Ana səhifə

Hadrian (IL3) Contents Service Definition


Yüklə 56.8 Kb.
tarix13.06.2016
ölçüsü56.8 Kb.





SCC

LOT 3 – Software as a Service (SaaS) – Supply Chain Information Assurance

HADRIAN (IL3)


Contents


Service Definition

This is the minimum set of information that is expected in a service definition (suppliers may choose not to provide these aspects of a service, but do need to be clear in their service definition that they don’t).



An overview of the G-Cloud Service

(functional, non functional)



HADRIAN is a web based supply chain information assurance solution, provided by SCC Ltd and available via the SCC G-Cloud Service. HADRIAN provides Government suppliers with an online tool to complete self assessment questionnaires and address recommendations relating to the risk of data loss within their own company environment. HADRIAN is fully compliant with the CESG Supplier Information Assurance Assessment Framework and the Supplier Information Assurance Tool (SIAT) question sets and specification. The solution is used by leading UK Government organisations, including but not limited to Departments such as the Home Office, the Ministry of Defence and Her Majesty's Revenue & Customs. These organisations are using HADRIAN to assess their supply chain risk in relation to the management of Government data.

The HADRIAN application is hosted on infrastructure that resides within an SCC data centre facility and is accessible by supplier users over the Internet and can be accessed by Government users either over the Internet or via the GSi. The supplier self assessments are completed online and can only be accessed via a registered user account. Suppliers of the HADRIAN application do so from their own designated computers accessing a URL over the Internet.



Key Service Attributes

Service Name

HADRIAN (IL3)

Service Layer

SaaS

Cloud Deployment Model

Private

This service shall be delivered from an infrastructure platform that is private, in the context of it being available to the UK Government community only.



Networks to which the service is connected (directly)?

GSi , VPN or Point to Point

VPN or Point to Point will be established using approved CESG products for the transit of IL3 data.



'API' access available, documented and supported?

No

API access to the service management tools shall not be available to the customer or 3rd parties.



Services available to other suppliers so they can use them to provide services to government?

No

This service shall not be available to 3rd party suppliers for delivery of service to Government.



Data centre tier?

Tier 3+

The data centre conforms and exceeds the open uptime standards for a Tier 3 DC



Minimum Contract/Billing Period?

Year

The minimum commitment and minimum billing periods are both 1 Year.



Free option?

No

Trial Option?

No

Information assurance

Impact Level (IL) at which the G-Cloud Service is accredited to hold and process information



HADRIAN has been assessed by the Home Office Departmental Security Unit, and has been approved for processing sensitive data up to and including Impact Level 2 / PROTECT. The system has also been formally reviewed by CESG approved CHECK consultants, and received a follow up review by a CESG CLAS consultant.

Additionally, HADRIAN has been accredited, by the Home Office to hold, forward and process data up to Impact Level 3.

The information provided by HADRIAN supplier users is not identifiable as their information. A code is provided to supplier users as reference in place of the supplier's company name.

Individual supplier records (completed HADRIAN questionnaires) and aggregated anonymised supplier records (multiple HADRIAN questionnaires) have been evaluated to Impact Level 2. Government organisations can connect via the Internet and view anonymised supplier data.

The aggregation of information across an organisations supply chain, with the inclusion of company name, has been identified as being Impact Level 3 for the HADRIAN system for confidentiality, Integrity and Availability.

HADRIAN has been accredited by the Home Office to hold, forward and process information up to IL3. As such, government organisations can also connect to the HADRIAN application over the GSi.

The anonymised data from the IL2 environment is transferred to a second database in an accredited IL3 environment with a 'one-way' push. Government users then access the transferred information which is linked to supplier's company name, via the GSi. Supplier users who have access to the GSi are also able to complete assessments via the GSi connection. This connection via the GSi is made over a Cable & Wireless hosted PSN (Private Service Network) with the fibre presentation within the physically secured SCC data centre. The Cable & Wireless PSN environment is accredited by CESG.

The live infrastructure for HADRIAN is housed within a hosting facility maintained by SCC. The environment within the data centre is split into two distinct areas. The main data centre hall houses cabinets for IL2 data and a caged environment within the data centre hall houses the IL3 data environment.

Government organisations can therefore choose between an IL2 service offering and an IL3 service offering.


Details of the level of backup/restore and disaster recovery that will be provided

The service shall be backed up to disk each day and backups will be retained for 10 days, this backup shall be at a mailbox level allowing individual mailbox restores to be available.

Recovery of a data from backup shall be completed within 4 Hours from the point of request by the customer through the customer portal.

The SharePoint service is designed to be highly resilient and will failover automatically to a secondary data centre in the event of the primary systems failing. All data is replicated between data centres to ensure availability and recovery is always available.


