Infrastructure as a Service IL0, IL2 and IL3 G-Cloud Lot1 IaaS

Transcription

1 Infrastructure as a Service IL0, IL2 and IL3 G-Cloud Lot1 IaaS Account Director: Name Surname

2 Contents Page: Introduction... 2 SCC Cloud Solutions... 2 Information Principles for the UK Public Sector... 3 Service Definition... 4 Overview... 4 Technical requirements - service dependencies... 8 Information assurance... 9 Details of the level of backup/restore and disaster recovery Service Management Overview Service Levels (e.g. performance, availability, support hours, severity definitions) Service Constraints Service Induction / Termination On-Boarding Off-boarding Data Restoration / Service Migration Data Extraction Termination By Consumers (i.e. consumption) By the Supplier (removal of the G-Cloud Service) Financial Summary Pricing Ordering and Invoicing Process Financial Recompense model for not meeting service levels Training Trial Service Appendix 1 Government ICT Strategy and Greening Government ICT Strategy European Green Datacentre of the Year Green Power Recycling Carbon Offset

3 Introduction Your business depends on the IT hardware and software provided from your IT organisation, and is typically provided within your private cloud, either on premise or provided to you by a market IT systems integrator. The world is changing and like Edison s electricity which was provided onpremise from your local power generator, IT hardware and software is being provided remotely, or off-premise, through Cloud solutions. This document provides the Service Description for SCC s Compute Service that forms parts of SCC s Infrastructure-as-a-Service offerings set within its Transform portfolio that also includes: IL2/3 Compute-as-a-Service IL2/IL3 Storage as-a-service IL2/IL3 Backup-as-a-Service. Further detail can be found at Alongside Infrastructure-as-a-Service (IaaS), SCC also provides additional capabilities and management services to form Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) offerings. Further detail can be found at SCC Cloud Solutions As the first pan-government accredited provider of a G-Cloud platform at IL2 and IL3, ( SCC is uniquely positioned to help you accelerate your cloud activities, with experience and capability across all cloud types (private, hybrid, community and public), combined with Information Assurance services that will support your migration to PSN. SCC has established a number of cloud services from IaaS, PaaS and SaaS, and through our partners who also utilise the SCC cloud services are developing a complete ecosystem of IT capabilities that will meet many of the demands of your business on your own IT service. The key features of the Infrastructure-as-a-Service service described in this Service Description are as follows: Accredited the entire infrastructure platform (hardware, software and network) is security accredited with pan-government accredited for a multi-tenanted environment. This means your own internal security approvals process is significantly reduced. SCC will support the remaining accreditation process with any new tenant to ensure full compliance and assurance of service according to the code of connections mandated by the PSN Authority. 2

4 Managed the tenancy is fully managed, reducing the burden on your organisations own internal IT staff meaning that the uptime availability provision is leveraged to ensure any failures are handled appropriate and in accordance with agreed procedures. This service is supported by a number of organisational features that further enhance the offering, our capability and differentiate SCC from a number of other IaaS cloud providers within the CloudStore. These features are: Solutions Provider SCC will own the IT solution to the business problem presented across all aspects of the IT service provision. As a solutions provider this means we will bring to bear our experience of building IT solutions across the last 40 years, to ensure the return on investment or critical spend is valued to its maximum. Security Practice SCC utilises its own Information Assurance Practice to support the delivery of IT solutions into the government marketplace, where security is heralded as one of the most important aspects of IT service delivery. Professional Services Practice this practice within SCC offers a wide range of IT skills and capabilities to support any implementation of an IT solution, and has experience within a large number of public sector projects over the last 40 years. Public Sector experienced specialists Understanding the business operation within the public sector is often paramount to achieving success. SCC offers a dedicated team of focussed individuals and excellence in helping our public sector organisations meet the demands within the IT service arena. Wider framework access for full solution delivery few requirements require simply hosted virtual servers. Additional infrastructure components and services are needed to deliver a full end to end solution. SCC has established many years of credibility in delivering through the other public sector frameworks that can be utilised to ensure every aspect of the resulting IT service meets the demands of the user. Financial stability a privately owned multi-billion pound organisation, SCC has many years of financial stability and investment capabilities that will ensure continuity of service throughout the life of the engagement with your organisation. Greening Government experience and credentials SCC are leading the way in responding to the Governments Greening ICT strategy and sustainable procurement agenda, by adopting CAESER (Corporate Assessment of Economic, Social and Environmental Responsibility), an online toolkit which helps companies to demonstrate a commitment to society and the environment. Information Principles for the UK Public Sector SCC Cloud services for the UK Public Sector support the defined Information Principles published where appropriate to the service being delivered. At the core of all of the SCC services are principles 1 and 2 in that all data is valued and is managed in line with the appropriate UK Public Sector Information Assurance guidelines that define the security controls for holding the data. Information Principles 3 through to 7 are considered and followed during the on boarding of systems in to the SCC Cloud infrastructure. These principles will be considered and followed in line with the appropriate UK Public Sector Information Assurance guidelines. 3

