destruction process

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Files
  • Folders / Bucket Storage
  • Volumes
  • Virtual Machines
  • Applications
  • Locally Attached Dsisks
• Backup controls: Managed services provide backup support as needed
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Users schedule backups through a web interface
• Backup recovery: Users can recover backups themselves, for example through a web interface

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network: Other
• Other protection within supplier network: Customer environments are logically segregated to prevent users and customers from accessing resources not assigned to them. Cloud providors gives customers ownership and control over their content by design through simple, but powerful tools that allow customers to determine how their content will be secured in transit.; Cloud providors also enables customers to open a secure, encrypted channel to AWS services using TLS/SSL, and/or IPsec or TLS VPN (if applicable), or other means of protection the customer wish to use.; API calls can be encrypted with TLS/SSL to maintain confidentiality

Availability and resilience

• Guaranteed availability: Cloud providers provide various SLAs which are best reviewed directly via links such as https://aws.amazon.com/legal/service-level-agreements/ and https://azure.microsoft.com/en-gb/features/resiliency/
• Approach to resilience: The AWS/Azure/GCP Business Continuity plan details the process that AWS/Azure/GCP follows in the case of an outage, from detection to deactivation. AWS/Azure/GCP has developed a three-phased approach: Activation and Notification Phase, Recovery Phase, and Reconstitution Phase. This approach ensures that AWS/Azure/GCP performs system recovery and reconstitution efforts in a methodical sequence, maximizing the effectiveness of the recovery and reconstitution efforts and minimizing system outage time due to errors and omissions. ; ; AWS/Azure/GCP maintains a ubiquitous security control environment across all regions. Each data centre is built to physical, environmental, and security standards in an active-active configuration, employing an n+1 redundancy model, ensuring system availability in the event of component failure. Components (N) have at least one independent backup component. All data centres are online and serving traffic. In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites. ; ; Customers are responsible for implementing contingency planning, training and testing for their systems hosted on AWS/Azure/GCP. AWS/Azure/GCP provides customers with the capability to implement a robust continuity plan, including the utilization of frequent server instance back-ups, data redundancy replication, and the flexibility to place instances and store data within multiple geographic regions across multiple Availability Zones.
• Outage reporting: Public dashboard; personalised dashboard with API and events; configurable alerting (email / SMS / messaging)

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: IAM provides user access control to AWS services, APIs and specific resources. Other controls include time, originating IP address, SSL use, and whether users authenticated via MFA devices. ; ; API calls to launch/terminate instances, change firewalls, and perform other functions are signed by customers’ Amazon Secret Access Key (either the root AWS Account’s Secret Access Key or the Secret Access key of a user created with AWS IAM). Amazon EC2 API calls cannot be made on customers’ behalf without access to customers’ Secret Access Ke. ; ; API calls can be encrypted with TLS/SSL for confidentiality and customers can use TLS/SSL-protected API endpoints.
• Access restriction testing frequency: At least every 6 months
• Management access authentication: 2-factor authentication
• Devices users manage the service through: Dedicated device on a segregated network (providers own provision)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: You control when users can access audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Amtivo Group Ltd T/A British Assessment Bureau
• ISO/IEC 27001 accreditation date: 15/11/2023
• What the ISO/IEC 27001 doesn’t cover: Covered by certification: Service Management Department, including but not limited to:; Infrastructure Management; Event Management; Incident Management (including Major Incident Management); Security Management; IT Service Continuity Management; Service Catalogue Management; Change and Release Management; ; Not covered by certification:; Admin; HR; Professional Services; Business Development; Internal Operations
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: AWS/Azure/GCP implements formal, documented policies and procedures that provide guidance for operations and information security within the organisation. Policies address purpose, scope, roles, responsibilities and management commitment. ; ; Employees maintain policies in a centralised and accessible location. AWS/Azure/GCP Security Assurance is responsible for familiarizing employees with the AWS/Azure/GCP security policies. ; ; AWS/Azure/GCP has established information security functions that are aligned with defined structure, reporting lines, and responsibilities. Leadership involvement provides clear direction and visible support for security initiatives. ; ; The output of AWS/Azure/GCP Leadership reviews include any decisions or actions related to:; ; • Improvement of the effectiveness of the ISMS. ; • Update of the risk assessment and treatment plan.; • Modification of procedures and controls that affect information security to respond to internal or external events that may impact the ISMS. ; • Resource needs. ; • Improvement in how the effectiveness of controls is measured. ; ; Policies are approved by AWS/Azure/GCP leadership at least annually or following a significant change to the AWS/Azure/GCP environment.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Changes to services and features follow secure software development practices, including security risk reviews prior to launch. ; ; All production environment changes are reviewed, tested and approved.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Vulnerability scans are ran on all elements of the VPC by a SIEM tool and any identified vulnerabilities are monitored and evaluated. Countermeasures are designed and implemented to neutralise known/newly identified vulnerabilities.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: AWS deploys (pan-environmental) monitoring devices to collect information on unauthorized intrusion attempts, usage abuse, and network/application bandwidth usage. Devices monitor:; ; • Port scanning attacks; • Usage (CPU, processes, disk utilization, swap rates, software-error generated losses); • Application metrics; • Unauthorized connection attempts; ; Near real-time alerts flag incidents, based on AWS Service/Security Team- set thresholds.; ; Requests to AWS KMS logged and visible via the account’s AWS CloudTrail Amazon S3 bucket. Logs provide request information, under which CMK, and identify the AWS resource protected through the CMK use. Log events are visible to customers after turning on AWS CloudTrail in their account.
• Incident management type: Supplier-defined controls
• Incident management approach: AWS/Azure/GCP adopts a three-phased approach to manage incidents:; ; 1. Activation and Notification Phase; 2. Recovery Phase ; 3. Reconstitution Phase ; ; To ensure the effectiveness of the AWS/Azure/GCP Incident Management plan, AWS/Azure/GCP conducts incident response testing, providing excellent coverage for the discovery of defects and failure modes as well as testing the systems for potential customer impact.; ; The Incident Response Test Plan is executed annually, in conjunction with the Incident Response plan. It includes multiple scenarios, potential vectors of attack, the inclusion of the systems integrator in reporting and coordination and varying reporting/detection avenues.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: Other
• Other virtualisation technology used: Cloud provider proprietary
• How shared infrastructure is kept separate: Customer environments are logically segregated, preventing users and customers from accessing unassigned resources. Customers maintain full control over their data access. Services which provide virtualized operational environments to customers, ensure that customers are segregated and prevent cross-tenant privilege escalation and information disclosure via hypervisors and instance isolation. ; ; Different instances running on the same physical machine are isolated from each other via the Xen hypervisor. The Amazon EC2 firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets pass through this layer. The physical random-access memory (RAM) is separated using similar mechanisms.

