Microsoft Azure Hosting

Service scope

Service constraints: NA
System requirements: NA

User support

Email or online ticketing support: Email or online ticketing
Support response times: Our standard response time is four working hours Monday-Friday 8 - 6pm.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: No
Support levels: We provide Tier-1 CSP Support for our customers, providing a single point of contact into Microsoft where we can leverage Microsoft Premier Support services.

This is for the services transacted through the CSP procurement model only.
Support available to third parties: No

Onboarding and offboarding

Getting started: We provide an Azure enablement and adoption program as part of the onboarding services.

This consists of onboarding the Azure tenant into the CSP relationship, providing the Azure subscription for the customer to then procure, management and maintain the services procured under this model.
Service documentation: Yes
Documentation formats: PDF
End-of-contract data extraction: There is no data extraction required. The customer will have an option to continue with the subscription through re-contracting or move the subscription to an alternative supplier.
End-of-contract process: The customer has an option to re-contract, move their procurement to another supplier or access to the Azure subscription will be placed on hold.

Using the service

Web browser interface: Yes
Using the web interface: Microsoft provide a management interface to access Microsoft Azure.
Web interface accessibility standard: WCAG 2.1 AAA
Web interface accessibility testing: NA
API: No
Command line interface: No

Scaling

Scaling available: Yes
Scaling type: Automatic

Manual
Independence of resources: This is down to the customer to manage
Usage notifications: No

Analytics

Infrastructure or application metrics: No

Resellers

Supplier type: Reseller providing extra support
Organisation whose services are being resold: Microsoft

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom

European Economic Area (EEA)

Other locations
User control over data storage and processing locations: Yes
Datacentre security standards: Managed by a third party
Penetration testing frequency: Never
Protecting data at rest: Physical access control, complying with CSA CCM v3.0

Physical access control, complying with SSAE-16 / ISAE 3402

Physical access control, complying with another standard

Encryption of all physical media

Scale, obfuscating techniques, or data storage sharding
Data sanitisation process: No
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery: No

Data-in-transit protection

Data protection between buyer and supplier networks: Private network or public sector network

TLS (version 1.2 or above)

IPsec or TLS VPN gateway
Data protection within supplier network: TLS (version 1.2 or above)

IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: All Azure SLAs can be found here: https://azure.microsoft.com/en-gb/support/legal/sla/
Approach to resilience: Everything is built on top of the resilient foundation, which is a requirement for any
application to achieve resiliency. To achieve resilience—the application on top has to
take advantage of the resilient services built on the foundation.
The three pillars of the Azure resilient foundation are:
• Design: How Microsoft designs its global fiber network, evolving datacenters, and
storage protections built into the Azure platform.
• Operate: How Microsoft rolls out releases into the environment, performs
maintenance (planned and unplanned), and uses machine learning to predict
failures and protect customer workloads.
• Observe: How customers can observe what’s happening in their environment(s),
inform people and systems to make informed decisions before/during issues,
and determine their own availability requirements.
Outage reporting: Public dashboards, APIs and email alerts

Identity and authentication

User authentication: 2-factor authentication

Identity federation with existing provider (for example Google apps)

Dedicated link (for example VPN)

Username or password
Access restrictions in management interfaces and support channels: Administrative and management networks are physically separate from other staff networks, within our secure NOC. Technical Staff access is strictly controlled.
Access restriction testing frequency: At least every 6 months
Management access authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Identity federation with existing provider (for example Google Apps)

Dedicated link (for example VPN)

Username or password
Devices users manage the service through: Dedicated device on a segregated network (providers own provision)

Dedicated device on a government network (for example PSN)

Dedicated device over multiple services or networks

Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: No audit information available
How long system logs are stored for: User-defined

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: DNV Business Assurance UK Limited
ISO/IEC 27001 accreditation date: 01 December 2023
What the ISO/IEC 27001 doesn’t cover: This certificate is valid for the following scope:

Provision of IT and Telecommunications Services (AV and Video Conferencing, Business Mobile, Cloud Telephony, Contact Centre, Cyber Security, Data Centre Services, Data services, IT, Software Development, Mobile Data) in accordance with the Statement of Applicability, version 1.0, plus Code of Practice ISO 27017:2015 on information security controls for cloud services and Code of Practice ISO 27018:2019 for protection of personally identifiable information (PII) in public clouds.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: Yes
Other security certifications: Yes
Any other security certifications: NHS Data Security and Protection Toolkit. ODS Code: 8J121

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001

Other
Other security governance standards: Cyber Essentials Plus, ISO27001
Information security policies and processes: The Chief Executive Officer, along with the board, in partnership with the Head of IT is responsible for the approval of all of the IT policies and ensuring that they are discharged to the relevant managers. Arrow's Information Security Policy outlines our approach to information security as well as being a method to establish a set of tools to outline the responsibilities necessary to safeguard the security of the Company’s information systems with supporting policies, codes of practice, procedures and guidelines. The policy applies to all employees - current and new - of the Company as well as all other authorised users. The policy relates to the use of all Company-owned information system assets, to all privately owned systems when connected directly or indirectly to the Company’s network and to all Company-owned and or licensed software/data. Authorised members of the IT Department will from time to time monitor the information systems under their control to ensure compliance. This is supported by training during the Induction process for new employees and updates to existing staff as appropriate.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: This is a service managed by Microsoft or the customer.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Microsoft have a security operations team who manage vulnerability management services. The customer is then responsible for updating anything within their hosting environment.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Arrow's Data Protection Policy details the extensive controls, measures and methods used to protect personal data, uphold the rights of data subjects, mitigate risks, minimise breaches and comply with the data protection laws and associated laws and codes of conduct. We also carry out regular audits and compliance monitoring processes, to ensure that the measures and controls in place are adequate, effective and compliant at all times. All data breaches are reported immediately to the direct line manager and the reporting officer. Measures must be taken immediately to contain the breach and to stop any further risks or breaches.
Incident management type: Supplier-defined controls
Incident management approach: Arrow’s Data Breach Policy states that all staff must report a data breach immediately to the direct line manager.

The Supervisory Authority is to be notified within 72 hours of any breach where it is likely to result in a risk to the rights and freedoms of individuals.

A full investigation is conducted and recorded on the incident form, the outcome of which is communicated to all staff involved in the breach, in addition to upper management. A copy of the completed incident form is filed for audit and record purposes.

Secure development

Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
Who implements virtualisation: Third-party
Third-party virtualisation provider: Microsoft Azure
How shared infrastructure is kept separate: Microsoft maintain a completely isolated user environment for all companies sharing underlying hardware services.

Energy efficiency

Energy-efficient datacentres: Yes
Description of energy efficient datacentres: Microsoft Azure, a global cloud platform of services, successfully demonstrated its compliance with the EU Cloud Code of Conduct (CoC) through a rigorous, detailed assessment. This accomplishment is the latest example of Microsoft’s commitment to meet and exceed data protection requirements in the EU.

Social Value

Wellbeing

To help us drive wellbeing and engagement throughout Arrow, we have dedicated Wellness Champions at each of our key sites – these are voluntary roles and act as a central point of contact for advice and guidance around the mental health and wellbeing of our people. They also help to drive the promotion and organisation of various corporate social responsibility initiatives across Arrow further driving engagement. A dedicated Teams channel is used to communicate, share, and promote these activities. Each Champion has completed Mental Health First Aider training so that they are equipped with the necessary skills to fulfil this role. These courses run through MHFA England have also been attended by other members of the wider team. The engagement of our people is paramount at Arrow, and we track this closely, currently sitting at 89% this places us in the upper quartile of all benchmarked organisations. In addition to our 2 main annual surveys, we also track the wellbeing and resilience of our people as well as our eNPS score monthly to ensure we keep a close temperature check on how they are feeling. Our current eNPS score is 52% which places us in the top 25% of organisations in our industry.

Pricing

Price: £900 a unit a day
Discount for educational organisations: No
Free trial available: No

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Backup and recovery

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Separation between users

Energy efficiency

Pricing

Service documents

Cookies on Digital Marketplace

Microsoft Azure Hosting

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Backup and recovery

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Separation between users

Energy efficiency

Social Value

Pricing

Service documents