5 Service Definition Overview SCC s Sentinel provides a secure, robust, Infrastructure as a Service offering across multiple Business Impact Levels. The Sentinel platform provides options from a Basic level accredited compute, network and storage resource, up to a fully accredited Managed Service Operating System platform with ITIL aligned Service Management, Disaster Recovery and Service Desk functions. The Sentinel Infrastructure as a Service Offering includes the following: Fully accredited, Network, Compute and Storage Platform Private Government Community Cloud Offering Pay as you go compute model Flexible environments Number of pre sized machine offerings available Additional customised sizing options available upon request Option to provide Burst and Elastic capabilities for CPU, Memory and Storage Multiple Operating Systems supported Four pre-defined Service models available for your environment providing varying levels of Service Management and Support - Basic, Standard and Enhanced Fully GPG 13 Compliant (DETER) Virtual Machine Ability to connect to the Sentinel platform via the Internet the GCF and the PSN Government Networks. Guest level back up each evening, with a standard 10 day retention period (limited to the boot partition) included. Disaster Recovery and Dual Site option providing two levels of compute availability Built upon industry standard components and services Option for Deployed Physical Asset (Hybrid Cloud) There are 4 standard size variations available within SCC s Sentinel Infrastructure as a Service offering. These are as follows: Memory (GB RAM) vcpu Storage Boot Partition Size (GB) Mini Small Storage PageFile (GB)

6 Medium Large Table 1 Additional infrastructure capacity can be added to each of the standard sizes available. This can be either via allocating dedicated resource to the virtual machine or to provide the virtual machine with the ability to burst its resources only when required, utilising the shared resources of the cloud platform and ensuring a true utility based compute model. The options available for expanding the standard infrastructure offerings are as follows: Service Component 1GB Memory Increment Elastic 100MHz Core Increment Burst 100MHz Core Increment Elastic Table 2 SCC s Sentinel platform is housed within its Tier 3+ Datacentre and provides resiliency at all levels of the infrastructure, providing a stable, reliable infrastructure platform. In order to provide additional levels of availability and redundancy, SCC provide the option for a dual site implementation, utilising SCC s secondary Data Centre as a cold standby facility for the customer s infrastructure. The following Table provides the options available for Single site and Dual Site Infrastructure options and the corresponding Availability Service Level Agreement: Infrastructure Option Availability SLA Single Site 99.9% Dual Site 99.95% Table 3 SCC s Sentinel platform provides four standard service models as part of its Infrastructure As A Service offering. Each of these Service Models aims to meet the different needs of its customers by providing varying levels of integration and support. The four options are as follows; 1. Entry - Providing a raw compute offering with little service wrap 2. Basic Providing a basic Infrastructure as a Service offering with support up to the hypervisor level, ideal for customer aiming to maintain their own IT support teams and monitoring capability. 3. Standard Provides a GPG 13 Protectively Monitored platform with Security Event 5

7 Management necessary to provide a secure platform up to the Operating System layer. This platform is ideal for customers who require a Pan Government Accredited Operating System, but have an in house or 3 rd party support organisation and wish to maintain a large level of control over their Operating System configuration and application support models 4. Enhanced - Provides a GPG 13 Protectively Monitored platform with a Managed Service wrap around the Operating System, providing full monitoring, alerting and break fix functions up to and including the Operating Systems. This platform is ideal for customers who wish to have SCC maintain their infrastructure and provide a Platform as a Service with a full Pan Government Accredited Operating System. This platform would still allow for in-house IT teams or 3 rd party application vendors to provide support for the middleware and application layers; however SCC would provide a fully resilient, stable and supported platform for those teams to focus on delivering the applications to their end users. SCC are able to provide the hosting and support of physical servers with its Deployed Physical Asset (DPA) service offering, This service enables a Hybrid Cloud Service offering of Physical and Virtual infrastructure all with the security of SCC s Sentinel Capability set. The DPA service is ideal for supporting systems that do not fit within SCC s virtualisation platform for various reason s these may include physical appliances, systems with specific license restrictions or hardware requirements or where it is necessary to support an interim architecture as part of a transformation to the cloud. The service and support offerings around the DPA solution is treated on a case by case basis and is dependent upon the requirements of the customer and the specific hardware that is to be supported. The following table provides a high level view of the service provided for each of Sentinel s four service offerings: Sentinel Service Offering Entry Basic Standard Enhanced Compute Service Availability N\A 99.90% 99.90% 99.90% Compute Business Impact Levels Disaster Recovery Availability Available Network Connection IL0 N\A Internet IL0, IL2, IL3 Guest VM's Optional Secondary Data Centre Copy % SLA Internet (IL0 Direct, IL2 and IL3 Indirect), GCF/PSN (IL3), PSN (IL2) OS Windows 2008, Red Hat Linux 5 and 6, SUSE Enterprise 11, Windows 2003 R2, Windows 2008, Red Hat Linux 5 and 6, SUSE Enterprise 11, * (Other OS versions are possible under the basic service offerings but will be reviewed on a case by case basis) OS Licensing SPLA SCC provided SPLA license or Customer provided (Windows SA required for customer Licensing) 6

