Hexegic

Interoperability Assurance Platform (IAP)

The Assurance Platform as a Service (PaaS) enables clients to undertake application (including but not limited to NATO FAS apps) interoperability assurance activities within a secure and scalable virtualised representative environment.

Features

• Templated 'spiral' builds
• Scalable nodes
• Accreditable infrastructure
• Secure remote access
• International and national interoperability
• NATO FAS and C2 application knowledge
• Enable joint, inter-agency and multi-national collaboration
• Support to FLCs, exercises and experimentation

Benefits

• Derisk FAS and C2 application deployment
• Bring Your Own Application (BYOA)
• Ability to interconnect with national partners
• Rapid fielding of baselines to meet Urgent Operational Requirements
• Agile support to exercises including non-traditional partners
• Cost and time savings
• Known configuration and applications baseline
• Managed security wrapper

£1,235.00 a virtual machine a month

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at contact@hexegic.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

869933177245551

Contact

Rob Sommerville
0870 7622111
contact@hexegic.com

Service scope

• Service constraints: Platform operates at OFFICIAL unless otherwise requested.; Platform operates to 99.9% availability.
• System requirements:
  • Bring Your Own Applications (BYOA)
  • VPN connectivity required from Endpoint

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Average mean response time less than 15 minute, Monday to Friday.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Onsite support
• Support levels: Level 1 - Telephone Support ; Level 2 - Deskside Support (subject to contract); Level 3 - Application Support
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Online training to assist with the activation of the PaaS.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Bulk secure export arranged as a part of the off-boarding processes.
• End-of-contract process: Secure off-boarding is conducted including sanitisation against IS5 Baseline (Enhanced available at additional cost).

Using the service

• Web browser interface: Yes
• Using the web interface: Access to the Assurance environment through RDP TS, VDI and, or Hypervisor Web Interface.
• Web interface accessibility standard: WCAG 2.1 A
• Web interface accessibility testing: Results available on request.
• API: No
• Command line interface: No

Scaling

• Scaling available: No
• Independence of resources: Technical implementation of resource scheduling.
• Usage notifications: Yes
• Usage reporting: Email

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • Memory
  • Network
  • Number of active instances
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Virtual Machines
  • Files
  • Databases
• Backup controls: Backups agreed in contract scoping.
• Datacentre setup: Multiple datacentres
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks: IPsec or TLS VPN gateway
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: 99.9% availability. Service credits available.
• Approach to resilience: Equipment and software set up for high Availability (HA).
• Outage reporting: Email alerts.

Identity and authentication

• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: Out of band management.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
• Devices users manage the service through: Dedicated device on a segregated network (providers own provision)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 19/04/2024
• What the ISO/IEC 27001 doesn’t cover: Nil
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • JOSCAR Accreditation
  • NCSC Certified Consultancy
  • Chartered Cyber Security Professional
  • IASME Cyber Advisor (Cyber Essentials)

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: ISO27001 accredited ISMS with Board Level management. ISO9001 accredited to ensure continuous improvement.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Change Management in accordance with ISO27001 ISMS.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Vulnerability Management in accordance with ISO27001 ISMS.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Protective Monitoring in accordance with ISO27001 ISMS.
• Incident management type: Supplier-defined controls
• Incident management approach: Incident Management in accordance with ISO27001 ISMS.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: VMware
• How shared infrastructure is kept separate: Service provider using dedicated hardware per tenant.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: Environmental Management Plan.

