FCO Services Platform as a Service (PaaS) IL0-2 Service Definition Version 5.0 - Service Definition

 
UNCLASSIFIED

Service Definition

FCO Services
Platform as a Service (PaaS) IL0-2
Service Definition

Version 5.0

April 2014
PaaS IL0-2 Service Definition

Table of Contents
1 Introduction
2 FCO Services’ Cloud Solutions
3 Service Description
    3.1 Service Overview
    3.2 Service Model
    3.3 Provisioning
    3.4 Data Centres
    3.5 Back up and Restoration
    3.6 Cyber Security
    3.7 Monitoring
    3.8 Customer Responsibilities
    3.9 Service Roadmap
4 Service Management
    4.1 Service Support
    4.2 Key Performance Indicators
    4.3 Utilisation and Reporting
5 Financial
    5.1 Pricing Terms
6 Optional Service
    6.1 Service Delivery Management
7 Abbreviations and Acronyms

Version 5.0                                                                                                                                             Page 2 of 20

1 Introduction
PaaS is a service hosted on FCO Services’ Pan Government Accredited (PGA) IL2 Cloud platform for
customers to purchase virtual hardware, operating systems, storage and network capacity. Available to any
department on the Government Secure intranet (GSi) or Public Services Network (PSN) at IL2, PaaS
provides a fully managed and maintained operating system and virtual server environment without the FCO
Services Government Secure Application Environment (GSAE).


2 FCO Services’ Cloud Solutions
Cloud Computing has the potential to enable public sector organisations to deliver better and more flexible
Information Technology (IT) services at reduced costs. The FCO Services’ PaaS IL0-2 service eliminates
the cost and complexity of evaluating, buying, configuring, and managing complex environments and
provides organisations with the perfect platform for hosting IT infrastructure securely.

   •   Cost efficient. PaaS allows organisations to create a secure and effective IT platform by accessing
       virtualised Cloud services, without the costly and complex refresh programmes of infrastructure that
       are required in traditional IT

   •   Shared service. PaaS is less costly to operate than traditional IT delivery models because it is
       delivered from a shared services facility that already supports multiple organisations. Organisations
       can also reduce the requirement for physical office space by making use of a remotely hosted
       solution

   •   Transparent. Pricing for PaaS IL0-2 is based on a published table of per-month charges aligning
       with costs available for Cloud services available through FCO Services

   •   Secure environment. FCO Services has used its experience in operating secure IT services to
       ensure that PaaS meets the standards required for IL0-2. The design of the PaaS IL0-2 platform
       makes possible the use of technologies and monitoring services that may not be affordable with
       individual installations

   •   Reliable. FCO Services’ Cloud Platform is designed with a high degree of resilience built into it and
       is operated from two locations with separate network connections and power supplies. This offers
       users a stable and reliable environment to remotely access PaaS IL0-2

   •   Flexible. Each PaaS IL0-2 tenant can be tailored to a customer’s individual requirements and can
       be evolved as the business need evolves

   •   Cross-Boundary. Many IT services cannot be shared across organisational boundaries, and this
       limitation impedes collaboration with stakeholders and partners. FCO Services’ Cloud Platform can
       be accessed across the public internet and does not suffer the same limitation.

FCO Services has a unique position as a Trading Fund within Government, enabling it to support
commercial enterprises with their activity both inside and outside the public sector and to assist public
sector organisations as they transition to Cloud services from traditional IT services. PaaS IL0-2 realises
the cost and flexibility benefits of Cloud computing.


3 Service Description
The name of the service is PaaS IL0-2.

3.1    Service Overview
PaaS IL0-2 allows organisations to access FCO Services’ established Cloud Platform through the public
internet.

FCO Services provides a fully managed service aligned to the ITIL v3 best practice framework, from
implementation of the agreed PaaS IL0-2 solution, through patching and updates of the underlying platform,
to providing a comprehensive service desk to address any issues. The solution provides organisations with
the ability to make strategic decisions to reduce the economic and environmental impact of their IT
solutions.

3.2   Service Model
PaaS IL0-2 is an offering from the IL0-2 platform for customers to purchase hardware, operating systems,
storage and network capacity over the internet; therefore PaaS IL0-2 is defined as a Public Cloud. This
allows the customer to procure virtualized servers and associated services for running existing applications.
The offering is managed by FCO Services up to and including the operating system, and we will ensure
that all software deployed by FCO Services is adequately patched with the latest recommended updates
from manufacturers and that all antivirus patches are applied, ensuring the platform is secure and stable.
FCO Services does not offer any Application Languages as such, but customers can utilise or procure
application languages of their choice for use in the PaaS IL0-2 platform. PaaS IL0-2 is available to both
Government departments and other commercial organisations that are looking for a secure Cloud Platform
to deliver their services to Government.

