1 PSN Services Service Descriptions - Government Procurement ...

PSN Services Service Descriptions 

1 

Lot 1 – Communication Services 

Provision of Communications Services: supply, installation, maintenance, technical architecture and 

system design, project management, and support for equipment, commodity and managed service. The 

Lot scope includes: all traditional and IP based voice services; voice call packages; voice minutes; DDI, 

premium rate numbers; non-geographic numbers; 118 enquiries; call preference services, audio 

conferencing, desktop video conferencing and collaboration tools; web conferencing; Internet services; 

email and website services; co-location and hosting; on-line storage; security services; antivirus; email 

scanning and filtering; firewalls; intrusion and spyware detection; authentication and access 

management; web and application sign on services; web conferencing; messaging services; real time 

information services; desktop messaging; messaging via email, SMS, pager and mobile or fixed line 

telephone; provision of all elements of a complete solution. 

• Note that connectivity does not fall within the scope of this Lot.

PSN Services Service Descriptions .......................................................................................................... 1 

Lot 1 – Communication Services ........................................................................................................ 1 

Supplier Responses ............................................................................................................................. 3 

2 

Azzurri Communications Ltd .......................................................................................................... 3 

British Telecommunications PLC .................................................................................................. 11 

Cable&Wireless Worldwide ........................................................................................................ 209 

Cassidian UK ............................................................................................................................... 390 

Daisy Communications Ltd ......................................................................................................... 533 

Freedom Communications (UK) Ltd ........................................................................................... 608 

Fujitsu ......................................................................................................................................... 616 

Global Crossing ........................................................................................................................... 639 

KCOM Group Plc ......................................................................................................................... 721 

Logicalis UK Ltd ........................................................................................................................... 739 

NextiraOne UK Limited ............................................................................................................... 940 

Siemens Communications .......................................................................................................... 949 

Thales UK Ltd ............................................................................................................................ 1009 

Vodafone Limited ..................................................................................................................... 1021

Azzurri Communications Ltd 

3 

Supplier Responses 

Azzurri supply, install, maintain and support communications services that assist organisations to 

meet government objectives and drive increased efficiency, reliability, information security, agility, 

sustainability and deliver better service to citizens. 

Azzurri will provide advice on technical architecture and system design and will manage technology 

consolidation and integration of multiple services and suppliers into a single, holistic solution. We are 

accredited with key carriers, vendors and service providers. 

We are a communications service integrator and will blend technologies from different vendors, to 

create a communications environment that integrates different products and services which enable 

reuse of existing assets where possible, on either a commodity or managed service basis. 

Utilising our own project management methodologies, Azzurri has delivered communications 

services to Local and Central Government, NHS, Social Housing, Education and Charity sectors. Our 

experience and expertise includes communications audit and consultancy, comparison, planning, design, 

implementation, support, cost management and evolution and innovation. 

Our experienced network architects will assist with planning and specification, and we have PRINCE2 

and ITIL accredited project and support teams who will engage in the migration, implementation and 

support of our communications services. 

Azzurri has a virtual Network Operations Centre (NOC) that provides second and third line support 

for incidents reported through our contact centres. The NOC operates 24x7x365. The NOC utilises a 

monitoring package to capture events from the Customers’ deployed Services and to respond to alerts. 

Following the appearance of an alarm on the monitoring platform, the alerts are logged in our Service 

Management System and contact is made with the Customer where additional information is gathered 

and an action plan is agreed and put in place. 

Azzurri’s Service description for Lot 1 Communications Services is as follows: 

1. Traditional and IP based voice services; 

▪ The Service offers three IP telephony options based on different deployment models: 

i. On-site IP telephony – traditional on-site systems that will be owned by the 

Customer, where the management is provided by the Customer or Azzurri. 

ii. Hosted IP telephony – dedicated systems that are hosted and managed by Azzurri 

on behalf of the Customer. 

iii. IP Centrex – multi-tenant systems hosted by Azzurri and rented to the Customer 

on a per handset/feature basis. 

▪ The Service incorporates;

4 

i. Provision of traditional PSTN call delivery services and provides the capability to 

connect to a PSN compliant SIP based service from providers such as BT Openreach, 

BT Wholesale, Cable and Wireless and Gamma. 

ii. Provision of professional services to enable IP Telephony design, migration 

strategy and advice, and overall management of solution deployment. 

iii. Design and delivery of Unified Communications services such as instant 

messaging, user presence and desktop integration services. 

iv. Provision of traditional voicemail services and voicemail integration into user 

desktop environments in the form of Unified Messaging. 

v. Desktop Messaging Solutions. 

vi. Provision, advice, design and integration of CTI services and components such as 

third party software products that require telephony functionality. 

vii. Design and provision of remote working solutions to enable location independent 

working incorporating fixed voice services, mobile voice and data communications. 

viii. Design and provision of Fixed Mobile Substitution and Fixed Mobile Convergence 

solutions including standard carrier services such as Mobex which provides closed 

user group connectivity and Mobile Extension Zone (MEZ from O2) which provides 

reduced rate on-net call charge profiles. 

▪ The Service incorporates a support package for voice, data and mobile communications 

that provides; 

i. Standard support services: network availability and incident management 

services for hardware, software, mobility and connectivity with pre-agreed SLA 

response. 

ii. Software maintenance: full patching of software applications, for bugs; minor 

release and major upgrade licensing rights. 

iii. Managed Services: whereby Azzurri take on the day to day management of the 

Customer infrastructure to predefined boundaries. This service is tailored to 

individual Customer needs and can include transfer of staff undertakings (TUPE). 

iv. Remote management: whereby Azzurri provides proactive fault monitoring and 

detection, usage and activity based monitoring and reporting and security services 

such as intrusion detection. 

v. Access to Azzurri Innovations who are a specialist division of Azzurri that provide 

product technology consultancy, and bespoke software development within 

communication environments to integrate multiple communication architectures 

and platforms. 

2. Voice call packages; 

▪ Azzurri will provide the Customer with an audit and consultancy service that is available 

across data, voice and mobile estates which will provide;

5 

i. Azzurri Insight consultancy and discovery suite - commercial consultancy and 

audit Services to identify opportunities to reduce and recover costs, optimise 

delivery and improve management processes. This includes contract reviews, 

technology assessments, bespoke profiling, benchmarking and comparison against 

industry standards. 

ii. On completion of the commercial consultancy and audit exercise, Azzurri will 

offer Customers ongoing expense management services including a Telecoms 

Expense Management (TEM) service to ensure that ongoing provision, 

management, and reporting of the Customers’ communication estate is efficient 

and controlled. This service is chargeable and includes an online cost management 

tool to enable the Customer to create bespoke cost centre or business structured 

cost and asset management reports. 

▪ Upon completion of the audit and consultancy service, Azzurri can offer the Customer a 

range of voice call packages to complement their particular calling profile and call volumes 

from providers such as BT Openreach, BT Wholesale, Cable and Wireless and Gamma which 

are billed to the Customer directly by Azzurri. 

3. Call preference services; 

▪ Azzurri can provide a range of call preference solutions to enable Customers to operate a 

service that delivers calls according to their preference. 

▪ Azzurri can recommend to the Customer an appropriate call preference service for their 

particular calling profile identified during a commercial audit. It may then be possible to 

programme this preference as the default for the Customer as part of a communications 

solution deployment. 

4. Voice minutes; 

▪ Azzurri’s Calls and Lines Outbound Service allows the Customer to make outbound voice 

and data calls from a fixed PSTN/ISDN line to any destination over the public telephony 

network. 

▪ Azzurri can provide both a calls only service and a calls and lines service either as new 

orders or by migrating a Customer’s existing services from their current provider to Azzurri. 

▪ Azzurri deliver the Customer’s outbound calls over a public network selected by Azzurri 

through Carrier Pre-Select (CPS) or Indirect Access (IDA) via carriers such as Cable and 

Wireless and Gamma. 

▪ Outbound calls can be provided in conjunction with PSTN/ISDN Lines or via a PSN 

accredited SIP service provider. 

▪ In addition to the calls and lines inbound and outbound services that Azzurri provide, we 

also offer a number of enhanced services: 

i. Online call reporting. 

ii. Online Inventory.

6 

iii. Cost centre management. 

iv. Management reporting. 

v. Audit and cost reduction. 

5. DDI, premium rate numbers; 

▪ Azzurri will provide a range of DDi numbers and premium rate numbers. These numbers 

can be delivered via traditional ISDN based PSTN services or via a PSN accredited SIP service 

provider via providers such as BT Openreach, BT Wholesale, Cable and Wireless and 

Gamma. 

6. Non-geographic numbers; 

▪ Azzurri will provide an Inbound telephony service to the Customer upon request. This is a 

telephony service that provides the Customer with online access to a range of call routing 

features and management information for their inbound numbers. These services are 

provided by Azzurri utilising BT Openreach, BT Wholesale, Cable and Wireless and Gamma. 

▪ Azzurri will provide an Inbound telephone number for the Customer upon request. This 

may be a geographic inbound number, a non geographic 08XX or an 03XX number. When 

the Inbound number is dialled, the incoming call is routed according to the routing set up via 

the Azzurri provided web portal. The call routing is applied at network level and delivered 

according to the Customer’s preferences. All calls can be delivered to either a UK fixed 

line/mobile or a system announcement destination. 

▪ Azzurri’s Inbound portfolio comprises three options: 

i. Contact Point 

§ The Customer will have the ability to control setting up and changing their call 

routing according to opening hours/staff availability. 

ii. Contact Path 

§ The Customer will have the ability to route calls according to who the caller is, or 

by the caller’s location to the nearest office for example, and the ability to 

create such features as hunt groups. 

iii. Contact Pro 

▪ Number portability: 

§ Offers a suite of Inbound call handling tools, suited to a Customer which places 

high value on the Customer service provided to callers and those organisations 

looking to deal with incoming enquiries effectively without missing a call. 

Advanced call handling features can be tailored to the Customer’s needs and 

changed instantly via the web portal by them. 

i. Azzurri can port an existing inbound number from a Customer’s existing provider 

into the Azzurri network.

7. 118 enquiries; 

7 

ii. Azzurri Inbound numbers can be registered with the BT Directory Enquiries 

service. 

▪ Azzurri will recommend a range of 118 enquiry service providers to the Customer. 

▪ Azzurri will recommend to the Customer an appropriate 118 enquiry service for their 

particular calling profile identified during a commercial audit. It may then be possible to 

programme this recommended service provider as the default provider for the Customer as 

part of a communications solution deployment. 

8. Audio conferencing, desktop video conferencing and collaboration tools, web conferencing; 

Audio and Web Conferencing 

▪ Azzurri will provide an audio and web conferencing service from Arkadin who are a 

Conferencing Service provider (CSP) with global capability. 

▪ The service is formed of Carrier-grade conferencing bridges in multiple locations with a 

resilient, secure system platform and network to ensure continuous operation of services. 

▪ The service is available for worldwide access to enable telecoms costs to be centralised 

through toll-free access, shared through toll access, or dispersed through direct 

International access. 

▪ The service includes the availability of live operators for security, to place participants into 

their desired conferences, or for in-conference support by simply pressing *0 at any time of 

day 24/7/365. Accounts for new users can be created within 48 hours, or within 4 hours if 

urgent. 

▪ The service will support Managed Event calls. 

▪ Centralised management reporting will present usage data, costs and trends for one or 

many locations. 

Desktop Video and Collaboration 

▪ Azzurri will provide IP based desktop video and collaboration applications. 

▪ Azzurri will provide an integration service to facilitate the integration of desktop video and 

collaboration applications with board room/conference room video conferencing 

equipment and presence applications such as MS Lync and Lotus Sametime. 

9. Co-location and hosting 

▪ Azzurri will provide rack space, power and security management utilising the services of 

SSE Data Centres who are a UK based data centre hosting provider.

8 

▪ This service is formed of high capacity, high availability facilities offering modular suites, 

with communication and core fibre links across multiple carrier networks. 

▪ The suites supply a minimum of N+1 concurrently maintainable power infrastructure with 

uninterruptable power supply with high density cooling (2N CRAC units) backed up by both 

UPS battery systems and HV generator sets. 

▪ Security at the Data Centres includes anti-ram Vee gates, internal and external CCTV and 

bespoke security access systems. Early warning fire detection and active automatic fire 

extinguishing systems are provided. The sites are manned 24x7 by security staff, alongside 

in-house 24x7 on site mechanical and electrical engineering support and building 

management. 

▪ The sites utilise an Energy Efficient Infrastructure, including: 

i. 100 kW PV installation‚ green energy generation 

ii. Cold Aisle containment as standard 

iii. Modular fit out 

iv. Low drag pipe working 

v. Harmonic balancing of plant 

vi. Packing material disposal and recycling facilities 

10. Design, implementation, management and support of advanced data services: 

▪ Azzurri will provide a range of managed services, encompassing data, voice, video and 

converged networks. Our Managed Services contracts will be tailored to individual Customer 

requirements, with defined service inclusions and service boundaries. Depending on 

Customer specification, our Managed Services in relation to this lot cover; 

§ Provision and rentals associated with all PSTN connectivity/circuits. 

§ Customer Premises Equipment, routers, security appliances (e.g firewalls). 

§ Network management & Support 24 x 7 x 365. 

§ Provision of a Customer network management portal. 

§ The ability to host equipment or premise based hardware. 

§ Data hardware maintenance and support. 

§ Service Management, including; 

o Service reporting. 

o Change, order and billing management. 

o Service & Account Reviews. 

§ Implementation, including; 

o Project Management. 

o Implementation engineering.

9 

▪ Application management 

§ Azzurri can provide application level SLAs based on application performance. Azzurri’s 

pro-active monitoring solution provides: 

▪ On-line storage 

o Application analysis – whereby critical and core applications are mapped 

across the end to end path. 

o Application profiling – where appropriate metrics and thresholds are 

attributed to each core application. 

o Application test deployment – where we simulate core application 

monitoring deployed across participating paths in the network. 

o Application Visibility – where all monitors are compiled at a top level to 

provide clear information about performance per location. 

§ Azzurri will provide On-Line storage solutions that can be both on-net within the 

datacentre and off-net to an external dedicated supplier (SSE telecom). In addition 

Azzurri can provide cloud based archiving and offline backup solutions for servers 

and workstations.. 

▪ Security solutions 

§ E-mail, scanning and filtering 

o Azzurri will provide e-mail, scanning and filtering appliances, software, 

virtual appliances and Services to deliver a range of anti-spam and email 

security solutions that address the email protection needs from single 

individual to enterprise wide deployments. 

§ Data leakage protection. 

o Azzurri will provide data leakage protection that Identifies and routes emails 

containing sensitive information, offering both inbound compliance and 

outbound data leakage protection. For example, Azzurri can block receipt of 

EXE or MP3 files, or re-route outbound email and attachments containing 

Personal Health Information (PHI) terms to an approval box or trusted 

partner. These tools comply with regulations such as HIPAA, GLBA, PCI and 

SOX. 

§ Firewall Deployment 

o Azzurri will provide context based firewalls manufactured by either Cisco or 

a range of Next Generation firewall technologies from SonicWall, Palo Alto 

or Checkpoint 

§ Authentication and Access Management 

o Azzurri will provide both SSL and IPSec based VPN based Authentication and 

access. This is based on user profiles policy can be enforced dependent on

10 

§ Antivirus; 

▪ Internet services; 

individual users, the multiple devices that they use and the different 

locations where they may be deployed. Secure Remote Access products can 

be deployed on PCs, laptops, tablets, PDAs and smartphones to restrict 

access to sensitive information and prevent data leakage from those 

devices. 

o Azzurri will provide in conjunction with our firewall technology, Enforced 

Client Anti-Virus and Anti-Spyware, with a choice of McAfee® or Kaspersky® 

technology. This is designed to ensure that all endpoints have the latest 

versions of anti-virus and anti-spyware software installed and active, 

automatically delivering updated security definitions to the endpoint as 

soon as they become available. Additional protection for Windows®-based 

file, print, and Exchange servers is also available 

§ Azzurri will provide direct Internet Access services with fully diverse options for Active 

– Active, Active – Passive deployments. Internet access can be provisioned in 10Mb 

blocks up to and beyond 1Gb. Optionally Azzurri can provide a DDOS monitoring and 

scrubbing service ensuring that DDOS attacks on specific sites are mitigated. 

Internet services can be routed through individually provisioned firewalls or shared 

context based firewalls dependent on end user demands. 

11. Messaging via email, SMS, pager and mobile or fixed line telephone; desktop messaging; 

▪ Azzurri will provide IP enabled communications solutions that are capable of providing 

Unified Messaging. These Unified Messaging systems can integrate with platforms such as 

MS Outlook and Lotus Notes enabling users to receive messages via Email, SMS, pager, 

mobile, or fixed line telephone calls. Messages are deposited into a single message store 

that is accessible from a user’s desktop, tablet, Smartphone, or Web browser. Messages can 

be distributed to other recipients and can include written or verbal annotation. Messages 

can also be played back using text to speech enabling remote workers to be able to hear 

text based messages. Auto attendant, whereby a caller inputs either DTMF telephone digits 

or natural speech to gain access to services, fax, and speech driven applications are 

available. 

12. In addition to the above individual services, Azzurri will combine, as defined by the Customer, 

elements of the above individual services as a complete solution.

