MASS Consultants Ltd

Secure ICT Managed Services

With FSC, we support project/programme collaboration, data driven decision making and application hosting with secure fixed and/or deployable solutions at Official, Secret, Above Secret and Top-Secret including caveats such as Sensitive, NNPPI and ITAR. Enabling interoperability with GOV(RLI/SLI/PSN) and adhering to Secure-by-Design, Cloud Security Principles and ITIL best practice.

Features

• Secure by Design Networking
• Agnostic solutions
• Tailored reports
• Automated asset management processes
• Secure content and threat management
• Log management
• Licence management
• Authentication, identity and access management
• IT asset management
• Quality assurance and performance testing

Benefits

• Provide tool-agnostic backup solutions
• IT Service Management tooling to aid support monitoring
• Implement Service Level Management plans
• Collaborative approach to service delivery
• Early client engagement
• Provide unified, flexible, and scalable solutions
• Implement Continual Service Improvement (CSI) initiatives
• Ensure robust support channels

£0 a unit

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at frameworks@mass.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

722390247076193

Contact

Frameworks
01480 222600
frameworks@mass.co.uk

Service scope

• Service constraints: Our ICT Managed Services are not vendor specific, therefore there are no service constraints.
• System requirements: No service requirements / dependent on the contract

User support

• Email or online ticketing support: Yes, at extra cost
• Support response times: This is dependent on buyer's and contract requirements. We ensure adherence to any pre-agreed Service Level Agreements (SLAs) to respond to requests based on the priority and nature of the requests.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: MASS provides a service desk with 1st, 2nd and 3rd line support for IT services, with additional specialist support for infrastructure, other technologies, and cloud services. Depending upon the support package requested, we provided such services at different levels of cost.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: MASS has extensive experience providing onsite training, instructor-led online training, and user documentation to ensure users are able to access and make best use of our services. We can provide a bespoke mixture of the above to suit individual needs.
• Service documentation: Yes
• Documentation formats:
  • PDF
  • Other
• Other documentation formats:
  • Microsoft Office (including Word, PowerPoint)
  • Other formats - dependent on buyer's requirements
• End-of-contract data extraction: MASS often works within our clients' infrastructure where users do not have to extract data when the contract ends. If we have set up such environments, we will ensure a suitable handover process at the end of the contract, this would be outlined within an Exit Management Plan.
• End-of-contract process: At the end of the contract, we will discuss with the buyer whether they would like to extend or end the contract. If the buyer would prefer to end the contract, then we will establish an exit agreement where we will agree elements such as: returning devices and passes, removing access to data, disposal of material. If the buyer would like to extend the contract, we will discuss and agree a new contract. ; ; Within our price we have included a day rate for MASS personnel. Anything that is required in addition to this will be discussed on a case-by-case basis dependent on the requirement of the contract.

Using the service

• Web browser interface: Yes
• Using the web interface: MASS' web interface is used to provide support services to users. Users can access the MASS service portal to request support, raising tickets for incidents and change, as well as Continual Service Improvement (CSI). They can also view open tickets, providing clients with visibility and continued communication with the support team.
• Web interface accessibility standard: None or don’t know
• How the web interface is accessible: Our web interface follows Microsoft 365 accessibility guidelines, such as providing alt text and screen readers. If a specific requirement is requested by a buyer, we can assess that need and may be able to adapt. We aim to follow the WCAG guidelines set and will always aim to achieve the AA/AAA standard.
• Web interface accessibility testing: MASS has not completed interface testing with users of assistive technology. However, this can be completed if it suits the buyer's requirements.
• API: No
• Command line interface: No

Scaling

• Scaling available: No
• Independence of resources: MASS' system is designed to perform for a significant amount of concurrent buyers. Each contract is assigned it's own Project Manager, and they will manage the resource(s), risk(s), deliverable(s), and dependencies, ensuring that each individual buyer is not affected by the demand from other users. Each buyer will have a POC to escalate any issues. As part of our service management approach, we conduct regular capacity testing to ensure that our service does not slow or become hindered via increased usage. We can also manage separate networks for buyers, if required, to make it separate from other users.
• Usage notifications: Yes
• Usage reporting:
  • Email
  • Other
• Other usage reporting: MASS will notify users if they are near their service limits through emails, Microsoft Teams notifications/messages and through our interface portal. This process is customised for every customer to ensure communication is efficient as possible.; ; During our Project/Service review meetings, we will discuss with the customer their usage and future predicted levels of demand. This will enable us to manage capacity as required to ensure there is no reduction in service levels.