FCO Services provide three defined virtual server builds that can be used in the delivery of PaaS IL2.
Customers may also configure each virtual server up to a maximum of 24 vCPUs and 192GB of RAM per
server. The table below shows three standard server configurations and the components included in the
PaaS IL2 offering:

Components ↓ / Level →     Large                    Medium                   Small                    G-Cloud
No of vCPUs                2                        1                        1                        0.5
Processor                  Intel Xeon 2.6GHz        Intel Xeon 2.6GHz        Intel Xeon 2.6GHz        Intel Xeon 2.6GHz
RAM (Standard)             16GB                     8GB                      4GB                      2GB
Operating System           Windows Server 2008 R2   Windows Server 2008 R2   Windows Server 2008 R2   Non-specific
                           Windows Server 2012 R2   Windows Server 2012 R2   Windows Server 2012 R2
                           Linux                    Linux                    Linux
Disk Space/20GB Units      1                        1                        1                        8
AV and OS patching         Yes                      Yes                      Yes                      Yes
Security Operating         Yes                      Yes                      Yes                      Yes
System (SOC)
Monitoring                 Yes                      Yes                      Yes                      Yes
Daily Back Ups             Yes                      Yes                      Yes                      Yes
Technical Assistance       Yes                      Yes                      Yes                      No
RAM (High)                 20GB                     12GB                     6GB                      No
Storage                    Additional storage can be purchased in increments of 20GB to be used for live storage or
                           snapshot retention.


The final solution build would be done in consultation with the Cloud Services Onboarding Team to ensure
all PaaS IL0-2 products are consistent and supportable. Should the customer require it, limited
customisation may be possible. Any requests for changes or customisation to the service once operational
would be classed as a Service Request, which the customer would submit via the FCO Services’ Global
Support Centre (GSC). This would then be progressed and managed via the Change Management
function, which is delivered as part of the support services offered.

3.2.1 Hypervisor
FCO Services’ PaaS IL0-2 platform uses VMWare vSphere as its Hypervisor. VMWare vSphere provides a
scalable and extensible platform that forms the foundation for FCO Services’ Virtualisation Management
tools. VMWare vSphere centrally manages virtual environments providing FCO Services with dramatically
improved control over the entire virtual environment. It provides unified management of all the hosts and
virtual machines (VM) in our data centre from a single console with an aggregate performance monitoring
of clusters, hosts and VMs.

3.2.2 Open Standards
FCO Services is able to offer tools to on-board applications delivered in the Open Virtualisation Format
(OVF). Applications and services operating on the FCO Services’ PaaS IL0-2 platform are published to
customer networks via proxy devices which support and police W3C standards compliance for security and
compatibility.

3.2.3 Open Source
FCO Services’ hosting platform is based on commercial software; however, we do also offer ‘Gold’ build
virtual machines containing the CentOS Open Source operating system based on Linux. Other open source
products are in use providing platform support functions. Further information on these can be made
available under a Non Disclosure Agreement (NDA) to prospective customers.

3.2.4 Technical Boundaries
The PaaS IL0-2 platform boundaries are the virtual network interfaces of the customer’s VMs. FCO
Services is responsible for components outside this boundary, with the exception of any public networks
involved in delivery of the solution (See 4.2 for further detail on service boundaries and availability). The
customer is responsible for all software, configuration, and operations on the guest virtual machine.

Application Programming Interface (API) access is not available on the PaaS IL0-2 platform.

3.2.5 Burst Resources
Compute resource allocations within the platform are static; this includes the processing power and
memory allocations to the virtual machines.

3.2.6 Elastic Resources
All resources can be increased and reduced in line with the FCO Services’ Compute Unit specifications by
raising change requests with FCO Services’ GSC.

3.2.7 Guaranteed/Non-Guaranteed Resources
Compute resource allocations within the platform are all guaranteed; this ensures that all processing and
memory allocations to the virtual machines are always reserved and available for the customer.

3.2.8 Persistence
All storage within the FCO Services’ PaaS IL0-2 platform is persistent and available following scheduled
reboots or application instance failures. System Memory space on the virtual machines is non-persistent.