On-boarding and Off-boarding processes/scope

SCC follow a defined and structured client take on process for each new HADRIAN engagement service. Templates and standard formats for initial engagement communications are utilised to ensure a consistent approach to implementation and the engagement with suppliers. Each client is nominated a dedicated Account Manager or Telephone Account Manager who acts as the senior liaison point and coordinator for the implementation of HADRIAN. This individual will also have overall responsibility for the delivery of the required HADRIAN services to the agreed time scales.

The Account Manager has responsibility for taking each new client through a well defined step by step take on process. This covers supplier identification, internal and external communication and awareness, analysis and reporting and performance improvement. This take on process includes providing a new client with a set of template documents that can be used.

The templates are designed to cover each of the key stages of the HADRIAN process and remove the burden from the Government organisation.

In addition to the template documents that are available as part of the take on process, there are also a series of process maps that detail the HADRIAN engagement programme and the interfaces between SCC, the Government organisation and the supplier. These are shared with new clients on commencement of the HADRIAN service and discussed in detail at the initial kick off meeting.



Pricing (including unit prices, volume discounts (if any), data extraction etc.)

The most common configuration of HADRIAN is available to Government organisations at £81,768 exclusive of VAT

Service management details

HADRIAN is supported in accordance with the widely recognised Information Technology Infrastructure Library (ITIL) Service Management methodology and the ITIL disciplines and principles are actively used for change management, release management and configuration management requirements.

Service constraints (e.g. maintenance windows, level of customisation permitted, schedule for deprecation of functionality/features)

Deployment of updates and upgrades will take place outside the peak hours and affected parties will be given at least one working week's notice.


Service Levels (e.g. performance, availability, support hours and severity definitions)

The Services shall be provided by SCC in accordance with the following Service Levels;

The Incident Resolution Timescale shall be measured from the point where SCC accepts the Incident or Service Request from the Customer, to the point where either;


Service Component

Service Level

Hours of Support

SLA Target

Secure Virtual Managed Machine

Service Availability

24 Hours

99.9%

Secure Virtual Managed Machine

Service Availability

24 Hours

99.95%

The customer has accepted that it has been resolved or completed in accordance with the relevant criteria specified in the service Schedule.

The Incident has been forwarded to a 3rd party or Resolver Group for resolution.

In the event the customer is not available to confirm acceptance at the point of resolution of the Incident or completion of the Service Request then SCC shall be authorised to confirm acceptance on behalf of the Customer and close the Incident or Service Request with the Customer.

For avoidance of doubt due to the sometimes complex nature of Software problems and faults, it is not possible to provide a definitive Incident Resolution Timescale or SLA Target, therefore Incident Resolution will be provided on a reasonable endeavours basis only.

SCC shall determine the severity of an Incident in accordance with the following:




Severity Level

Description

Severity 1 (Critical)

The Service failure creates a serious business and financial exposure, causing a high number of Users to be unable to work or perform an essential portion of their job, and there is no acceptable workaround to the problem (ie: the job cannot be performed in any other way).

Severity 2 (High)

The Service failure creates a significant business and financial exposure, causing a high (fixed) number of Users to be unable to work or perform some significant portion of their job, but there is an acceptable workaround to the problem in the short term (ie: the job can be performed in some other way).

Severity 3 (Medium)

The Service failure creates a low business and financial exposure to an isolated number of Users causing them to be unable to perform a portion of their job, but they are still able to complete most other tasks, or;

General Service related questions and requests for information.



Severity 4 (Low)

The Service failure creates a minimal business and financial exposure causing one or two User to be unable to perform a minor portion of their job, but they are still able to complete most other tasks.

There may be occasions where the Customer requires additional resource or focus to be applied to an Incident. In such circumstance the escalation procedure below shall apply;

Figure 1: Escalation levels within SCC



oval 6

oval 7

The escalation activities and response timescales shall be as detailed in the table below. For avoidance of doubt the response timescales below are indicative only and do not supersede or replace the applicable Service Levels or SLA Targets specified in Clause 1 above.



Escalation Level

Response Activity

Escalation to Next Level Timescales

Level 1

The SCC Service Desk or NOC operations representative will acknowledge the Incident and advise on tests and actions required in order to resolve the Incident, consulting as necessary with other SCC representatives and/or 3rd parties. Should the SCC representative be unable to resolve the problem or provide an action plan suitable to the Customer, the Incident will be escalated to the respective team leader of either the NOC operations or Service Desk team.

Severity Level 1: 30 Minutes

Severity Level 2: 3 Working Hours

Severity Level 3: 6 Working Hours

Severity Level 4: Not Applicable



Level 2

The respective team leader will determine a suitable action plan and agree it with the Customer. The Service Delivery Manager will be notified. Third party manufacturers and/or suppliers may be contacted for additional technical support.

