SysGroup Trading Limited

BaaS/DRaaS/SysAssure/SysAssure365

A flexible, bespoke Cloud-based Disaster Recovery as a Service (DRaaS) providing businesses with a cost-effective means of replicating their critical IT systems to an enterprise-class secondary location.

Features

• Cloud-based Disaster Recovery as a Service (DRaaS)
• N-able Backup for Exchange, OneDrive and SharePoint

Benefits

• Only pay for what you use
• Tech workshop led model
• Identify key applications and produce a detailed recovery plan
• Functionality to select only the mailboxes/accounts required for backup

£3.54 a gigabyte

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@sysgroup.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

165227583007897

Contact

Nick Guite
0333 101 9000
sales@sysgroup.com

Service scope

• Service constraints: No constraints however all service impacting scheduled maintenance is usually advised 2 weeks in advance.
• System requirements: It depends on the service and requirements of customer

User support

• Email or online ticketing support: Yes, at extra cost
• Support response times: SLAs vary depending on the questions and requests. Additional out of hours support is available at an extra cost. SLAs do not apply between 6pm and 8am or weekends unless enhanced support is purchased.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Standard Infrastructure - ; ; Incident 24x7x365 (SLAs do not apply between 6pm-8am), ; Unavailability of a business-critical system affecting multiple users which prevents them from carrying out daily tasks - 15 minutes.; ; Incident 8am-6pm Mon-Fri, ; Degradation in performance or unavailability of a non-business critical system affecting multiple users - 30 minutes, ; Problem affecting single user - 4 hours, ; Identified problem that may lead to a loss of service - 4 hours.; Request 8am-6pm Mon-Fri ; Restore request - 12 hours; ; Change Request 8am-6pm Mon-Fri,; Emergency change required to fix an immediate problem - 1 hour. ; ; Standard User Support - ; ; Incident 24x7x365 (SLAs do not apply between 6pm-8am), ; Unavailability of a business-critical system affecting multiple users which prevents them from carrying out daily tasks - 15 minutes.; ; Incident 8am-6pm Mon-Fri,; Degradation in performance or unavailability of a non-business critical system affecting multiple users - 30 minutes,; Problem affecting a single user - 1 hour,; Identified problem that may lead to a loss of service - 2 hours,; ; Request 8am-6pm Mon–Fri – all 12 hours,; Password reset & unlock, User assistance, New user/delete user, Restore request, IMAC's (PC moves and changes), service request requiring long term analysis or allocated project resource.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide user documentation and if required user training.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Data can be securely imported to a new environment upon request, the backup can be configured to a new environment and once the backup is turned off, at the end of the backup period there will no longer be any data stored in the SysCloud environment.
• End-of-contract process: Any time spent handing over to a new provider will be charged at an additional rate.

Using the service

• Web browser interface: No
• API: No
• Command line interface: No

Scaling

• Scaling available: No
• Independence of resources: Each customer is allocated resources based on their contract, utilising the cloud platforms technology these are set as guaranteed minimum limits for each customer.
• Usage notifications: Yes
• Usage reporting: Email

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • Memory
  • Network
• Reporting types: Regular reports

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: N-Able

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Physical access control, complying with another standard
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: A third-party destruction service

Backup and recovery

• Backup and recovery: Yes
• What’s backed up: Files, virtual machines, or databases
• Backup controls: The backups required are agreed upon at the outset of the contract and controlled by the SysGroup support team. Users can contact the support team to schedule backups or they can control the whole backup schedule themselves if needed.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Users contact the support team to schedule backups
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks: Private network or public sector network
• Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: N/A
• Approach to resilience: Platform and Datacentre resilience is available on request.
• Outage reporting: Outages are reported via verbal communications and email alerts. Each customer has designated key contacts and a service delivery manager to liaise with during an outage.