3.2.9 Data Storage and Processing
The PaaS IL0-2 products are deployed across FCO Services’ IL0-2 data centres, situated within a secure
site in the UK.
Each ‘Locale’ is a physically separate set of infrastructure, and provides resilience in that should one locale
fail, it will not impact any other locale. All data processing is carried out within FCO Services’ Data Centres,
supported by Developed Vetting (DV) cleared personnel.

3.2.10 Network
FCO Services’ PaaS IL0-2 is available via the internet. The network bandwidth is provided as a ‘contended’
allocation on a shared bearer up to the maximum bandwidth available on the connection. Customers have
the option to purchase dedicated, non-contended bandwidth at an additional cost.
FCO Services holds and is responsible for a Code of Connection and all users of PaaS IL0-2 will have to
comply with that Code.

3.2.11 Anti-Virus and Operating System Patching
Antivirus updates are deployed on a daily basis. Operating System Patches are deployed on a monthly
basis.

3.3   Provisioning
There is no ‘self service’ provisioning available for PaaS IL0-2. Should the customer wish to procure
services within this offering then there will be a requirement for pre-deployment consultancy to ensure that
the proposed solution meets both the customer requirements and also any security constraints regarding
working at PaaS IL0-2. This function will be delivered by a dedicated on-boarding team, whose primary role
is to engage with customers to ensure that the solution delivered will meet all their requirements. Once the
final solution has been defined and agreed, FCO Services will provision the solution within five working
days.

3.3.1 On-Boarding
The customer will define the business need that they are addressing and the number of virtual machines
required is agreed in consultation with the FCO Services’ Onboarding Team. FCO Services will then deploy
the requested VMs and allocate specific storage. Following appropriate security measures, FCO Services
will then send details of how the customer can connect and manage their VMs. The Onboarding Team will
be available to assist the customers and provide technical assistance in the deployment of any applications
the customer wishes to deploy.

3.3.2 Off-Boarding (Data Extraction/Removal)
Data can be extracted at any time during the term of the agreement. If this is required, then the customer
would need to raise a Service Request via the FCO Services’ GSC. The data would be made available to
the customer within five working days and would be presented as a virtual HDD on appropriate media, such
as a VMWare vmdk file or files.

All data extraction/removal is a chargeable service.

3.3.3 Information Principles for the UK Public Sector
The FCO Services GSAE Platform supports some of the Information Principles for the UK Public Sector, in
that not all principles are strictly relevant for a PaaS offering. Specifically, the 7 Principles are supported as
stated below:


Principle                                  FCO Services Response

Information is a Valued Asset              The GSAE Platform is a resilient and fully managed hosting
                                           service with documented backup, recovery and availability
                                           procedures. All Information stored in the Platform, including
                                           backups and resilient copies are located in UK Government
                                           Sites and will be protected as valued assets.
Information is Managed                     All information in the GSAE Platform is Managed appropriately
                                           as an HMG data Asset. Governance is defined and
                                           documented in the System Risk Management and
                                           Accreditation Documentation Set (RMADS). FCO Services, as
                                           a Government Organisation, operates its systems in
                                           accordance with all relevant HMG Information Management
                                           Standards.
Information is Fit for Purpose             All Information collected and stored for operation of the
                                           Platform is stored and processed in appropriate formats and is
                                           necessary for platform operation and compliance with relevant
                                           regulations. Information stored by Customer systems operating
                                           on the Platform is not modified or used by FCO Services in any
                                           way.
Information is Standardised and Linkable   As a PaaS system GSAE does not natively deliver on this
                                           principle. Information formats and publishing methods are the
                                           responsibility of tenant applications. However, FCO Services
                                           strongly encourage tenant applications to support Web
                                           Standards and be deployed and published to appropriate
                                           networks.
Information is Re-Used                     As a PaaS system GSAE does not natively deliver on this
                                           principle. Information use and publishing are the responsibility
                                           of tenant applications. It is not appropriate, as a service
                                           provider to re-use tenant information. However, as a Shared
                                           Service the GSAE platform enables an innovative and flexible
                                           shared platform for application providers to build shared
                                           services and repositories.
Public Information is Published            The GSAE IL0-2 platform has managed internet access
                                           gateways and can be used as a hosting platform for publishing
                                           information to the Public.

Citizens and Businesses Can Access         The GSAE IL0-2 platform has managed internet access
Information About Themselves               gateways and can be used as a hosting platform for publishing
                                           information to the Public. Appropriate controls around right of
                                           access and auditing are the function of the hosted application,
                                           not the platform itself.