British Telecommunications PLC 

Required Services under Lot 1:- 

11 

REQUIRED SERVICES CONTRACTOR 

CAPABILITY 

Supply YES 

Installation YES 

Maintenance YES 

Provision of Communications Services: YES 

Technical architecture and system design, YES 

Project management YES 

Support for equipment, YES 

Commodity and managed service. YES 

Traditional and IP based voice services; YES 

Voice call packages; YES 

Voice minutes; YES 

DDI, premium rate numbers; YES

12 

tools; 

Non-geographic numbers; YES 

118 enquiries; YES 

Call preference services, YES 

Audio conferencing, YES 

Desktop video conferencing and collaboration 

YES 

Web conferencing; YES 

Internet services; YES 

email and website services; YES 

Co-location and hosting; YES 

On-line storage; YES 

Security services; YES 

Antivirus; YES 

email scanning and filtering; YES 

Firewalls; YES 

Intrusion and spyware detection; YES

13 

Authentication and access management; YES 

Web and application sign on services; YES 


Messaging services; YES 

Real time information services; YES 

Desktop messaging; YES 

Messaging via email, YES 

SMS, pager and mobile or fixed line telephone; YES 


The Contractor has presented the Service Descriptions under the following headings: 

o Functional Description - Describes the Contractor’s functional capabilities. This section 

addresses each of the following service lines individually: 

a) Calls And Lines – Voice Access 

b) Calls And Lines - Voice Call Packages 

c) Calls And Lines – Voice Minutes 

d) Calls And Lines - Premium Rate Numbers & Non-Geographic DDI Numbers

14 

e) Calls And Lines - Call Preference Services 

f) Calls And Lines – Smart Numbers 

g) Call Handling – Traditional Voice Services 

h) Call Handling – Hosted IPT Services 

i) Value Added Services - 118 Directory Enquiries 

j) Value Added Services - Audio Conferencing 

k) Value Added Services - Desktop Video Conferencing And Collaboration Tools 

l) Value Added Services - Web Conferencing 

m) Value Added Services – Managed Streaming 

n) Other Communication Services - Internet Service 

o) Other Communication Services - Co-Location And Hosting Services 

p) Other Communication Services - On-Line Storage Services 

q) Other Communication Services - Antivirus Services 

r) Other Communication Services - Email Scanning And Filtering Services 

s) Other Communication Services - Firewalls, Intrusion And Spyware Detection Services 

t) Other Communication Services - Authentication And Access Management Services

15 

u) Other Communication Services - Web And Application Sign On Services 

v) Other Communication Services - Mail And Messaging Services 

w) Other Communication Services - Real Time Information Services 

x) Other Communication Services - Desktop Messaging 

y) Other Communication Services - Messaging Via Email, SMS, Pager And Mobile Or Fixed 

Line Telephone 

z) Other Communication Services - Secure File Transfer 

aa) Other Communication Services - Unified Communications 

bb) Sustainability Services 

Relating to the provision of all elements: 

o Commercial Description - Describes the range of Contracting options under which the 

Contractor’s capabilities are offered. 

o Service Management Description - Describes the Contractor’s service management 

capabilities. 

o Business Continuity – Describes the Contractors approach to Hosted Services and Service 

Management

16 

o Partners and Suppliers - Describes the range of partners and suppliers that the Contractor 

works with. 

Functional Description - Voice 

A) Calls & Lines - Service Description for Voice Access 

The Contractor provides two types of direct connectivity to and from its voice services 

o Traditional PSTN (Public Switched Telephone Network) access 

o Including analogue PSTN, 

o Copper based access for basic rate ISDN2 and primary rate ISDN 30 (Integrated 

Services Digital Network) 

o Fibre based access, primary rate ISDN30 

o SIP (Session Initiated Protocol) Trunking 

o SIP trunk service is an *access agnostic **public telephony trunking service. 

*Access agnostic, customers can use a suitable QoS (Quality of Service) enabled Wide area 

Network (WAN) to connect to the service.

17 

**Public Telephony Trunking can be used instead of PSTN telephone trunk line service (such 

as ISDN30) but does not connect any end-users directly. End-user functionality is provided either 

by the IP-PBX that consumes the trunking service or by a hosted/network platform. 

The following functionality is supported: 

Number Porting – carry existing (geographic) phone numbers across from or port to 

other services providers. 

PSTN break-in –receive calls from the national, mobile and international networks. 

PSTN break-out – calls can be made to destinations normally reachable over the PSTN 

Transport and presentation of Calling Line Identity (CLI) of the originating number onto 

the terminating Customer Premises Equipment (CPE) e.g. PABX, CLI Phone or IP PBX. 

Support for Presentation Number screening. Uses CLI to control delivery 

Trunk level Call Admission Control – specifies the maximum number of simultaneous 

calls a particular trunk or site can handle. 

Trunk Group level Call Admission Control – controls maximum number of simultaneous 

calls presented to terminating CPE. 

Round Robin Trunk call distribution – Allows even load sharing for telephony traffic 

across multiple sites. 

Priority Based Trunk call distribution – Allows contractor/customer to define call 

routing over designated trunk.

18 

Access to Dynamic capacity – Allows contractor/customer to increase or decrease trunk 

capacity according to demand or timed event. 

Trunk level Call Barring features – Controls inbound and outbound call access. 

Call Diversion features – Call destination controlled by pre-determined access control 

list or customer configurable, using CPE, time of day or network access 

programming/dial plans 

Smartnumber service – enables alternate dial plan for all numbers in case of 

inaccessibility of primary answering location either on busy or no answer or 

predetermined time of day. 

Native SIP protocol support – allows removal / eliminates the need for on-site 

VOIP2TDM gateways as well as the need for premise based Session Border Controllers. 

Emergency Call Handling – All of the contractors services conform with: 

Condition 2 and 4 of the General Conditions of Entitlement, (which replaced the 

licence), 

The Universal Service Directive (USD) 2001 

B) Calls & Lines - Service Description for Voice Call Packages 

The Contractor provides as standard the following call pricing packages for voice: 

all calls inclusive package

19 

local & national calls inclusive package 

per port inclusive package 

combined fixed & mobile call package 

capped calls 

annual spend percentage reward 

no term commitment 

12, 24, 36 & 60 month annual spend commitment packages 

free connection charge inclusive 

reduced line rental call packages 

All of the Call Packages provided by the contractor are priced as follows: 

Standard commodity pricing (Published prices in the public domain and in 

accordance with OFCOM licence and regulation) 

Premier Value Contract government discount scheme (*PV contract) 

POA (Priced on Application) 

o Rate dependant on term, commitment and or volume 

Call packages included within a Contractors managed service.

20 

*The Contractor has signed a Premier Value (PV) contract with the Office of Government 

Commerce Buying Solutions later known as OGCbs and now known as Government Procurement 

Service (GPS) with agreed discount levels based on committed and actual usage and spend. This 

contract has been specially negotiated between the Contractor and GPS. 

All public sector customers can use these tiered rates without any individual spend 

commitment, as long as they meet the definition of a crown body or subsidiary (LA's, Health, 

Education, Emergency Services, Central Government or agency/legal entity acting on behalf of 

Public sector customer etc). 

This tariff provides a simple pence per minute call price for the following call types: 

o Local 

o National 

o Non Geographic (e.g. 0845) 

o Mobile 

o International 

These rates are subject to negotiation and provided by GPS. Rates are published via a 

GPS portal 

C) Calls & Lines - Service Description for Voice Minutes

21 

The Contractor provides the following types of Direct Dialled (DD) calls made from fixed line 

voice calls originating on the Contractor UK Network and terminating on the Contractor UK 

Network, and or on other fixed and mobile networks in the UK & International destinations. 

o local call - calls made to the same exchange area as the calling number 

o national call –calls made outside of the same exchange as the calling number but 

within the UK 

o UK & International Mobile Operators 

o Other UK Fixed Line Operators 

o non-geographic call 03x prefix 



o non geographic 09x prefix (‘Premium Rate’, ‘ValueCall’ services & ‘Televote’ services) 

o Emergency calls to 999 for local police, ambulance or fire services 

o Inland Operator Assistance, 100 

o International Operator Assistance, 155 

o Non-emergency call to 101 for local police services

22 

o Non-emergency call to 111 for local NHS services 

o UK & International Directory Services, 118 prefix 

o Specialised Services prefix 116, pan European Helpline numbers 

o Timeline 123 prefix, time announcement 

o PSN, 07x prefix 

o Paging 

o VoIP 

o Post-paid calls i.e. Charge card 

o Messaging Services 1471 & 1571 

o Special Services such as Call Waiting, Call Diversion, Three-way Calling 

o Payphones 

o Alarm call – set an alarm call - your phone will ring at the time set 

o Reverse Charges – 0800 REVERSE 

o Global & European Mobile Satellite systems, ship to shore & ship to ship. 

These options are currently all available 24/365 with a call success rate of 99.999%.

23 

The Contractors UK Network also provides a range of International calling options: 

o International Direct Dialling (IDD) – Direct International connectivity dialled from UK 

landline via the Contractor’s UK Public Switched Telephone Network 

o International Direct Connect (IDC) – Direct International connectivity dialled from 

customer sites into the Contractor’s international voice and data network. Designed 

for high volume international outbound traffic from a single site 

o One Voice – Direct connectivity into the Contractors global IP network, designed for 

high volume multi-site international outbound traffic 

o One Voice Mobile Anywhere – Intercepting outbound International calls from UK 

based mobiles and routing them onto the Contractors One Voice network to lower 

cost international dialling. 

The Contractors international connectivity variants also offers outbound voice and 

ISDN64kbit/s data calling to over 240 international destinations covering fixed international land 

lines, mobile telephones registered overseas or International satellite services such as Inmarsat, 

Iridium and MSAT. The Contractor also offers International Operator delivered services to 

destinations that are not capable of being dialled directly.

24 

D) Calls & Lines - Service Description For Premium Rate Numbers & Non-Geographic DDI 

Numbers 

The Contractor provides non-geographic DDI and Premium Rate numbers which are 

translated into either one geographic location (basic service) or a number of locations using 

advanced routing features combined into call routing plans (advanced service). This allows 

customers to divert incoming calls to a chosen set of locations and appear as either a specific 

location or national presence. 

The Contractor provides the following options: 

o Number ranges: allocated number ranges priced to allow customer choice and 

visibility of comparative offerings.(pence per minute (PPM), pence per call (PPC), call 

set up fees apply in addition, all caller prices are quoted excluding VAT), 

o 03xx; charged at the same rate that the customer would pay to call a geographic 

number using the same network at the same time. 030x numbers are solely for use 

by Government and ‘not for profit’ organisations. 

o 0800/0808; free to callers from land lines. Call charges and fees paid by 0800/0808 

bill payer 

o 0844; callers are charged at up to 4.255ppm from Contractor land lines. Other 

operators charges may vary. The Contractor has options of 0.851ppm, 1.702ppm, 

2.553ppm, 3.404ppm and 4.255ppm and 4.255ppc.

25 

o 0845; callers are charged at up to 3.36ppm from the Contractor land lines, 

residential call packages include 0845 as free for up to an hour whenever 

geographic calls are free, otherwise they are charged at up to 1.702ppm. Other 

operators charges may vary. 

o 0870; charged to the caller at the same rate that they would pay to call a geographic 

number using the same network at the same time. Other operators charges may 

vary. 

o 0871; callers are charged at up to 8.51pm from the Contractor land lines. Other 

operators charges may vary. The Contractor has options of 5.106ppm, 5.957ppm, 

6.808ppm, 7.659ppm and 8.51ppm and 8.51ppc. 

o 09xx; callers are charged at up to £1.50 per minute from the Contractor land lines. 

Other operators charges may vary. 

A range of options are available including pence per call, pence per minute or a 

combination thereof. Special services available via 09xx numbers are: 

o Televote: A high calling rate service using 2 to 30 09xx numbers to provide voting 

options while capturing data and providing statistics in near real time. 

o FIVA: is a flexible, interactive, high calling rate competition type service available 

through most Inbound number ranges although mainly used with 09xx.

26 

o Collect and Distribute: Specifically designed as a high volume call answering 

service, which allows the customer to collect information from a small 

percentage of callers (competitions, opinion polls, market research). 

o Call Director; allows the use of the contractors advanced features but accessed via a 

geographic number. 

The Contractor also has a range of international options:- 

o International Freefone, Free of charge for callers from overseas countries. The 

contractor provides a different toll-free number for each country. 

o Universal Freefone, Free of charge for callers from overseas countries. The 

Contractor provides the same toll-free number for each country. 

o International Shared Cost, Caller pays for an element of the call when calling from 

overseas countries 

o Terminating Abroad, Enables customers to have UK originated Freefone service 

terminated at an overseas destination. 

o Transit, Enables an incoming Freefone call to be switched in the UK and terminated 

at an overseas PSTN destination. 

Advanced Features: 

Call Routing features:

27 

o Time of Day: Routes calls according to the time of day 

o Day of Week: Routes calls according to the day of the week 

o Special Date: Day specific routing of calls (e.g. Holidays) 

o Proportional Call Distribution: Routes calls to different locations based on their 

percentage of total call volumes 

o Divert on Busy: Diverts calls to an alternative answering position if the primary 

answering location is busy 

o Geographic Based Routing: Routes calls according where they are made from 

o Switch: Stores a number of alternative routing plans which can be activated on 

demand either online or by phone 24/7 

Call Handling features: 

o Condition Based Routing: Routes calls to an alternative answering centre when the 

primary location is busy 

o Simple in Line Messaging (SILM): Allow clients to record a message and play it back 

to their callers. Max length is 30 seconds or 75 words. 

o Caller Provided Information: Callers direct themselves to the service they want 

without going through a switchboard.

28 

o Many Numbers to a Single Plan: Delivers multiple numbers into the same plan; helps 

to utilise plan routing 

o Caller ID (CLI): Routes calls according to their specific CLI 

o Dialled Number Feature: Uses the dialled number as the entry criteria to split 

permitting alternative call treatment 

o ISDN Feature: Routes calls based on the ISDN data of the call. 

o Payphone Feature: Routes calls on the bases of call originating from a Contractor 

registered payphone. 

o Statistics Feature: Allows users with Inbound Architect to gather stats on the 

behaviour of their call plans. 

Call Terminating features: 

o Announcement: Standard courtesy announcement to the caller in the eventuality of 

it not being possible to answer the call 

o Follow Me: For out of hours availability to direct calls to another number 

o Follow Me to Mobile: For out of hours availability where calls can be terminated on 

mobile ranges 

o Messagelink 1: Answers calls with a recorded message

29 

o Messagelink 2: Answers calls with a recorded message and allows callers to leave a 

recorded message 

o Engaged Feature: Plays permanent engaged tone. 

Reports & Controls Capability - Available through an Inbound Architect web portal: 

Reports: 

o Call Details Reports: aggregated effective/ineffective calls, formatted reports 

o Enhanced RawCall Data (ERD): series of records containing information about the 

calls, generates record for every call 

o Rapid Report: near real time call routing data; kept for 3 days 

o Inbound Analyst: free software available for ERD customers; superior analysing tool 

Controls: 

of call data 

o Lite Control: change the deliver to number; one change at a time, multiple changes 

can be scheduled (also available without Inbound Architect through Statistics 

Advanced Feature)

30 

o Simple Control: changes call routing on live Advanced plans; certain Advanced 

Feature settings only 

o Full Control: design, build, modify and implement Advanced call routing plans 

Common Intelligent Service Layer (CISL) details 

o The supporting technology of Inbound Contact is based on CISL with some services 

provided via Recorded Information Distribution Equipment (RIDE). Reliability is 

designed into the platforms by means of replication and redundancy. This currently 

results in the achievement of 99.999% reliability. The Contractors network is 

proactively managed 24 hours a day, 365 days a year. 

o CISL is the backbone of the Inbound Services supporting technology. It is a resilient 

IP based platform on which most of the Inbound products are provided. It provides 

service from 4 sites. The two main CISL A&B sites are Reading and Crawley while 

the C&D sites are Milton Keynes and Nottingham and all 4 CISL sites will have the 

same Network functionality. If any failure happens at one site, the other sites take 

the call traffic over immediately. 

o RIDE is a mass call termination platform that plays pre-recorded announcements and 

captures voice messages and data. This service is provided by 40 identical nodes 

spread across the UK, so that calls are answered as close to call origination as 

possible in order to minimise network congestion. Each node contains duplicated

31 

processors for security of service. But in the event of a problem with one node, calls 

can be handled at any of the remaining 39 nodes. 

E) Calls & Lines - Service Description for Call Preference Services 

The Contractor has designed a number of Call Preference Services for Public Sector 

customers. These are available to customers as either a Commodity or Managed Service. 

The Contractor provides the following Call Preference Services: 

Time driven rules: The Contractor manages the call routing according to rules based upon 

time of day and or day of the week. This allows the Contractor to route the call from originating 

(geographic) location to an alternate customer location or contractors network to either play a 

standard message or customer recorded message. 

Caller Line Identification (CLI) rules: The Contractor provides a service to routes calls based 

upon their CLI information (unique network information according to line origin and identity). 

This allows the Contractor to route a geographic and non-geographic numbers to any location 

based on customer requirement. 

Regulatory provision: The Contractor provides as part of its conformance with regulated 

services and the Civil Contingencies act the provision of services under the GTPS (Government 

Telephony Preference Scheme) and its replacement service EGTPS. This service supports the 

provision to Government-approved organisations, through a combination of dedicated lines 

and/or switching hardware and software, a means for essential users to have assured access via

32 

land-based lines to the Public Switched Telephone Network (PSTN) with a high probability of 

successful call completion, in the event of extreme congestion caused by emergencies, 

etc. Increasing focus on contingency arrangements, improved functionality of EGTPS. These Call 

Preference Scheme lines are subject to Central Government approval and registration. In order 

to protect the functionality and effectiveness of the new scheme, control will be exercised over 

the number of approvals granted. 

F) Calls & Lines - Service Description for Smart Number Services 

The Contractor provides a number of “SmartNumber” services, defined as on-demand 

telephony services that provide solutions for voice and business continuity requirements. 

SmartNumbers are provided as a total managed service, and can connect and interoperate with 

across legacy networks including hosted voice platforms and other service providers. 

The Contractor provides the following Smart number services: 

o Smartnumbers Proactive Recovery – A service that will automatically detect 

most line or PBX (ISDN or SIP) failures and re-route the call according to 

preconfigured customer requirements. The services will also re-route Direct Dial 

In (DDI) calls through to a secondary delivery route or to off-net numbers 

anywhere. The service allows nominated and authorised administrators to 

manually divert calls made to specific groups or to all incoming DDI numbers 

through a customer web based portal. This service is also used by the 

Contractor to deliver 999 call resilience and mitigate against the risk of losing 

local exchange infrastructure.

