TIBUS

Cloud Hosting TIBUS PaaS

TIBUS PaaS allows you to create, build and scale Virtual Servers with selected O/S and database on demand. Typically these are used for Production, Test and Development environments, priced on an Annual, Monthly, Daily and Per Hour basis. All services are ISO27001 accredited (equivalent IL2/IL3)

Features

• Secure ISO27001 platform
• 99.999% Availability. No single points of failure
• Fully Managed IaaS Platform proactively monitored 24x7x365
• Fixed, Burstable & Elastic models available
• Discount Scheme

Benefits

• Peace of mind. ISO27001 accredited platform managed 24x7x365
• Data Sovereignty UK Datacentres
• Service Guarantee. SLA & Service Credits regime
• Competitive pricing & Discount Scheme

£35 to £1,260 a unit a month

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at commercial@tibus.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

141518101370526

Contact

Darren Richardson
02890331122
commercial@tibus.com

Service scope

• Service constraints: No
• System requirements: Internet Access

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Our ticketing system is monitored 24 hours / 365 by our in house support team. Once a fault has been detected / logged it will be classed according to to priority codes and allocated a resolution target time. ; Standard response times for lower priority tickets may not be applicable at weekends.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Our approach is to work with clients to determine a matrix for all service issues and create a prioritised target response time for each category. All targets are documented in a comprehensive and bespoke SLA. ; Priority 1 - Client Service non-functional with high impact; Response 15 minutes. Resolution 1 hour.; Priority 2 - Client Service functional but with impact; Response 15 minutes. Resolution 1 hour.; Priority 3 - Minor Problems, low impact; Response 15 minutes. Resolution 4 hours.; Priority 4 - Cosmetic, documentation errors; Response 60 minutes. Resolution 4 hours.; Priority 5 - Change Control; Request dependent. Agreed with client.; ; Service calls logged via telephone, email and self-service portal. Each call is logged at the Tibus Service Desk and a unique call reference number issued to the caller so that the call can be identified throughout the support process. The initial priority of the call will be agreed with the caller, based on the predefined impact and urgency matrix. Where there is a specific business need, a call may be assigned a higher priority level at the caller’s request. Proactive support 24x7x365. Service desk 0800-1800 normal business days. Optional 24x7x365 access to engineer £100/Month.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: The Tibus support desk will be available to assist as required and take you through our Technical Migration process. Equally if required we can manage the transition for you.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: As part of the Exit Management process we will assist with the smooth transition of the service to another platform and provide a snapshot of the latest build.
• End-of-contract process: No additional cost.

Using the service

• Web browser interface: Yes
• Using the web interface: Access via Internet to set up or make server changes. There are no limitations.
• Web interface accessibility standard: WCAG 2.1 AA or EN 301 549
• Web interface accessibility testing: We use Selenium to test web interfaces.
• API: No
• Command line interface: No

Scaling

• Scaling available: No
• Independence of resources: Our capacity planning process monitors our entire network resource and will increase capacity as we reach 70% usage.
• Usage notifications: Yes
• Usage reporting: Email

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • Network
  • Number of active instances
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Hardware containing data is completely destroyed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • All data
  • Virtual Server build
  • Databases
• Backup controls: Backups can be tailored as required and the support desk will be available to assist.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Users contact the support team to schedule backups
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

• Guaranteed availability: We provide a 99.999% availability supported by service credits. If unavailable for over 0.001% time within a month, upon the Customer's request, we will credit the Customer's account the pro-rated cost for one-day's charges for each hour of unavailability, up to a maximum of 1 week’s charges within any one month. For the purpose of this Service Availability Commitment Remedy, a Week shall mean the period from 12:00:01 AM Monday, until 12:00:00 AM the following Sunday.
• Approach to resilience: Cloud and hosting services are delivered from our Tier 3 and 4 ISO 27001 accredited datacenters. All datacenters operate to ISO27001, ISO22301, ISO 50001, ISO9001, ISO 14001, OHAS 18001, PCI DSS standards and are audited and operated to the EU Code of Conduct’s best practice for datacenters. VESDA detection technology is installed and all infrastructure monitored 24x7x365 by the Network Operations Centre (NOC). There are dual 10G connections between each of our datacentres for resilience and we peer with 5 different Tier 1 telecoms to provide for the best connectivity and internet routes worldwide. In addition we are a member of INEX, LINX and LONAP for further capacity and resilience. There are no single points of failure, with redundancy built in at every layer of the load balanced platform, as well as within the core. Tibus can facilitate any frequency of backups e.g. hourly, daily or anything in between. All data, including server configuration, application data and configuration, is backed up on minimum a daily basis, and retained for a minimum of 30 days.
• Outage reporting: Direct contact from Service Desk or email.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Our Access Control Policy ensure that the principles of ‘least privilege’ and ‘need to know’ are applied consistently across the management of authorised access to information assets including management interfaces and support channels.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
• Devices users manage the service through:
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Certification Europe
• ISO/IEC 27001 accreditation date: 14/01/2015
• What the ISO/IEC 27001 doesn’t cover: All Tibus business processes are covered by ISO27001
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: PCI DSS via Datacentres

