GP STRATEGIES LIMITED

GP Strategies Managed Hosting including Moodle

To ensure we provide the highest security and quality of service, we partner with Amazon web services (AWS), a leader in cloud-based hosting. We host a wide range of applications including Moodle, Mahara, Django and Laravel. GP's team can also provide support and maintenance services.

Features

• Maintenance: installation of updates and patches, data backups
• Support: dedicated service desk

Benefits

• Secure: complies with ISO 27001, 27017 and 27018
• Easy setup: team of dedicated hosting engineers
• 24/7 uptime, with minimum of 99.5% availability per calendar year
• Team of specialists with Defence experience

£5,000 a unit a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at lxbidteam@gpstrategies.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

994247289176025

Contact

Sean Nugent
020 8694 7120
lxbidteam@gpstrategies.com

Service scope

• Service constraints: The managed hosting service will require that any learning web applications or integrations and their underlying dependencies are updated to the latest secure version and that a security maintenance model is appropriately defined.
• System requirements: None

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Our target initial response time for all support queries is 4 business hours, and our target fix time for all support queries is 5 business days. User can manage status and priority of support tickets
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: We provide support on our managed hosting service via email and phone through the GP support desk. This is included in our hosting pricing and is provided Monday to Friday UK time, between 9.00 a.m. and 5.30 p.m. excluding Bank Holidays and the week between Christmas and New Year. Our dedicated support team will be your main point of contact, and they will escalate to, and liaise with, development and hosting teams as appropriate.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Within the GP Consulting & Professional Services offering, GP would tailor any Onboarding/offboarding requirements specifically to the clients needs. This often include documentation, support and/or training.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: We would provide a full site copy for data to be extracted.
• End-of-contract process: At the end of the contract we would provide a copy of the site to the client.

Using the service

• Web browser interface: No
• API: No
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type:
  • Automatic
  • Manual
• Independence of resources: The hosting team receive alerts in periods of demand and will monitor and adjust the service as required.
• Usage notifications: Yes
• Usage reporting:
  • Email
  • Other
• Other usage reporting: Via phone call

Analytics

• Infrastructure or application metrics: Yes
• Metrics types: Other
• Other metrics:
  • Performance
  • Support tickets
  • Availability
• Reporting types: Regular reports

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: AWS, Rackspace

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: Less than once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with another standard
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Virtual machines
  • Databases
  • Files
• Backup controls: Our standard backups are carried out nightly and are retained for 14 days. Should a different arrangement be required, we can investigate this (additional costs may be incurred).
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: The Hosting Services under this agreement will provide 24/7 uptime, with a minimum of 99.5% availability per calendar year (excluding reasonable and scheduled maintenance periods). Uptime is defined as the Website being accessible and fully usable from a site that is physically different to the one that hosts the Website. If the Website is unavailable beyond this 0.5 percent period by the cause or fault of GP (or its suppliers) then, by means of the Client’s sole remedy, GP shall provide a service credit of four (4) hours free Hosting Services at the end of the term of this agreement for each subsequent 30 minutes that the Website is not accessible. The maximum service credit in respect of any single 24-hour period of non-availability is 48 hours of free Hosting Services at the end of the term of this agreement. The maximum service credit arising under this contract shall not exceed 12 weeks. A standard server design will not cater for large User Surges. GP has designed the Client’s specific server configurations such that User Surges should not have an impact on user experience, but any foreseeable Website User Surges should be communicated to GP in advance.
• Approach to resilience: Our hosted platforms have a 99.5% availability target as a standard part of our service level agreement.
• Outage reporting: Outages are reported via email alerts.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Limited access network (for example PSN)
  • Username or password
  • Other
• Other user authentication: Whitelisted self-registration - e.g. using a specific email domain, such as @gpstrategies.com
• Access restrictions in management interfaces and support channels: This will depend on the setup of the site being hosted - Moodle has an extensive and extendable roles and permission system including providing access to specific reports to specific individuals or roles.
• Access restriction testing frequency: Less than once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
• Devices users manage the service through: Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications: Hosting provided by AWS (subprocessor), who are ISO 27001 certified

