NHS Greater Manchester Integrated Care

Private and Public Cloud Hosting & Consultancy

GMSS provides a flexible low-cost alternative to owning/operating a data centre. Offering secure, scalable, high-performance public/private cloud hosting for severs, applications and data storage. Hosting is quickly mobilised, UK-based and scalable (up/down). Solutions can be tailor-made. We are ISO27001 accredited and a Microsoft Gold Partner.

Features

• Server Hosting, including backup, monitoring and DR
• Hybird Cloud Approach
• Single, private and multi-tenant cloud solutions
• Secure highly resilient infrastructure
• Customised service providing remote monitoring and systems management
• Production and DR environments with 24x7x365 monitoring
• 24/7/365 IT Service Desk Support with engineering teams on call

Benefits

• Microsoft Gold Partner with qualified staff
• Flexible capacity with secure UK Data Centres
• Secure highly resilient infrastructure means more uptime for your business
• Reliable, tailored service
• Scaleable architecture
• Prince 2 qualified project managers
• All Staff resident and vetted in the UK
• ITIL processes
• Backed with years of NHS experience

£252 to £737 a unit a day

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ann.halpin@nhs.net. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

815588316558788

Contact

Ann Halpin
07967184535
ann.halpin@nhs.net

Service scope

• Service constraints: Monthly routine and emergency maintenance windows.
• System requirements: Internet connected devices.

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We respond to queries within 15 minutes in core UK working hours and, through a 24/7 call back facility, within 30 minutes outside of core UK working hours.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: IT Service Desk agents are available by chat. They can provide first line support and log issues onto other GMSS IT Teams for further diagnosis and resolution.
• Web chat accessibility testing: We continually develop and test our customer portal to add new functionality to ensure it is functioning as designed and updating with new content.
• Onsite support: Onsite support
• Support levels: Our dedicated team of IT Service Delivery Managers (SDMs) are key points of contact for new customers and service requirements. They are also escalation points for important issues. Each customer is assigned a named IT Service Delivery Manager. Our IT Service Desk offers a highly technical and customer focused Single Point of Contact (SPoC). Faults, queries and requests can be logged by telephone and online through the GMSS Service Portal. GMSS services align to ITIL industry best practice and we have 4-star certification from the Service Desk Institute (SDI) for our excellent customer service and robust processes. This demonstrates that the GMSS has Business-Led IT Service Desk. We are a member of the Institute for Customer Services (ICS), and comply with GP IT Futures Framework. Our IT Service Desk prioritises incidents following an Incident Prioritisation criteria. Our systems generate alerts to other Teams and Service Management leads when a high priority status is assigned so that they receive prompt attention. Standard IT Service Desk hours are 7:30am to 6:00pm Monday to Friday, excluding Bank Holidays. Calls made to the Service Desk outside of these core business hours are escalated to on-call support for urgent system wide issues.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: GMSS provides qualified and dedicated staff to help our clients begin to use our service. A dedicated team will be available to engage regularly during the onboarding process. Customers will be given their credentials and instructions to enable them to use our support service.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: The client data can be extracted and supplied to the client in a format that is agreeable to both parties.
• End-of-contract process: If the customer does not wish to renew their subscription with GMSS they will need to provide contractual notice so that we can plan and provide support for the data extraction/migration of the specific subscription. The client will continue to pay for services to the point of the account termination. The client retains ownership of their data and will be deleted from our system 30 days after account termination. Any additional hardware / software / resource costs to enable the off-boarding will be the responsibility of the client.

Using the service

• Web browser interface: Yes
• Using the web interface: Service Now portal to raise/manage tickets related to the customers SLA
• Web interface accessibility standard: WCAG 2.1 AA or EN 301 549
• Web interface accessibility testing: Testing is done in a development environment prior to updating to new releases/upgrades.
• API: No
• Command line interface: Yes
• Command line interface compatibility: Other
• Using the command line interface: CLI is used by GMSS to manage infrastructure systems, this would not generally be available to customers however read-only access can be provided to some systems for troubleshooting.

Scaling

• Scaling available: Yes
• Scaling type: Manual
• Independence of resources: Multi-tenant environment with data/resource partitioning, auto-scaling and monitoring.
• Usage notifications: Yes
• Usage reporting:
  • Email
  • Other

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • Memory
  • Network
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Staff screening not performed
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
• Other data at rest protection approach: We utilise full drive and blade encryption as standard (Bit locker) and SQL DTE Encryption
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Virtual Machines
  • VMware
  • Hyper-V
  • MSSQL
  • Files
  • Windows
• Backup controls: Customers can choose backup schedules and retention periods based on business requirements. Alternatively the GMSS will backup systems and data to a regular schedule.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection within supplier network: GMSS operate a private MPLS network, managed by Virgin Media (IP VPN). This infrastructure can have multiple different VRFs to segregate customers and traffic as required.

