Q-Solution Ltd

Secure Platform as a Service

An AWS secured platform, connected to PSN Protected, accredited to OFFICIAL SENSITIVE. Allows the buyer to focus on application build, leaving infrastructure security and connectivity to us.

Platform includes all necessary System Monitoring, Protective Monitoring (GPG13), AV, IDS, IPS, Alerting, Remote Access, Vulnerability Assessment, Threat Detection and Behavioural Monitoring

Features

• PSN Protected connection accredited to hold up to OFFICIAL-SENSITIVE data
• Protective Monitoring and real time alerting
• Dynamic alerting via Slack, email, SMS and .GOV notify
• Anti Malware for data in transit
• Open API enabling customers to consume data in house
• Dedicated Support team
• Built to scale on 100% serverless architecture
• Certified against Cyber Essentials Plus
• Data held entirely within UK Sovereign Data Centres
• Design against NCSC Cloud Security Principles and Architecture Patterns

Benefits

• Accelerates Digital Transformation Programmes
• Reduced Capital Expenditure
• Leverage the benefits of an integrated Continuous Integration (CI) pipeline
• Connection to PSN Protected at the outset enabling early integration
• Reduced maintenance overhead
• User security inherently built into the platform
• Integrate Management information (MI) into your own in house systems
• No requirement to build complex and time-consuming Protective Monitoring services

£1,500 a unit a month

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at kevin.hoskins@q-solution.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

675316780397095

Contact

Kevin Hoskins
07966 306058
kevin.hoskins@q-solution.co.uk

Service scope

• Service constraints: The following are the current limitations of the service. We do however encourage customers to review these pages and the dashboard for changes made to the service as we aim to continually improve the capacity, availability and overall service provision.; ; The platform is currently only accessible on the PSN Protected network and indirect networks. e.g PSN in Policing as managed through the GCN by Vodafone; ; AWS Connect PSN Protected bandwidth over VPLS port limited to 100Mbps
• System requirements: To be completed

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We provide 4 hour response times to tickets Monday to Friday
• User can manage status and priority of support tickets: No
• Phone support: No
• Web chat support: No
• Onsite support: No
• Support levels: Support hours for the service desk is between 8am and 6pm, Monday to Friday excluding UK Public Holidays. Protective Monitoring and System Monitoring however operates 24/7/365 and will generate alerts throughout this period in the event of any priority incidents occurring. Agreement on how these incidents outside of core hours are resolved will be agreed during the on-boarding process
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Detailed onboarding documentation will be provided to the buyer at service commencement
• Service documentation: No
• End-of-contract data extraction: This will be detailed in the On Boarding and Off boarding process documents provided to the customer and will align to the latest Data Protection Standards
• End-of-contract process: Details of any additional costs will be provided in the Off Boarding procedures. However, as a PasS service, there would typically not be expected any additional costs for Off Boarding

Using the service

• Web browser interface: No
• API: No
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type: Manual
• Independence of resources: Our OFFICIAL SENSITIVE Platform as a Service (PaaS) is a multi-tenanted service. Resources are not consumed dynamically throughout a customers contract but, instead, consumed and fixed at the point of service commencement. Our solution is fully scalable and, coupled with a monitored capacity plan, we ensure that the service has the necessary resource capacity to cater for additional customers as they are on boarded onto the service
• Usage notifications: Yes
• Usage reporting: Email

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
• Other metrics:
  • AWS Cloudwatch
  • AWS Config
  • AWS Guard Duty
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: We have a detailed Access Control Policy as well as Malware and Encryption policy, subjected to annual security review that details our approach to securing customers data at rest. These can be provided to the customer upon request
• Data sanitisation process: No
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up: Grouping of Virtual Machines - vAPPs
• Backup controls: Virtual machine backups are automated, the default is a rolling 14 day window.; ; Other backups are available upon request
• Datacentre setup:
  • Single datacentre with multiple copies
  • Single datacentre
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Service level for availability is 99.95%
• Approach to resilience: Available on request
• Outage reporting: Planned outages are reported through formal Change Requests raised with the customer at least 2 weeks prior to the implementation. Change Management procedures are available upon request Any unplanned outages are alerted via email initially and tracked through our ticketing system

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Only support staff with SC clearance have access. Access is restricted to individuals accredited machines. Support staff required password and MFA. Account activity is protectively monitored and alerted. Staff have a single master account for logging in and 'Assume Role' into other accounts enable fine grain authentication and access on a 'needs to know' basis.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
• Devices users manage the service through:
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 17/04/2024
• What the ISO/IEC 27001 doesn’t cover: Please refer to the formal BSI Certificate of Registration and our Statement of Applicability available on request
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • Annual Check Approved ITHC
  • PSN Protected Code Of Connection

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Cyber Essentials,; Cyber Essentials Plus,; Ministry Of Justice Accreditation,; PSN connection compliance certificate,; PSN service provision compliance certificate.
• Information security policies and processes: Q-Solution have a defined set of Security Policies that form part of our Risk Management Accreditation Document Set (RMADS). Together with our monthly security working group, we ensure that appropriate operational security measures are in place to maintain our ongoing government accreditation and support our overall company Information Security Management System (ISMS) conforming to ISO27001:2013. Specific details of our Security practices are not made public here but are available upon request from the buyer along with details of our Cyber Essentials Plus certification. We employ highly skilled security architects and accreditors to ensure our security policies are relevant to our services and maintained in line with industry and government standards

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Q-Solution have a defined set of Operational Security Policies that form part of our Risk Assessment. Together with our security working group, we ensure that appropriate operational security measures are in place to maintain our ongoing government accreditation and support our overall company Information Security Management System (ISMS) conforming to ISO27001:2022. Specific details of our Operational Security practices including our Change Management Processes are not made public here but are available upon request from the buyer along with details of our Cyber Essentials Plus certification.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: We have a separately documented vulnerability management process that can be shared with customers upon request covering areas such as Monitoring, Threat Detection, Security Alerting, Compliance, Audit Logging, SIEM, Patch Management and anti malware
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: We have a separately documented Protective Monitoring process that can be shared with customers upon request covering areas such as Monitoring, Threat Detection, Security Alerting, Compliance, Audit Logging and SIEM
• Incident management type: Supplier-defined controls
• Incident management approach: We have a comprehensive documented approach to both Incident and Problem Management. This information, in the form of PDF can be provided to customers on request

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Third-party
• Third-party virtualisation provider: UKCloud
• How shared infrastructure is kept separate: Assured by independent testing of implementation

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: This service is provided using UKCloud IaaS

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  The infrastructure supporting this service uses a serverless architecture in public cloud with autoscaling. Compute resources such as processor, memory and storage are minimised by automatically scaling down at times of low usage. Hosting the solution in public cloud results in efficiencies as infrastructure is shared across all of the cloud providers customers in that region.; ; This approach leads to a reduction in power usage and cooling requirements compared with a traditional infrastructure using either physical machines at a data centre, or virtual machines at a cloud provider.; ; The service also benefits from the progressive environmental sustainability program of the public cloud provider hosting the service, resulting in a positive impact on climate change.

Pricing

• Price: £1,500 a unit a month
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at kevin.hoskins@q-solution.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.