8 Storage Infrastructure Burst Bespoke Infrastructure Sizing Standard OS Drive, additional Tier 3 Data Storage Available via separate Service offering N\A N\A Standard OS Drive, additional Tier 1, Tier 2 and Tier 3 Data Storage Available via separate Service offering Optional Memory and CPU Burst capability Optional Elastic (allocated) Memory, CPU and Storage available upon request (Max 8 vcpu s and 256GB RAM) OS Patching N\A N\A Critical Patches and Security Patches only. Update and deployment process and schedule to be agreed at Service take on OS Level Patches, Critical and Security Updates. Update and deployment process and schedule to be agreed at service take on OS Monitoring Hypervisor Availability Hypervisor Availability Hypervisor Availability, IaaS Alerts, Performance Threshold Alerts Operating System Monitoring, Performance Threshold Alerts, OS Service Alerts, Enterprise Application level monitoring including Exchange, Active Directory, SQL Services are not included as part of the baseline service but can be provided Break Fix Support Hypervisor Level Support Hypervisor Level Support Hypervisor Level Support, IaaS Platform Availability, GPG 13 Agent Support Hypervisor, IaaS Platform and Operating System Level Support. Enterprise Application level support including Exchange, Active Directory and SQL Services are not part of the baseline service offering API Access No Table 4 The following table provides the infrastructure sizes available for each of the service offerings: Sentinel Service Offering Entry Basic Standard Enhanced Mini X X X X Small N\A X X X Medium N\A X X X 7

9 Large N\A X X X Custom N\A X X X Table 5 Technical requirements - service dependencies The Customer will require network connectivity either via the Internet or via a Government Network in order to access the Sentinel platform. The Customer will be responsible for ensuring they meet the requirements of the associated Code of Connections. A migration on to the Sentinel platform will be possible once necessary due diligence and infrastructure sizing exercises have been undertaken. These exercises can be undertaken via SCC as part of a professional services engagement. As part of any migration on to the Sentinel service, the Customer would be responsible for the following activities: Where existing Virtual infrastructure is being migrated, provide SCC with a VMDK or OVF Image and/or license keys and any other information reasonably required to enable the initial server build. In the event the Customer wishes to implement any operating systems software which is not identified on the SCC supported operating system software list, then prior to such implementation the Customer must first agree such with SCC. Procurement, maintenance and management of any Customer data communications lines not identified in the Order Form and/or Agreement. Provision, maintenance and management, of any Customer software, operating systems, applications and data which resides on the Sentinel Infrastructure which is not within the scope of this Agreement. Administration, management and control of Users access to the Customers applications and/or data stored on the Sentinel Infrastructure. Should SCC determine that the Customers usage of the Sentinel Infrastructure is not compliant with best practice guidelines then the Customer must comply with SCC s reasonable requests for change. In the event The Customer requires the implementation of its own anti-virus software then this will be by mutual agreement with SCC. If SCC and the Customer agree to such implementation then the Customer shall ensure that anti-virus signatures are checked on a daily basis and anti-virus software upgrades, fixes, patches are installed as and when required, to minimise any degradation in the performance of the anti-virus software. 8

10 Information assurance The Sentinel platform is accredited to hold and process information at Business Impact Level 0, 2 and 3 (IL0, IL2 and IL3) IL0 IaaS Service This service shall be delivered at Business Impact Level 0, IL0. The IL0 IaaS platforms will not be connected to any of the Government Networks.. SCC shall have the right to disable or remove services that can be proven to cause a security risk to the community as a whole. This service is intended to provide a web tier capability with the option to connect to the IL2 Business Impact Level via a pre-approved IL0 to IL2 Gateway Service. IL2 IaaS Service This service shall be delivered at Business Impact Level 2, IL2. At IL2 the service shall be delivered from a pre-accredited infrastructure and shall be connected to an appropriate Government network or the Internet via the IL0 Gateway Service. It shall be the responsibility of the guest VM owner, SCC and the accreditor to ensure that code of connection compliance is adhered to and that the service meets and maintains the minimum requirements for an IL2 infrastructure service. SCC shall have the right to disable or remove services that can be proven to cause a security risk to the community as a whole. IL3 IaaS Service This service shall be delivered at Business Impact Level 3, IL3. At IL3 the service shall be delivered from a pre-accredited infrastructure and shall be connected to an appropriate Government network. In order to maintain IL3 compliance for the Standard and Enhanced Virtual Machines, SCC shall ensure hardening and patch compliance is maintained in line with the code of connection and CESG Good Practice Guides. It shall be the responsibility of the guest VM owner, SCC and the accreditor to ensure that code of connection compliance is adhered to and that the service meets and maintains the minimum requirements for an IL3 infrastructure service. SCC shall have the right to disable or remove services that can be proven to cause a security risk to the community as a whole. SCC are able to provide a data transfer capability between the IL2 and IL3 impact levels via the esecure cloud based middleware (Integration Platform-as-a Service - ipaas) solution that delivers an industry leading solution for connecting highly-secured back office systems to the Internet and cloud-based applications, enabling the secure transfer of data between systems. For further details on this service please see the Sentinel Secure Managed Impact Level Gateway Service Offering 9