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  (1) Statement of Need. Effective stewardship of the environment.; (2) Method Statement. Hexegic will expand its current published Carbon Reduction Plan and commitment towards Net Zero, by investing in an initiative to enhance the natural environment through increasing local biodiversity by encouraging the number of pollinators in the area with the introduction of new beehives. Whilst native trees and plants that sustain pollinators through spring, summer and autumn, will be planted in the vicinity. New hives and locations will be added, as well as extending education and training to local community groups. ; (3) Model Award Criteria. The policy outcome follows MAC 4.1 - Deliver additional environmental benefits in the performance of the contract including working towards net zero greenhouse gas emissions.; (4) Project Plan:; (a) Timed Action Plan:; i. +3 months – Attend training and join a local beekeeping branch. ; ii. +6 months – Secure permission to locate new beehive(s). ; iii. + 1 year – Establish new beehive(s) with supporting inspection regime. ; (b) Metrics:; i. Number of beehives established.; ii. Number of training/inspection days attended per annum.; iii. Number of native trees planted to support pollinators.; (c) Tools/Processes:; i. SmartCarbon Carbon Reporting Platform. ; ii. GHG Reporting Protocol Corporate Standard.; (d) Reporting:; i. Annual Carbon Reduction Plan.; (e) Feedback & Improvement:; i. The initiative will follow Hexegic’s ISO9001 accredited QMS.; ii. Lessons identified/lessons learnt will be captured.; (f) Transparency:; i. Published on corporate website in accordance with PPN 06/21.; ii. The procuring Authority on request.; (g) Influence:; i. Published on the corporate website.

  Covid-19 recovery

  (1) Statement of Need: Helping local communities to manage and recover from; the impacts of COVID 19, tackling economic inequality, and driving the workforce including creating new businesses, jobs and skills as well as increasing supply chain resilience.; (2) Method Statement: Hexegic will offer gratis Cyber Risk Assessments to SME members of the Silverstone Technology Cluster (STC) to assist organisations strengthen their cyber resilience. The one-day assessments are aimed at raising their awareness and understanding of cyber threats and vulnerabilities, as well as provide Action Plans (where necessary) to strengthen security controls, whilst enabling new working practices.; (3) Model Award Criteria: The policy outcome follows MAC 1.3 - Support for organisations and businesses to manage and recover from the impacts of COVID-19, including where new ways of working are needed to deliver services.; (4) Project Plan: The impact will be delivered by the following initiatives:; (a) Timed Action Plan:; i. +3 months - Engage the STC leadership team.; ii. +6 months - Promotion of offer to STC membership.; iii. + 1 year - Commitment to complete at least three gratis assessments.; (b) Metrics:; i. Number of assessments completed per annum.; ii. Number of days efforts consumed per annum.; (c) Tools/Processes:; i. STC newsletters and events will be the forum for engaging members.; ii. Consultancy Lifecycle will be used to standardise the process.; iii. Engagement will follow Hexegic’s ISO9001 accredited QMS.; (d) Reporting:; i. To be included in NCSC ACSC Annual Management Reporting.; (e) Feedback & Improvement:; i. The engagement will follow Hexegic’s ISO9001 accredited QMS.; ii. Lessons identified/lessons learnt will be captured as part of the standing QMS.; (f) Transparency:; i. Silverstone Technology Cluster.; ii. National Cyber Security Centre.; (g) Influence:; i. Co-design of promotional material and collateral with STC.

  Tackling economic inequality

  (1) Statement of Need. Tackling Economic Inequality through employment opportunities.; (2) Method Statement. Hexegic will invest in a talent strategy to identify and respond to the skills shortages in the high growth sector of cyber security. A talent lead will be identified to coordinate professional development investment amongst the workforce, to develop the key skills in demand by the contract and sector. The strategy will also seek to promote awareness of careers and recruitment opportunities in this sector, amongst Service leavers and veterans of the Armed Forces. ; (3) Model Award Criteria. The policy outcome follows MAC 2.2 - Create employment and training opportunities particularly for those who face barriers to employment and/or who are located in deprived areas, and for people in industries with known skills shortages or in high growth sectors.; (4) Project Plan:; (a) Timed Action Plan:; i. +3 months - Appoint a full-time talent lead for professional development.; ii. +6 months - Complete a professional development plan to address skills shortage.; iii. + 1 year - Commitment to spend £5,000 per employee per year on training.; (b) Metrics:; i. Number of training days attended per annum.; ii. Number of professional qualifications gained per annum.; iii. Number of Service leavers/veterans offered employment opportunities.; (c) Tools/Processes:; i. Record professional development attended and skills attained.; ii. SFIA Rate Card to assess professional mobility of staff.; iii. Training review will follow Hexegic’s ISO9001 accredited QMS.; (d) Reporting:; i. Monthly professional development updates in the company newsletter.; ii. Annual professional development reporting.; (e) Feedback & Improvement:; i. The initiative will follow Hexegic’s ISO9001 accredited QMS.; ii. Lessons identified/lessons learnt will be captured as part of the standing QMS.; (f) Transparency:; i. Hexegic leadership team and employees.; ii. The procuring Authority on request.; (g) Influence:; i. Assigned as a leadership team priority.