33 

o Smartnumbers Directed Recovery – A site specific service which when invoked 

diverts calls DDI by DDI away from the local serving exchange to alternative 

numbers based on predefined customer configurable plans. This service 

protects against line (SIP or ISDN) failure problems where a premise may 

become inoperable or inaccessible. 

o Smartnumbers Direct Connect – A service for ISDN30e, ISDN30 and Hosted Voice 

customers. The service provides equivalent capabilities to that provided by the 

Proactive Recovery service, but eliminates call delivery charges. The service 

allows connectivity to customer’s corporate-wide voice network directly to the 

contractor’s core network. The customers telephone numbers are elevated 

away from the local exchanges into the contractors network, removing 

geographic number and capacity limitations associated with delivering calls to 

customer’s corporate voice network via local exchanges. 

Smartnumbers services detailed above can be combined in any order to deliver 

customer continuity solution requirements’ 

G) Call Handling - Service Description for Traditional Voice Services 

Functional Description - Call Handling 

The Contractor provides both traditional TDM (Time Divisional Multiplexing) and IP (Internet 

Protocol) based voice services. This service connects UK Public Sector organisations through a 

single voice network including voice over internet protocol (VoIP) technology.

34 

The contractor can provide the following services as commodity or a managed service. 

o Traditional TDM Voice services 

o Hosted IPT 

o Centrex based Featurenet and Featureline 

o Hosted IP telephony service offers the same Centrex and VPN services over a 

quality of service enabled IP based Wide Area Network. 

Featurenet is one of the Contractors voice products providing a featured network service. 

The key components are: 

Featurenet 1000 

A VPN (Virtual Private Network) service that allows existing PABXs (Private 

Automatic Branch Exchange) to continue to handle on-site calls, while traffic between 

sites is routed through the Contractors managed network via digital or analogue access 

channels. Inbound direct dialling in (DDI) calls and outbound calls can, if required, be 

routed via the Featurenet1000 access channels. 


A network hosted service that allows access to advanced PBX (Private Branch 

Exchange) style features from a desktop instrument without the need for the provision 

of a PBX. The access lines are rented on a per line basis and can be enhanced by a range

35 

of network and line features. Traffic between sites is routed via the contractors 

managed network 

Featureline is a single site Centrex service that does not support the multi-site networking 

capabilities of Featurenet. It delivers a sub set of the Featurenet Centrex capabilities directly 

from the local serving telephone exchange. Featureline offers similar functionality to a small 

telephone system (PBX) but directly from the Contractors local serving telephone exchanges. At 

the customer's premises, Featureline is delivered as a standard PSTN exchange line with PSTN 

standard socket, a touch tone telephone or a telephone which is specifically designed for use 

with the Featureline service is required to use the service. 

The Contractor’s service is supported on a fully meshed TDM delivery, supported on 25 

Carrier Grade switches geographically dispersed around the UK. It currently offers a level of 

service with an availability of 99.999%. 

The Featurenet service is available in the following variants: 


Featurenet 5000 and 5000i 

Featurenet Call Centres 

Featurenet Call-In & Hosted Voice Connect 

Featurenet Embark 

Featureline

36 

Service Description for Featurenet 

Featurenet 1000 Virtual Private Network (VPN) 

The VPN service allows the provision of voice channels to connect to an existing customer 

PABX to handle on-site calls, while traffic between sites is routed through the contractors 

managed network via digital or analogue access channels. Inbound direct dialling in (DDI) calls 

and outbound calls can, if required, be routed via the Featurenet 1000 access channels. 

Customers select the Charging Option most suited to their particular needs, based on the 

number of Featurenet 1000 Access Lines on a Featurenet Site, and this Option will be applied to 

all Featurenet 1000 Access Lines at that Featurenet Site 

Changes from one Charging Option to another will be carried out at the Customer's request, 

but 3 months notice is required and will be charged on a per line basis 

Charging Options: 

Option A up to and including 31 channels. 

Option B greater than 31 channels. 

DDI (Direct Dial In) 

A DDI facility is available via Featurenet 1000 Access Lines. This Service allows for incoming 

calls from the public network to reach a specific extension within the organisation without 

operator assistance where the caller dials the public Directory Number to reach the extension

37 

There is a maximum ratio equivalent to 20 DDI's per Featurenet 1000 Access line. Customers 

existing DDI number ranges can be imported. A maximum of 5 DDI ranges and/or single 

numbers are permitted per Featurenet Site to handle incoming public network calls to a 

Featurenet 1000 Site 


The Featurenet 5000 service offers equivalent features of a digital PBX and includes private 

networking and requires no on-site PBX. 

Featurenet 5000 provides networked digital centrex lines, ISDN2 (Basic Rate Access) and or 

access channels to the contractors VPN. A Customer can control the allocation of lines to user 

extensions, their Class of Service and their access to different features through the Contractors 

Service Centre or by use of the Hosted Voice Manager application 

Customers can select from one of three options for each of their Featurenet 5000 Sites. 

Once an option is selected the Site must remain on that option until the expiry of the agreed 

minimum period. 

Option A is for Featurenet Sites of fewer than 121 lines. For new sites, this option is 

only available on a 12 month minimum period. 

Option B is for a Featurenet Site of between 121 and 960 lines and offers a 25% 

discount on the rental for Standard Access Lines at that Featurenet Site. For new sites, 

this option is only available for three or five year minimum contract periods. On-site 

SRU’s (Survivable Remote Unit) will normally serve such Featurenet Sites

38 

Option C is for Featurenet Sites of over 960 lines and offers a 40% discount on the line 

rental for Standard Access Lines at that Featurenet Site. For new sites, this option is only 

available for three or five year minimum contract periods. The On-site RSCS (Remote 

Switching Centre Suite for access) will normally serve such Featurenet Sites 

Featurenet enhanced capabilities 

Featurenet offers the following enhanced capabilities : 

Featurenet 5000i 

Voice/Data/Video 

Services 

Centres 

Featurenet Call 

Featurenet Call-In & 

Hosted Voice Connect 

Featurenet 5000i provides switched basic rate access 

(ISDN2) to Centrex sites. Basic Rate lines consist of two 

64kbit/s data channels for independent or bonded 

applications, such as file transfer, video conferencing, LAN 

interconnect etc. 

Featurenet 5000 provides the following services 

supporting call centre requirements: 

Uniform Call Distribution 

ACD Automatic Call Distribution) 

MIS (management Information Statistics) 

CTI (computer Telephony Integration) capabilities 

Featurenet Call-In and Hosted Voice Connect provide the 

ability for users on a site which is not directly connected to 

the Featurenet network to become part of that network. This 

is via a standard PSTN phone line connection from the 

registered number to Featurenet. Connectivity is achieved by 

dialling a short code (12821) followed by an access code and a

39 

Mail 

Featurenet Voice 

Featurenet 

Smartnumbers 

Featurenet Management 

private or public number. The registered number is validated 

for access to the customers private network and the call is 

delivered to the private or public number dialled. 

The Voice Mail (VM) service provides the following 

features: 

Integration between email, voicemail and fax 

Management of voicemail via a web portal 

Click to call the message sender or send a SMS or an 

email 

Callers have the option to ‘Press 0’ and have their call 

transferred to a predefined individual or team 

Alerts can be sent by email or SMS or via a Message 

Waiting Light on certain handsets 

Unlimited capacity of saved messages supports 

regulatory compliance requirements 

Usage reporting via Management Information reports 

Interworking across any telephone network 

The Featurenet service supports all variants of 

SmartNumbers The contractor provides a number of on- 

demand “SmartNumber” services, that provide solutions for 

voice and business continuity. 

Featurenet provides a web based self-service management capability: 

Featurenet Manager provides authorised customers with the ability to control and analyse 

the performance and functionality of the Featurenet 5000 network via on-line tools.

40 

Performance and network management data can be accessed securely online, by authorised 

users with an Internet-enabled PC. 

reports: 

Management Reports - Customers can download the following network management 

Graphical Costed 

Usage reports 

Textual Costed 

Usage reports 

Reports 

Time to Answer 

Incoming Call 

Statistic Reports 

Includes: 

o call costs by site 

o Off-net Call Charges 

o On-net/Off-net Ratio reports 

Provides: 

o Highest call charge/s 

o longest duration call 

o most frequently dialled number 

o outgoing call summaries 

Available in both textual and graphical format. 

Reports detailing uniform call distribution and contractors 

performance. 

Billing Analyst – This is an optional set of tools to analyse and control telephony expenses., 

It can be accessed securely online, by authorised users with an Internet-enabled PC. The service 

provides a breakdown of billing information, site by site, to enable and interpret records by 

spend or patterns. The Contractors Billing Analyst tool is free for One Bill Plus customers, with 

consolidated bills delivered via CD-Rom.

41 

Featurenet Standard Functions. 

The Contractor’s Featurenet 5000 service provides more than 350 user features, the most 

common key features are: 

Call Diversion: Directs calls to another extension or external number. This can be all 

calls, calls on busy only, or calls on no reply only 

Call Offer: Lets another extension user within the customers network who is engaged 

on a call know that they are needed urgently. 

Call Pick-Up: Allows users to answer a call to another line in the same location from an 

alternative phone. 

Call Transfer: Transfers a call to another line extension or to an external number, 

including mobiles. 

Caller Return: A 1471 service, which identifies the CLI number of the last caller. 

Call Waiting: Audio and or visual signal indicating to caller and recipient that the caller 

is waiting. This enables recipient the option to place the call on hold and answer the 

waiting call. 

Code Calling: Allows users to store numbers within the contractors system to retrieve 

and dial the number with a truncated code. i General Interrogation: identifies with 

audio or visual information the current settings of key features.

42 

Reminder Call: Allows users to set audible reminder based on 24 hour time and date. 

The system will ring the extension at the programmed time and give voice 

announcement. 

Repeat Last Call: Allows users to dial a code or use pre-programmed button on 

handset or console to re-dial the last number the user dialled. 

Ring Back When Free: Identifies a dialled number that was busy or engaged either a 

call to an engaged line, extension or external number and will ring the requestors 

extension when ring tones are detected. This service does not work with all external 

phone numbers or if network facility has been barred 

Ring Back When Next Used: Sets up a call between requestor and destination that was 

previously not answering by detecting when that destination is next used 

Three-Way Calling: Allows three calls to share the same voice path. The calls can be 

on line extensions and/or to external numbers. 

Withhold Your Number: Prevents the CLI originating from users phone being 

presented to dialled number either per call basis or permanent. Excludes presentation 

to emergency services where CLI is still presented. 

Featurenet Optional Functions 

Bypass Number*: Provides users with a second phone number. Callers using it will 

bypass any activated Call Diversion.

43 

Call Barring: Controls destination of dialled number can be barred by type or 

geography e.g. Premium rate calls, International calls, or National calls. 

Call Minder: Takes messages when users are busy on the phone or away from their 

desk. 

Caller Display: Displays CLI of caller or extension number on the users telephone 

handset, requires a telephone handset with a suitable display 

Direct Call: Automatically connect to a pre-programmed number after a short pause 

when the telephone handset is lifted. 

Hunt Group: Allows one dial in number to automatically be distributed to a defined 

number of Featurenet extensions. 

Local Link: Extends the Featurenet service across a maximum of five locations in the 

same local telephone exchange area. 

Remote Diversion: Allows users to activate Call Diversion (see ‘Standard features’) 

from remote location by use of an access code and programming features. 

Featurenet Voice Mail Features 

Voicemail Solution A range of features supported, including: 

generic, daily and absence

44 

greetings, 

mailbox blocking 

message forwarding, 

secretarial access, 

Internal voice messaging 

services. 

Voice2email Options for user notification of new 

received messages by email, to the telephone 

the user is currently registered to using out call, 

or via message waiting indication (MWI), Short 

Message Service (SMS) or Short Data Service. 

(SDS). 

Graphical User Interface Access to all messaging services from an 

intuitive on-screen browser interface. 

Active Call Screening Allows a user to listen to a voicemail that is 

being left and decide whether to interrupt the 

recording and speak to the caller directly or 

simply to allow the voicemail to be recorded 

normally. 

Unified Messaging Provides integration with customer’s

45 

existing email environment by delivery of the 

voicemail as an attached audio file. Provides 

access to all message types through users email 

inbox 

Class of Service Profiles Extensive range of features and access can 

Featurenet Smartnumbers 

be enabled or disabled for each individual or 

group of users. The service supports different 

time zones. 

A number of “SmartNumber” services, defined as on-demand telephony services that 

provide solutions for voice and business continuity requirements. SmartNumbers are provided 

as a total managed service, and can connect and interoperate across legacy networks including 

hosted voice platforms and other service providers. 

The Contractor provides the following Featurenet Smartnumber services: 

Featurenet Smartnumbers Standard– Provides a single number which identifies 

users across multiple locations, including delegation to individuals and teams. Supports 

mobile workers not in one fixed location 

Featurenet Smartnumbers Virtual Team – Allocates a single number to a team. It 

manages calls and messages to one team number The service allows access across 

multiple offices, to mobiles or fixed home numbers

46 

Featurenet Smartnumbers Virtual Queue – The Featurenet ACD service enables 

incoming calls from any location to be resolved by call centre agents according to 

business rules that customer defines. It supports industry standard call management, 

virtual contact centres, dispersed offices and aligned agencies. 

Featurenet Smartnumbers Messaging – Manages customer fax and voicemail 

services. The hosted service, allows access to messages from any telephone handset 

from any national or international telephone network. Fax and voice messages can be 

delivered to individuals or group email accounts. 

Featurenet Smartnumbers Announcement – Allows a recorded public 

announcement or broadcast message to be delivered via a telephone number 

(geographic or non-geographic). Callers dial the contractor’s announcement number to 

hear the message. Administrators can record announcements using any telephone 

handset. 

Service description for Featureline 

Featureline offers similar functionality to a small telephone system (PBX) but directly from 

the contractors Digital Local Telephone Exchanges. This is known as a Centrex service. At the 

customer's premises, Featureline is delivered as a standard PSTN exchange line with PSTN 

standard socket, a touch tone telephone handset is required to use the service. A telephone 

handset which is specifically designed for use with the Featureline service is available. 

The following features are provided within tariff:

47 

Call Diversion: Directs calls to another extension or external number. This can be all 

calls, calls on busy only, or calls on no reply only 

Call Offer: Lets another extension user within contractors network who is engaged on 

a call know that they are needed urgently. 

Call Pick-Up: Allows users to answer a call to another line in the same location from an 

alternative phone. 

Call Transfer: Transfers a call to another line extension or to an external number, 

including mobiles. 

Caller Return: The Contractor provides a 1471 service, which identifies the CLI number 

of the last caller. 

Call Waiting: Audio and or visual signal indicating to caller and recipient that the caller 

is waiting. This enables recipient the option to place the call on hold and answer the 

waiting call. 

Code Calling: Allows users to store numbers within the contractors system to retrieve 

and dial the number with a truncated code. General Interrogation*: identifies 

with audio or visual information the current settings of key features. 

Reminder Call: Allows users to set audible reminder based on 24 hour time and date. 

The users extension will ring at the programmed time and give a voice announcement. 

Repeat Last Call: Allows users to dial a code or use pre-programmed button on 

handset to re-dial the last number the user dialled.

48 

Ring Back When Next Used: Sets up a call between requestor and destination that was 

previously not answering by detecting when that destination is next used 

Three-Way Calling: Allows three calls to share the same voice path. The calls can be 

on Featureline extensions and/or to external numbers. 

Withhold Your Number: Prevents the CLI originating from the users phone being 

presented to dialled numbers on either a per call basis or permanent. Excludes the 

presentation to emergency services where CLI is still presented. 

The following feature is also available as a chargeable extra: 

Caller Display: Displays CLI of caller or extension number on the users telephone 

handset, requires a telephone handset with a suitable display. 

H) Call Handling - Service Description for Hosted IPT 

The Contractor’s Hosted IPT services are based on technology from 2 suppliers:- 

o Genband: appropriate for large enterprise deployments. 

o And 

o Cisco: appropriate for medium sized and commercial deployments.

49 

This section concentrates on the commonalities between the two services, not an 

exhaustive list of the features of each. 

The Contractor’s hosted service is a scalable, business grade, Unified Communications 

application. The service is interconnected to the PSTN via centralised carrier trunks or per site 

to local PSTN and provides the following capabilities; 

See Figure 1 in ‘BT_PSNS_Appendix1_Award Questionnaire_SectionB_v2.0 graphics’ 

The Hosted IPT Service provides customers with the capability to transmit voice traffic over 

a QoS-enabled LAN & WAN connection. This allows organisations with a suitably equipped IP 

infrastructure to make and receive IP calls from the desktop to compatible destinations over 

their LAN/WAN using IP telephones. Such calls between a customer’s sites do not attract 

additional usage charges. 

There are two IP Based Voice family member products:- 

Line Appearances, an IP Centrex product 

IPT Trunks a VoIP trunking service.

50 

Line Appearances provide access to a host of advanced PBX style features from a desktop IP 

instrument without the need for the provision of a PBX. The service is rented on a per line 

appearance basis and can be enhanced by a range of network and user features. Call traffic 

between the customer's sites is routed over the customer's IP data network. The service also 

provides inbound direct dialling in (DDI) facilities and PSTN breakout. 

IPT Trunks provide a VPN service which allows existing suitably configured PBXs to continue 

to handle on-site calls, while traffic between the customer's sites is routed over the customer's 

IP data network. Signalling and network protocol converters (Voice Gateways) may be required 

depending on the PBX configuration and signalling type. The service can also offer inbound 

direct dialling in (DDI) facilities and PSTN breakout. 