3.4   Data Centres
FCO Services’ Data Centres providing PaaS IL0-2 are classified as TIA 942 Tier 3 data centres. This is a
self certified assessment, and details can be provided if requested.


The data centres are staffed 24/7 and are fully temperature and humidity controlled, incorporating fire
detection systems.

Access to the server rooms is secure and controlled by card and PIN access. Only FCO Services’
staff with DV security clearance are allowed access to the room unaccompanied. Any other access to the
server room is by appointment only, restricted to office hours (Mon-Fri 0830-1630).

Electrical power for the server farm is delivered from a 2MVA Uninterruptible Power Supply (UPS), which is
capable of supporting the facility for up to ten days. All cabling is CAT5, CAT6 or fibre optic and is
positioned and secured to appropriate cable trays with adequate capacity for growth.

3.5   Back up and Restoration
Data restoration or back ups are not provided as part of the standard offering, but are available as a costed
option.

Should this option be taken up, a brief explanation of the backup policy/process is included below.

Backups are snapshots which are taken on a daily basis. These snapshots contain all the virtual machine
builds and all data.

Data restoration is available by customers raising a Service Request via the FCO Services’ GSC. Once this
request is received, data can be restored from any point within the 14 days prior to the request being
received, as the snapshots are kept for 14 days before being overwritten. All requests for data restoration
will be completed as a Priority 4 request and will be completed within either 24 or 36 hours of the request
being received, depending on the level of service procured.

Customers must purchase sufficient GSAE Storage to cover live disk data and snapshot storage. FCO
Services’ on-boarding team can advise on appropriate storage capacities.

3.5.1 Information Lifecycle Policy
All snapshots are retired from storage systems after 14 days.

Longer data retention times are available at an additional cost, should the customer have a requirement for
this, and this can be defined and agreed during pre deployment consultation.

3.6   Cyber Security
Full security monitoring of customer applications is an optional chargeable service for PaaS IL0-2, and is
not included as standard.

FCO Services use a range of tools, specifically selected and tailored to customer needs. This ensures
that FCO Services are able to monitor all services, and record all operational data on a small number of
tools, enabling accurate management information to be produced to both internal FCO Services’
management and the customers. These tools include the Security Operating Centre (SOC) and FCO
Services’ suite of monitoring tools.

3.6.1 Security Operating Centre
The SOC is designed to provide an accredited protective monitoring solution, compliant with the
requirements of GPG13 predominantly to FCO Services’ clients within Government as well as to clients
within the Critical National Infrastructure sector. There are four levels of segmentation used to define the
core level of service that the SOC protective monitoring solution will offer. These four levels map directly to
the CESG Good Practice Guide number 13. The four levels are: Aware, Deter, Detect & Resist and Defend.


The FCO Services’ SOC provides a protective monitoring solution that correlates and amalgamates the raw
data from all the system logs (network switches and firewalls etc), event log accounting data from the
Windows servers and clients, UNIX server syslogs and the alerting output from the intrusion detection
systems. These are then fed into a uniform alerting dashboard provided by the Security Information and
Event Management (SIEM) system which will be available to all the analysts and SOC management staff.

The SOC is built to handle data up to and including IL5 and should be independently accredited by
customers to that level if their requirement demands it.

The SOC Core service provides the following key features:

   •   Alignment with CESG Good Practice Guide 13
   •   Provision of counter-measures to assist with conformity to Security Policy Framework
   •   Reducing the residual risk figure – IS1 calculations
   •   Providing a security barrier for inclusion within the RMADS
   •   Securing outsourcing of Protective Monitoring solutions from a trusted Government Data Centre
   •   Providing monthly reporting statistics on events and attacks
   •   Helping to ensure systems are operating according to policy
   •   Removing the burden of complex security analysis from the client’s workforce.

3.6.2 Aware IL0/1
For client systems that require protective monitoring and are within the segmentation level of Aware, the
SOC can offer the following monitoring states.