Energy efficiency

• Energy-efficient datacentres: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Scott Logic is publicly committed to creating sustainable prosperity and safeguarding the future of the natural environment, through both our B Corp certification and Tech Zero (a UN Race To Zero partner) membership. In living up to that commitment, we aspire not only to mitigate the risk of rising emissions from our own fast-growing business, but also to demonstrate climate leadership amongst our peers, industry and clients by going beyond the minimum requirements.; ; We have committed to SBTi-verified targets, aiming to halve our 2021 baseline Scope 1, 2 and 3 GHG emissions by 2030 and achieve Net Zero by 2040. Our 2023 environmental impact already shows a 34% reduction in emissions against the 2021 baseline, and we publish details of our measurement, efforts and progress annually on our website.; ; We have also been running a dedicated Sustainable Technology R&D team since December 2022. They evaluate existing openly available approaches and collaboration opportunities to minimise the environmental impacts of services and technologies we deliver to clients. As part of this, we have developed the Technology Carbon Standard, a framework for open and transparent collaboration between organisations and ecosystems around the environmental impact of digital technology, including minimising waste and resource usage.; ; We engage clients and the wider community to share insights and encourage two-way feedback through: open thought leadership via blogs and public speaking; participation in targeted networks, including the DEFRA-led Government Digital Sustainability Alliance; and, involvement in relevant Open Source initiatives such as Cloud Carbon Footprint and Green Software Foundation.

  Covid-19 recovery

  While the unprecedented circumstances surrounding Covid undoubtedly affected Scott Logic, our strong business foundations meant we comfortably maintained business performance and client delivery throughout the pandemic, and returned to our previous pattern of sustainable, double-digit growth in 2021 and 2022.; ; Our use of only permanent employees (current headcount circa 475) and a UK-wide office network means that all contracts placed with us will encourage the recruitment of greater numbers of UK-based permanent employees, across our Newcastle, Edinburgh, Bristol, London, Leeds and Glasgow offices. ; ; Our recruitment process, providing focussed support to our local communities, has been in full swing post-covid, with 347 staff hired since the start of 2021, at varying levels of experience from graduates to executives, across all functions of the business.; ; We have run a very successful graduate recruitment programme every year since 2006, and this did not stop through the pandemic with a total of 138 graduates joining the business since the start of 2021. We’re committed to developing their technical skills and introducing them to recognised business and commercial software development practices, leading to excellent retention rates. In 2023, we retained 92% of colleagues.; ; In 2023, 32.3% (approx. £1.7m) of our spending was with MSMEs local to our physical office locations, and the median of all invoice payments was 20 days. We believe these types of behaviours are critical parts of our being a good corporate citizen of our local communities.

