Specialist Computer Centres plc

SCC Public Sector Cloud

Public Sector Cloud, by Specialist Computer Centres (SCC), Infrastructure as a Service (IaaS) keeps data secure to NCSC security standards (including OFFICIAL and OFFICIAL Sensitive). PSN and Cyber Essentials Plus (CE +) Certified. PSN / GCF Connectivity. The first to be Pan-Government Accredited multi-tenanted Infrastructure as a Service(IaaS) cloud solution.

Features

• Multiple secure network connections and services (inc PSN & GCF)
• Secure Compute - Infrastructure-as-a-Service (IaaS) and Storage
• Secure network interconnect capability to HSCN, PNN, CJX and RLI
• Dedicated physical machines available
• Optional PSN; DNS Resolver and Secure Internet Gateway (SIG)
• ISO 27001, ISO 9001, ISO 14001, ISO 20000 quality standards
• Delivered by UK based Security Cleared (SC) staff
• Replacement OFFICIAL GCF services
• Self-service management and provisioning portal

Benefits

• PSN OFFICIAL certified, Network, Compute and Storage Platform
• Pay as you go compute model (IaaS) providing flexible environments
• Pre-sized machine offerings with incremental, customised sizing options available
• Multiple Operating Systems supported (Windows Server and RedHat Enterprise)
• GPG 13 Compliant (DETER) platform
• Connect available via the Internet, PSN Government Networks or more
• Single site and disaster recovery options available
• Built upon industry standard components and services
• Cyber Essentials Plus (CE +) security accreditation
• Access to SCC's Vision portal for reporting

£0.12 a virtual machine an hour

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at frameworksales@scc.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

621716134868328

Contact

Warren Strain
01217667000
frameworksales@scc.com

Service scope

• Service constraints: Maximum standard number of vCPU's 32; Maximum standard RAM of 1TB; Maintenance window between the hours of 23:00 and 06:00; Platform support included; MACs via SCC service request process
• System requirements:
  • Connect via an approved network connection
  • Meet the requirements of the associated Code of Connections

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Priority Response 1 - 15 mins, Priority Response 2 - 60 mins, Priority Response 3 - 4 Hrs Priority Response 4 - 24 Hrs Support is available up to 24x7x365
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: No
• Support levels: We have a modular range of support and managed services available, from base Cloud Platform support through to a fully managed service including OS, backup, DR and application support. Our managed services include a technical account manager, access to our Vision reporting portal and regular customer engagement to drive continuous improvement within your Cloud services.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: All new customer opportunities are run as a project, as part of this there is a discovery and transition phase which help identify the customer requirements and bring them into the service. Transition, Project and Service Delivery Managers are also assigned to assist customer into the service.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: The virtual machine file, together with the configuration files shall be supplied to the Customer using either encrypted media as appropriate. SCC will then destroy all live and backup copies of the virtual machine file and data within our control in line with NCSC guidelines and provide written.
• End-of-contract process: SCC will work with the Customer to create an exit plan and strategy within 3 months of the start of service. This is included in the price of the contract. The exit plan will define what happens at the end of the contract.

Using the service

• Web browser interface: Yes
• Using the web interface: The Self Service portal enables users to request new items such as virtual machines, applications and networks. Users can also fully manage their assets from the portal, including power cycle functions, adding and removing resources, re-provisioning and decommissioning, with role based access determining which functions a user has access to.
• Web interface accessibility standard: None or don’t know
• How the web interface is accessible: Web interface is accessible via an SSL VPN over an approved secure network connections and devices. This includes the PSN and Internet.
• Web interface accessibility testing: None
• API: No
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type: Manual
• Independence of resources: QoS policies in place to ensure secure segregation is in place. All customers and their users must agree to the Acceptable Usage Policy.
• Usage notifications: Yes
• Usage reporting: Email

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • Memory
  • Network
• Reporting types:
  • Real-time dashboards
  • Regular reports