11 Details of the level of backup/restore and disaster recovery For the Basic, Standard and Enhanced Service offerings, the Virtual Machines shall be backed up to disk each day and backups will be retained for 10 days as part of the core service offering. This backup shall be limited to the standard boot partition of the virtual machine and will not include additional Persistent (Data) storage connected to the service. Backup of additional Application data is provided under SCC s Secure Backup Service available under GCloud. Backup will be to disk only. Backup of the OS to tape is offered as an additional, separate service. Recovery of a VM Image from backup shall be actioned within 4 Hours from the point of request by The Customer through the SCC Service Desk. The time taken to recover a Virtual Machine will be dependent upon the size and the complexity of the restore process for the specific machine. Additional levels of backup service can be provided as part of the Secure Backup Service offering. The following table provides an overview of the backup service provided: Sentinel Service Offering Entry Basic Standard Enhanced Compute Service Availability N\A 99.90% 99.90% 99.90% Disaster Recovery Availability N\A Optional Secondary Data Centre Copy % SLA Backup N\A Operating System Level Backup, VMDK Image Disk Level Data Backup N\A Optional via Secure Backup Service Description, including Application Level backup for specified Enterprise Applications Backup to Tape N\A Optional via Secure Backup Service Description Table 6 Where a customer has selected the 99.95%, higher availability service, the VM Image shall be replicated in real time to a secondary data centre. Compute resource shall also be allocated at the secondary site, providing a cold standby Disaster Recovery solution. In the eventuality that the primary site fails, and a Disaster is declared, the service shall be restored at the secondary datacentre. 10

12 Service Management Overview Service Provision SCC provide support wrap for the four levels of IaaS offerings (Entry, Basic, Standard, Enhanced). SCC will provide a Customer Service Manager (CSM) for the Basic, Standard and Enhanced service offerings. The CSM will be the key contact and escalation point for SCC s service offerings. The following table provides an overview of the scope of the support wrap provided for each IaaS offering: Sentinel IaaS Support Offering Entry Basic Standard Enhanced Customer Service Manager N\A Service Manager Assigned Customer Service Manager, Service Update meetings, Key Service Contact, Off-boarding Requests Reporting N\A Monthly Billing Monthly Billing, Basic Capacity and Availability Reporting Monthly Billing, Basic Capacity and Availability Reporting, Service Reports, IaaS SLA Reviews Service Desk Support Service Provisioning and 24x7 Service Desk Service Provisioning and 24x7 Service Desk Service Provisoning and 24x7 Service Desk Service Provisoning and Service 24x7 Desk Event Management N\A N\A Security Information and Event Management Security Information and Event Management, Operating System Event Management and Alerting Incident, Problem & Change Management N\A Hypervisor Support Only Up to Operating System Including Operating System Minimum Billing Unit Month Free\Trial Option No 11

13 Services available to other suppliers so they can use them to provide services to government? No Yes Table 7 Sentinel Service Desk SCC provides a 24 x 7 secure service desk from our Tier 3+ Datacentres. The Sentinel Service Desk is a single point of contact for all customer interactions. The Sentinel Service Desk provide incident, problem and change management limited to Sentinel service offerings. Additional service management offerings will be determined on case by case basis and charged separately. For Sentinel Service Offerings, Sentinel Service Desk will log incidents, assign unique reference number and manage through to incident life-cycle. An incident being defined as an unplanned outage or loss of quality to the Sentinel service offerings. The primary objective of incident management is to return the services to customers within the service levels. Incident Management includes Handling incidents that are escalated from the customer support organisation and within scope of Sentinel Service Offerings Handling incidents reported by Sentinel automated monitoring processes Incidents that fall outside of Sentinel service offerings will be the responsibility of the Customer Service Desk. The primary objectives of problem management are to prevent (re)-occurrence of incidents by eliminating their root cause. Sentinel Service Desk will carryout trend analsyis on recurring incidents and process error information of relevant hardware and software suppliers. When after a defined period of time no permanent solution has been found or implemented, a problem is flagged as Known Error. Problem management includes root cause analysis (RCA). RCA is executed to find the root cause of the problem. If the root cause is found and it is possible and sensible to remove the root cause this will be done. Problem Management and RCA s may lead to the implementation of changes when necessary for a permanent fix. The focus of change management is to manage changes in controlled way, such that impact of changes are correctly understood by the Sentinel and its customers. A change may impact single or multiple customers hosted on Sentinel. Therefore, changes require assessment against the impacted CIs and support from other ITIL processes. The Sentinel internal CAB is scheduled once a week, which involves CSM, Sentinel Platform Manager and SCC Information Assurance, such that they inform the end-customer for possible impact or outage. Customer Responsibilities 1. Manage incidents, problems and changes relating to customer specific services not within the scope of Sentinel Service Offerings 2. Report and provide Sentinel Service Desk will all information it may reasonably require in order to resolve the Incident 12