Whilst there are differences in how each system supports a given feature, they both 

provide the following capabilities: 

o On-net (IP Phone to IP Phone) calling 

o On-net (IP) calls can be made to other Hosted IPT Service users within the customers 

network. These calls are zero-tariff, and can be made by dialling the on net number (as 

described in “dial-plans”). 

o Off-net (IP Phone to PSTN) calling 

Full PSTN break-in and breakout is available as part of the service.

51 

o Calls to the PSTN, voice only, are priced independent of distance. A nominal minimum 

charge applies to each call 

o Customers outbound call traffic will be routed to the PSTN from the core network. This 

will allow customers to rationalise the number of access links to sites and take more 

control over the scale of the network. PSTN access is provided within the network, with 

no need for additional gateways or PSTN lines. 

o Outbound calls will be supported from the core IP network and will provide least cost 

routing into the PSTN. 

o Local number dialling is supported. 

Off-net (PSTN to IP Phone) calling 

Calls inbound to the customer site will be routed through the IP network. This will enable 

the customer to take advantage of a more consolidated model in their access. 

Managed Dial Plan 

o The dial plan will include support for DDI. 

o The managed dial plan will provide interfaces to other managed voice networks, 

including other Mobile network operators. 

o The dial plan will deliver forced on-net calls so that even if users dial the full toll PSTN 

number calls will be routed over the VPN to manage costs as effectively as possible.

52 

o As part of a Customer migration, the dial plan will provide a transparent service across 

the managed voice service. 

o The Hosted IPT service will support both public and private numbering formats plus 

translations between these numbers. Initially only geographic public numbers (from the 

01xx.. and 02xx.. ranges) will be supported. 

o The private number format consists of a Site Location Code (SLC) followed by an 

extension number. The SLC is used to identify a single site whilst the extension number 

identifies the single point within that site. Extension numbers can be from 2-7 digits long 

and SLCs from 1-7 digits long. A uniform private number format must be used within a 

customer’s network otherwise post dial delay will occur. 

o All lines with PSTN access will have available the entire national and international public 

dialling plan for calls dialled with the full public number. 

User secure log on to IP Handset for Hot-desking (Extension Mobility) 

o IP Telephony has the capability for users to log on to any suitable IP “device” retaining 

access to their feature set in line with their profile and being able to use the same 

phone number(s) regardless of their location.

53 

Support for screen based operator consoles 

o Enhanced Operator functions and multi position centralised answering functions will be 

supported from a 3rd party system interfacing as a standard IP terminal to the network. 

Centralised Voicemail 

The service supports a centralised voicemail service for the users. Users are able to access 

the mailbox remotely from both on and off net locations as well as from their “station”. Two 

levels of service are offered, VIP and Standard, which provide different levels of service. 

The core functionality provided is as follows: 

o Direct Replay: If enabled, messages are played in FIFO (Urgent, New then Saved) order 

immediately after the message count. 

o Urgent Delivery Option: If enabled, a caller option to mark a new message as Urgent. 

o Different greeting options for extended absences, extension busy, out of hours, and 

recording of user name. 

o Message Forwarding and Group Lists: Facility that allows the user to forward a message 

to another mailbox, mailboxes or group lists of mailboxes within the customers dial 

plan.

54 

o Call Answer Menu Options: Dependent upon mailbox settings, a ‘Call Answer Menu’ is 

played that offers the option leave a message, connect to alternate extension and 

transfer to the operator. 

o Extended Message Save: If enabled, a saved message can be re-saved by the mailbox 

owner, resetting the message retention period. 

o Message Auto save: If the user hangs up after a message is listened to, the message will 

be automatically saved if the Auto Save option is set. 

o Single ‘Retrieval’ code e.g. 1571 for all users. 

Customer ACD/ Basic Call Centre Capability 

Hosted IPT Service supports customer requirements for basic call centre 

functionality.Specific ACD features cover six main areas: 

Agent Set Features. 

Supervisor Set Features. 

Queuing and Call Handling Features. 

Enhanced Call Centre Features. 

Management Information System. 

System configuration.

55 

The Contractor’s service offers two key types of service; 

IP Centrex lines to phone 

Trunking capability for PBX connectivity. 

These services are brought together in a Customer dialling plan with telephony call package 

options. The trunks service provides public access and termination as well as creating a private 

network bridge to Centrex Users. The trunk types provide interfaces to both traditional and IP 

PBXs. In delivering integration between legacy switches and IP Centrex lines the service 

facilitates a hybrid solution enabling a gradual migration strategy. The IP PBX interface provides 

an option for early IP PBX adopters desiring a Centrex rental model or additional resilience 

where there is a high density of Users. 

The service offers: 

o A Recurring Monthly Charge Payment Model. 

o Upgrades within product. 

o Carrier grade Central Break-In and Break-Out (CBIBO) (where available) with Public 

Number Provision and Number Porting. 

o An Emergency Service Location compliance (CBIBO). 

o Compliance with other applicable Public Service regulatory obligations, data privacy etc.

56 

PBX connectivity to traditional and IP PBXs. 

The Contractors IP Voice Platform has PoP sites through-out the UK. This central 

infrastructure is maintained by the Contractor and provides Line and Trunk Appearance services 

to connect phones, PCs and Customer PBXs to the service. 

Lines - The appearance of a line in the form of a telephone number on a line button on a 

phone. Single line phones may have no buttons so the line appearance would simply be the 

phone’s telephone number. The ‘line’ as such is a number associated with an allocation of IP 

network bandwidth on the Customer’s data network. 

Trunks - Trunks provide the capability of making simultaneous calls e.g. ten simultaneous 

calls could be carried on ten concurrent trunks worth of bandwidth. 

Beyond line and trunk appearances, there are optional line configurations, such as Hunt 

Groups, Pick-up Groups, Shared Lines as well as optional features such as Voice Mail, Auto- 

Attendant Console and Operator Console. For trunks, the signalling type is an important 

attribute providing configuration options such as Presentation CLI (or Automatic Number 

Identification - ANI) and associated features like Direct Dialling In (DDI) and number pools.

57 

Customer Self Administration 

Customers will have access to an optional web based self-care interface. This interface 

allows local and remote administration of features from any suitable web enabled 

device. Access is via the Contractor’s PSN Portal. 

The service supports an individual users control of their own feature set, for example the 

setting up of diverts or voicemail. 

One Cloud Portfolio 

The Contractor currently provides two hosted Voice technical capabilities as part of its One 

Cloud portfolio. 

Genband 

o The One Cloud Service transmits voice traffic over a QoS-enabled LAN & WAN 

connection. This customers with a suitably equipped IP infrastructure to make and 

receive IP calls from the desktop to compatible destinations over their LAN/WAN using 

IP telephones. Such calls between a customer’s sites do not attract additional usage 

charges. 

o Calls may be made between the IPT platform and the PSTN for local, national, mobile, 

and international destinations. The hosted service supports the operation of call centre

58 

functionality using the Automatic Call Distribution features of the Genband’s carrier 

class CS2000 switch. 

o Integrated and advanced IP contact centre functionality, including facilities such as work 

force management, sophisticated call treatment and skills based routing are available 

from other services provided by the Contractor. These are currently deployed at the 

scale required by some of the major UK Government agencies and are CESG approved. 

Cisco - The service is interconnected to the PSTN via centralised in-country carrier trunks or 

per site to local PSTN carriers in others. 

o Cisco Systems is the vendor for the solution, integrating Cisco and 3rd party equipment 

and services, providing a single solution for the Contractor to manage. Customer 

administrators are able to self-provision and handle moves and changes for non-billable 

aspects of the service. 

One Cloud global 

The Contractors structured solution based on Cisco’s Hosted Unified Communications 

Service – (HUCS) is One Cloud global. HUCs can provide Government departments with a 

controlled step towards the enhanced services available in the world of IP telephony solutions. 

The diagram referred to below provides an overview of the Hosted IP Telephony-Cisco 

network. It shows established PoPs in the UK integrated into the UK PSTN and the reach to the 

EMEA region with local break-out to PoPs in the USA that serve the Americas. The Global 

Managed Voice (GMV) network is a shared resource with Onevoice that both share US domestic

59 

egress to a US Toll carrier. This network architecture opens a path to further integration with 

Onevoice services that have an extensive Global reach. Local Break-Out provides a method for 

local access within the Americas beyond the US. 

The Customer WAN can be exclusively the Contractors or part 3rd party. However, it must be the 

Contractors to at least 2 Customer hand-off points from where the 3rd party MPLS distributes 

media and signalling to other Customer sites i.e. the Customer’s MPLS must peer with the One 

Cloud global PoP. Consideration must be given to CPE access for configuration and maintenance. 


IL3 Portfolio 

For organisations that require voice services approved to IL3 the Contractor uses technology 

provided by Siemens. This hosted IPT service has comparable functionality to the One Cloud 

portfolio, offering both line appearance and IP trunks. Its features and capabilities are optimised 

for IL3 applications. 

Functional Description Value Added Services 

The Contractor has a number of capabilities in voice services beyond the provision of standard voice 

services. These include: 

o 118 Directory enquiries.

o Audio conferencing. 

o Desktop video conferencing and collaboration tools. 

o Web conferencing. 

o Managed streaming. 

60 

I) Value Added Services - Service Description for 118 enquiries 

service. 

The Contractor provides two distinct 118 Enquiry Services which cover: 

o UK and Eire Directory Enquiries. 

o International Directory Enquiries. 

Both of these services are available 24 hours a day 365 days a year as an operator managed 

UK and Eire Directory Enquiries Service Functionality - For UK Directory Enquiries there are 

two levels of service available, standard and enhanced. 

The Contractor’s standard Service provides: 

o Access to UK and Eire residential listings and dialling codes. 

o Access to UK and Eire business listings and dialling codes.

61 

o Search by name. 

o Up to two enquiries per call. 

The following additional services can be provided as a part of the enhanced service: 

o Search by business type for UK businesses. 

o Results sent to mobile phones via SMS. 

o Connection to the requested number. 

o Unlimited enquiries per call. 

o Welsh language service. 

International Directory Enquiries Service Functionality - The International Directory 

Enquiries service is provided only as a standard service, and provides: 

o Access to residential and business listings and international dialling codes. 

o Unlimited enquiries per call. 

o Results sent to mobile phones via SMS. 

o Connection to the requested number, if required.

62 

J) Value Added Services - Service Description for Audio Conferencing 

Audio conferencing built into an internal telephone system is usually limited in terms of size, 

functionality and support. That capability will be described in submissions concerning telephone 

networks and servers. This section refers to the Contractor’s capability to provide larger and 

scalable audio conferencing services. 

Audio conferencing services are split into two different types of services. “Reservationless” 

and the “Managed” or “Booked” calls service where calls are pre-booked and reserved for a 

specific time and date. The Contractor offers both commodity and managed services. 

Audio Conferencing Reservationless audio service 

Service outline 

The ‘reservationless’ service is an “always on” facility where users have their own meeting 

room and can launch conferences themselves with no prior booking or notification. The parties 

to the call will include the Chairperson, and the participants the chairperson has invited to 

attend that call. Each will be given the same telephone access numbers for the meeting, but 

they have different PINS. The meeting will only commence upon the entering of the 

chairperson’s PIN, with participants joining before the chairperson being placed in a holding 

area where they will hear music on hold. 

In most cases the service is designed on a “pence per minute” charging basis, with no 

commitment to call volumes or spend levels required.

63 

Size of call - The service is usually configured to a maximum of forty Participants in any one 

conference call. However, where required, and requested, this participant capacity can be 

increased to 90 or more. 

Service Hours - Following registration of users with an Account, the service can be used by 

an organisation’s own employees as well as with participants from external organisations. No 

advanced booking is required and the services are available 24 x 365. 

PINS - Each account owner will receive personalised account details including their 

Chairperson PIN, without which no meeting can commence, and the participants PIN which is 

provided to any parties invited to join the call. Although these PIN’s remain constant it is 

possible for the service to be enhanced to enable the chairperson to add a further PIN, unique 

to each meeting, if required. 

Requirements - The service is network agnostic and participants do not have to be on the 

Contractors network to be able to participate in audio conferences. All that is required is for 

each user to have access to a touch-tone dialling dual tome multi frequency (DTMF) telephone. 

Where web enhanced access to the service is required, participants require a PC, connection to 

the internet and an appropriate web browser. 

The Contractor reserves the right acting reasonably to change the system requirements but 

will give as much notice as possible before doing so.

64 

Access methods 

The service can be accessed by dialling into the Service using either a Toll or Toll-Free access 

numbers provided by the Contractor, or by the Chairperson dialling out to participants from 

within the conference call. 

Toll Dial-In Access 

Participants dial-in using an in-country toll access number, enter the Chairperson or 

Participant passcode provided by the Chairperson followed by ‘#’. The Participant pays the 

transport cost from their calling location to the Contractor toll access number. The 

Chairperson’s Account is charged for any additional Global Access charges where relevant to 

cover the international connection to the Contractors audio conferencing bridge. 

Toll Free Dial-In Access 

Participants dial-in using an in-country toll-free access number, enter the Chairperson or 

Participant passcode provided by the Chairperson, followed by ‘#’. The Participant does not pay 

any transport cost for accessing a local in-country toll-free number, though there are exceptions 

depending on the network being used - some mobile operators for example charge for calls to 

Toll Free numbers. The Chairperson’s Account is charged for any additional Global Access 

charges where relevant to cover in-country toll-free number and the international connection, 

where applicable, to the Contractor’s audio conferencing bridge. 

Dial-Out Access 

Dial-Out access to the service is available as an optional feature. Available to the 

Chairperson only, this is initiated by a DTMF command on the telephone keypad once in the 

conference call, via web conferencing audio integration, or by the Mobile Controller or Desktop

65 

Controller capabilities. The Chairperson validates their dial-out request by providing the 

Participant passcode before being prompted to enter the number to be dialled. The Chairperson 

is then returned to the audio conference and the new Participant will be joined to the audio 

conference if they accept the invitation. Additional charges will apply to this feature. 

Click to Conference 

The Click to Conference feature requires integration with Customer software and an 

Internet Protocol link between the Customer’s and Contractor’s networks. 

Features of the service 

The following sections describe the in-conference features available to Participants and the 

Chairperson during a call. All features are performed using the telephone keypad. Certain 

features can be configured or disabled by default or for each individual user upon agreement 

with the Contractor. 

All Participants 

DTMF 

Control 

*0 Operator 

Function Operation 

Assistance 

*4 Adjust Line 

Volume 

Call for help at any time and a Conference 

Coordinator will offer assistance 

Allows Participant to equalise the volume of 

their phone line

66 

DTMF 

Control 

*6 


Self Mute 

#0 Conference 

Help Menu 

Chairperson Only 

DTMF 

Control 

#1 Participant Roll 

#2 

Call 

Count 

This option will silence the Participant’s line, 

but they will still be able to hear everyone else. 

On line menu listing features available to the 

Participant. 


Participant 

#3 Chairperson 

Dial Out 

Plays back all name recordings 

to the audio conference for security 

or awareness. 

Indicates the total number of 

Participants on the audio 

conference. 

The Chairperson can dial out to 

add additional Participants to the 

audio conference. The Chairperson 

validates their dial-out request by

67 

DTMF 

Control 

#9 Chairperson 


Hang-up On/Off 

(Conference 

Continuation) 

keying in the Participant passcode 

before being prompted to enter the 

number to be dialled. The 

Chairperson is then returned to the 

audio conference and the new 

Participant will be joined to the 

audio conference if they accept the 

invitation. Additional charges will 

apply to this feature. 

This feature allows participants 

to continue on a conference call 

after the chairperson has left. 

Although this feature can be set as 

part of the default bridge settings, 

#9 also allows the feature to be 

turned on or off for an individual 

conference call. 

## End Conference Ends the audio conference and 

ejects all Participants from the audio

68 

DTMF 

Control 

*2 Stop Audio 


Message 

*5 Mute/Un-Mute 

*7 

all Participants 

Conference 

Lock and Unlock 

conference. 

Stops any system message, e.g. 

Roll Call, part way through playback 

if too long or requested in error. 

Places the audio conference in 

presentation mode (mutes all 

Participants.) 

Conference locking prevents 

anyone, including the Conference 

Co-ordinator, from gaining access to 

the audio conference. 

*8 Recording Initiates or stops recording of 

Recording Facility 

the audio conference call. 

During the conference call, the Chairperson presses * then 8 on their telephone keypad to 

start or stop recording of the meeting. There is a separate charge per conference for this

69 

feature. This facility may be disabled completely for all Accounts set up for a Customer’s Users if 

the Customer requests this at the time of order placement. 

Accessing a Recording 

When the meeting ends, the Chairperson will receive an e-mail with a web link to a website 

where they can download the recording. They will be required to enter both the Chairperson and 

Participant passcodes and a security verification code to access the recording. 

The Chairperson can then download the recording onto their computer in .WAV format. The 

recording will be stored on the system for 30 days and will then be automatically deleted. 

Conference customisation and web control 

Mobile Controller 

An application that, once downloaded via a link from the Contractor’s website onto a 

compatible mobile device, allows the Chairperson to control and manage the ‘reservationless’ 

audio service in real time. Provision of this application is subject to agreement and adherence to 

an end user licence agreement. Mobile Controller is a chargeable feature if used to monitor or 

initiate a dial out connection to an audio conference based on when the first person joined the 

audio conference to when the last one disconnects. This charge is in addition to charges for any 

audio connections to a conference initiated using Mobile Controller. 

Microsoft Outlook Add-in 

An add-in application that, once downloaded via a link from the Contractor’s website onto a 

compatible PC, allows the user to add their Audio Conference details and access numbers into e- 

mails and calendar invitations.

70 

Desktop Controller 

An application that, once downloaded via a link from the Contractor’s website onto a 

compatible PC and added to the Outlook Add-In, allows the Chairperson to control and manage 

the ‘reservationless’ service – Global Access Service in real time. Provision of this application is 

subject to agreement and adherence to an end user licence agreement. There are no additional 

charges for using the Desktop Controller feature, although any audio connections to a conference 

initiated using Desktop Controller will incur charges. 

