IT SYSTEMS & SUPPORT LIMITED

Backup As A Service

A fully automated data backup solution for protecting sensitive data. The recovery and re-provisioning of data onto the school system is part of our end-to-end process.
Our solution supports either full server or single folder / file recovery and stores data within a standard 35 day retention window.

Features

• File/folder/disk/system recovery capability
• Backups can be taken at customer requested intervals
• A fully managed service provided by IT Systems
• Maintains a 3-2-1 approach to backup
• Adheres to RPA Cyber Insurance requirements

Benefits

• Includes disaster recovery as standard
• Integrates with Microsoft 365
• Can recover individual MS 365 emails and mailboxes
• Proactively monitored for operability
• Backups tested and vetted for recovery
• Can recover Sharepoint and Teams

£1.75 to £1.75 a gigabyte

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tcoad@itsystems.uk.net. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

417702636963536

Contact

Tristen Coad
0343 8868660
tcoad@itsystems.uk.net

Service scope

• Service constraints: No
• System requirements: A broadband connection of a minimum of 100mbps

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within business hours: a two hour response; Out of business hours: next working day
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: Response level of file recovery = two hours; Response level of disk recovery = four hours (dependent on disk size); Response level of server recovery = upto 24 hours (dependent on server size)
• Support available to third parties: No

Onboarding and offboarding

• Getting started: We undertake formal project management processes to onboard the client, enable a secure end-to-end connection, provision the system and to undertake the clients first primary backup whilst setting up their required retention policy
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Data is extracted by IT Systems and presented in the format customer requires it
• End-of-contract process: Data is held for an additional 30 days and then sanitised from IT Systems backup service

Using the service

• Web browser interface: No
• API: No
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type: Manual
• Independence of resources: The platform service is upscaled and forward-filled to always leave additional capcity on the service and is monitored via system metrics as provided centrally and to the establishment directly; The system is load balanced
• Usage notifications: Yes
• Usage reporting: Email

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • Disk
  • Network
  • Number of active instances
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest: Physical access control, complying with another standard
• Data sanitisation process: Yes
• Data sanitisation type: Hardware containing data is completely destroyed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Encapsulates all data held in on-premise servers
  • On premise server system state
  • Microsoft 365 email, calendar, contacts, sharepoint
• Backup controls: Undertaken by IT Systems on behalf of and, if required, under the direction of the client
• Datacentre setup: Single datacentre with multiple copies
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: 32 days retention of data; Daily or up to every three hours incremental; Weekly full
• Approach to resilience: The backup service operates on a 3,2,1 basis; The backup platform replicates all backups to an offsite location
• Outage reporting: Outages are reported to customers within five working days explaining the outage circumstances and mitigation

Identity and authentication

• User authentication: Other
• Other user authentication: Clients do not access the service. It is a managed provision undertaken by IT Systems personnel
• Access restrictions in management interfaces and support channels: Authorised members of staff authenticate based upon user and role. Access is recorded in the IT Systems logging service
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • Limited access network (for example PSN)
  • Username or password
• Devices users manage the service through: Dedicated device over multiple services or networks

Audit information for users

• Access to user activity audit information: Users receive audit information on a regular basis
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users receive audit information on a regular basis
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Standards Institute
• ISO/IEC 27001 accreditation date: 24/08/2018
• What the ISO/IEC 27001 doesn’t cover: Customer facing systems
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: IT Systems operates an InfoSec Management Team responsible for the delivery, dissemination and rollout of Information Security policies and procedures within IT Systems. Staff have full access to all relevant policies and procedures with regular training including "toolbox talks" as well as "chalk and talk" sessions. All aspects involving Information Security are reported to the InfoSec Management Team. The team regularly meets to review the Information Security calendar for IT Systems in terms of audits, reviews, training, non-conformances and corrective actions.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Change management is initiated by a change request form from either a client or the internal team.; This is logged onto our support desk and processed as a support ticket and implemented upon the client’s confirmation.; Internal change requests are logged and raised in the company weekly service meeting. A formal risk assessment is undertaken to assess the need for the change in relation to any potential risks associated with making the change. If authorised, the change is factored into a planned maintenance schedule with all stakeholders informed. Changes are made, monitored, reviewed, rolled-back as required and then closed off.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Patching and updating of the system is undertaken in a cyclical monthly manner.; Vendor releases are logged, assessed, tested and then implemented as necessary. Should an update require roll-back, this is undertaken as soon as any issues are found.; Critical vendor patch release such as zero-day exploit fixes, are undertaken as unplanned maintenance windows overnight or as soon as vendors release updates to resolve.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: IT Systems utilises PRTG monitoring solution to monitor the backup solution service status; The backup solution communicates via notification to key personnel responsible for backups should an issue arise; Incidence response is undertaken within the contractual response times.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: IT Systems defines incidents under its non-conformance umbrella. An incident log is created with a non-conformance number issued and raised onto our support desk. The incident is investigated by senior staff to undertake the nature of the incident, initial disposition to undertake immediate corrective action, define timescales and person(s) responsible. Root cause analysis is undertaken to move forward with implementing corrective and/or preventative measures which are reviewed and monitored over a defined timescale. Once this monitoring is signed off the incident is closed. All users affected by said incident are informed in writing and are involved with the incident process.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: No