14 3. Ensure an Incident Owner or a nominated deputy is available during Working Hours 4. Provide the necessary resources to ensure that any changes to the Agreement are addressed and agreed with Sentinel via the Change Control Procedure in a timely manner 5. Provide details of forthcoming change that may impact the Sentinel service provided by SCC 6. Liaise with SCC incident and problem management teams where required to aid incident and problem resolution activities 7. Provide any required integration and communication functions between various 3 rd parties eg application vendors, business users 8. Ensure all users understand and comply with the various processes, policies and procedures of The Customer and as may be agreed between the parties from time to time Service Changes The primary mechanism for service management shall be through the SCC Customer Service Manager where Customers can request changes for the service. In addition, service status and billing reports can be made available in a pre-agreed format via a Customer Service Manager, should this be required. Connections All data centre operations conform to ISO2001/2, ITIL and the Code of Conduct for Data Centre Operations. Additionally SCC maintains Code of Connection agreements with Government network services providers such as GCF, PSN & IGSOC. Service Levels (e.g. performance, availability, support hours, severity definitions) The Services shall be provided by SCC in accordance with the following Service Levels; Sentinel Service Offering Entry Basic Standard Enhanced Service Availability (Single Site) Service Availability (Dual Site) N\A 99.9% 99.9% 99.9% N\A 99.95% 99.95% 99.95% Hours of Support Hours 24 Hours 24 Hours Incident and Problem Management Levels Escalation Process Level Table 8 SCC s service incident and escalation levels are defined within the tables below: 13

15 Incident Management SCC shall determine the Incident Priority in accordance with the following criteria: Priority (Severity) Description 1 - (Critical) An incident which involves service not available or a serious mal-function of the service with impact on Sentinel s direct delivery to single or multiple customers Total loss of service to all users and no work-around available Loss of functionality resulting in Sentinel Customer users/workgroups being unable to continue with normal business processing Unavailability of one or more supported services Sentinel down 2 - (High) An incident which involves service not available with impact on Sentinel s single or multiple customers or a serious mal-function of the service with potential impact on Sentinel s direct delivery to customers Partial loss of service and work-around available Loss of functionality which severely impedes all or some Sentinel services Customers users/workgroups being able to continue with normal business processing Partial loss of availability of one or more supported service 3 (Medium) An incident that involves degradation or risk to quality of service with impact on one or more Sentinel customers Issue not impeding Sentinel customers users/workgroups from being able to continue with normal business processing Potential to cause more serious issue if not investigated and addressed 4 - (Low) An incident for which the final resolution is outside the control of Sentinel and Sentinel has used all reasonable endeavours to mitigate the impact of the incident to the Customer. Sentinel shall advise the Customer of the likely resolution date and shall notify progress against this date. General Service related questions and requests for information. Table 9 The following table provides an maximum time before a response to an incident is provided by Incident management: 14

16 Priority-(Severity) Response Time 1 - (Critical) 30 Mins 2 - (High) 60 Mins 3 (Medium) 4 Hours 4 - (Low) 72 Hours Table 10 Incident Escalation Process There may be occasions where The Customer requires additional resource or focus to be applied to an Incident. In such circumstance the escalation procedure below shall apply; UK Service General Manager SCC Operations Manager Head of DCS Operations Level 4 Customer Service Manager SMTC Platform Manager Level 3 SMTC Service Desk and ITIL Team Leads SMTC Operations Team Leads (e.g. NOC, SOC, IA, etc) Level 2 SMTC Service Desk & ITIL Teams SMTC Operations Teams Level 1 Figure 1: Escalation levels within SCC The escalation activities and response timescales shall be as detailed in the table below. For avoidance of doubt the response timescales below are indicative only and do not supersede or replace the applicable Service Levels or SLA Targets specified in above. Escalation Level Response Activity Escalation to Next Level Timescales Level 1 The Sentinel Service Desk or Sentinel operations representative will acknowledge the Incident and advice on tests and actions required in order to resolve the Incident, consulting as necessary with other SCC representatives and/or 3rd parties. Should the SCC representative be unable to resolve the problem or provide an action plan suitable to Priority 1: 30 Minutes Priority 2: 3 Working Hours Priority 3: 6 Working Hours 15