   •   Analysts on Station - 9 to 5 Monday - Friday
   •   SIEM will be used to monitor system and network logs
   •   First response (Critical Events) - Within a working day
   •   Investigation Initiated – Within four working days
   •   Log retention – Three months
   •   IDS deployed – As required
   •   Accurate Time Source - Clocks within the data centre (PMC1)
   •   Recording of Boundary Traffic - Detect Malware via IDS and Boundary Devices AV (PMC2)
   •   Recording of Suspicious behaviour at Boundary - Dropped packets at Firewall reported to SIEM
       (PMC3)
   •   Recording on Server and Workstation - Report critical Messages/Malware Detection reported by
       system logs to SIEM (PMC4)
   •   Recording of Suspicious internal network activity - Dropped packets (Internal Firewalls) reported to
       SIEM (PMC5)
   •   Monitoring of Network Connections - Remote user access failure VPN or change in DHCP status,
       reported by system logs to SIEM (PMC6)
   •   Recording of session activity by user workstation - Log On/Off reported by system logs to SIEM
       (PMC7)
   •   Recording of data backup status - Backup, test and recovery failures reported by system logs to
       SIEM and Operations Hawkeye Consoles (PMC8)
   •   Alerting critical events - Alert messages routed to and displayed on SIEM Dashboards (PMC9)
   •   Status of the audit system – Monthly reporting from the SIEM (PMC10)
   •   Management reports - Sanitised and statistical management reports will be produced by the SIEM
       (PMC11)
   •   Compliance review – Yearly.


3.6.3 Deter IL2/3
The SOC can offer the following monitoring states for systems that require protective monitoring and are
within the segmentation model Deter. The states below are in addition to or above those listed for the Aware
model.

      •    Analysts on Station - 9 to 5 Monday - Friday
      •    SIEM will be used to monitor system and network logs
      •    First response (Critical Events) - Within four hours
      •    Investigation Initiated – Within two working days
      •    Log retention – three to six months as required by the client
      •    IDS deployed – On Boundaries as required
      •    Accurate Time Source – Cryptographic checksums (PMC1)
      •    Recorded blocked file import/export and blocked web browsing (PMC2)
      •    Recording of suspected boundary attacks, recording of user sessions at boundary devices (PMC3)
      •    Record changes to file or path access rights or failed file system access attempts (PMC4)
      •    Recording of user sessions on internal network devices, user authentication failures on internal
           network devices (PMC5)
      •    Recording of failed attempts to connect network devices or WiFi points and record user sessions on
           network consoles (PMC6)
      •    Record user lock-out and privilege escalation on Servers (PMC7)
      •    Graphical display of alert streams dashboards (PMC9)
      •    Rolling Top Ten attacks displayed on dashboard (PMC11)
      •    Compliance review – Yearly.

3.6.4 Additional Monitoring
The SOC is capable of recording and monitoring other services; for example intrusion prevention or file
integrity monitoring (as additional cost items as the client’s designs demand). The table below details the
current additions to the services.

Description                                            Pricing Model
Additional Log Retention                               Per GB
Full Packet Capture                                    Per GB
Intrusion Prevention System – blocks some attacks      Per Service – single deployment cost

It is recommended that these additional services should be discussed with the Onboarding Team at the
consultation phase in order to effect smooth provisioning.

3.7       Monitoring
FCO Services has a suite of monitoring tools, such as HP Operations Manager for Windows, HP Business
Availability Centre, HP OpenView Performance Manager and What’s up Gold. Standard monitoring
capability is as shown below:

Operating System Monitoring for Windows, LINUX and UNIX platforms:
   • Common Windows services and UNIX processes
   • Disk utilisation thresholds
   • Performance threshold alerts – CPU, disk, memory, page file etc
   • Event log monitoring – Windows includes application, system & security + UNIX logs.


Database monitoring:
   • Microsoft SQL Server
   • Oracle
   • Key database performance threshold metrics and performance thresholds.

Performance management data is collected via OpenView Performance Agent (OVPA).

Performance management data provides:
   • Infrastructure threshold alerts – CPU, memory, disk and network type threshold events
   • Application threshold alerts via Smart Plug In (SPI)
   • Weekly and monthly reporting including:
         o Near real time reporting
         o Historical reporting
         o Long term reporting.

The suite of monitoring tools deployed by FCO Services is for internal use only; detected issues will be
escalated to customers via existing support channels. Management tools are not accessible to customers
or external third party suppliers.

3.8       Customer Responsibilities
Customers of PaaS IL0-2 will be responsible for the following:

      •    Application accreditation - (FCO Services can provide this as a chargeable service)
      •    Complying with FCO Services’ Code of Connection for Internet services
      •    Accredited PaaS IL0-2 access systems
      •    Application Backup and Restore
      •    Application Monitoring
      •    Application to be hosted
      •    Application user interface
      •    Information on sizing of application.

