Communication-STEM Ltd

1Cloud Infrastructure as a Service Platform

1Cloud is a flexible, scalable Infrastructure as a Service (IaaS) platform, built into the core of our network across geographically diverse Tier 3 UK data centres.

Features

• No additional data ingress and egress charges
• Builtin resilience and contingency from Tier 3 data centre
• Pay-as-you-go or fixed resource pricing
• Platform resides within the core of our network

Benefits

• Connect privately and securely for free when using our connectivity
• Vmware hypervisor

£0.10 a virtual machine an hour

Service documents

• Pricing document

  ODT

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at andrea.le.velle@c-stem.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

668525206485197

Contact

Andrea le Velle
0345 241 0000
andrea.le.velle@c-stem.co.uk

Service scope

• Service constraints: No
• System requirements: Supported web browser for management console

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Standard support response time in one hour Monday to Friday 09:00 to 17:00 excluding English and Welsh bank holidays. Support can be extended to 24x7 if required.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: C-STEM provide standard UK working hours support but for an additional cost, this can be extended to 24x7 support. A TAM can be allocated at an additional cost.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: C-STEM will create a project team who will walk new customers through the on boarding process including discovery of current systems and the creation of a migration plan. As part of this, on-site or remote training will be provided to the users of the service to help them take over the day to day operations of the platform. C-STEM is also able to continue post-project to support the on-going operations. Generic documentation is also available along with bespoke documentation if required.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Virtual machines can be backed up and migrated to other platforms before the end of the contract. Once the contract is finished, if the virtual machines are not paid for they will be shut down and removed.
• End-of-contract process: If the contract is not renewed, the virtual machines will be shut down at the end of the contract and the customer's data securely deleted.

Using the service

• Web browser interface: Yes
• Using the web interface: The web interface provides day to day control over the platform with access to the most popular features. In exceptional circumstances, if required by the customer the service can also be customised beyond what is available in the web interface to meet customer demands. Most customers find that the web interface provides them with everything they need.
• Web interface accessibility standard: None or don’t know
• How the web interface is accessible: The web interface uses standard HTML however it has not been tested with users of assistive technology. Accessing virtual machine consoles is likely to be difficult for users of assistive technology.
• Web interface accessibility testing: No testing has been performed.
• API: No
• Command line interface: No

Scaling

• Scaling available: No
• Independence of resources: We follow VMWare's maximum contention ratios for resources. These are 4:1 for CPUs and 1:1.2 for memory and 1:1.5 for HDD storage.
• Usage notifications: No

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • Memory
  • Number of active instances
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: PCX

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Backup to the cloud or on-site
  • Backup all machines, included hosted and on site
  • Backs up Windows, Linux, MacOS, vSphere, Hyper-V and Virtuozzo
  • Backs up Android, iOS, Office 365, G Suite and Exchange
  • Backs up MSSQL, Oracle, Sharepoint, AD and SAP
• Backup controls: Web interface allows for full control of the product.
• Datacentre setup: Multiple datacentres
• Scheduling backups: Users schedule backups through a web interface
• Backup recovery: Users can recover backups themselves, for example through a web interface

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: The service has a standard availability of 99.95%. The management console has an availability of 99.9%. Service credits can be claimed as discounts on the monthly charge. Note that for calculation purposes, a month is 43800 minutes long.
• Approach to resilience: We use enterprise grade hardware located in ISO27001 accredited datacentres connected into the core of PCX's UK carrier network. More detailed information is available on request.
• Outage reporting: Service outages can be reported by email if required by the customer.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: There is a data hierarchy for the management of the orchestration and an additional tier for vCentre management. PlatformX retains direct management of vCentre although all virtual machines are identified by only machine-readable names and only modifiable via the orchestration layer. vCentre access is limited to senior Cloud Architects and the overall Head of Architecture.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
• Devices users manage the service through: Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: You control when users can access audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: URS
• ISO/IEC 27001 accreditation date: 28/04/2022
• What the ISO/IEC 27001 doesn’t cover: All business activities are covered.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • BS7799
  • ISO 22301:2019

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: There is a Master Security Policy (MSP) which the whole organisation must adhere to, this contains information relating to physical, people, organisational and technological security. This is reviewed annually and approved by our Security Committee and Security Leadership team. ; ; Under this MSP are a number of Security Standards and Frameworks which provide further detail and guidance on how to comply with the measures in the MSP. ; ; Our MSP and security standards are available to all employees for reference via our Security intranet page. The MSP is also referenced in annual security training for employees as well as regular awareness communications.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Our approach for general review of point releases in any system and customer solution is to take our current version of the vendors software and look ahead, stepping through the subsequent releases and check the release notes for fixes, features and existing issues and decide on the next; increment to move to. In some cases, we will opt to wait, in others we identify a candidate and test it against our use cases.; In addition to this, where appropriate, we conduct half-yearly reviews to look at the latest release and assess a suitable candidate.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Any suspected or actual vulnerabilities should be reported to C-STEM's service desk who will add the details into our Security Incident Register or escalate to PCX as a appropriate. PCX will also subscribe to vendor notifications and perform internal testing to ensure that any vulnerabilities are discovered as soon as possible. Critical vulnerabilities are reviewed daily and patched within 7 days. Important updates are reviewed weekly and applied in 14 days. Moderate updates are reviewed weekly and applied within 21 days but only if relevant. Low updates are reviewed monthly and only applied if they resolve an issue.
• Protective monitoring type: Undisclosed
• Protective monitoring approach: Potential compromises can be reported by customers, partners, staff or any other individual or organisation that becomes aware of a compromise. The response time varies depending on the severity and potential impact of the compromise but is within the legal limits set by UK legislation. The DPO, Ofcom or any other interested party that is legally required to be informed by UK law will be informed.
• Incident management type: Undisclosed
• Incident management approach: Users report incidents to C-STEM's service desk. They have pre-defined plans that they will follow to resolve the incident with the assistance of our partners. Incident reports are available post incident on request.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Third-party
• Third-party virtualisation provider: PCX
• How shared infrastructure is kept separate: The solution consists of an Orchestration layer sitting on top of VMWare vCentre. The Orchestration layer is there to simplify the operation of the vCentre services and to capture data to allow for things like billing and reporting. It also leads towards consideration of the underlying vCentre security as the main method for data partitioning.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: Our datacentre has a Power Usage Effectiveness (PUE) of less than 1.2, making it some of the most efficient data centres in UK. We also hold ISO 50001:2011 (Energy Management) certification and ISO 14001:2004 (Environmental Management) to demonstrate our commitment to the environment and energy usage reduction.

Social Value

• Social Value:

  Social Value

  Equal opportunity

  Equal opportunity

  Our employees are our most valuable resource and are a key factor in the delivery of services to our clients. We recognise that it is the calibre of the people that make up our teams that differentiates us from our competitors. As such, we work hard to recruit, develop and retain the best talent in the industry. As part of their personal development, each of our employees is given a clear route for progression, including technical and professional training. Further to this, it is crucial that all employees maintain a high level of safety and technical expertise, therefore regular training and advice is made available. We provide our employees with training to ensure they are aware of the company's legal obligations, policies and internal procedures relating to the provision of Equality and Diversity. This understanding of their obligations allows them to interact with their colleagues fairly and equally in all areas of their employment. Annual appraisals are conducted with all employees, allowing quality one-to-one time with their manager to discuss their performance, establish new objectives and determine the employee's individual training and development needs that are required to assist in achieving their goals.

Pricing

• Price: £0.10 a virtual machine an hour
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  ODT

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at andrea.le.velle@c-stem.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.