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: Cyber Essentials
• Information security policies and processes: Our Information Security policy is the responsibility of the IT management team and is carefully monitored on an ongoing basis to ensure compliance with regulations (e.g. GDPR and the Data Protection Act). Key points from the policy and procedures include: • Staff must undertake mandatory training annually to ensure they are aware of potential security threats and concerns and are able to support the security policy in the course of their work • Any member of staff suspecting an incident involving GP's IT/IS Security must immediately report their concerns to the Systems Manager who will assess any immediate action required to protect both GP/Client data and reputations, and inform the Head of Information Security •In order to identify potential Information Security breaches, GP reserves the right to monitor all external and internal communications and access to the GP network, intranet and the internet, where the property of GP is used in the communication or is accessed remotely from outside GP • All systems have security products installed to protect against unauthorised entry • All systems are protected by passwords, especially those permitting updates to data • All servers use encryption technology

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Changes to systems within the development lifecycle are controlled by: * Ensuring changes are submitted by authorised users. * Ensuring authorised users accept changes prior to implementation; * History of all events is maintained and old versions retained for reference purposes. Most systems are also configured using Puppet, and Continuous Deployment services (Jenkins) which provide a standard way of delivering and operating software, no matter where it runs. This automated solution provides visibility and reporting when we need to make decisions and prove compliance.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Most systems are configured for Automatic Security Updates and patch deployment. GP periodically carries out a vulnerability assessment of our corporate offices as part of the Cyber Essential PLUS certification process. We use an automated patch management system. Patching is done 3 times per week. This includes operating system and application support. We are subscribed to a number of infrastructure and platforms related security forums so that we are aware of vulnerabilities as they are found.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Depending upon need, we can set up web application firewalls and enhanced protective monitoring tools to block potential attacks to a site. We also regularly apply released security patches to keep the platform up to date against known vulnerabilities. In the event of a compromise our estimated maximum time to restore is 1 day.
• Incident management type: Supplier-defined controls
• Incident management approach: We have monitoring tools that pick up whether a site is likely to become or has become unavailable. We then investigate this after we receive an alert. Users can also report incidents by phone, ticketing system, or email depending upon the support services supplied. Communications are sent via our support service desk to the confirmed client contact(s), including incident reports to an agreed SLA.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Third-party
• Third-party virtualisation provider: AWS
• How shared infrastructure is kept separate: When deploying applications to public cloud infrastructure, a VPC (virtual private cloud) network is created into which the web serving infrastructure is launched onto their respective public and private subnets. The VPC provides overall segregation between organisations' infrastructure with the public and private networks providing tiers within the network.

Energy efficiency

• Energy-efficient datacentres: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  GP Strategies is committed to fighting climate change and reducing the direct environmental impacts of our operations. We follow best environmental practices, reducing our carbon footprint, and supporting our clients' efforts to minimise their impact on the environment.; ; We incorporate sustainable thinking into our business and working to deliver solutions that reduce environmental impact for both GP Strategies and our clients. Taking a responsible approach to the environment is one of our core values and we aspire to achieve this by controlling and minimizing our environmental impacts, driving continuous improvement, and evaluating new opportunities for environmental stewardship that improve our environmental performance. Our Environmental Management Program guides our strategies and actions to reduce greenhouse gas emissions, which include these five priorities:; ; 1. Reducing our physical office footprint through reductions in square footage of office space by promoting more virtual work environments, where feasible; 2. Leveraging renewable energy, where feasible; 3. Minimizing GHG emissions related to business travel; 4. Reducing consumption and promoting recycling of electronic equipment; 5. Reducing consumption and promoting recycling of consumables, including paper; ; To help our clients reduce their carbon footprint we delivery effective learning experiences using a mix of modalities. Our approach includes digital content and virtual instructor-led training, which helps reduce Scope 3 emissions. When in-person training is necessary, we prioritise local resources and regional trainer pools to minimise travel.; ; To ensure transparency, we publish our objectives and targets on CDP and EcoVadis. We periodically evaluate the progress of our environmental performance goals to ensure our environmental management program is on target.

  Covid-19 recovery

  For one global client, the corporate standard virtual meeting environment quickly proved to be grossly inadequate for virtual learning sessions. Audio and video reliability and quality were poor, and the tool lacked common features that enable virtual learning sessions to succeed. Through GP’s enterprise license agreement with a well-known and highly capable virtual learning platform, we quickly (in four business days) arranged 12 licenses for our client’s use. We also provided virtual session administration and delivery process flows and procedures to ensure all aspects of the sessions, from scheduling to closeout, were professionally handled.; ; For another global client, GP was engaged to support the design, development, and in-person delivery of their “New Horizon” content globally (a strategy that outlines how the client will focus on their people, their customers, and their shareholders.) With the onset of COVID-19, a drastic change in approach was required. Everything regarding the rollout had to be reimagined. The GP team had to quickly pivot and create an engaging solution that could be delivered virtually by our client’s leaders and supported by GP staff. ; ; GP can help organisations stabilize in times of disruption. We can help you navigate any disruption and can offer support in many ways, including:; ; • Emergency preparedness - includes support through strategic planning, response, training, and staff augmentation.; • Change support and enablement strategies to help you adapt to new ways of working together.; • Learning continuity strategies to ensure learning continues and your employees remain up to date.; • Learning and collaboration tools and technologies.; • Converting face-to-face training into virtual experiences.; • Instructor training to help your instructors become effective virtual facilitators.; • Virtual design thinking and collaborative sessions to give you the thought leadership you need to succeed.; • Access to virtual moderators and facilitators.