  Equal opportunity

  (1) Statement of Need: Promoting diversity within the cyber security sector.; (2) Method Statement: Hexegic will appoint a talent lead with a mandate and funding to promote diversity and equal opportunities within the cyber sector. Each employee will have access to a professional development fund as well as access to the senior leadership team to assist team members upskill into cyber security roles. Disadvantaged groups will be a particular focus for support and mobility.; (3) Model Award Criteria: The policy outcome follows MAC 6.2 - Support in-work progression to help people, including those from disadvantaged or minority groups.; (4) Project Plan: The impact will be delivered by the following initiatives:; (a) Timed Action Plans: ; i. +3 months - Appoint a talent lead for professional development.; ii. +6 months - Complete a company-wide professional development plan.; iii. + 1 year - Commitment to spend £5,000 per employee per year on training.; (b) Metrics:; i. Number of courses attended per annum.; ii. Number of training days attended per annum.; iii. Number of professional qualifications gained per annum.; (c) Tools/Processes:; i. Record of professional development attended, and skills attained.; ii. Training review will follow Hexegic’s ISO9001 accredited QMS.; (d) Reporting:; i. Monthly professional development updates in the company newsletter.; ii. Annual professional development reporting.; (e) Feedback & Improvement:; i. The initiative will follow Hexegic’s ISO9001 accredited QMS.; ii. Feedback on the conduct of the training will be systematically collected and analysed.; iii. Lessons identified/lessons learnt will be captured as part of the standing QMS.; (f) Transparency:; i. Reporting to Hexegic leadership team and employees.; ii. Reporting to external certification bodies.; (g) Influence:; i. Assigned as a leadership team priority.

  Wellbeing

  (1) Statement of Need: Supporting health and wellbeing in the workforce.; (2) Method Statement: Hexegic will invest in a wellbeing initiative that seeks to cater for both physical and mental health through the provision of gym membership, private healthcare, and access to mental health services (including mindfulness resources). The company will train workplace Mental Health First Aiders within key teams. Hexegic will also plan and conduct experiential learning opportunities, outside of the workplace, to foster personal growth, social interaction between teams, and overall good health. ; (3) Model Award Criteria: The policy outcome follows MAC 7.1 - Demonstrate action to support health and wellbeing, including physical and mental health, in the contract workforce.; (4) Project Plan:; (a) Timed Action Plan:; i. +3 months - Identify and train a minimum of two Mental Health First Aiders.; ii. +6 months - Implement a calendar of experiential education opportunities. ; iii. + 1 year - Reaffirm the eligibility criteria for private healthcare enrolment. ; (b) Metrics:; i. Number of Mental Health First Aiders trained.; ii. Number of attendees at each event. ; iii. Number of enrolments to the wellbeing initiative. ; (c) Tools/Processes:; i. Record professional development attended and skills attained.; ii. Annual Employee Opinion Survey to track sentiment.; iii. The initiative will follow Hexegic’s ISO9001 accredited QMS.; (d) Reporting:; i. Monthly professional development updates in the company newsletter.; ii. Annual professional development reporting.; (e) Feedback & Improvement:; i. The initiative will follow Hexegic’s ISO9001 accredited QMS.; ii. Lessons identified/lessons learnt will be captured as part of the standing QMS.; (f) Transparency:; i. Hexegic leadership team and employees.; ii. The procuring Authority on request.; (g) Influence:; i. Assigned as a leadership team priority.

Pricing

• Price: £1,235.00 a virtual machine a month
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at contact@hexegic.com. Tell them what format you need. It will help if you say what assistive technology you use.