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
• Reporting types: Regular reports

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: Never
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
• Equipment disposal approach: In-house destruction process

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Files
  • VMs
  • Databases
  • Configurations
  • All system files
• Backup controls: MASS will create a backup schedule that is then reviewed and agreed with the buyer, which will be controlled by MASS throughout the duration of the contract.
• Datacentre setup: Multiple datacentres
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: MASS utilises enforced TLS 1.2 or higher where possible protocols for data in transit. Our Information Security policies, processes and instructions are followed by all MASS staff, in support of our adherence to our ISO 27001 standard and Cyber Essentials Plus certification. It ensures that all information is used appropriately, data integrity is perpetuated, and systems, information and technologies have the appropriate number of controls and correspond to the context of the organisation. We also apply our Data Protection Policy, which conforms to the Data Protection Act 2018. We will follow any specific security requirements required for the contract.
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: Our Information Security policies, processes and instructions are followed by all MASS staff, in support of our adherence to our ISO 27001 standard and Cyber Essentials Plus certification. It ensures that all information is used appropriately, data integrity is perpetuated, and systems, information and technologies have the appropriate number of controls and correspond to the context of the organisation. We also apply our Data Protection Policy, which conforms to the Data Protection Act 2018. We make use of intelligence monitoring systems such as DarkTrace.

Availability and resilience

• Guaranteed availability: To ensure a full understanding of their requirements, based on their current infrastructure, MASS will engage in early discussions with the buyer prior to Contract Award. SLAs, including those related to availability, will be dependent on the client's requirements and the budget available.; Where required we will also utilise Service Credits to provide customers with reassurance that their service(s) will be available and users can be reimbursed in the unlikely event we’re unable to meet an agreed level of service.
• Approach to resilience: MASS implements a ‘secure by design’ approach to ensure that systems eliminate single points of failure, wherever possible, across servers, firewalls, internet connectivity, routing and file storage (not definitive). Further information is available upon request.
• Outage reporting: MASS utilises email alerts to inform clients of any planned outages as soon as a scheduled date is confirmed, and according to any agreed upon notice requirements. Once acknowledged and accepted by the client, we display notice of the upcoming outage on our service desk tool (dashboard), accessible to all users. The outage email details several details about the planned outage, including (but not limited to) the locations affected, the service(s) affected, the start and end times, the date of the outage, and the estimated downtime.; ; For unplanned outages, MASS adheres to protocol, agreed upon with individual clients, to notify all users of the outage and when service has been restored.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: MASS personnel operate multiple networks within our business domains, ensuring separation and safeguarding of physical and electronic data and restricting access to only those who require it. In addition, our facilities are secured with PAC access control systems to restrict and audit the movement of employees.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
• Devices users manage the service through:
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Standards Institute (BSi)
• ISO/IEC 27001 accreditation date: March 2024
• What the ISO/IEC 27001 doesn’t cover: No exceptions listed
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • IASME Cyber Assurance Level 1
  • ISO 27001:2022 Full Scope SoA
  • IASME Cyber Assure Gold
  • Joint Services Publication 440
  • Gov S007 and a variety of other international standards.