  Tackling economic inequality

  GP, as part of LTG, has always supported internships and apprenticeships. We have people in senior roles who came to work with us through these schemes. We have adopted the new apprenticeship scheme and have already used it to hire an IT apprentice for one of our London offices.; ; We always choose interns who are local to the area and with specific interests that we can nurture and they can contribute. For example, we recently had an intern in our Sheffield office for the summer shadowing our Quality, Health & Safety and Environmental Manager. She had an interest in Wellness and we have captured her feedback in relation to integrating aspects of her contribution into one of our Health and Safety policies.; ; In 2021 we took the first steps towards establishing a graduate scheme that aims to recruit a diverse group of future leaders with an apprenticeships programme in the UK, to enable us to reach less fortunate socio-economic groups.

  Equal opportunity

  GP Strategies is committed to creating a culture that embraces and celebrates people’s differences. We believe that organisations should embrace their workforces as they are, and we continually review how we ourselves can best promote and advance a culture in which all our staff feel comfortable being themselves in the workplace.; ; We implemented three goals: awareness (to increase sensitivity and understanding and create a common language around diversity, equity, and inclusion); training (to help employees appreciate cultural differences and equip leaders with greater confidence and competence in taking actions that create a greater sense of equity and inclusion); and engagement (to address cultural and structural barriers). To meet these goals, we developed the GP IDEA (Inclusion, Diversity, Equity, and Accountability) Council. This cross-functional, cross-enterprise Council’s mission is to foster an environment where diversity is not only accepted, but also embraced and valued.; ; Employees are invited to actively participate in monthly, voluntary, employee-led and leadership-sponsored Employee Resource Groups (ERGs) that foster a diverse, inclusive workplace aligned with our organizational mission, values, goals, business practices, and objectives. Our ERGs include Asians & Asian Americans plus Allies; Black plus Allies; LBGTQ+ plus Allies; Allies and People Living with Disabilities (APLD); Women’s Inclusion Network (WIN); Veterans plus Allies; and The Mind & Fitness Café.; ; Our consultancy, facilitation, and programme design options encompass leadership and DE&I programmes, enabling our clients to work towards the common goal of fostering inclusion, equity, and social justice.; ; We also help our clients communicate their ESG priorities through engaging content. Our tailored ESG learning content covers a range of topics, including health and safety, cyber and data security, modern-day slavery, anti-harassment, personal ethics, whistleblowing, anti-bribery, and consumer protection. By providing this content, we aim to enhance the operating resilience, sustainability metrics, and ethical culture of your organisation.

  Wellbeing

  An important part of our Corporate Social Responsibility (CSR) strategy is taking care of our people. This includes the following:; ; Employee wellness programme - the programme focuses on a number of areas: Mental health; Physical health; Health and safety; Personal development; Social connections, and Social contributions.; ; Diversity and inclusion - we believe that the diversity of our workforce is a key point of strength, making the group a more vibrant and dynamic place to work. We continually review how we can best promote and advance a culture in which all staff feel comfortable being themselves in the workplace.; ; Communication and staff surveys - We prioritise measuring the staff’s well-being through our regular engagement surveys. We have peer focus groups who look at the results of the surveys to better understand how we can improve aspects of the working environment including the delivery of training and development interventions. We have made a concerted effort to act on any feedback received and have worked hard this year to listen to our people. For example, in response for better communication, we have introduced regular town halls and monthly newsletters.; ; Employee Assistance Programmes - in the US and UK we provide staff with support in a range of areas, including well-being support, financial advice and legal advice; Professional development - we have in place a talent management system for career development, goal setting and progression at GP.

Pricing

• Price: £5,000 a unit a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at lxbidteam@gpstrategies.com. Tell them what format you need. It will help if you say what assistive technology you use.