SUPPORT SERVICES 

In Call Support - *0 

A Conference Co-ordinator will provide a single point of contact for support and assistance 

during the audio conference by pressing * followed by 0. The Participant requesting assistance 

will be taken out of the main conference and the assistance function will not impact on the 

conference call. This facility is available 24 x 365. 

Disaster Recovery 

The Contractor will provide additional facilities to the customer for use in the event of the 

loss of service of the Contractors ‘reservationless’ audio conferencing bridge. This will typically by 

managed in Disaster Recovery Mode or Transfer of Service, but the Contractor reserves the right 

to use alternative methods to restore service to the Customer: 

Disaster Recovery Mode 

Disaster Recovery will comprise transfer and delivery of the ‘reservationless’ services from 

the normal audio conference bridge to suitable alternative audio conferencing bridge "Disaster

71 

Recovery Bridge" in a separate location. This process will be invoked in the event of a serious 

infrastructure or network access problem affecting the normal audio conference bridge and will 

be managed in accordance with the Contractor’s standard operating procedures. 

Transfer of Service 

The conference access numbers for the affected services will be re-routed to the Disaster 

Recovery Bridge at the start of Disaster Recovery. 

The *0 element of the Helpdesk will be re-routed to the Disaster Recovery Bridge in order to 

be able to provide in-call support during the disaster recovery period. 

This will be reversed when transferring back to the normal bridge at the end of the disaster 

recovery period. 

Adoption and Awareness 

A key element of the Contractor’s service is access to the adoption and awareness 

programme. This is a non- chargeable addition to the service where the Contractor works with 

the customer to agree a communication and training strategy to existing and potential users of 

the service. An example is outlined below. 

Awareness - Announcement emails 

- Posters incl. door sign 

- Open days/Webinars 

Welcome - Welcome email with users account details (Engage 

users only)

72 

Training - Dedicated mini-site with end user support 

material i.e. user guides 

- A web based tool online training 

In-life Education - One educational message per month or quarter 

- Short messages that cover key issues 

“Managed” or “Booked” Audio Conferencing Service 

Service Outline 

Booked Audio Conferencing Services are provided where there is a requirement for calls 

with more participants than can be accommodated using the ‘reservationless’ service, or where a 

confirmed date and time are required with bridge capacity being specifically allocated for that 

call. Calls can be booked for as few as three participants, to in excess of 2,500. There are three 

variations of the service available to suit the specific customer requirements, with calls being 

either automated entry or attended by an operator as requested. 

Access 

o Automated entry conferences up to 20 participants and with limited available features. 

o Attended entry conferences up to 20 participants and with more available features. 

o Automated and attended entry conferences over 20 participants with full feature set 

available. 

Participants must access the service via a DTMF telephone.

73 

Web enhanced access to the Service is available. Participants require a PC, connection to the 

Internet and an installed web browser of Netscape 4 or Internet Explorer 4 or above. 

The Contractor reserves the right to change the system requirements but will give as much 

notice as possible before doing so. 

Conference Scheduling 

To schedule a booked audio conference call, users are required to book the time slot and 

conference features which they require for their audio conference, together with confirmation 

of the number of participants required. A booking for an audio conference can be made by 

calling the Help Desk or via an on-line booking facility. 

If a User wishes to use Global Access for the audio conference this will need to be requested 

at the time of booking. 

Call Entry and Features by Service 

The following Call Entry and Features are available on each service component. 

Call Entry 

Automat 

ed –max 20 

Attend 

ed – max 

Automated X X 

Attended X X 

20 

20+

74 

Count 

Access Methods 

Automat 

ed –max 20 

Attend 

ed – max 

Dial In X X X 

Dial Out X X 

Non-Chargeable Features 

Help X X X 

Listen-Only X X X 

Conference Roll Call and Participant 

20 

X X 

Security X X X 

Pre-registration X 

Contractor VantagePoint X 

Communication Line X 

Chargeable Features 

20+

75 

Automat 

ed –max 20 

Attend 

ed – max 

Operator Dial-out X X 

Conference Monitoring and 

Moderation Features 

Question and Answer Sessions X X 

Voting / Polling X X 

Conference Monitoring X X 

Recording X X 

Replay X X 

Replay Plus X X 

Transcription X X 

Translation. X X 

Playback X X 

Interpretation X X 

20 

20+

76 

Automat 

ed –max 20 

Attend 

ed – max 

Live Meeting or WebEx Support X X 

Call Entry 

There are two modes of entry into Audio Event Conferences as follows. In each case 

separate PIN codes will be provided by the Supplier for Presenters and Attendees. 

Automated Entry 

The Participants are provided with the access details for the conference along with a 

PIN code (or two PIN codes if Pre-registration is chosen for the call). When entering the 

conference the Participants will be prompted by the system to enter these codes using 

their DTMF phone and will be admitted to the appropriate sub-conference. 

Attended Entry 

The Participants are provided with the access details for the conference along with a 

PIN code. When entering the conference the Participants will be greeted by a 

Conference Coordinator and prompted by supply the PIN code and any personal details 

– e.g. Name, Company – specified at the time of booking. 

Access Methods 

The Contractor is responsible for providing all access numbers, and routing Participants to 

the conference call. The following access methods are available: 

20 

20+

77 

Dial In 

The following access methods are available on Automated and Attended entry calls: 

o Geographic PSTN number. 

o 0800 UK Freephone number – additional charge applies. 

o Global Access on a range of in-country toll and toll-free access numbers – additional 

Dial Out 

charges apply. 

The following access methods are available on Attended entry calls at additional charge. 

o Dial Out by a Conference Coordinator to any telephone number, anywhere in the 

world. 

All numbers to be dialled to and Attendee or Presenter details for the person being 

contacted must be provided at the time of booking the call. The Conference Coordinator will 

enter the person into the conference once they have provided the appropriate security codes 

for the call. The Contractor is not responsible for ensuring the attendance of any Participants in 

the conference and if the Participant is not available at the telephone number and time shown 

on the booking the Conference Coordinator is not responsible for tracing their whereabouts. 

Presenter and Attendee 

All Participants will be either Presenters or Attendees in the conference depending on the 

pass codes which they use to enter. The Contractor will provide the Presenter and Attendee 

sub-conference entry and security details. Users are responsible for ensuring that the

78 

appropriate PIN codes are circulated to the correct Participants following booking of the 

conference to ensure correct operation of the conference. 

Presenter Sub-Conference 

The Presenter details allow access into the Presenter sub-conference. In this sub- 

conference the Presenters can talk to each other and the Conference Coordinator prior to the 

main conference call. Once the main conference call is ready to commence, the Conference 

Coordinator will introduce the Presenter sub-conference into the main conference call following 

which the Presenters will be heard by all Participants. The Conference Coordinator will 

announce the start of the conference with a statement agreed with the Presenters relevant to 

the purpose and content of the conference. 

Attendee Sub-Conference 

The Attendee details allow access to the listen only sub-conference and are able to listen to 

the main sub-conference. On entry to the call they will hear music on hold, until the Conference 

Coordinator starts the main conference call. These Participants are in listen only mode can only 

be heard during questions and answers if they are invited to participate by the Conference 

Coordinator. 

Features - Features described below are available to enhance the audio conference: 

o Help Participants can get help from a conference Co-ordinator during the conference 

by pressing “*0.” This feature is available to all Participants at any time.

79 

o Listen Only (Self Mute). This function is available to those Participants who are in the 

Presenter sub-conference whose lines can be heard by all Participants in the call. 

o Conference Roll Call and Participant Count. A Conference Coordinator can list the 

name of each Participant into the conference allowing all Participants to be aware 

of who else is on the call. Alternatively, a Conference Coordinator can advise how 

many Participants are on the call. 

o Security. The Chairperson can request that the conference be secured (locked) when 

all Participants have joined. 

o Pre-registration. When booking a conference, Pre-registration can be requested as 

part of the call set up. The Conference Coordinator will gather the additional 

participant information required with call registration. The Chairperson will be sent 

a template e-mail to send to potential Participants. This will instruct Participants to 

click on the Pre-registration web link included in the invite to pre-register for the 

Audio Event Call.. Organisers will be able to view who has registered for the 

conference by accessing a dedicated website and review any additional information 

that was requested. Participants who pre-register will receive an iCal appointment 

to place in Outlook with call details. After the conference has taken place the 

Chairperson can immediately identify who has and hasn’t attended the 

conference. The report can be printed or exported as a CSV file. 

o Web View - It is possible to provide a web view of the Participants on the call and in 

the question queue. This allows the speaker to adjust their message to their

80 

audience as well as to prioritise the order in which they take questions as well as 

choose to not take a question from a certain participant. 

o Communication Line. A dedicated phone line for Presenters to the Conference 

Coordinator can be requested for support purposes in the event of any technical 

difficulties so that the Conference Coordinator can talk to the Presenters. 

o Operator Dial-out. The Chairperson can at any time request that a Conference 

Coordinator dial out to another party and bring them into the conference. 

Conference Monitoring and Moderation Features 

o Question and Answer Sessions Typically used after a lecture or a presentation, 

Participants can use their telephone keypad to signal that they wish to ask a 

question. The questioner’s identity is displayed to the co-ordinator who allows 

questions to be asked one at a time. Tone dialling telephones are required by 

Participants. 

o Voting/Polling. The Chairperson provides multiple-choice questions and then 

Participants key in the appropriate digits to signal their answer to each question. 

The results will be collated and delivered to the customer. Participants need DTMF 

telephones for voting. 

o Conference Monitoring. Monitoring of the audio conference for sound quality is 

provided by the Co-ordinator during the call.

81 

o Recording. The phone conference will be recorded onto either a 90-minute audio 

cassette or onto a Compact Disc, and posted by first class post. Additional copies 

can also be supplied. All Participants will be advised at the start of the audio 

conference that it is being recorded. This feature must be requested at time of 

booking. (Note: the CD can be recorded in .wav, MP3 or Windows Media file 

formats and these formats are also supplied via email) 

o Replay. The conference can be digitally recorded and then made available at a later 

date. When the recording is available, the customer distributes the telephone 

number and recording number to allow access. 

o Replay Plus. In addition to the standard Replay feature, participants can also be 

asked to record their names, company names or other information before listening 

to the recording, and/or comments, feedback etc. after listening to it. 

o Transcription. The phone conference can be recorded and a typed transcript 

delivered by post, fax or e-mail. 

o Translation. The typed record can be translated into another language for the 

customer. 

o Playback. Pre-recorded tapes or CDs supplied in advance by the Customer can be 

played into the Conference at any point upon request. 

o Interpretation. An interpreter can be brought online for all or part of the audio 

conference. A list of available languages can be provided on request to the 

Contractor.

82 

o Conference Support Work. If additional work (such as faxing agendas), is 

required the Contractors Help Desk will provide further information and associated 

costs on take up of the service. 

o Webconferencing Facilities. The Contractor provides a set of web-based services 

Support 

which can be used for presentations and collaborative calls. If assistance is required 

from the Conference Coordinator before, during and after the meeting to upload 

presentation material to the selected web-conference, drive slideware and interact 

with the webconferencing console, this must be selected at the time of booking. 

Routes for support can be either *0 (star zero keyed when in an Audio Conference will bring 

a Conferencing co-ordinator into your call to assist with a problem as it happens), or toll-free 

helpdesk and technical support. Both these routes have escalation paths to Disaster Recovery 

processes. 

Web conferencing management information 

The Contractor makes management information available monthly and the format and build 

is agreed and reviewed with the customer. The Account Performance Report features a number 

of comparative metrics over the previous year (by month) and includes, minutes, participants, 

expenditure etc. 

Management information can also be extracted from the monthly VMBOL (View My Bill 

Online) Billing information, VMBOL is an Internet based Billing tool which breaks down the bill to 

each individual call and can determine how many participants and how long they participated in 

a call, what the individual costs were, and all information can be exported to Excel for

83 

manipulation and internal billing purposes (this via cost-centres associated with each contact if 

required) 

K) Value Added Services - Service Description for Desktop Video Conferencing and 

Collaboration Tools 

Desktop Video - Range of Capabilities 

Desktop Video is a very broad product line, which can encompass both Software as a Service 

(SaaS), through to a full hardware on premise deployment. The Contractor can offer both 

Commodity and Managed Solutions in the following key areas: 

SaaS led desktop Video 

o These services are usually based on web conferencing led tools– specific services 

can integrate fully to the Contractor’s Phone Conferencing services. The video 

however is generally not ‘standards based’, so video conferences can only occur 

between other users utilizing the same tools. 

IM and Presence led desktop Video. 

o These services usually lead with client software on the desktop/tablet for IM and 

Presence. This client software is generally standards based or proprietary, If 

standards based then please see bullet point below “Standards based led Desktop 

Video”.

84 

o If proprietary then the Contractor can offer on premise hardware to allow 

proprietary video calls to call standards based video endpoints, therefore allowing 

access to the services described below. 

Standards based led desktop video 

The Contractor can provide hardware which can be sold as a pure on premise deployment, 

with installation and support, or wrapped in a Managed Service via strategic staffing. 

Features 

o SaaS led desktop Video. 

o IM and Presence led desktop Video. 

The Contractor can provide the necessary on premise hardware to convert the proprietary 

protocols to standards based protocols. Example features shown below: 

o Conversion of RTV (Real Time video) to H.263 CIF or H.264 720P. 

o Maintenance support of on premise hardware for conversion. 

o Installation of on premise hardware for conversion. 

o Bridging services for desktop video endpoints to join as a guest the Contractor’s video 

bridging and gateway services.

85 

Standards Based Led Desktop Video 

The Contractor can provide the necessary on premise hardware to offer desktop video 

conferencing from the major manufactures. Example features shown below: 

o Installation of on premise hardware. 

o Maintenance support of on premise hardware. 

o Bridging services for a desktop user to join as a guest the Contractor’s video bridging and 

gateway services. 

o High fidelity audio over Internet. 

o Up to HD resolution through standards-based H-264 video. 

o Users can share their PC desktops. 

Service Management - Dedicated Account management support with regular reviews. 

The Contractor provides customers with Dedicated Account and Service Managers. 

Desktop Video Conferencing Implementation Services 

The installation programme focuses on: 

o On site readiness. 

o Technology components. 

o Equipment shipping. 

o Receiving and delivery.

86 

o Physical setup. 

o Configuration 

o Testing 

o Operational training. 

For most installations a project manager is appointed by the Contractor to ensure all 

coordination and communication is smoothly handled. 

For transition of existing equipment onto the new service, the Contractor’s migration/on- 

boarding process methodology ensures that this is handled smoothly. An on-boarding team 

leader who will manage the process will be appointed. A site registration for all sites is input into 

the Contractor’s system to create an asset register. 

Installation Example Scope of Services - Site Preparation: 

o Installation scheduling coordination with customer designated contact. 

o Technical/configuration review – (including network). 

o Confirmation with customer to ensure site readiness prior to installation date. 

Shipment Tracking 

o Confirm equipment order receipt by manufacturer. 

o Monitor equipment shipment status by tracking number. 

o Contact customer to confirm delivery. 

On Site Installation 

o Unpack equipment from original shipping containers. 

o Conduct visual inspection for damage. 

o Verify completeness of equipment delivery. 

o Install components (includes installation in cart if purchased/provided).

87 

Testing 

o Connect equipment to in place network. 

o Dress cables. 

o Install auxiliary cameras, system control peripherals, microphones and other 

provided accessories (using provided standard cables and extenders). 

o Perform power up, initial system configuration and system diagnostics. 

o Confirm system is functioning properly in local loop-back configuration. 

o Place and receive a remote video call (functional network required). 

o Loop back testing will be performed in the event network is unavailable at the time 

of installation. 

o Return visits to perform testing after network installation is subject to Time & 

Material rates. 

Training 

The Contractor provides the following system orientation training with all equipment 

installations at no additional charge: 

o Overview of system components. 

o System power on/off instructions. 

o Place & Receiving Calls. 

o Types of calls system can place and receive. 

o Placing calls. 

o Calling from the Speed Dial List. 

o Manual dialing. 

o Answering calls. 

o Using the address book. 

o Adding a site. 

o Dialing

88 

o Deleting a site. 

o Using local cameras. 

o Using and setting presets. 

o Using remote cameras. 

o Instructions on performing a loop back test. 

o How to contact The Contractor for support. 

Support Initiation 

o Initiate Warranty/Maintenance agreement. 

o Provide Help Desk contact information. 

o Conduct Quality Assurance functionality review within one week of installation. 

Installation Acceptance 

The Contractor requests customer site contacts review and sign a completed Project 

Installation Certificate (PIC) to ensure installation has been completed to the customer’s 

satisfaction. 

Support Options 

Maintenance 

The chart referred to below outlines the various services and the level of support provided. 

See Figure 3 in ‘BT_PSNS_Appendix1_Award Questionnaire_SectionB_v2.0 graphics’

89 

Video Global Help Desk 

The Contractor offers a 24 x 365 Help Desk support as a single point of contact. Our field 

service and Help Desk technical staff are certified and trained on all products supported by the 

Contractor. 

There are 5 options for Maintenance Service. These are: 

o One Care Remote. 

o One Care On-site. 

o One Care Remote Plus. 

o One Care On-Site Plus. 

o Time and Materials. 

One Care Remote 

The Contractor will provide telephone support and remotely coordinate repair and materials 

necessary to enable the covered products to perform correctly in accordance with their 

warranties, specifications, End User manuals, descriptions and/or other related documentation, 

and to timely resolve each problem or error. 

o Free Phone Help Desk Telephone Support - Provides customer access to the Help Desk 

which is available 24 x 365 for telephone assistance regarding user questions, trouble 

call reporting, usage or maintenance assistance. The Help Desk technicians utilise

90 

trouble call tracking and database software for problem resolution and escalation 

procedures. The Help Desk will continue to track and manage resolution on the call 

ticket until the trouble has been fixed and tested. 

o Failed Part Replacement - The Contractor will remotely assist the customer in 

determining the defective part to be replaced for any Covered Product. Following the 

Contractor’s diagnosis of the failure, replacement parts are shipped on a priority basis in 

accordance with the manufacturer’s published lead time. 

o Software - One Care Remote provides software protection for Covered Products with the 

provisioning of updates, bug fixes and patches unless excluded by the manufacturer for 

a particular Covered Product. 