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
• Other security governance standards: ISO 27001:2022 Full Scope SoA,; IASME Cyber Essentials Plus,; IASME Cyber Assure Gold,; Joint Services Publication 440,; Gov S007 and a variety of other international standards.
• Information security policies and processes: The MASS Information Security Management System has been developed in accordance with the HMG Security Policy Framework, MOD JSP440, HMG IS1 & IS2, MOD DCPP CSM, ISO 27001/2:2013, GDPR, PECR, Cyber Essentials (PLUS) Scheme, CIS Top 20 Critical Security Controls, NIST SP800-171 (i.a.w.SP800-53), ISO31000 (Risk), NCSC Guidance, NIS Framework, Cloud Security Alliance Cloud Controls Matrix (CSA CCM v 3.0.1), and PCIDSS 3.2 (s9.5). Statement of Applicability v3. Our Security organisation is led by our Chief Information Officer and supported by our Company Security Controller, both of whom form part of a Security Working Group. We ensure policies are followed through annual compulsory training for all employees, auditing, and unannounced spot checks.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Changes are submitted and managed in accordance with the ITIL process, regardless of their origin (Client / Service Delivery Organisation / Supplier). They are allocated a category; standard change (pre-approved low risk, low impact), normal change (non-urgent changes that pose an intermediary risk) and emergency change (high risk, high impact). For normal and emergency changes, we follow a robust change management and approval process. A decision is made based upon a change's implementation and urgency. The Change Manager ensures all changes required are authorised, monitored, and implemented in a controlled manner.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: We use Tenable.io vulnerability management software to continually scan systems and identify necessary patches, and their severity. ; ; We categorise patches into critical and non-critical, based on risk, and establish schedules for the deployment of patches in accordance with the operational requirements of our clients’ systems. We can implement critical patches within 24 hours.; ; We provide patch management for the MOD, on highly classified systems, maintaining stability and 99.9% uptime. We can provide an early sight of vulnerabilities, ensuring reduced instances of zero-day, emergency patches, updates, fixes, mitigating security risks.; ; All patches are classified in line with ITIL Change Management.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Compromises are identified through regular daily checks of the systems, information from colleagues, and audits. ; ; In the event of a Security Incident, the details will be reported immediately to the MASS Company Security Controller using the our Security SharePoint Site page and/or by phone without undue delay. MASS comply with our legal obligations to report any data breaches within the correct timescales. MASS will inform all affected buyers at the earliest opportunity.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Users report incidents through the service desk. Following any incident or problem, we produce a ‘Root Cause Analysis Report’ with: • A description of incidents or service failures. • Analysis undertaken to identify the root causes, together with our findings. • The benefits, risks and costs of possible resolutions to prevent the incident or service failure reoccurring and the impact if they reoccurred. • A recommendation on which resolution(s) should be implemented. We bring reports to weekly meetings and, subject to buyer approval, implement recommendations under change management procedures. Successful implementation results in a Problem Resolution Report for future reference.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: Hyper-V
• How shared infrastructure is kept separate: VLANs are in use to segregate areas of the network from each other, with the central router provided or restricting access between VLANs as required. Data on VLANs is then restricted to servers or users via ACLs.; Separate physical servers can be implemented if required, or deemed necessary, to provide an additional layer of segregation.

Energy efficiency

• Energy-efficient datacentres: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  MASS is dedicated to fighting climate change and ensuring that we reduce our carbon footprint. We have implemented a Carbon Reduction Plan, in accordance with PPN 06/21, that is reviewed annually to ensure that we are meeting our targets and continually improving. We are committed to achieving Net Zero emissions by 2050. ; ; MASS has introduced a variety of policies to reduce our carbon footprint and fight climate change, including:; • Introducing an electric car leasing scheme for employees; • Implementing car charging stations at MASS-owned sites which use green energy; • Ensured all MASS owned sites use green energy to power the building; • Continuing our roll out of electric pool cars; • Provided technology to enable employees to work from home; • Encouraged video calls rather than travelling to meetings; • Planted 357 trees to offset our carbon emissions, making us a carbon-neutral organisation; • Introduced hybrid working so the majority of employees have the option to work from home two days a week; • Created a social value group to drive forward social value initiatives; • Switching all office lighting to low-energy LEDs; • Installing PIR sensors in every room for automatic switch-off.; ; MASS aligns to the standards set by ISO 50001 and strive for all our sites to either be compliant or working towards being compliant. Where we are not currently ISO 50001 compliant, we undertake Energy Savings Opportunity Scheme (ESOS) assessments to understand what opportunities we have to operate more efficiently. These standards provide a holistic approach to resource efficiency and waste reduction.

  Covid-19 recovery

  The Covid-19 pandemic allowed MASS to implement business continuity processes to ensure we have the ability to deal with changing circumstances, including embracing the benefits of remote and flexible working. This has resulted in a hybrid home-working culture to support our staff and environmental goals post-pandemic.