  Tackling economic inequality

  We made a £150,000 donation to Durham University to set up two scholarship programmes designed to support students from under-privileged backgrounds: one encouraging students from the North East of England to study Computer and Mathematical Sciences; and another designed to attract talented students from developing countries to the North East of England.; ; Since 2019 we have donated over £500,000 in seed funding to the Altitude Foundation, a charity set up to support disadvantaged students from age 9+ in pursuing technology careers. We provide ongoing logistical support including free office space and equipment to enable the continuation of its vital work, and our consultants’ time to teach coding to its students.; ; We donated laptops to a school in a disadvantaged area of Newcastle in January 2021 to enable their pupils to continue their studies at home, and have recently made laptop donations to DigiLocal, supporting disadvantaged families in the Bristol area.; ; Scott Logic’s diversity policy provides all employees with the same opportunities based only on ability and ensures all individuals are treated with dignity and respect in a working environment free from discrimination, victimisation or harassment. We have adopted an employee-led approach to maintaining and improving our culture of inclusivity. Our recruitment practices run in the same light, ensuring every individual, regardless of background, is equally likely to be hired.; ; We aim to attract candidates from a diverse range of backgrounds that have not all taken the traditional path to a career in software. We do not limit our graduate scheme to those with a computer science degree, but welcome those with core skills to benefit our clients and strengthen our business. In 2022 we also welcomed our first apprentices into the business, opening up training and career development within Scott Logic to those who have not attended university.

  Equal opportunity

  We are committed to treating employees fairly and equally. We seek to provide all employees with the same opportunity for employment, career and personal development on the basis of ability, qualifications and suitability for the work, in addition to their potential for development.; Scott Logic has an Equality & Diversity policy that opposes all forms of unlawful and unfair indirect and direct discrimination on the grounds of all the key characteristics protected by law. The objective of this is to ensure that all individuals are treated with dignity and respect and that their working environment is free from discrimination, victimisation or harassment. Our employees are responsible for ensuring their daily actions and behaviour are compliant with our policy.; Our Code of Conduct requires all to treat all others equally, to be respectful, dignified and courteous in all circumstances. We will not tolerate discrimination or harassment or bullying, either by colleagues or directed at colleagues.; Our volunteer D&I Ambassadors and Committee members champion and influence the embedding of diversity and inclusion across the company, supporting our D&I Strategy and Key Moments. ; We run a D&I survey annually to measure the progress of our key drivers of Non-Discrimination, Diversity, and Inclusiveness. In November 2023 this showed an increase in score for our areas of focus for improvement. The D&I survey results are then reviewed with actions put into place. ; A review of our recruitment processes has been undertaken. All adverts and career website have been updated to incorporate inclusive language. Inclusive recruitment workshops have been run during 2023 for our recruiting managers.; We work with external partners Stonewall, Inclusive Employers, Involve and Unum to create an inclusive employee value proposition for our employees with education activities, a suite of inclusive policies and employee benefit packages.

  Wellbeing

  Our People Promise ensures our focus on long-term staff development and wellbeing. We hire with quality in mind, not quantity, growing through long-term staff investment. All employees have fixed-hours, permanent contracts and are paid over the living wage. We discourage out-of-hours working and, if clients expect this, we fix the engagement rather than make unsustainable staff demands. Based on on-going employee engagement surveying over a range of engagement drivers, our current employee net promoter score (eNPS) is 42, 16 above the industry benchmark.; ; We provide an annual individual development budget for all employees, for learning and development activities each person deems will improve their career prospects, with time out of the office, separate from Annual leave, to accomplish their goals.; ; Our hybrid working model enables flexible working to best suit our employees’ lifestyles, mixing high quality office space with technical, logistical and emotional support for a safe home working environment. We uphold the interests and wellbeing of our employees, ensuring they are safe, included and supported to continually benefit from our fair work policies.; ; Our mental health manifesto prioritises mental health on par with physical health and we have recently introduced Mental Health First Aiders to support our staff. Our Employee Assistance Programme supports employees with matters that are affecting their mental, physical and emotional health. We utilise opportunities within the Mental Health Calendar to educate and discuss matters related to Wellbeing e.g. Mental Health Awareness week, Loneliness etc.; ; We promote inclusion and diversity and a “one team” approach fosters an open, enjoyable environment (Glassdoor 4.4). Our line management processes include regular catch-ups to ensure consultants’ wellbeing. We make “social time” a standard daily activity; we hold regular informal online events promoting togetherness (Techie Brekkies, 'Pub' Quizzes, chat roulette etc), intentionally including client personnel, promoting an inclusive “one-team” mentality.

Pricing

• Price: £0.03 to £0.03 an instance an hour
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sangell@scottlogic.com. Tell them what format you need. It will help if you say what assistive technology you use.