One Care On-Site - One Care On-Site Maintenance includes all features described under One 

Care Remote, and adds the following features: 

The Contractor Service Representative Services (for part replacement) 

o If telephone Help Desk troubleshooting and isolation procedures as per the Contractor 

Service escalation procedure do not resolve the problem, the Help Desk will dispatch a 

Contractor Authorised Service Representative for replacement of suspected failed parts 

on the Covered Products. Following the Contractor’s diagnosis of the problem, this 

service is delivered on-site in coordination with the arrival of the replacement of the 

faulty part at the Customer’s Site. 

o On-Site Support - If on-site replacement does not resolve the suspected trouble issue, 

the Contractor Authorised Service Representative will remain on-site at no additional

91 

charge to further isolate and resolve the problem (if a Covered Product is still suspected 

to be the source of the problem). If the Contractor determines that no Covered Product 

is the source of the problem, the Contractor Authorised Service Representative may stay 

on-site to assist other vendors, network carriers or in-house wiring personnel at time 

and materials rates. 

One Care Remote Plus & One Care Onsite Plus One Care Plus includes (in addition to the 

features described for One Care Remote & One Care Onsite) the following features: 

o Network Trouble Resolution - In the event of a network trouble issue, the Help Desk will 

provide telephone or email coordination with network providers and/or the customer’s 

IT support staff to promote resolution of network and/or networking equipment issues. 

o Remote Equipment Monitoring (REM)- This service proactively monitors the status of a 

Covered Product in a remote centric manner in order to determine when it may become 

inoperable or incapable of supporting a video conference application. The nature and 

extent of REM Service varies depending on the device being monitored. The REM 

Service can monitor the status of a range of devices, including but not limited to: 

Video conferencing endpoints. 

Video conferencing bridges. 

Video conferencing infrastructure equipment. 

Routers (router interface only).

92 

IP/ISDN networks (via video conferencing endpoints). 

o Certification - If the Customer selects One Care Plus, the Covered Products are 

subject to a device certification performed by the Contractor. Certification is carried 

out remotely. 

o Proactive Monitoring - Once the certification is completed, the Contractor will start 

proactively monitoring the status of a Covered Product. This will be carried out in a 

remote centric manner. 

o Monitoring Covered Product Status - The Contractor will provide access to the web 

based tool web portal accessible via the public internet. The Customer will be able 

to use the web based tool to access the REM Service interface. The REM Service 

interface will allow the customer to view the status of each of its Covered Products 

that is being monitored by the REM Service. This Service is available on a 24 x 365 

basis. 

o REM Reporting - The customer will be able to use the web based tool portal to 

access the reporting platform. This Service is available on a 24 x 365 basis. A number 

of reports related to the REM service are available and can be exported to various 

formats to allow customers to customise the output of the standard reports. The 

reports available include: 

Open Tickets. 

Closed Tickets. 

Ticket List.

93 

Ticket Statistics. 

Ticket Monthly Counts. 

Tickets by Site. 

REM Service Performance. 

o Network Connectivity between the Customer & the Contractor - In order for the 

Contractor to provide the REM Service, network connectivity must be put in place to 

securely allow REM Service traffic to pass from the customer’s Covered Product to 

the Contractors management tools. 

o Dual Monitoring - The Contractor will not provide the REM Service for any Covered 

Product that is being simultaneously monitored by another application, such as but 

not limited to Tandberg management suit (TMS) and Polycom global management 

system (GMS). 

Time and Material Services 

The Contractor provides time and material services (remote and/or on site). Customers can 

request time and material services through the Help Desk call process. Time and materials 

service tickets are processed on a “first come first served” basis with no guarantee of resolution 

times. 

o One Call Maintenance – The Contractor One Call Portfolio is defined as providing a 

single point of contact for Level One helpdesk support and dispatch management to

94 

customer’s in-house and 3 rd party maintenance providers. The Contractor provides 

three levels of One Call support: 

One Call. 

One Call Plus. 

One Call Custom. 

o Return On Investment (ROI) enhancement and tracking programs - The Contractor has a 

number of service options which ensure that the objectives behind the investment can 

be tracked and reported on. This approach allows organisations to facilitate end user 

adoption of new services and to track the tangible environmental impact that the video 

conferencing solution is delivering. 

o Training and adoption - The Contractor provides: 

Introduction to videoconferencing, and methodologies for best utilising video. 

Introductory courses / support materials for de-mystifying the new technology and 

usage. 

Training for our online and reporting suite. 

Guidance on technology acceptance, processes, and the Contractor’s service support. 

Insight on Best Practices, including innovative ways other clients have used video 

throughout their organisation to successfully achieve business objectives.

95 

o Three levels of program support: The Contractor branded, Co-branded, and Custom 

Branded: 

The Contractor branded means that all the materials will have the Contractor logo, 

look, and feel. 

Co-branded materials will include both the Contractor and client on all marketing 

collateral. 

Custom branded marketing collateral will be designed according to the customer’s 

brand, inclusive of their logo, colours, etc. 

The appropriate level will be agreed as part of the scoping for a particular project or 

deployment. 

Items include materials such as quick reference guides, user guides, equipment 

guides, door hangers, posters, tent cards, and guidelines for our web based tool. 

The Contractors Education & Adoption Program 

The Contractor program covers emails, flyers and marketing material that can easily be 

branded. The Contractor recommends that video training sessions are recorded so that users 

and new users can catch up and learn how to use the systems. 

The Contractor will provide the Customer with an education and adoption program to 

launch a new video conferencing service. A dedicated Marketing Manager will work with the 

Customer to develop a Communication Plan that includes implementation and on-going 

educational and training initiatives.

96 

The Contractor will employ tried and tested communication techniques for the Customer to: 

o Promote the benefits of conferencing. 

o Educate and train employees on the new conferencing service. 

o Highlight best practices. 

o Provide on-going education. 

o Request feedback from end users in order to constantly improve the service. 

The Contractor offers customised and branded materials at different levels according to the 

Customers’ requirements. 

The campaign approach to launch the service and drive adoption consists of the following 

core elements: 

Awareness - Announcement emails 

- Posters incl. door sign 

- Open days/Webinars 

Welcome - Welcome email with users account details (Engage 

users only) 

Training - Dedicated mini-site with end user support material 

i.e. user guides 

- A web based tool online training 

In-life Education - One educational message per month or quarter 

- Short messages that cover key issues 

Launch Process: 6 to 7 weeks 

The launch process involves five stages: 

o Define: Agree communications, target audience, key messages, branding. 

o Draft: The Contractor creates the communications design. 

o Approve: Customer approval, review feedback process. 

o Launch: Customer to launch communications.

97 

o Feedback: Capture feedback from users and make any changes. 

The Contractor Education and Training Services 

The Contractor understands that customer training is critical to the overall success of an 

enterprise conferencing solution. When users feel comfortable and confident with the 

technology, adoption rates are elevated. Additionally, when more conferencing users embrace 

unified collaboration, organizations enjoy significant benefits, such as increased productivity and 

reduced travel costs. 

The Contractor’s educational training services focuses on the techniques of effective 

conferencing as well as system operation itself, with the goal of “minimising the effects of the 

technology”. All customer-training is directed through our in-house Educational Services team 

and offers options for training to be delivered via video or on site at the customer’s location. 

End User Training Course Content 

End user training conducted for a room system is a two hour session designed to be most 

effective with up to eight participants per session. Desktop End User Training is a one hour 

session for up to three participants per session. 

User training sessions are conducted over video however may also be provided at the 

customer’s location. The key elements of the training course are: 

o Identifying and operating system components. 

o Powering the system on/off. 

o Dialling point-to-point/dialling into a bridge. 

o Dialling an audio call over video (when applicable). 

o Performing within a multipoint conference (when to use “mute”, how to start a 

meeting, multipoint etiquette). 

o Operating and pre-setting near and far end camera control. 

o Previewing and sending peripherals within a meeting for presentations. 

o Working with a VCR, document camera or other peripheral.

98 

o Sending “Freeze Frame Graphics” or snapshots. 

o Creating materials for PC/MAC use. 

o Incorporating video etiquette into a meeting environment. 

Technical and Administrator Training 

Technical or Administrative Training is conducted at the customer’s location at the end of 

the installation. System components are reviewed, network connections are identified and 

explained and system menus are demonstrated to acquaint the administrator(s) with the 

system. Each course includes customised training guides for all class participants. 

The Security Framework 

Security for PSN 

The IL2 Service proposed for PSN is delivered from the Contractor’s standard conferencing 

platform, used to deliver video conferencing and telepresence services across all the 

Contractor’s business customers. This platform will be assured to IL2 by a CAS(T) audit and 

submitted for accreditation by the Pan Government Accreditor as part of the PSN certification 

process. 

The Contractor has also provided videoconference solutions for a number of Government 

organisations with similar Security requirements. Although these do not offer desktop video as a 

service, they do show that the Contractor can offer standards based Video Conferencing to an 

IL2 level

99 

Solution 1 

The Video Conference service, as utilised by existing Government organisations via the 

Contractor, provides videoconferencing accredited at RESTRICTED (IL3). The service comprises 

infrastructure across a number of locations for resilience supporting approximately 330 

endpoints of various types operating as either Standard Definition or High Definition. There are 

a number of Telepresence systems also within the estate. 

The service can operate in a fully automated manner with users booking online through to 

call launch at a future date for the selected systems. A dedicated helpdesk is provided to assist 

with bookings, call launches and problems as required. The helpdesk is the single point of 

ownership for all operations within the service. The service operates predominantly using H.323 

(IP) although an H.320 (ISDN) capability is maintained. 

The managed service is provided by a dedicated Contractor Team based in Preston. The 

Team are located in an access controlled area and are dedicated solely to the service provided 

for the Government organisation, the staff are security cleared to SC or higher. The equipment 

providing the service is located in secure premises and is physically separated from other 

infrastructure equipment. The equipment provided is not used for any other customer. 

Solution 2 

This solution is based on IL3 and IL5 Security levels. 

The service provides a Managed Service based on Internet Protocol (IP) and ISDN providing 

conferencing capability at RESTRICTED and SECRET levels, allowing for either point to point or 

multi-point video conferencing.

100 

The service comprises infrastructure supporting over 400 endpoints, with a mixture of 

Standard and High Definition. 

The solution is delivered by the Contractor on behalf of the MOD under a single supplier 

agreement. The Contractor delivers secure voice, data, LAN interconnect, and other WAN 

Defence industry partners also benefit from this Contractor service. 

The Contractor has developed a complete range of tailor-made, integrated video- 

conferencing and audio-visual services. It’s all been built to rigid security standards. 

The service offers IP and ISDN service instances point-to-point and multi-point video- 

conferencing at several high security levels between users at the protective markings of. 

o RESTRICTED (including NATO RESTRICTED). 

o SECRET (including US-Allied SECRET and NATO SECRET). 

Suppliers Certification 

The Contractor Capabilities: Video Manufacturer Certifications: 

CISCO (includes TANDBERG). 

The Contractor is a Cisco direct reseller and holds the following 

certifications/specializations for Cisco TelePresence technologies: 

o Cisco GOLD Reseller. 

o ATP - Cisco TelePresence. 

o ATP - Cisco TelePresence Global. 

o Managed Services Master.

101 

o Global Certified Partner. 

POLYCOM 

The Contractor has been a Cisco/TANDBERG reseller for over 15 years. 

The Contractor is a Polycom reseller and holds the following certifications with 

Polycom: 

o Platinum Authorized Reseller. 

o Certified Service Provider. 

o Advanced Telepresence VNOC Provider. 

LIFESIZE 

The Contractor has been a Polycom reseller for over 15 years. 

The Contractor is a LifeSize direct reseller and holds the following certifications with 

LifeSize: 

o National Authorised Reseller. 

The Contractor has been a LifeSize reseller for over 4 years. 

Additional certifications: 

The Contractors Service Technicians have certifications in the following 

competencies: 

o CTS 

o AMX 

o Crestron 

o Cisco – BSCI, Cisco – ONP, Cisco | BSCI, Cisco CCENT, Cisco CCNA ,Cisco CUVC, 

o CIW, CompTIA A+, CompTIA Network +

102 

o Extron EAVA. 

o Madge CP. 

o Polycom CMA, Polycom CVE, P olycom HDX, Polycom MGC, Polycom 

RMX, Polycom CMA, Polycom SE200. 

o Radvision 

o Tandberg TCEP, Tandberg TCES, Tandberg TCTA, Tandberg TCTE, Tandberg TCTS, and 

Tandberg TMS. 

o The Contractor is an alpha and/or beta testing partner for endpoints, MCUs, 

software, etc. 

The Contractors Sales & Design Engineering Technicians have certifications in the 

following competencies: 

o Networking: A+, Net+, MCD, MSCE, CCNA. 

o ClearOne: Certified Technical Specialist. 

o TANDBERG (now Cisco): TANDBERG TCAP, TANDBERG TCTE, TANDBERG TCTMSS. 

o CTS InfoComm: CTS, CTS-D. 

o Extron: EAVA Extron Certification. 

o Cisco: Cisco CSE; Cisco Account Manager. 

o Polycom: VSG Video Sales Solutions, VSG Infrastructure Pre-Sales, VSG Video Pre- 

Sales Technical. 

o LifeSize: Certified Professional, Certified Expert, Technical Professional. 

L) Value Added Services - Service Description for Web Conferencing 

The Contractor’s web conferencing applications enable the sharing of documents and 

applications through the Web enabling communication through interactive online

103 

meetings. The Service provides a broad range of web conferencing services that build on the 

real-time functionality and capabilities of a dedicated delivery network. This is a private global 

network, created with a carrier-class information-switching architecture. Customers can choose 

from a range of applications dependant on their requirement. 

o Meetings: Users can give presentations, demonstrate software, view and annotate 

documents electronically. Teleconferencing is integrated to the service where the user has 

an appropriate webcam. The service has options to include additional features such as 

record and playback, integrated video, the ability to edit any document collaboratively and 

the ability to share applications or a Participant’s entire desktop. 

o Large events: For communications events such as press briefings, product announcements 

and marketing events. This application combines interactive meeting capabilities with 

planning, training, logistics management and real-time support services. It includes online 

confirmation, notification, and instruction, customised Participant registration, high- 

resolution text and graphics, the ability to demonstrate a broad range of applications in real- 

time, audience feedback collection via polling, white board interaction, guided web 

browsing, live chat, recording and archiving of seminars for on-demand playback, and end 

user reports. 

o Training sessions: Training and e-learning applications. With this application, participants can 

coordinate training schedules from announcement to enrolment to follow-up, deliver live 

instruction from a variety of sources directly to learners' desktops, and give presentations 

that include audio, video and interactive multimedia. Participants are able to

104 

administer tests, organise multiple simultaneous breakout sessions, and record, edit, play 

back and archive entire sessions for future use. 

o Remote desktop support: Remote Support is used by customer service organizations to 

provide remote hands-on support for system or software application problems. It allows 

service agents to support end-users through a web browser. The Service can be configured 

with a custom user interface to simplify support interactions for both the support agent and 

the end-user. 

o Enterprise edition: This application integrates the four service options outlined above to 

create a comprehensive solution tailor made to fit specific requirements 

Web Conferencing features 

The current Service features are set out below. Note: the Contractor reserves the right 

without notice to upgrade the Service to a later version which may result in these features and 

their descriptions changing. 

Generic Service features 

o Feature o Detail 

Share documents, Share and control documents, applications, and desktops

105 


applications, or 

desktops 

Rich multimedia 

experience 

Video and video 

conferencing 

remotely in real time without uploading files to a server. 

Collaborate on content to view, annotate, and enlarge 

documents or graphics. Switch between different sharing 

modes without transitions or distractions. 

Incorporate multi-media into presentations: PowerP 

int, Flash animations, and audio and video. 

Real-time visual reference. Simulate face-to-face meeting 

with Participants from multiple locations with multi-point 

video. 

Supported on all Centres with exception of Event Centre. 

Supported Platforms: 

o Windows, Macintosh (Full support). 

o Linux, Solaris (View only). 

Min. Network Requirements 128Kbps (256Kbps 

Recommended). 

Resolutions: SQCIF, QCIF, CIF SQCIF, QCIF, CIF. 

Max Resolution (pixels) 352 x 288 (CIF).

106 

suite 

access 


Desktop integration 

One-click meeting 

Network-Based 

Recording (NBR) 

Max Frame Rates (per sec.) 15fps (SQCIF, QCIF) 10fps (CIF) 

Transport Protocol TCP Port 80, SSL 443. 

Maximum Participants 500. 

Video Codec H.264. 

Additional Features: 

o Frame Rate Control. 

o Resolution Control. 

o Video Snapshot. 

o Congestion Control. 

Initiate meetings instantly from MS Office, MS Outlook, 

Lotus Notes and other instant messaging solutions. 

Start a meeting and invite Participants instantly from 

desktop. 

Available on request with all Centres with Committed 

Charges. Allows the Host to record the web and audio 

conference on the server with the following specification:

107 


File Formats: Advanced Recording Format .arf. 

Recording Conversion: .arf to Windows Media .wmv and 

Flash .swf. 

Recording Resolution 1024x768. 

Audio Recording: the Contractor Reservationless service. 

Recording Player: Network Recording Player. 

File Size: Typically 15MB to 40MB per Hour of Meeting 

Time; Results Vary by Meeting Content. 

Max Recording Length: 12 hours. 

Storage / Distribution: Saves to “My Files,” able to stream, 

download, and/or publish the recording URL. 

PowerPanels Deliver full-screen views for Participants whilst using 

controls to manage meeting activity privately behind the 

scenes. 