3.9       Service Roadmap
The PaaS IL0-2 service will be kept up to date through a continuous review process which seeks to evolve
the offerings both on the existing processing tiers, and also into wider customer networks and impact
levels.
The PaaS IL0-2 offering will be extended to include a larger number of managed platform instances
covering popular application stacks.
PaaS IL0-2 is likely to be enhanced with tiered storage offerings to give customers increased flexibility in
building their applications.

4 Service Management
This section describes the common approach to service management that is taken by FCO Services across
all of its services. It also explains how FCO Services ensures data availability and service reliability to
customers. FCO Services’ PaaS IL0-2 platform benefits from the following Service Management
components.

4.1       Service Support
Leveraging our existing Cloud Services Operating Model, which is aligned to ITIL v.3, FCO Services will
ensure the smooth operation and delivery of the PaaS IL0-2 platform. FCO Services’ support staff have
strong skills and knowledge of the service and its associated components.
The support organisation offers fast resolution times and provides a channel for customers’ voices to be
heard. Feedback from customers provides input to the planning, development, and operations processes.
Support staff also play an integral part in Continual Service Improvement and identify actions from the
ground level to the benefit of the services they support and provide.

4.1.1 Incident Management
Incidents will be recorded in accordance with the standard FCO Services’ Incident Management
process and with the appropriate priority within the FCO Services’ GSC. All incidents will be recorded
in FCO Services’ Service Management toolset, which is fully integrated to ensure that detailed
management information is available and that consistently high levels of support are maintained. All
incidents will be actioned and progressed as defined in the FCO Services’ Incident Management
policy and processes, and will aim to achieve the key performance indicators as defined in section
4.2.

4.1.2 Event Management
The various tools deployed will monitor the PaaS IL0-2 and will capture any event based on pre-set
thresholds and triggers. Any events which affect either capacity or availability of PaaS IL0-2, or raise the
risk of a service being impacted will be recorded into the service management tool and treated as an
incident by the GSC service desk. This automated monitoring will provide further assurance that the
availability of PaaS IL0-2 will remain consistently high.

4.1.3 Problem Management
FCO Services operates an effective problem management process as part of the delivery of all PaaS
IL0-2 products. We maintain a problem register to record the treatment of each known problem and its
proposed resolution. The problem register is the subject of a monthly review by service delivery
management and will be an input to development and enhancement plans for products and services.

4.1.4 Change Requests
Should the customer require configuration or customisation activities to be completed by FCO Services,
these will be processed in accordance with our Change Management Process and categorised as either
Minor or Major changes.

Minor changes are defined as those changes that have little impact on the overall confidentiality, integrity or
availability of service or application. As opposed to Service requests, minor changes are defined as small
changes that cannot be fulfilled through the normal administrative tools.

Examples of minor changes include:

   •   Rename a Server
   •   Add / Remove Network Interface Card (NIC)
   •   Change INBOUND Access to a Tenant (Firewall & F5)
   •   Change OUTBOUND Access from a Tenant (Firewall & F5)
   •   Change F5 Load balancing
   •   Firewall White listing (User & Administrator Access)
   •   Add / change / delete an Email Domain (for existing tenant)
   •   Add / change / delete an Administrator Account (for existing tenant).

Organisations often question if they have to create a service request or a request for minor change. Both
have in common a minor impact and a predefined workflow. There will typically be grey areas between
Request Fulfillment and Change Management processes. Minor changes (as opposed to service requests)
do not require an RFC and will be charged at a rate of £195 per change.

Major changes are covered under the standard change request process and will need to be assessed on a
case by case basis.

4.1.5 Release Management
The FCO Services’ Release Management process ensures that all releases of new or changed
components are effectively planned, designed, tested, packaged and deployed in a methodical and
consistent manner, thereby protecting the integrity of the PaaS IL0-2 platform and maintaining the
availability of all services to customers.

4.1.6 Configuration Management
The configuration management process manages and controls the revision of all managed components of
the PaaS IL0-2 platform that have been released to production. Configuration Items (CI) managed by this
process include hardware items, software components and their object code, network items,
documentation, and any other elements within the IT infrastructure that FCO Services needs to control.
Data is stored in a logical entity (the configuration management database or CMDB).

Configuration management maintains the status of all CIs (e.g. live in production, retired, in-stock etc.) on
the PaaS IL0-2 platform and includes any backup documentation related to a CI. It creates, maintains,
tracks, and reports on information that enhances the ability of other supporting processes to be effective,
especially the change, problem, and release management processes.