17 The Customer, the Incident will be escalated to the respective team leader of either the Sentinel operations or Service Desk & ITIL team. Priority 4: Not Applicable Level 2 Level 3 Level 4 The respective team leader will determine a suitable action plan and agree it with the Customer or Sentinel Platform /Customer Service Manager. Third party manufacturers and/or suppliers may be contacted for additional technical support. If unresolved following Level 2, the Incident will be escalated to the Sentinel Platform Manager and Customer Service Manager who will involve all necessary resources, both internally and externally, to attempt to provide an acceptable resolution for The Tenant. If unresolved following Level 3, then Head of DCS Operations will take responsibility for the Incident and involve all necessary senior and management resources, both internally and externally, to ensure an acceptable resolution for The Customer.SCC Operations Manager will also be informed, who will further liase with all necessary escalation resources. Priority 1: 1 Working Hour Priority 2: 4 Working Hours Priority 3: 8 Working Hours Priority 4: Not Applicable Priority 1: 2 Working Hours Priority 2: 5 Working Hours Priority 3: 9 Working Hours Priority 4: Not Applicable N/A Table 11 Service Constraints The service shall be allocated a maintenance window between the hours of 23:00 and 06:00 and the window shall be allocated during service initiation. The service shall be Change Managed in accordance with SCC change schedules, change boards will sit weekly and changes shall be carried out during the subsequent change window. Configuration changes that cause a reboot/downtime but are deemed urgent shall not impact Availability metrics and SLAs and the associated charging mechanism. SCC will not provide any application or middleware level support as part of the service offerings described within this agreement. The ability to add move or change the number of VMs in the Customer solution shall be achieved via the Service Change request process and may be subject to appropriate financial approvals. VMs shall be decommissioned via change control and images will be shut down. The images will be left in place for a further 24 hours after which point they will be deleted. As part of any decommissioning process all virtual backups will be destroyed and any physical backups will be returned to the Customer or destroyed. Decommissioned machines shall be quarantined and can be restored to full operational state 16

18 within 24 hours of being decommissioned. Exclusions SCC will provide service and support for all aspects of the service as defined within scope of the service. The Service Levels Agreements (SLA s) will measure SCC s success in the delivery of those services. Where external factors influence SCC s ability to deliver against the contractual defined Service then SCC will not be liable for failure to meet the associated SLA s. These include but are not limited to the following circumstances: 1. 3 rd Parties, not engaged by SCC, fail to deliver services in accordance with their contractual commitments 2. 3 rd Parties use the Sentinel environment outside recommended best practice 3. Where the workload or the levels of utilisation of the Virtual Machines cause the system to become unresponsive or suffer from poor performance and where those levels of utilisation are deemed outside of the forecasted demand or sizing criteria of the service 4. Where customer requested configuration changes cause application downtime 5. Application Configuration causes Operating System instability 6. Application Level and End User Testing of all patches and security updates 17

19 Service Induction / Termination. On-Boarding The scope of this process covers the steps required to establish a new virtual machine within the SCC environment. The process caters for 3 integration scenarios: Integration of an existing virtual machine from within the Customers estate Integration of an existing physical machine from within the Customers estate Creation of a new VM within the SCC environment from an existing Sentinel Template 18

20 In all cases an initial discovery phase is required to determine the platform and resources that must be allocated from the environment to the Virtual Machine in order to define the setup activities and charges. The information established in discovery shall specify: CPU Resources Memory Resources Network Interfaces Storage Requirements Setup activities and resources. This information shall be supplied by the Customer either based on the existing server requirements or via a previously executed capacity planning exercise. Existing servers shall need to be encapsulated within VMware virtual machine files (VMDK files) or OVF files for incorporation into the platform. Existing VMDK or OVF files can be provided by the Customer directly for incorporation into the platform, should this be required (supported operating systems only) Other virtual machine formats are to be converted to VMDK or OVF prior to presentation. Physical servers must be migrated to VMDK or OVF format using an appropriate tool (e.g. VMware Converter) For the latter two options SCC can provide a chargeable service to create the VMDK files. Where data has been encapsulated within the VM file, the IL level must be assessed to ensure that an appropriate data transfer mechanism (i.e. encryption and security measures) is employed during the transfer of the virtual machine file to our environment. Transfer shall be achieved through providing the VM file on removable disk media (magnetic or optical) or transmission over a suitable network connection. When new virtual machines are to be created, SCC shall deploy the server within the environment from a library of hardened approved server templates. The resulting virtual machine shall then be validated to ensure that it has been correctly integrated within the environment. Compliance with Vendor software licensing terms may require SCC to apply additional licensing charges. It should be noted that while the scope of this process caters for the virtual machine only, the potential for invoking both storage and backup on-boarding processes exists in order that full integration can be achieved and that full compliancy can be achieved for The Customer offboarding process. The storage and backup services have their own separate service descriptions. 19

21 Off-boarding The scope of this process covers the steps taken to remove a virtual machine from the SCC environment and return the virtual machine file to the customer. The virtual machine shall be assessed to determine if there is any data encapsulated within the virtual machine file and, if so, determine the IL applicable to the data. This will ensure that appropriate measures (security, encryption etc.) are applied when transferring the virtual machine file back to the Customer. The virtual machine file, together with the associated virtual machine configuration file shall be supplied to the Customer using either removable disk or optical media encrypted as appropriate and provided by the customer. 20