Chat Interact with the audience of the web conference through 

an online chat between Host and a Participant, or Host and all 

Participants.

108 


Annotation Pointers and real time annotation tools to provide 

additional commentary and collaboration. 

Firewall friendly Work through most firewalls without opening additional 

Security 

ports. 

The solution offers 128-bit SSL (Secure Socket Layer) transport to provide a high level of 

security for meeting sessions. The service encrypts network traffic associated with the meeting 

session with SSL. This applies not only to session content within an active meeting session, but 

also to traffic generated from the solution Web page accesses before and after the actual 

meeting session. This includes traffic arising from API calls. Thus, SSL encrypts the session 

creation, listing, joining processes, as well as feedback submission. 

Additionally, in-session content shared using the Document/Presentation Sharing mode is 

encrypted using U.S. National Security Agency authorized 256-bit AES (Advanced Encryption 

Standard) encryption prior to transmission. This ensures that such content is encrypted even if 

cached on intervening network devices.

109 

During a session, information is switched in real time rather than uploaded to a central 

server. , At the end of the session, all such data dissipates. 

The solution offers a number of in-meeting security options, including: 

Support 

Assignment of passwords to a session. 

Option to create private meetings or un-list them so that attendees must know 

the unique meeting key and optional password to join. 

Display of the attendee list. 

Ability to expel uninvited attendees (both browser and telephone). 

Ability to lock a meeting or event. 

Routes for support can be either *0 (star zero keyed when in an Audio Conference will bring 

a Conferencing co-ordinator into your call to assist with a problem as it happens), or toll-free 

helpdesk and technical support. Both these routes have escalation paths to Disaster Recovery 

processes. 

Web Conferencing Management Information 

The Contractor makes management information available monthly and the format and build 

is agreed and reviewed with the customer. The Account Performance Report features a number 

of comparative metrics over the previous year (by month) and includes, minutes, participants, 

expenditure etc. 

Management information can also be extracted from the monthly VMBOL (View My Bill 

Online) Billing information, VMBOL is a Internet based Billing tool which breaks down the bill to 

each individual call and can determine how many participants and how long they participated in 

a call, what the individual costs were, and all information can be exported to Excel for 

manipulation and internal billing purposes (this via cost-centres associated with each contact if 

required).

110 

Web Conferencing Partners 

The Contractor partners with both CISCO WEBEX and Microsoft in respect to web 

conferencing services offered and supported. 

M) Value Added Services - Managed Streaming Services 

Streaming, or webcasting, enables the delivery of high impact, rich-media messages 

including video, audio and presentations to more attendees. The technology takes audio and 

video content and transmits it efficiently over the internet or an organisation’s corporate 

intranet. This can be accessed by anyone with a personal computer and a web browser. 

Streaming can be delivered either “live” or “on demand”. It requires no infrastructure 

upgrades or hardware and the service includes end to end management before, during and after 

the event. 

Streaming integrates seamlessly with all of the conferencing services offered by the 

Contractor to enable the benefits of true unified collaboration. 

Event Management service options: 

The Contractor will tailor the streaming event to meet customer requirements. Services 

available include: 

Pre-call consultation and access tests.

111 

Preparation and organisation. 

Running the conference. 

Custom productions. 

Post event debrief. 

Co-ordinating of AV equipment. 

On-site management of the event. 

Managed Streaming Options 

“Live” 

The Contractor provides a URL as part of the booking confirmation. This link becomes live 15 

minutes before the scheduled start time of the event. The organisation booking the event e- 

mails this to the participants wanting to watch the stream. At the time of the conference the 

participants click on the URL and enter their registration details if requested to do so. 

“On Demand” 

The Contractor provides a URL as part of the booking confirmation. After the conference has 

finished the organisation booking the event e-mails this to the additional participants wanting to 

watch the stream. They simply click on the URL to watch. On demand content is usually available

112 

within 1.5 times the event duration. For example, for a two hour live event the on demand 

stream will be available approximately three hours after the event finishes. 

Confirmation Process 

After booking, the organiser will receive a confirmation email. This will confirm all of the 

streamed details including information about the features requested e.g. Presentation package, 

the date and time of the streamed conference and the URL for viewers to use to watch the 

stream. 

An optional registration page enables the event organiser to collect valuable information 

from viewers before they access the content of the stream. There is also an optional Presenter 

package to enable the organiser to produce and present the streaming session with a variety of 

tools. These include question and answer sessions and voting by the viewers to gauge 

understanding. It is also possible to create an index of archived presentations for fast and easy 

navigation. 

Bandwidth Management 

To manage corporate bandwidth more effectively the intranet solution uses software 

peering technology to deliver the stream. This is done via a desktop client that utilises an 

organisation’s existing Local Area Network thus optimising the Wide Area Network bandwidth 

demands, removing the need to add more bandwidth or buy additional hardware. The more

113 

computers that connect to the stream the more efficient the desktop client becomes, with 

reduced load and a higher built in redundancy across the network. 

Functional Description for Other Communication Services 

The following basket of other communication services are described below: 

o Co-Location And Hosting Services. 

o On-Line Storage Services. 

o Antivirus Services. 

o Email Scanning And Filtering Services. 

o Firewalls, Intrusion And Spyware Detection Services. 

o Authentication And Access Management Services. 

o Web And Application Sign On Services. 

o Mail And Messaging Services. 

o Real Time Information Services. 

o Desktop Messaging. 

o Messaging Via Email, SMS, Pager And Mobile Or Fixed Line Telephone. 

o Secure File Transfer.

114 

o Unified Communications. 

N) Other Communication Services - Service Description Internet services 

The Contractors Internet Connect UK Service provides Ethernet Access based services to 

connect the customer to the Internet. As such all bandwidth speeds are sold as Ethernet (Layer 

2) speeds and internet connectivity. The service includes Domain Name Registration and 

Primary and Secondary Domain hosting as follows:- 

o Primary DNS names are hosted for any domain that the customer owns. Sub-domains 

of customer-owned domains are treated as separate domains 

o Secondary domain name service for name and address resolution. 

.The Contractor can register with the appropriate registration authority the customer’s 

requested domain name, subject to that name’s availability. 

DNS 

IP and application services 

Primary DNS 10 primary DNS names are included and hosted free of charge 

Secondary 

charge 

Summary of Key Features 

250 secondary DNS names are included and hosted free of

115 

o Service delivered on a range of bandwidth ( 2 Mbps - 10Gbps) bearers with “Flex” 

capability, 

o A managed router is provided as standard, as part of the service. This device provides 

isolation between the network and any of the Customers own equipment and defines 

the Contractors service boundary. 

o Resilience options - Failover & Load balancing (the Contractor recommends the latter 

option). 

o Disaster Recovery options are available. 

o Static routed IP addresses. 

o Domain name registration and administration. 

o DNS (Primary and Secondary name servers). 

o Clean-feed, provided as a standard feature, blocks access to Internet sites included on 

the Internet Watch Foundation (IWF) list. 

Throughput considerations 

The effective throughput is affected by the protocol being used and where the throughput 

is being measured from. For example the IP layer throughput will be different to the Ethernet 

layer throughput due to the overheads associated with delivering the IP packet over the 

Ethernet access.

116 

The IP throughput can vary based on the type of IP applications being run e.g. IP Telephony 

traffic has far greater overheads compared to FTP traffic due to the nature of the voice 

application driving the need to package the voice data into small IP packets to be sent over the 

IP network quickly and at regular intervals as opposed to the FTP traffic that is typically sending 

large (non real-time) data across the network in large IP packets. 

The service can potentially achieve an IP throughput of up to 98% however this may 

decrease based on applications being used over the Internet Access connection. 

This is not just applicable for the Contractors services, any Ethernet (layer 2) Internet 

Access service purchased from any other ISP will also be subject to the same bandwidth 

throughput considerations. 

Access options 

The Contractors Internet Connect UK offers a range of access/speed choices: 

Speed Access Technology 

2-10Mbps EFM Ethernet In the First Mile 

10Mbps, 

100Mbps, 500Mbps, 1Gbps 

& 10Gbps 

(Copper) 

Ethernet (Fibre)

117 

Service speeds 

The Contractors Internet Connect UK service speeds can be changed within 72 hours. 

Service speeds start at 256Kbps. 

Bearer Access Service Increments 

10Mbps & 100Mbps 1 Mbps increments 

, 1Gbps 10 Mbps increments 

Resilience options 

The Contractor has the following standard resilience options. 

Service option Description 

Failover In normal operation all the traffic goes over one primary access 

circuit. In the event of a failure, the traffic fails over to a secondary 

access; which, if available has been diversely routed. 

Load balance Load balancing differs from Failover by sharing the traffic in 

Security 

normal operation over the two physical accesses, diversely routed if 

available. In the event of an access failure, all traffic is routed over 

the remaining access.

118 

Service 

The Contractors Internet Connect UK offers the following 

Accreditation BSI 7799 / ISO 27001 

Illegal content 

Denial of 

Cleanfeed uses the Internet Watch Foundations managed black 

list to prevent users from downloading illegal content. 

Service Optionl, Cleanfeed can be turned off. 

Internet Connect UK proactively monitors and protects the 

Contractors core network against Denial of Service attacks. 

Proactive Service Option, Distributed Denial of Service monitoring and 

mitigation service. This service mitigates against traffic DDoS 

attacks, DoS floods, Protocol Misuse, Worms and behaviour 

anomaly based attacks. 

Contractors indicative access delivery lead times 

Service Target Service Lead-Time 

2 Mbps 40 working days, subject to survey 

10Mbps and 100Mbps 45 working days, subject to survey 

500 Mbps 70 working days subject to survey 

1 Gb 70 working days, subject to survey

119 

10 Gb 90 working days, subject to survey 

2Mbps - 10Mbps EFM 30 working days, subject to survey 

CPE 

Included in the service is a monitored Cisco router. 

Service Option: Customers can choose to supply, manage and or use third party or customer 

owned CPE. 

Contention 

The service is un-contended (1:1) in the Contractors Internet Connect UK network. The 

bandwidth selected by the customer is always on.

120 

Peering 

Internet Connect UK has extensive peering, through the Contractors UK (AS2856) and 

International (AS5400) backbone. 

Broadband access 

The Contractors Total Broadband products provide access options for mobile and home 

workers or individuals with light usage requirements. The Contractors Business Total Broadband 

service has two access technology services with a variable rate 20Mbps (maximum) and a 

40Mbps fibre optic service. 

The 20Mbps uses new 'rate-adaptive' ADSL technology to automatically provide and 

maintain the fastest broadband speed a phone line can physically support. The actual maximum 

speed depends on a range of factors, including the customer's proximity to their telephone 

exchange, the quality and length of any telephone extension lines in their home, and the speed 

of their computer and modem. A customer living close to their exchange could get the full 20MB 

speed, whilst those living further away might achieve lower maximum speeds of 6Mb, 4Mb, or 

2Mb. The 20MB service is also subject to local availability. 

The Contractor also provides Infinity for business (Super-fast Broadband) that is a fibre optic 

access service. Current download speeds of up to 40Mbps are available. Future download 

speeds of up to 100 Mbps are targeted today and the Contractor is testing access speeds up to

121 

100Mb for release within the near future. This also means that the Contractor can provide 

super-fast upload speeds as a proportion of the download speed. 

The Contractors Business Broadband connection offers the following key features: 

Infinity for business (Super-fast Broadband) 

flexible option for connection including Free connection (time limited) 

Up to 40Mb download and 10Mb upload 

Unlimited Wi-Fi access 

Total Broadband Advance Support (Fibre) 

flexible option for connection including Free connection (time limited) 

Up to 20Mb download and 2Mb upload 

Total Broadband Advance Support 

As Advance but Unlimited Usage and Premium Support (covering BB and PC’s) 

Total Broadband Advance 

50GB Usage, Hub, Free UK Phone Support, Unlimited Wi-Fi access 

Total Broadband Office Unlimited 

Unlimited Usage, Unlimited Wi-Fi access 

No Hub 

Paid for UK Phone Support, (free online support),

122 

Total Broadband Office 

10G Usage, Unlimited Wi-Fi access 

No Hub. Online Service, 

Satellite Broadband Mobile 

The Contractor’s service can provide a vehicle-mounted broadband IP connection. This is 

achieved via a small self-deploying motorised antenna, antenna controller, and satellite modem. 

The connection can be used for web browsing, email and other Internet Protocol (IP) 

applications. 

Virtual Private Networks (VPNs) can be supported via protocols such as Internet Protocol 

Security (IPSec) for secure connection to a corporate network. Alternatively, for even greater 

security, the customer has the option for a dedicated private connection from the satellite 

network hub bypassing the public Internet. 

The satellite modem functions as a router and provides an Ethernet interface, delivering IP 

connectivity over the satellite back to the satellite hub which has high levels of resilience against 

power failures and other events. The Contractors support desk is manned 24/7 with expert 

assistance available on call. 

Connectivity is provided from this service to the Internet or to a customer-dedicated 

backhaul such as a leased line or multiprotocol label switching (MPLS) circuit.

123 

Virtual Private Networking (VPN) 

The Contractors Satellite Broadband Mobile supports use of Virtual Private Networks (VPNs) 

using the IP Security (IPSec) protocol. Note that use of IPSec encryption will mean traffic cannot 

be accelerated by compression techniques across the satellite network and this will normally 

result in lower throughput speeds. However the Contractors GatewayVPN product can be 

combined with this service to provide fully end-to-end accelerated VPN tunnels over satellite 

whilst maintaining a high level of customer security which avoids the cost of a dedicated 

backhaul from the hub to a customers corporate headquarters. 

Dedicated backhaul 

Alternative connectivity is available for customers that do not require to connect via the 

Internet. The Contractor can provide dedicated backhaul such as a multiprotocol label switching 

(MPLS) circuit or a leased line. 

Customer equipment 

The Contractor provides the satellite equipment required including a self-deploying 

motorised 75 or 90 cm satellite antenna, which needs a clear view of the southern sky, 

unobstructed by trees or tall buildings to lock onto the network. Exceptionally, some locations 

may require a larger 1.2 m antenna. A self-deploying motorised antenna mount and controller 

and a satellite modem unit are also supplied.

124 

The system can be powered from the vehicle battery – via an inverter – or from a separate 

battery/inverter, or from an external 230-volt mains power supply where available. 

Key features 

Speed: a choice of service peak speeds and the option of a pool of dedicated bandwidth 

dedicated to customer sites; both help optimise service levels 

Connectivity options: connecting either to the Internet or via an optional secure VPN 

tunnel over the internet into your private network 

Availability: designed to exceed 99.5 per cent in most locations, boosts efficiency and 

minimises downtime. 

Remote management: the Contractor can change your service speeds quickly and without 

intervention at remote sites. 

Fixed pricing: the connection is “always-on,” with no dial-up or per-minute charges. The 

monthly service price provides predictable costs. 

Convenience: the self-deploying antenna makes accessing the Internet or corporate 

network simple and is available 24/7. 

O) Other Communication Services - Service Description for Co-Location and Hosting Services

125 

Co-location services - The Contractors Locate Solutions, is a high level standard 

specification, custom built and local data centre offering that resides within the telephone 

exchange portfolio throughout the UK. The Locate team utilise the Contractors wealth of 

experience at running high availability environments to design and maintain the facilities to a 

bespoke SLA. The Contractors “Locate” Solutions offer a range of products from a Single Rack in 

a shared European Telecommunications Standards Institute (ETSI) environment to a dedicated 

Data Centre within one of the Contractor’s exchanges. 

The Contractors Locate Solutions are usually able to offer a site to within 20kms of a 

customer's desired location. Contract length is flexible but usually five years. 

Lead time for delivering Locate Solutions vary from a 12 week deployment for a single rack 

solution, to an eight month build time for the larger data centre depending on requirements. 

Locate Solutions Data Centres 

The Contractor is a key supplier of business continuity services and has developed a 

complete, one-stop solution that is designed to meet the needs of organisations of all sizes. The 

Contractor has a vast selection of versatile facilities which can be used for the reliable and 

secure hosting of IT and communications equipment. 

Locate Data Centre solutions provide:

126 

o Secure facilities at Contractors telephone exchanges – enabling customer equipment to 

be co-located with the network. 

o The diverse selection of sites in the UK – a nationwide spread that ensures that the 

contractors facilities are within easy reach of customer locations 

o A managed and monitored service in a secure environment. 

The Contractor can: 

o Source a suitable site 

o Supply, move and install customer equipment 

o Manage IT services – either remotely or onsite 

o Install the racks o Install and manage the cable connections 

o Provide complete telecoms connectivity 

Data suite components the complete data suite includes the following elements: 

o A raised floor 

o Power distribution units 

o Environmental monitoring 

o VESDA (Very Early Smoke Detection Apparatus)

127 

o Ironwork and cable trays (underneath the floor) 

o Air handling units 

o Inergen (inert gas fire suppression that lowers oxygen levels) 

o Associated office space(if required) 

Benefits 

o Flexibility – Ability to change : re-scale operations to reflect the customer changing 

requirements through to relocating data centre services to a different location. 

o Resilience to power outages: The contractor offers uninterruptible power supply and 

the data centre suites are also backed-up by a generator. 

o Security – The facilities are protected by a sophisticated electronic security system, 

managed from a central access control centre controlling access to authorised card 

holders 

o Environmental control - The Contractors approach use services that provide minimal 

environmental impact such as fresh air, modular cooling systems. 

Locate Single Rack, part of the Locate Data Suite, provides the facilities to house customer 

communications equipment in a rack in one of the Contractors telephone exchanges.

128 

include: 

The Contractor offers: 

o A monitored, safe and secure environment 

o A wide choice of sites throughout the UK 

The design, construction and maintenance of the communications rack. This could typically 

o a standard 600x600 45u lockable rack 

o Ironwork and cable runs 

o Dual power feeds, backed up by UPS (uninterruptible power supply) 

o 24x7 access to authorised personnel 

Key benefits include: 

o Lower costs: fixed charges; no major capital investment. 

o Performance: a minimum 99.67% power availability target. 

o System and data security: a sophisticated electronic security system. 