  Tackling economic inequality

  MASS is committed to tackling economic inequality by developing an inclusive, diverse culture, welcoming people from all backgrounds and encouraging them to be their best selves and contribute their unique insights, helping us to drive innovation, enhance employee engagement and accelerate our performance.; To ensure MASS understand the effects of economic inequality and tackle it appropriately within the business we have implemented processes, including:; • Becoming a part of the deprived areas UK Levelling Up agenda, a mission to challenge and change unfairness of opportunity; • Offering apprenticeships, graduate programmes and Science, Technology and Mathematics (STEM) outreach programmes.; • Ensuring personal development plans are in place for all new and existing personnel; • Ensuring MASS’ pay approach is representative of external market value, through an annual market value assessment; • Committing to providing a fair, equitable and competitive reward package aligned to the external market; • Helping to raise awareness within the business of the role that everyone can play into creating an inclusive environment through training and engagement; • Providing inclusive recruitment training and workshops; • Encouraging regular communication with employees through and listening forums run by managers and the People team.

  Equal opportunity

  MASS are dedicated to ensuring equal opportunities within the workplace, MASS has implemented policies and processes to ensure that this remains at the forefront of our business, including:; • As part of the induction process all staff must:; o commit to our company policies (including our Equality & Diversity and Environmental Policy); o Undertake training on Equal Opportunities; o Be provided points of contact within MASS; o Be shown repositories of information to ensure that there is always a set of guidance available to ensure staff are aware of their responsibilities.; • Guidelines accessible to the People team writing job vacancies to ensure they are advertised to all backgrounds and educational and professional levels; • Regular company wide communications to raise awareness of updated policies, training and related practices; • All managers are provided with guidance on managing behaviours and performance; • Reward employees that demonstrate positive behaviours through our Applause Awards (nominated by colleagues; • All employees included within the training, policies and recognition schemes; • Members of the Bloomberg Gender Equality Index to measure and benchmark our performance; • Partnered with other defence and security organisation to achieve change through initiatives including the Woman in Defence charter and WeAreTechWomen; • Work with charities including SSAFA (include definition) to understand barriers to employment; • Employees are encouraged to develop and enhance their skills and maintain certifications including, LinkedIn Learning courses (recognised technical courses and personal development courses); • MASS’ Apprenticeship Programme encourages individuals from deprived backgrounds to access employment and provides opportunities for formal qualifications up to degree level, along with a structured training programme; • MASS are signatories for the Armed Forces Covenant and Tech Talent Charter; • MASS are part of the 5% Club.

  Wellbeing

  MASS take the mental and physical wellbeing of our employees seriously. To ensure that this remains a priority we have implemented a Mental Health and Wellbeing Programme that incorporates:; • A corporate policy committing the company to advancing health, safety and wellbeing; • Comprehensive risk assessments and safe systems of work, including high-demand environments; • Training and guidance; • Employee engagement, particularly regarding workloads and levels of work-related stress; • Monitoring, measuring and reporting up to Executive level; • Learning lessons to continuously improve.; ; We use a range of sources to identify health and wellbeing issues our staff may face. These are:; • Partnering with a professional HR provider, Croner, who provide health and wellbeing advice; • Feedback from staff through Line Managers’ 1:1 check ins, appraisals, staff engagement surveys, and open employee forums.; • Partnering with an Employee Assistance Programme provider, Care First, to understand the range of issues our staff may face and provide webinars to support staff; • Employee Safety Programme; • Mental Health First Aiders; • Anonymous staff suggestions.; ; To support health and wellbeing we: ; • Provide private medical insurance, including a mental health and wellbeing mobile application ; • Raise awareness of mental health throughout the year using team briefings and bulletins ; • Maintain a dedicated mental wellbeing page on our intranet ; • Participate in Mental Health Awareness Month ; • Maintain a regular Employee Forum, at which staff can raise concerns or suggestions for improvement ; • Employ a Health and Safety Manager (qualified to IOSH) with responsibility for wellbeing

Pricing

• Price: £0 a unit
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at frameworks@mass.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.