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest: Physical access control, complying with another standard
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • VM-level backup&restore with agent based individual file restore capabilities
  • Per GB per month with application aware backups available
  • Examples include Exchange, SQL, SharePoint, ActiveDirectory
• Backup controls: Either via the self-service portal, or via change control and SCC service desk
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Users schedule backups through a web interface
• Backup recovery:
  • Users can recover backups themselves, for example through a web interface
  • Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection between networks: Separate management platform for accessing Customers. Management platform utilising firewalling and proxy layers to access Customers. Proxy layer contains different jump boxes to access different management domains, which present different access methods to and from Customers. Customer tenancy severs require backend private VLAN interfaces for SCC Public Sector Cloud Management access and logging.
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: IPS, Use of secure protocols TLS,SSH for services where possible, Private VLAN's to isolate Customer environments

Availability and resilience

• Guaranteed availability: Offering a 99.99% single site availability SLA for all VM components - compute, storage and network.
• Approach to resilience: SCC’s Public Sector Cloud platform is housed within Tier 3+ data centres delivering resiliency at all levels of the infrastructure, providing a stable, reliable infrastructure platform. To offer additional levels of availability SCC provide the option for disaster recovery, utilising SCC’s secondary Data Centre as a standby facility.
• Outage reporting: Monitoring with SCC toolsets and alerting through our ITSM platform and major incident management process where required.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Number of different methods that a user can access the estate including Government network (PSN-A and PSN-P), a PSN Assured 2-factor authentication Remote Access Service, and a PSN Assured site-to-site VPN Service.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password
• Devices users manage the service through:
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 6 months and 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 6 months and 12 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: LRQA
• ISO/IEC 27001 accreditation date: 06/07/2023
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Barclaycard Data Security Manager
• PCI DSS accreditation date: 27/06/2023
• What the PCI DSS doesn’t cover: N/A
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • ISO 22301 - Business Continuity
  • CAS (S) - Sanitisation of classified material

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: All our security policies are aligned to and certified to ISO 27001:2013. All policies are reviewed annually for relevance and accuracy and to ensure the policies are up to date with technology and current legislation and signed off by the SIRO.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: The configuration and change management process is documented and described in the SCC Public Sector Cloud Change Management Process document. The various types of changes are defined and detailed, the risks and impacts defined, roles and responsibilities are defined and the CAB process is detailed.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: SCC's vulnerability scanning and penetration testing policy documents the process and how vulnerabilities are proactively detected and remediated in a timely fashion. SCC performs monthly vulnerabilities across the Public Sector Cloud platform covering approximately 20% of the platform each month, ensuring the whole platform is covered twice within a 12 month period.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Protective monitoring is carried out in accordance with GPG 13 to level B (Deter)
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: All our incident management processes are aligned to and certified to ISO 27001:2013 as defined in HMG Cloud Security Guidance: Standards and Definitions

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: VMware
• How shared infrastructure is kept separate: The service is built upon industry standard components and services ensuring segregation of customers. The entire platform inclusive of hardware, software and network is PSN accredited for a multi-tenanted environment and we are an accredited PSN Service Provider (PSNSP).

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: Our data centre's are managed in accordance with our ISO 14001 accreditation and therefore part of our Environmental and Sustainability process and procedures.

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Sustainability is central to SCC’s operations and embedded into our business. Our defined carbon reduction targets are externally reported in our Carbon Reduction plan via the Carbon Disclosure Project.

  Covid-19 recovery

  SCC’s products, services and solutions can help facilitate and implement new ways of working for our customers. Through our propositions, additional health, wellbeing and agile working benefits can be achieved.

  Tackling economic inequality

  SCC provides employment and training opportunities, are members of the Disability Confident Scheme and supporters of the Armed Forces Covenant. Working with our supply chain we promote collaboration and diversity.

  Equal opportunity

  SCC is an inclusive employer with various initiatives to support, engage and develop our employees. We promote supply chain diversity and have mechanisms in place to manage modern slavery risks.

  Wellbeing

  SCC has a range of health and wellbeing activities available for our employees to access. Our volunteering programme and charity partnerships help facilitate and deliver a range of community benefits.

Pricing

• Price: £0.12 a virtual machine an hour
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at frameworksales@scc.com. Tell them what format you need. It will help if you say what assistive technology you use.