22 The Customer shall be responsible for validating the integrity of the returned virtual machine file note that this step refers to the confirmation that a valid VM file has been supplied. SCC will not be responsible for ensuring that the virtual machine encapsulated within the file is correctly configured for any environment outside of SCCs service provision. Where a software license for the operating system or layered software within the VM file has been rented from SCC under a License Agreement the license key shall be removed prior to the return of the VM file. SCC will then destroy all live and backup copies of the virtual machine file within our control in line with CESG guidelines and provide written confirmation to the Customer that this has been performed. Any On Boarding or Off Boarding process is not part of the Monthly unit rate and will be undertaken as part of a project activity. Data Restoration / Service Migration Where data needs to be restored to the operational service from a backup, this shall be requested by the customer through the SCC Service Desk. Recovery of data from backup shall be actioned within 4 Hours from the point of request by the customer through the SCC Service Desk for the Basic, Standard and Enhanced Services. The time required to restore the data will be dependent upon a number of factors including; the amount of data being restored and the complexity of the data restore process. Data Extraction Suppliers will provide a simple and quick exit process to enable consumers to move to a different supplier for each of their G-Cloud Services and/or retrieve their data. Suppliers will commit to providing details of this, clearly and unambiguously in the Service Definition for each service. This will include, but not be limited to: The data standards that will be in use (within the service). A commitment to returning all consumer generated data (e.g. content, metadata, structure, configuration etc.) and a list of the data that will be available for extraction. Where there is a risk of confusion, data that will not be available for later extraction will also be published. The formats/standards into which data will be able to be extracted and preferably a list other common services/technologies to which an export/import mechanism is available. This service provides a secure disk storage service, delivering many different data standards. SCC commit to returning all Customer owned, generated data, via an agreed and contracted format as part of a separate project activity. Data can be extracted to CD and tape, where appropriate from a capacity perspective. However, we could agree other mechanisms 21

23 with Customers on a case by case basis. A price for the extraction of consumer generated data (or the migration to another service provider s service). Confirmation that the Supplier will purge and destroy (as defined in security accreditation for different ILs) consumer data from any computers, storage devices and storage media that are to be retained by the Supplier after the end of the subscription period and the subsequent extraction of consumer data (if requested by the consumer). Data Extraction shall be charged dependent upon the amount of data and media to be extracted to. All data at rest contained within the SCC platform shall be purged or destroyed with standard service, volume, LUN deprecation procedures. All data leaving the SCC platform shall be purged or destroyed using CESG approved white spacing prior to shipping. Where a physical drive from a drive set fails then that drive shall be destroyed in accordance with CESG procedures. Termination By Consumers (i.e. consumption) A G-Cloud service shall commence on the Effective Date and shall, unless specified otherwise in the Order Form, continue for the Initial Term and shall remain in force thereafter unless and until terminated by either Party giving to the other not less than 30 days written notice, but shall be subject to earlier termination as referenced within the Termination/Consequence of Termination section of the standard SCC G-Cloud terms and conditions. By the Supplier (removal of the G-Cloud Service) A G-Cloud service shall commence on the Effective Date and shall, unless specified otherwise in the Order Form, continue for the Initial Term and shall remain in force thereafter unless and until terminated by either Party giving to the other not less than 30 days written notice, but shall be subject to earlier termination as referenced within the Termination/Consequence of Termination section of the standard SCC G-Cloud terms and conditions. 22

24 Financial Summary Pricing The following table provides the pricing for the IaaS service offerings: Sentinel IaaS % Availability Impact Level 0 Sentinel IaaS Service Offering Price Per Month Entry Basic Standard Enhanced Mini Small Medium Large Sentinel IaaS % Availability Impact Level 0 Sentinel IaaS Service Offering Price Per Month Basic Standard Enhanced Mini Small Medium Large Sentinel IaaS % Availability Impact Level 2 Sentinel IaaS Service Offering Price Per Month Basic Standard Enhanced Mini Small Medium Large

25 Sentinel IaaS % Availability Impact Level 2 Sentinel IaaS Service Offering Price Per Month Basic Standard Enhanced Mini Small Medium Large Sentinel IaaS % Availability Impact Level 3 Sentinel IaaS Service Offering Price Per Month Basic Standard Enhanced Mini Small Medium Large Sentinel IaaS % Availability Impact Level 3 Sentinel IaaS Service Offering Price Per Month Basic Standard Enhanced Mini Small Medium Large There is a minimum billing interval of 1 month for all listed IaaS Service offerings. Ordering and Invoicing Process SCC will provide ordering of G-Cloud services via an Account or Customer Service Manager. A list of G-Cloud services can be compiled with quotations for those specific services. Once The Customer is satisfied that the requirement is met, it can then be converted into an order. Once the services are enabled and confirmation of the ordered G-Cloud services is delivered to The Customer a monthly invoice in arrears will be generated against the order. 24