Identity and authentication

• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: Access to SysGroup’s network and business critical software is controlled by means of individual user logins and passwords. Users level of access is controlled by permissions allocated to the various login identities. Users may access the network and their own files by logging on to any PC on the system. However, access to network objects is limited by individual logins that are authorised on the basis of operational requirements. User rights are decided by the Job Role and are kept to the minimum necessary for efficient working.
• Access restriction testing frequency: At least once a year
• Management access authentication: 2-factor authentication
• Devices users manage the service through: Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: QMS International
• ISO/IEC 27001 accreditation date: 12/01/2022
• What the ISO/IEC 27001 doesn’t cover: The following sections are out of scope for our ISO27001 certification:; ; A.9.4.5 - Access control to program source code; A.11.1.6 - Delivery and loading areas; A.12.1.4 - Separation of development, testing and operational environment; A.14.2 - Security in development; A.14.3.1 - Protection of test data
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Cipher
• PCI DSS accreditation date: 17/09/2021
• What the PCI DSS doesn’t cover: 1.2.2-N/A there were no routers in scope of the assessment. 1.2.3-N/A there were no wireless networks in scope of the assessment. 1.4-N/A all access to the environment in scope is performed by desktops. 2.1.1-N/A there were no wireless networks in scope of the assessment. 2.2.3-N/A no insecure services were being used at the assessed environment. 2.6-N/A SysGroup is not a shared hosting service provider. 3:3.2, 3.2.c-N/A SysGroup does not store SAD after authorisation. 3.2.a, 3.2.b-N/A SysGroup is not an issuer or supports issuing services. 3.2.1, 3.2.2, 3.2.3-N/A SysGroup does not operate a face to face payment channel or devices which directly interact with payment cards. 3.6.6.a-N/A SysGroup does not use manual clear-text cryptographic key-management operations. 4.1.1-N/A there were no wireless networks in scope of the assessment; 4.2.a-N/A SysGroup does not use end user messaging to transmit cardholder data. 6.3, 6.5-N/A SysGroup does not develop any applications. 6.6-N/A there are no public facing web applications in scope of the assessment. 8.2.2-N/A no non-face-to-face methods are used for password resets at the environment. 9.9-N/A there are no POI devices or hardcopy cardholder data in scope of the assessment. Appendix A2-N/A SysGroup does not use SSL or earlier versions of the TLS
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: We hold ISO27001 for which we have ISMS roles and responsibilities, internal training and internal audits. Any non conformances are reported and corrected in line with the information security policies and processes.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: We deal with three different types of change: Emergency, Scheduled and Logged. A change request is logged on our service desk, requirements assessed and approved by our customer, change tested, if unsuccessful we have rollback procedures in place and if necessary a change resubmission will take place until the change is approved by the customer.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: 24/7/365 monitoring identifies any unusual behaviour that could be deemed a potential threat, if this is the case it is escalated for investigation. We have a patching policy that covers automated and manual patching. Security patching is done immediately and recurring non-critical scheduled patches occur once a week.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: SysGroup maintains a 24/7/365 team responsible for environmental health and platform availability by utilising a specialist service provider's management platform. The monitoring function proactively manages alerts that could result in outages (e.g., storage issues) and react to any unplanned outages. In such cases, the team will take direct action on the customer environments, and/or open up communications with the customer (depending on the issue in question). We monitor metrics that provide data on the availability of a device, storage state and compute performance.
• Incident management type: Supplier-defined controls
• Incident management approach: We have a Business Continuity Plan and a Major Incident Response Policy that we follow which clearly sets out roles, responsibilities, communication and routes of escalation. Our monitoring provides us with the data we need prevent incidents and users can report any issues with services via email or telephone. After any events an incident report is provided to the customers impacted.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: Other
• Other virtualisation technology used: We use VMware and Hyper-V
• How shared infrastructure is kept separate: Utilising the technology stack that allows virtual tenancies and segregation of data both communication and stored.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: Our primary SysCloud data centre uses 100% renewable electricity.

Social Value

• Fighting climate change:

  Fighting climate change

  Please contact us for more details surrounding our ESG reporting.
• Covid-19 recovery:

  Covid-19 recovery

  Please contact us for more details surrounding our ESG reporting.
• Tackling economic inequality:

  Tackling economic inequality

  Please contact us for more details surrounding our ESG reporting.
• Equal opportunity:

  Equal opportunity

  Please contact us for more details surrounding our ESG reporting.
• Wellbeing:

  Wellbeing

  Please contact us for more details surrounding our ESG reporting.

Pricing

• Price: £3.54 a gigabyte
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@sysgroup.com. Tell them what format you need. It will help if you say what assistive technology you use.