4.1.7 Capacity Management
The FCO Services’ Capacity Management process assures that the relevant capacity is available to meet
the performance requirements of all customers of the PaaS IL0-2 products, keeping capacity aligned to the
needs of customers by acting on historical demand and forecast demand data.

Capacity management reports will be used to meet predicted demand or to correct capacity-related
incidents.

The components of the PaaS IL0-2 platform which fall into the scope of capacity management for the PaaS
IL0-2 platform are as follows:

   •   IL3 blade enclosure
   •   Virtual machine hosts
   •   Storage
   •   Virtual machines
   •   Licenses
   •   Database performance
   •   Backup processes
   •   Network
   •   Environment

4.1.8 Availability Management
The PaaS IL0-2 Service Level Agreement (SLA) will have an agreed set of performance management
metrics that cover the end to end performance management and measurement to assure service
availability (see section 4.2).

The PaaS IL0-2 platform has been designed to ensure high levels of availability for all hosted applications,
and to ensure that there is always adequate availability. Real-time and historical data regarding all aspects
of capacity utilisation and availability management, including network and servers (both physical and
virtual) are provisioned through the automated performance collection tools and the suite of monitoring
tools available to the FCO Services’ Operational Support teams.

4.1.9 Service Level Management
The Service Delivery Management function supports the Service Desk (GSC), ensuring that the services being
provided to PaaS IL0-2 customers are aligned to their individual needs and to contractual obligations.

Additional Service Delivery Management Services can be requested as per section 6.1.

4.1.10 Global Support Centre Service Desk
The FCO Services’ service desk, known as the GSC will be the single point of contact for the receipt of all
calls from customers and is available 24/7/52. Customers will be able to either phone or email the GSC
service desk to raise incidents or service requests. The GSC service desk is based around a fully
configured and integrated service management toolset. This tool will be used to record all incidents raised
by customers concerning PaaS IL0-2. The GSC service desk will have available a detailed knowledge
base, enabling first line staff to assist customers at the point of call, and maintain high first time resolution
rates.

FCO Services does not provide a facility for the GSC to be utilised by any third party for their services for
security reasons.

The dedicated and highly motivated team at the heart of service management, combined with the use of
the processes and tools available will enable us to provide a highly flexible and scalable service in delivery
of PaaS IL0-2.

4.2     Key Performance Indicators

4.2.1 Availability Key Performance Indicator (KPI)
Availability Key Performance Indicator (KPI) measures the extent to which the PaaS IL0-2 platform is
available to customers of the service.

There will be two levels of support available for PaaS IL0-2.

Core hours are defined as Monday to Friday 7AM-7PM (UK time) excluding UK Bank Holidays.
How we calculate the SLA:
_____________________________________________________________________________________
The minimum “Monthly Uptime Percentage” for a Service is calculated by the following formula:
                     (Available Minutes* - Downtime) / Available Minutes x 100
*Minutes available during agreed reporting period excluding planned maintenance minutes
_____________________________________________________________________________________
Availability KPIs measure the extent to which the GSAE Platform is available to organisations.
The service is made available to its customers: 24 hours a day, 7 days a week.
The target level of availability is shown in the table below:

  Service    Availability*                Description
  Gold       99.9% core / 95% non core    Includes Core infrastructure and internal network, but excludes Customer’s Internet provision
  Silver     95% core only                Includes Core infrastructure and internal network, but excludes Customer’s internet provision

*Availability is measured from an access point on the FCO Services’ Data Centre side of the boundary
internet router within FCO Services’ Data Centre to the application. It does not apply to the router itself, or
any portion of the circuit outside of this router. Customers are responsible for their own access to the
internet.

Additional Service levels are available upon request.

4.3   Utilisation and Reporting
No real-time customer accessible reporting is available at the time of writing this document. However, if
required, FCO Services can produce a monthly service report for all customers containing information
relating to the service levels and availability targets defined within this document.

5 Financial
PaaS IL0-2

    VM Specification     VM Size      Per Annum Price £     Price Per Day £
    Standard RAM         Large                    8,630               23.64
    Standard RAM         Medium                   6,030               16.52
    Standard RAM         Small                    4,030               11.04
    Standard RAM         G-Cloud                  3,430                9.40
    High RAM             Large                    9,630               26.38
    High RAM             Medium                   7,030               19.26
    High RAM             Small                    4,730               12.96

    Additional CPU       Unit Size    Per Annum Price £     Per Day Price £
    vCPU                 1                          750                2.05

    Additional Memory    Unit Size    Per Annum Price £     Per Day Price £
    GB                   1                          500                1.37