Severity Level 1: 1 Working Hour

Severity Level 2: 4 Working Hours

Severity Level 3: 8 Working Hours

Severity Level 4: Not Applicable



Level 3

If unresolved following Stage 2, the Incident will be escalated to the Service Delivery Manager who will involve all necessary resources, both internally and externally, to attempt to provide an acceptable resolution for the Customer. The SCC DCS’ Network Operations Manager will also be informed.

Severity Level 1: 2 Working Hours

Severity Level 2: 5 Working Hours

Severity Level 3: 9 Working Hours

Severity Level 4: Not Applicable



Level 4

If unresolved following Stage 3, then SCC DCS’ Network Operations Manager will take responsibility for the Incident and involve all necessary senior and management resources, both internally and externally, to ensure an acceptable resolution for the Customer. SCC DCS’ Professional Services Director will be appraised of the situation.

N/a




Financial recompense model for not meeting service levels

SCC can offer a service credit regime as part of a service level agreement with government organisations. Any such service credit regime would be agreed with individual clients based on their required service levels.

Training

To further enable Government organisations and their users to have fact based discussions with their suppliers on information assurance, we provide training designed to provide guidance on how to use the data provided through HADRIAN to encourage supplier performance improvement to realise improved supply chain information assurance and in doing so reduce the risk of data loss.

Ordering and invoicing process

SCC will provide ordering of G-Cloud services via their Lifecycle portal.

Customers will need to register all relevant details and will receive login details within 5 working days. This is a secure site and this mechanism will provide an account and password protected login.

A basket of G-Cloud services can be compiled, with quotations for those specific services. Once The Customer is satisfied that an order is complete it can then be converted into an order.

To place the order on SCC for delivery, against defined SLA’s, The Customer will click ‘checkout’ and complete the relevant details.

Once the services are enabled and confirmation of the ordered G-Cloud services is delivered to The Customer a monthly invoice will be generated against the order, via the registered Customer details on the Lifecycle portal.

Should The Customer burst any services during their contract period this will be retrospectively invoiced, at the next month end, as additional services, against the contract base agreement.



Termination terms

By consumers (i.e. consumption)

The HADRIAN service is available on a 12 month minimum contract term. There is no termination fee associated with a Government organisation opting not to extending the contract term beyond 12 months. Termination terms will comply with the terms of the Framework Agreement.

By the Supplier (removal of the G-Cloud Service)

The HADRIAN service is available on a 12 month minimum contract term. There is no termination fee associated with a Government organisation opting not to extending the contract term beyond 12 months. Termination terms will comply with the terms of the Framework Agreement.

Data restoration / service migration

As the data stored in the HADRIAN database is key to the operation of the system, data import and export is a primary function. HADRIAN is compatible with a variety of different technologies based on open standards such as XML, CSV and SQL.

Consumer responsibilities

Any action required by the client will be agreed during the on-boarding process.

Technical requirements (service dependencies and detailed technical interfaces, e.g. client side requirements and bandwidth)

The HADRIAN application can be accessed by supplier users and Government users through all standard web browsers including:

  • Microsoft Internet Explorer 6 and above

  • Mozilla Firefox 3 or higher

  • Google Chrome

  • Apple Safari

  • Opera

Details of any trial service available.

There is no option to consume this service for a trial period.

Data Extraction

Suppliers will provide a “simple” and “quick” exit process to enable consumers to move to a different supplier for each of their G-Cloud Services and/or retrieve their data. Suppliers will commit to providing details of this, clearly and unambiguously in the Service Definition for each service. This will include, but not be limited to:



The data standards that will be in use (within the service).

The data held within the HADRIAN system is in a proprietary format.

A commitment to returning all consumer generated data (e.g. content, metadata, structure, configuration etc.) and a list of the data that will be available for extraction. Where there is a risk of confusion, data that will not be available for later extraction will also be published.


All data will be returned to the Customer upon request via data export which is a primary function of HADRIAN.


The formats/standards into which data will be able to be extracted and preferably a list other common services/technologies to which an export/import mechanism is available.


HADRIAN is compatible with a variety of different technologies based on open standards such as XML, CSV and SQL.

A price for the extraction of consumer generated data (or the migration to another service provider’s service).


Data Extraction shall be charged dependent upon amount of data and media to be extracted to.

Confirmation that the Supplier will purge and destroy (as defined in security accreditation for different ILs) consumer data from any computers, storage devices and storage media that are to be retained by the Supplier after the end of the subscription period and the subsequent extraction of consumer data (if requested by the consumer).


All data at rest contained within the SCC platform shall be purged or destroyed with standard service, volume, LUN deprecation procedures.

All data leaving the SCC platform shall be purged or destroyed using CESG approved white spacing prior to shipping.



Where a physical drive from a drive set fails then that drive shall be destroyed in accordance with CESG procedures.






Verilənlər bazası müəlliflik hüququ ilə müdafiə olunur ©kagiz.org 2016
rəhbərliyinə müraciət