Availability and resilience

• Guaranteed availability: Our availability KPI is 99.9%. The GMSS IT Service Desk will prioritise incidents following its Incident Prioritisation criteria. Our systems generate alerts to other IT teams and Service Management leads when a high priority (P1 or P2) status is assigned so that they receive prompt attention.
• Approach to resilience: The GMSS has a on-prem Data Centre, Microsoft Azure and Amazon Web Services clouds and a geographically separate Backup, Archiving and Disaster Recovery facility. More data is available upon request. We have a team of trained and qualified engineers to ensure we are able to maintain staffing levels for all customers and manage holiday/sickness along with demand. We also operate an on call rota.
• Outage reporting: GMSS send communications regarding planned, unplanned and national outages/issues via email to customers from the IT Service Desk. We will also publish notification on the GMSS Service Portal and telephony system for high impacting issues.; ; The GMSS also publishes reporting information on the Service Portal. Closure reports are published for any major incidents and problem records.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Separate management accounts for vetted and cleared staff only - more info available upon request
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
• Devices users manage the service through:
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

• Access to user activity audit information: Users receive audit information on a regular basis
• How long user audit data is stored for: Between 6 months and 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 6 months and 12 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BMTrada
• ISO/IEC 27001 accreditation date: 12/06/2020
• What the ISO/IEC 27001 doesn’t cover: All GMSS IT services are within scope of our ISO27001 certification. The physical locations of our customers offices are out of scope, although work performed at these locations by GMSS IT teams is within scope.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications: Data Security and Protection Toolkit (DSPT)

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Data Security and Protection Toolkit (DSPT) and Cyber Essentials Plus
• Information security policies and processes: The GMSS IT service has all the relevant Information and IT Security policies in place in compliance with its ISO 27001 certification. These includes Network Security, Business Continuity, Risk Management and other policies/procedures. Policies are enforced and checked using the relevant logs and technological systems where possible (including firewall logs, server logs, pen testing, CCTV etc.). The GMS IT Security Manager reports to the Head of IT, who is a Senior Management Team member reporting to the Managing Director

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: The GMSS has an IT Change Control Policy and ITIL change management processes in place. We operates weekly Technical Review Group (to review any technical requirements) and Change Advisory Board (to approve any changes prior to implementation) meetings. Any new service requirements are assessed by the GMSS IT Security Team and must meet the GMSS IT Code of Connection. All changes are risk assessed and a member of the GMSS IT Security team attends the Change Advisory Board to authorise changes from a security perspective.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: The GMSS utilises the NHS Digital CareCert monitoring and alerting service, and has Advanced Threat Protection on its managed assets. We also have our own log aggregation tool, monitoring and alerting systems in place managed by the GMSS IT Security Team. The GMSS has a monthly patching policy in place for servers and devices. Patches are tested and deployed within one week of release. Any critical / urgent patches receive immediate attention and are tested/deployed outside of the monthly patching schedules as required.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We manage and monitor the end point security of supplied devices via a central management console, and also collate and monitor system audit log information via our SIEM log aggregation tool. Any potential compromises are logged as a high priority category 2 incident, and are investigated and managed by our IT Security Team. Our systems generate alerts to other Teams and Service Management leads when a high priority status is assigned so that they receive prompt attention. Priority 2 issues have a target resolution time of 8 service hours.
• Incident management type: Supplier-defined controls
• Incident management approach: GMSS run incident management according to ITIL best practice. All incidents are reported to our 24/7/365 IT service desk via the GMSS Service Portal or telephone and are prioritised and managed in line with our incident management policy/processes. Customers initially receive an automated e-mail with the incident number and details, and can view any updates on the record as investigations and the resolution progresses. Closure reports are published for any Major Incidents and Problem records. Incident reports are available via our Service Delivery Managers and can be discussed in service review meetings.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: VMware
• How shared infrastructure is kept separate: We utilise VMware Firewalls and NSX for Micro Segmentation. Various firewalls are used depending on the cloud environment.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: We follow the guidelines and recommendations set out in the European Energy Efficiency Platform (E3P). We also have a footprint in Microsoft Azure and Amazon Web Services.

Social Value

• Equal opportunity:

  Equal opportunity

  The GMSS pays due regard to the requirements of the Public Sector Equality Duty (PSED) of the Equality Act 2010 in policy development and implementation. As a NHS organisation, we are committed to ensuring our activities do not unlawfully discriminate on the grounds of any of the protected characteristics defined by the Equality Act, which are age, disability, gender re-assignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex and sexual orientation. We are committed to ensuring that our activities also consider the disadvantages that some people in our diverse population experience when accessing health services. Such disadvantaged groups include people experiencing economic and social deprivation, carers, refugees and asylum seekers, people who are homeless, workers in stigmatised occupations, people who are geographically isolated, gypsies, Roma, and travellers. As employers, we are committed to promoting equality of opportunity in recruitment, training, and career progression and to valuing and increasing diversity within our workforce. To help ensure that these commitments are embedded in our day-to-day working practices.
• Wellbeing:

  Wellbeing

  One of GMSS organisational values is Everyone Counts, and Health and Wellbeing of staff is a priority for the organisation. The ‘Everyone Counts’ section of our intranet provides staff with information about health and wellbeing activities that are taking place across the organisation, national campaigns, local events and general health and wellbeing hints and tips. GMSS has an employee assistance programme and Mental Health First Aiders trained to listen and be a point of contact for anyone who may be experiencing a mental health issue or emotional distress. As part of the NHS, our staff also have access to Our NHS People that offers a range of support to suit different needs and help manage health and wellbeing including a confidential staff support line, free apps that offer psychological support, self-guided mental health support bereavement and loss support, and Common Rooms to meet other professionals in a safe and guided space. Time taken to participate in health and wellbeing activities in encouraged to be incorporated as part of the normal working day.

Pricing

• Price: £252 to £737 a unit a day
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Initial consultation free of charge and potential Proof Of Concepts (POCs).

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ann.halpin@nhs.net. Tell them what format you need. It will help if you say what assistive technology you use.