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: TIBUS ISO27001 scope includes but not limited to: Secure Engineering Principles Supplier Assurance Training and Awareness Information Security Metrics & KPIs Remote Working Removeable Media Security Education and Awareness Access Control Policy Accounting and Audit Anti Malware Operating System Hardening Business Security Continuity Management Business Security Continuation Plan Change Management Policy Cryptography Policy Customer Access Management Email Usage Forensic Readiness IA Policy Incident Identification Reporting and Management Information Classification Information Security in Project Management Information System Backup Information Transfer Internal Audit IT Account Management - Users IT Account Policy – Administrator Mobile Device and Telephony Network Security Patch Management Physical and Environmental Controls Secure Information Asset Disposal Virtual Private Network Document Control Employee Arrivals Employee Exit Employee Movers Security Operating Procedures Corrective Action. There is a IT Security Working group chaired by the SIRO and including ITSO, Change Managers, Systems Manager. Reporting structure is available as an Organisational Chart detailing ISMS.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We have a bespoke change management tool to enable all change requests to be logged, tracked, approved/rejected and reported on. The change management process includes: ; • Documented Change Requests; ; • Identification, prioritisation and initiation of change; ; • Proper authorisation of change; ; • Requirements analysis; ; • Inter-dependency and compliance analysis; ; • Business Impact Assessment;; Change approach; ; • Change testing; ; • UAT and approval; ; • Implementation, release planning and roll back procedures; ; • Documentation; ; • Change monitoring; ; • Defined responsibilities of all users and IT personnel; ; • Emergency change parameters.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Patch management is part of ISO27001. There are resources available for monitoring status of vulnerabilities and patches including vendor/3rd party websites, mailing lists, vulnerability databases, Network management tools scanning for vulnerabilities, provide information regarding needed patches and other software updates on those computers. Patch deployment should be conducted under direction of the Change Manager. They must be applied in a structured and methodical way, based on a determination of priority and within pragmatic timeframes: Emergency 24 hours, High priority 7 days, Medium within 30 days.; Systems are in place to alert NOC to potential issues as soon as they develop.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Systems are in place to alert NOC to potential issues as soon as they develop. The G Cloud platform sits behind perimeter enterprise-class, redundant core routers, firewalls and intrusion prevention systems. This includes Syslog, Netflow use of MD5 passwords. Perimeter firewalls are configured with ports locked down. Other ports are locked down to individual fixed IP addresses. Cisco IPS provides for real-time traffic analysis and packet logging on our IP networks to perform protocol analysis, content searching/matching to detect buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting. Regular vulnerability assessments of core network are undertaken.
• Incident management type: Supplier-defined controls
• Incident management approach: We provide a consolidated incident management process. The primary objective of the process is to restore normal operation as soon as possible, in accordance with service levels. The Incident Manager responsibilities include:; ; o Ensuring that issues are accurately recorded and that investigation is undertaken in a timely manner;; o Agreeing an appropriate priority with impacted users;; o Communicating relevant information about the incident and resolution progress to impacted users; ; o Ensuring that business and technical escalations are managed in line with agreed best practice and service level targets;; o Communicating, resolution and closure of the incident to impacted users.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: VMware
• How shared infrastructure is kept separate: Each organisation has its own VPN. Private Cloud clients are also on their own physical hardware.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: Equinix is a Corporate Participant in the European Code of Conduct for Energy Efficiency in Data Centres programme. ; ; Telehouse holds ISO standards 14001 (Environmental Management) and 50001 (Energy Management).

Social Value

• Social Value:

  Social Value

  Tackling economic inequality

  Tackling economic inequality

  We place significant importance on Social Value and look to exploit any opportunities to add Social Value in every contract we deliver. For example, we have a formal Volunteering Policy which outlies our; commitment to the communities in which we live and work. Through sharing our expertise, skills and resources, together we can have a positive impact. All full and part time permanent employees have up to; four days a year to volunteer for any approved charities. This entitlement is available each calendar year and can be booked as either full or half days. We also offer to match fundraising completed by employees.

Pricing

• Price: £35 to £1,260 a unit a month
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: So you can gain confidence in our ability to deliver, Tibus are offering a free trial for 1 Month service use in a development and/or test environment. Please contact us for details.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at commercial@tibus.com. Tell them what format you need. It will help if you say what assistive technology you use.