Energy efficiency

• Energy-efficient datacentres: No

Social Value

• Social Value:

  Social Value

  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity

  Covid-19 recovery

  IT Systems employees are its most valuable assets. They are the face of our company and instill our ethos, beliefs and practices. Our staff literally are what make IT Systems the company it is both now and in the future. In line with this our company ethos is that a person’s health and wellbeing must always come before the needs of the company. Should staff require time for mental health, physical health and/or medical needs this is given without hesitation, question or with any penalisation. ; We are all human. At these times where we could be potentially at our most vulnerable we should be supportive, empathetic and above all kind to what is going on with others. IT Systems staff are not penalised in any manner; be it financially or leave-based, to recover from mental health, physical health and/or medical needs and are supported throughout.

  Tackling economic inequality

  IT Systems believes in creating employment opportunities for all regardless of socio-economic background and academic qualifications. We do not factor in someone’s socio-economic background when undertaking employment but are more interested in the type of person they are. Coupled with this IT Systems offers a robust and well-rounded apprenticeship programme tailored to the individual to empower them to raise their skill set and knowledge in an ever changing and progressive industry.; IT Systems proactively encourages all its employees to enhance and grow their skill set. To do this, we as a company do not believe learning should be stymied by factors such as cost or, if required, travel. Any and all barriers are removed from professional development as a matter of course to enable our staff to be the very best they can be.; Further afield from our own staff, IT Systems feels duty bound to actively progress members of our own supply chains to raise standards for all. We believe in home-grown talent and excellence. As such, IT Systems actively promotes using companies in our supply chain that are local and/or reside in our region. In doing this we are not only raising the profile of our local and regional environment but also providing quality employment to people in our area.; As an ISO 27001:2013 company with UK-GDPR Practitioners we provide complimentary data security and GDPR training to all members of our supply chain. In the first hand this enables us to ensure our supply chain meet our needs in terms of data protection and information security. In doing this however, companies in our supply chain are enhanced and can expand their opportunities in confirming their awareness, alignment and working to national and internationally recognised standards.

  Equal opportunity

  IT Systems prides itself in its commitment to equality and diversity in the workplace. As a company, we view competency and capability above gender-based, sexuality-based and disability-based stereotypes. In a widely male-dominated industry, IT Systems is proactive in raising the profile amongst women (including all who identify as women) of opportunities to enter the IT sector.; At IT Systems we do not believe opportunities for development and progression should be dictated by ones background. Our employment process disregards people’s socio-economic background as a factor for employment and focuses on the quality person themselves. Our apprentice programme gives individuals from all socio-economic backgrounds the opportunity to gain industry recognised qualifications and experience work life in the IT sector. ; IT Systems is encouraged that equality is instilled in the company as:; • 30% of IT Systems staff do not identify as male; • Over 20% of IT Systems are members of the LGBTQ+ community; • IT Systems workplaces are recognised as being DDA compliant; • IT Systems staff come from a variety of socio-economic backgrounds; • Over 40% of IT Systems staff have either undertaken or are currently undertaking an apprenticeship route to qualification

Pricing

• Price: £1.75 to £1.75 a gigabyte
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tcoad@itsystems.uk.net. Tell them what format you need. It will help if you say what assistive technology you use.