    Storage              Unit Size    Per Annum Price £     Per Month Price £
    Storage Unit         20GB                        50                0.14

    Bandwidth            Unit Size    Per Annum Price £     Per Month Price £
    Dedicated            1MB                        620                1.70
    Non-Dedicated        1MB                        120                0.33

    On-Boarding/Off-Boarding                                         Price £
    On-Boarding Cost - Dedicated Bandwidth                               620
    On-Boarding per Separate Tenant Environment                         3000
    On-Boarding per VM                                                   300

5.1       Pricing Terms
      •    FCO Services does not offer any free trial periods for any services provided
      •    Prices are in pounds sterling and exclude Value Added Tax (VAT)
      •    Invoicing is in accordance with FCO Services’ Terms & Conditions
      •    On-Boarding and Off-Boarding quoted prices are for Virtual Machine provisioning only
      •    On-Boarding does not include accreditation of any customer deployed software
      •    Payment options are as per FCO Services’ Terms & Conditions.

6 Optional Service

6.1       Service Delivery Management
FCO Services offers additional services for PaaS IL0-2. These services are not available as standard for
PaaS IL0-2; however, they can be made available at additional cost. As each customer may have differing
requirements, FCO Services’ Onboarding Team will provide consultancy and advice prior to provisioning.

The Service Delivery Manager will be supported by experienced technical and service architects along with
the security consultants whose services will be available as required throughout the term. They will act
together as the Design Authority, to assure continued integrity of the service, to review and provide an
impact analysis of proposed changes, to moderate on technical issues, to maintain design/process and
technical documentation.

The Service Delivery Manager will also deliver the following added value:

      •    Understand the client’s needs and expectations and develop strategies to exceed and continuously
           improve
      •    Monthly Review Meetings
      •    Service Improvements Plan (SIPS) or Continuous Service Improvement Plan (CSIP)
      •    Ongoing process management to ensure continual improvement of key metrics and deliverables
      •    To act as the single point of contact for all service related issues and provide relationship ownership
           and continuity service
      •    To identify and manage issues and risks and take responsibility for reporting issues and risks in a
           timely, open and appropriate manner

The Customer will make a request for SDM services through the service desk as a service request. FCO
Services will respond to this service request within two working days. Subject to availability of qualified
FCO Services resources, the parties will agree a commencement date for the SDM services. The SDM
services will require completion of an additional Order Form by the Customer.

7 Abbreviations and Acronyms

 Abbrev.      Meaning

 API          Application Programming Interface

 CESG         Communications-Electronics Security Group

 CI           Configuration Item

 CMDB         Configuration Management Data Base

 CPU          Central Processing Unit

 CSIP         Continuous Service Improvement Plan

 DV           Developed Vetting

 EDM          Enterprise Delivery Model

 EUD          End User Device

 GB           Gigabyte

 GHz          Giga Hertz

 GSAE         Government Secure Application Environment

 GSC          Global Support Centre

 GSi          Government Secure intranet

 HDD          Hard Disk Drive

 HMG          Her Majesty’s Government

 HP           Hewlett Packard

 IL0-2        Impact Levels 0 – 2

 IT           Information Technology

 ITIL         Information Technology Infrastructure Library

 KPI          Key Performance Indicator

 MVA          MegaVoltAmp

 NDA          Non-Disclosure Agreement

 NDC          Non Disclosure Agreement

 NIC          Network Interface Card

 OS           Operating System

 OVF          Open Virtualization Format

 OVPA         OpenView Performance Agent

 PaaS         Platform as a Service

 PGA          Pan Government Accredited

 PIN          Personal Identification Number

 PSN          Public Services Network

 RAM          Random Access Memory

 RFC          Request for Change

 RMADS        Risk Management and Accreditation Documentation Set

 SDM          Service Delivery Manager

 SIEM         Security Information and Event Management System

 SIPS         Service Improvements Plan

 SLA          Service Level Agreement

 SOC          Security Operations Centre

 SPI          Smart Plug In

 UK           United Kingdom

 UPS          Uninterruptible Power Supply

 VAT          Value Added Tax

 VM           Virtual Machine

        © Crown Copyright 2014. No part of this document may be reproduced in any form or by any means, electronic or mechanical, including photocopying, for any purpose other than for use by
                                                       the Foreign and Commonwealth Office without the express permission of FCO Services.

                                                          Further copies of this document are available on request from: FCO Services, Hanslope Park, Milton Keynes, Buckinghamshire, MK19 7BH