26 Should The Customers usage of the Service increase beyond the contracted volumes during any period then this will be retrospectively invoiced, at the next month end, as additional services. Financial Recompense model for not meeting service levels Service Credits 1.1 Subject to Clause 1.3 below, in the event that SCC fails to meet the SLA Target for the applicable Service Level, then the Service Credit mechanism in Clause 1.2 shall apply; 1.2 SCC shall provide a rebate of 1% of the Monthly Charge for this Service, which is applicable over the Report Period for every 1% below the SLA Target to a maximum of 10 % rebate. The applicable Service Credit shall be deducted off the next invoice due to The Customer. 1.3 Payment by SCC of Service Credits to The Customer shall be in full and final settlement of SCCs liability to The Customer for failure to meet the Service Levels during the Report Period. 1.4 Service Levels will only be calculated against Storage Availability and not against Application availability. Service penalties against the loss of storage availability will not include other machines or applications impacted by that loss. 1.5 Service Credits will not be applied where it is determined that SCC are not responsible for the cause of the breach in Availability performance. Training There is no training required within this secure storage service. Trial Service There is no option to consume this service for a trial period. 25

27 Appendix 1 Government ICT Strategy and Greening Government ICT Strategy SCC are leading the way in responding to the Governments Greening ICT strategy and sustainable procurement agenda, by adopting CAESER (Corporate Assessment of Economic, Social and Environmental Responsibility), an online toolkit which helps companies to demonstrate a commitment to society and the environment. CAESER constantly review changing and emerging standards to quickly establish and ensure that our operations and our supplier s operations are compliant and not exposed. It enables us to monitor new developments in UK and International CSR legislation that focus on the supply chain. The CAESER system helps to ensure adherence to the requirements of new and current legislation, allowing us an avenue to positively monitor and engage with suppliers responsible for the products available under this framework agreement. To provide the basis for best practice in line with the Government supply chain agenda, we work alongside leading UK Government departments and International organisations to promote acceptable standards, current trends and initiatives. These organisations include the UK Global Compact, the International Labour Organisation and the Global Reporting Initiative. In addition to CAESER, we also use the FTSEGood Index and UNSPSC Codes to identify and monitor risk within the supply chain. We also have preference for suppliers that are members of Electronic Industry Citizenship Coalition (EICC) where a code of practice governs labour, health and safety, environmental management systems and ethics exists. Practical steps taken by the business ensure that the operations of the business have a minimal impact on the environment; these steps further support the supply chain methodologies. European Green Datacentre of the Year 2011 The SCC Data Centre is an award winning carbon zero facility. We have provisioned some unique technologies to achieve that level of sustainability, as well as investing in eco-friendly projects within Kenya. Within the Data Centre Environment SCC operates a Carbon Off-set programme enabling a zero carbon rating, across both our Data Centre infrastructures. The primary offsetting project we run is through an organisation called CO2Balance.com building low carbon villages in Kenya. SCC are also members of the Carbon Reduction Commitment energy efficiency scheme. SCC Customers, who utilise our Data Centre services, are in turn able to advertise this credential within their ecostatements published to their Customers and Suppliers. SCC also utilise additional ecological Data Centre technologies, such as external chillers, which use external, ambient air temperatures to cool water to a level that can in turn be used within the data centre CRAC units. This enables SCC to reduce their cooling costs by up to 40%, which is then relayed to our Customers in reduced bills for their power and cooling usage. Variable Refrigeration Flow (VRF) Air Conditioning is an advanced cooling technology, which allows us to independently cool each data room, enabling us to minimise heat loss and create energy savings of up to 30% over conventional systems. 26

28 Floor pressurisation systems, which streamline cooling within lower utilised Data Centres to where the floor pressure is, i.e. the full racks. We are therefore not flood cooling via the under floor voids, but focussing the cooling in the areas that need it. This system also controls the output from the air-conditioning units, helping manage the cooling used into the data hall. Green Power During 2013, SCC will be switching its energy supply contract to a pure green power contract to further increase its commitment to supporting a strong CSR policy. Recycling SCC can manage your IT recycling for you, providing a cost-effective and secure solution with environmental reporting to support your CSR. This will help you avoid the damaging consequences of serious deliberate or negligent breaches of the Waste Electrical and Electronic Equipment (WEEE) directive. The WEEE Directive was introduced into UK Law in January 2007 and aims to reduce the amount of electrical and electronic equipment being produced, while promoting the secure reuse and recycling of IT equipment. Many companies underestimate security issues surrounding end-of-life data and focus on protecting live assets. However, unprotected disposal significantly increases the likelihood of a detrimental data breach, with information being far easier to access, and can be equally as harmful to your organisation, as not recycling at all. As part of our IT recycling services, we offer state of the art shredding and separation technologies that safely destroy your redundant IT equipment, optimising the recycling and recovery of original raw materials. SCC recycle on average 20% of the IT we recover and remarket up to 80% to create a revenue stream for the customer. This offsets your costs and supporting your Corporate Social Responsibility (CSR). We can guarantee the secure and environmental disposal of your IT waste, as we operate a 0% landfill policy, allowing us to effectively manage your WEEE compliance. 27