Hosting Services

129 

The Contractor’s Managed Hosting service is the provision of a fully inclusive hosting service 

within one of the Contractors data centres. The core service comprises of a data centre, 

common front end, connectivity and the necessary servers, storage devices; and services 

required to provide a managed service to the Customer. The Contractor provides all the 

necessary equipment to the customer or agent acting on behalf of the customer. 

These include : 

Data Centre 

Common front end 

Network Connectivity 

Managed services 

The Data Centre 

The contractors Data Centre services provides service options from the provision of power, 

cooling and space through to a complete managed service. Within a managed environment it is 

possible to connect the Customers devices to their network with a secured connection. 

The contractors Data Centres have built-in business continuity backed by network, server 

and storage SLA’s and aligned with ITIL processes & ISO 20000/27001 principles. 

The Contractor’s Managed Data Centre services are complemented by its Application 

Assured Infrastructure (AAI) service. AAI provides consultancy audits on application environment

130 

and impacts of IT changes and offers continuous monitoring and optimisation of application 

performance from desktop to data centre. 

The On-net Hosting service provides access to the Contractors MPLS network. The 

service enables IP Clear Customers to more easily and cost-effectively connect into their DCS 

Hosting Platforms via shared MPLS connectivity. The infrastructure is already in place and can be 

configured by the Contractor to provide a faster delivery. Data Centres are inherently resilient 

with multiple high bandwidth connectivity having a 99.55% to 99.99% target availability. 

The Contractor offers business continuity and disaster recovery solutions to provide a full 

end-to-end solution covering everything from PBX backup to intra-data centre data storage and 

retrieval networks and professional services for business impact analysis, risk and vulnerability 

assessments. 

Common Front End 

The Common Front End is the collective term used to describe the proven service design pattern 

for shared switches and routers incorporated into the data centre 

Network (connectivity) 

The Contractor standard network options are , Internet and MPLS 

Note: availability of these services are not present at all data centres.

131 

Internet Bandwidth is available in a number of options: 

a traffic allowance or dedicated capacity at some data centres and 

fixed, burstable and pay-as-you-use at other sites. 

Some data centres also have access to the MPLS network (On Net Hosting). This allows for 

very cost effective connectivity between the Contractors data centre and the Customers' MPLS 

network. 

Managed Services (servers, storage devices) 

The Contractor 

offers a set of products, locations, services CPE and resilience options to support a 

wide range of Co-location and hosting services; 

is vendor agnostic and can provide connectivity and services including a number of 

partners that give flexibility in supporting a variety of applications, servers, hardware, 

operating systems and Web and database servers. 

Hosting services 

The Contractors Web Hosting service provides an Internet website service including: 

Website hosting, creation, and maintenance of applications;

132 

include: 

E-chat and integrated messaging 

Customer communication and Website promotion applications. 

E-Shop provides E-commerce facilities within a website, allowing credit card 

transactions and other forms of payment. 

The Contractor also provides a bespoke corporate website service which has features that 

Website design and creation 

Website security testing 

Worldwide content distribution services, 

E-commerce gateways 

Performance testing and optimisation 

The services use the infrastructure of the Contractor’s managed hosting service. 

P) Other Communication Services - The Service Description for on demand storage services 

The Contractors solution is On Demand Compute. This is a web-based system that allows 

customers to create and manage their own infrastructure and access the service through the 

Contractors Compute Selfcare portal.

133 

Through the portal the customer controls the creation, modification and management of 

the Compute requirements through a series of easy to follow menus allowing the customer to:- 

add /remove virtual servers 

modify firewall sets. 

The service is based on a modular, layered architecture, which offers both scalability and 

virtualisation at each of the main layers. The layers include: 

Network layer – This includes the provision of firewall services; virtual ‘service’ load 

balancing; and virtual networks and switches. 

Storage layer – This enables the customer to allocate data space and includes virtual 

application storage (fast); virtual shared storage (slow); and snap backup and restore. 

Computing layer – This enables the customer to create, customise and control small, 

medium and large virtual servers via the portal. Options include high availability and additional 

value add services. 

Security layer – The security layer underlies the other three layers and provides multiple 

tiered firewall services, virtual load balancing and virtual SSL (Secure Sockets Layer). 

Features and functions 

The Contractor provides a suite of globalised data centre services that provide:

134 

o Automation – Full Automated Service Delivery and Service Assurance 

o Autonomics – Self Healing / Self Defending 

o Autonomy – Customer Self Service and Change Control 

The following features are provided as standard: 

o System Compatibility – A complete Application Hosting Environment supporting 

Microsoft Windows compatible applications. 

o Service Level –On Demand Compute is underpinned by an ITILv3 Service Wrap to 

known and agreed security levels, delivered to a known Service Level Availability target 

of 99.95%. 

o Standard Configuration - Virtualised instance(s) are configured to standard build 

templates, allowing fast turnaround of orders and changes. 

o Quick provisioning –On Demand Compute offers virtual servers built within five working 

days. Most in-life service changes take from 4 hours. 

o Managed service – The infrastructure supporting the customer’s service will 

be managed, and the virtual machines monitored for availability. 

o Storage flexibility – The customer can increase the storage up to a total of 2048Gb per 

virtual server or group of virtual servers. 

o Backup and Restore – Customers have a choice of backup schedules for application 

storage and can also restore backed-up drives. 

o Control of Resource – On Demand Compute enables customers to control many aspects 

of their service. These include adding and removing virtual servers, adding storage, 

increasing Internet bandwidth and adding and changing firewall rule sets. 

The service has an option for a “private cloud” service using dedicated servers and 

infrastructure within the Contractor’s data centres. The service is the same as offered with the 

On-Demand compute product, but based on dedicated hardware 

The following features are provided as standard:

135 

o System Compatibility – An Application Hosting Environment supporting Microsoft 

Windows compatible applications. 

o Service Level – an ITILv3 Service Wrap, delivered to a known Service Level Availability 

target of 99.95%. 

o Standard Configuration - Virtualised instance(s) are configured to standard build 

templates, allowing fast turnaround of orders and changes. 

o Provisioning – A new collection of virtual servers can be built within five working days. 

Most in-life service changes take from 4 hours. 

o Managed service – The infrastructure supporting the customer’s service is managed, 

and the virtual machines monitored for availability. 

o Storage flexibility – The customer can increase the storage up to a total of 2048Gb per 

virtual server or group of virtual servers. 

o Backup and Restore – Customers have a choice of backup schedules for application 

storage and can also restore backed-up drives. 

o Control of Resource – enables the Customer to control their service. This includes adding 

and removing virtual servers, adding storage, increasing Internet bandwidth and adding 

and changing firewall rule sets. 

Q) Other Communication Services - Service Description for antivirus services (internet protection 

and control)

136 

Comprehensive Web protection and control 

Web Security.Cloud helps defend against Web-borne threats. To protect against email and 

instant messaging related risks including links to malicious sites sent through instant messaging 

services, email-borne malware, spam, data leaks, and potential lawsuits caused by the 

distribution of inappropriate content. This is achieved by preventing malicious content located 

on requested destinations from being passed to the customers systems, filtering Web traffic 

requests to potentially dangerous sites, and inspecting download responses for all Web content. 


Symantec.cloud Web security and control 


Threat intelligence is shared across communication protocols for increased 

protection. 

Web Security.Cloud consists of two core components:

137 

o Uniform Resource Locator (URL) Filtering – All Web requests are verified against a 

sophisticated policy engine and URL categorisation database containing over 80 

categories to ensure appropriate content remains accessible while restricted content is 

carefully controlled. The policy engine is highly flexible and intuitive, enabling the 

Customer create policies and monitor behaviour for specific users and groups. The 

Customer can also place time and volume consumption based limitations on Web use to 

help prevent misuse and protect corporate bandwidth. 

o Multi-layered Security – Multiple commercial antispyware and antivirus engines scan 

the clients Web content for malware. These defences operate at the internet level to 

block threats before they reach the Customers network. The engines are continually 

updated by Symantec.Cloud to ensure accurate detection of the latest known 

threats. Proprietary Skeptic heuristic technology additionally guards against new and 

converging threats which can target Web users via other protocols such as email and 

instant messaging. 

Web URL Filtering 

Web URL Filtering enables the Customer to set up a rich set of policy rules for Web traffic 

requests to adhere to when submitted by a user. Policy rules are individual rules set up in order 

to identify the action to be taken when the administrator defined conditions are matched by a 

user’s Web request. There are over 80 URL categories to select from when creating rules and a 

URL Category Lookup tool to aid in the accurate and rapid creation of policies. 

Web URL Filtering is supported by a database of over 67 million URLs and the categorisation 

database offers multiple category support for a single URL. This ability helps to address the

138 

challenges of dynamic content, such as portals and Web 2.0 sites. This means that a Customers 

policies will be consistently enforced. Users can be protected from sites that are acceptable one 

day and contain content or files which should be blocked the next. 

Rules are configured using the Symantec.Cloud user interface, known as ClientNet. The 

ClientNet online portal enables the Customers administrators to configure, monitor and obtain 

reports about their services. Using ClientNet, rules can be configured for select users, groups, 

categories, file types, specific blocks of time or by bandwidth consumption levels. 

The ability to block certain undesirable file types from being downloaded can be particularly 

useful to aid in protecting corporate bandwidth and productivity. Files such as streaming media 

that tend to be large or consuming can be blocked completely or halted by the bandwidth levels 

they consume. 

Web URL Filter rules can be configured to apply to specified users, groups of users and can 

be applied to specific blocks of time. This assists Customers in creating policies which help 

monitor and enforce user compliance with their Web Acceptable Use policy regardless of their 

time zone. Additionally, the Customers administrators can take advantage of the service’s quota 

capability which allows for limits to be placed upon end-user browse time and bandwidth 

consumption levels. These capabilities are particularly useful for Customers interested in 

minimising challenges such as lunch hour browsing. 

Web Security.Cloud is provided with default rules, based on best practices, that can be used 

to block traffic to Web pages with URLs that are known to contain content in the multiple 

categories. Some examples of the categories the Customer can use include Adult/Sexually

139 

Explicit, Criminal Activity, Spam URLs, and Spyware. Customers have the ability to either use the 

default rules or to configure custom rules to reflect their own Web Acceptable Use Policy. 

Web URL Filtering rules are made up of the following components: 

o Conditions – A defined set of conditions that must be met in order to trigger the rule 

and its corresponding actions. 

o Time – An administrator may select periods, days or blocks of time in which the rule 

should be observed and enforced. 

o Groups – Select user groups may be specified within a rule. This allows for granular rules 

to be created based on Active Directory groups or custom groups defined by the 

Customer. 

o Quotas – Quotas can be used to select daily allowances that reset at 00:00 in the time 

zone(s) they are configured for. Quotas can be set by days of the week, selected hours 

of the day and applied to specific users or groups of users. Both time-based and 

bandwidth-based options are available. 

o URL Categories – These consist of several choices that filter out commonly visited sites 

which are inappropriate for work use, viewing in the workplace environment or which 

impact user productivity. Examples include: Sports, Adult/Sexually Explicit, Social 

Networking, Shopping and Web-based E-mail. 

o Specific URLs – Specific sites can be blocked which are deemed inappropriate or are not 

in keeping with the Contractor Web Acceptable Use Policy or allowed. For example the

140 

Travel URL Category may be blocked, but the Customers corporate travel agency’s 

Website may be allowed. 

o Content Types – This is a useful way of preventing streaming media and larger file types 

from being downloaded or accessed in order to protect bandwidth, storage and 

productive Web use. Rules can be configured for specific MIME (Multipurpose Internet 

Mail Extensions) types and categories as well as custom file types and categories. 

o Action – The Customers administrators are able to define the action that is performed 

when a Web request meets the conditions of a rule. 

Policy Stack and Processing 

Once rules have been created using ClientNet, each policy rule is placed into a rule ‘stack’ 

which is then evaluated in order from top to bottom. When the Hosted Web Security service 

proxy receives a request, it passes the request to the policy engine for processing and validation. 

In order for a rule to be called on, the criteria of each rule above it must be examined 

first. For example, the client may have policy rules to block users from downloading content by 

URL categories or specific URL/IP addresses. In this case, the policy engine will first check if the 

requested IP/URL matches any rules which ask for that specific destination to be blocked. If a 

match is identified, the page will not be retrieved and the user will be redirected to a block page 

notifying them of the action taken by the service. If no match is found, a subsequent rule 

requiring MIME or File type content to be checked would be called upon next. The requested

141 

object would then be checked separately from the other objects on the page and would be 

allowed or disallowed based on the findings presented to the engine. 

The policy engine avoids the need for confusing exception-based block or allow lists from 

being inserted into each rule. It also allows for the use of a number of detailed rules that can 

handle business exceptions based on their order within the stack. 

When the Web Security.Cloud service identifies a Web traffic request which matches a 

policy, it will follow the default or custom rule set defined by the customers service 

administrator. Possible actions include allow, block, log, allow and log, block, and block and log. 

Web AntiVirus & AntiSpyware 

After passing through Web URL filtering, Web traffic requests are then transferred to Web 

AntiSpyware and AntiVirus services for analysis. The hosted service enables threats to be 

detected at the internet level in order to identify and block inappropriate content or malware. 

Web Security.Cloud starts by searching for known Web-borne threats. Web traffic requests 

are routed through multiple, commercially available, signature-based scanners in 

parallel. Traffic passed through the service is scanned for malicious content including viruses, 

trojans, spyware and adware. 

The scanners examine the requested traffic target for known threats that match virus 

signature files. If the scanner response is unknown, the process continues in the next scanner to

142 

look for any malware matches. The scanners are automatically and continuously updated to 

ensure that the most current virus definitions are being used. 

If a Web page request, or a request for a file to be downloaded from the Web, is perceived 

by Web AntiVirus or Web AntiSpyware to contain a potential threat, it is blocked and not 

delivered to the end-user. The end user will then receive a block page which can be customised 

to suit specific customer needs. The block page assists in making the end user aware of what 

has happened, and why action was taken by the service. 

Skeptic Heuristic Technology 

In order to detect new, ‘zero hour’ threats, Web Security.Cloud utilises predictive heuristic 

technologies built into a proprietary defence layer called Skeptic. Skeptic is used to 

determine if the requested Web traffic target contains any components of malicious 

code. Skeptic’s multiple patented technologies and thousands of rules are applied to analyse 

and detect new and emerging threats. 

To provide enhanced performance, when a new item of malware is identified by Skeptic, a 

signature is created to enable faster identification of the item for future instances of the 

threat. Unlike commercial anti-virus scanning engines, Skeptic cannot be downloaded and 

tested by cyber-criminals for exploits. 

Skeptic, also has access to information shared by the MessageLabs Email Security.cloud and 

Instant Messaging Security.cloud services to assist in the detection of converging threats 

(threats that leverage more than a single protocol). This extends the ability of Web

143 

Security.Cloud to efficiently address the evolving nature of threats. For example, threats that 

use URLs which link to malware and are sent within emails, but are executed using the Web. 

Skeptic proprietary heuristic techniques leverage the processing power of a cloud-based 

solution to protect the customer against treats spanning email, web and IM. 

An overview of Web Security.cloud functionality. 



Simplify management 

Web Security.Cloud uses a single, integrated management console for email, Web, and 

instant messaging. The console helps to simplify administration and lower total cost of 

ownership while providing increased visibility into user behaviour.

144 

Web Security.Cloud includes several reporting options to inform administrators of the 

service’s effectiveness and actions. Insight into the Customers end-user behaviour and service 

performance is enabled by the services dashboard, summary, detailed and scheduled reporting 

options. Reports are configurable to help provide the Customer with visibility, accountability 

and confidence in the effectiveness of the service. 

The Dashboard provides an at a glance view of the current service performance levels and 

notable activities. Dashboard graphs and charts show statistics for selected periods of time and 

include a summary of the volume of Web usage volume, blocked requests, filtered requests and 

top five blocked categories. Available timeline views range from 24 hours up to 12 months of 

service activities. 

Summary reports provide status updates and metrics in a convenient PDF format. The 

summary report contains graphs, tables, and key statistics on Web volume, user activity, 

blocked threats and blocked Web page requests which violated the Customers policy. These 

reports can be customised to reflect a fixed or custom date range, and data for these reports is 

available from the previous day to the last 12 months of the use of the service. 

Detailed reports are useful for in-depth service data analysis. Data can be downloaded in 

the Common Separated Values (CSV) format providing detailed service statistics. These CSV files 

can also be exported for more detailed analysis and to create custom reports. 

Data in the detailed reports includes information on the performance of individual aspects 

of the service (Web AntiVirus and AntiSpyware performance, Web URL Filtering performance, 

User browse time by URL category, User browse time by individual URL, User bandwidth usage 

by URL category, User bandwidth usage by individual URL Bandwidth by user, Browse time by

145 

user, the number of URLs visited by specific users, browse time or bandwidth by URL category or 

individual websites). 

Detailed reports can also be customised by specific users, groups, IP (or IP range) date 

ranges and domains. The date ranges available include the last 60 minutes, 12 hours, previous 

day, last 7 or 30 days. 

Audit Reports enable the client to view detailed information on individual users and are 

provided in a PDF format. Audit reports include the same customisations that are available with 

the detailed reporting option. It is also possible to specify additional report criteria for more 

granular data (Categories, rules triggered and destination URLs) 

Scheduled reports are available to supply regularly updated information about the activities 

of the service. These reports are sent by email to the Customers service administrators and can 

be configured to supply information either globally or by domain. The frequency of the report 

can be customised and scheduled to occur on a daily, weekly, or monthly basis. 

Flexible Web Acceptable Use Policies (AUPs) 

Web Security.Cloud helps the Customer enforce Web acceptable use policies. 

Roaming User Agent 

Web Security.cloud has an optional roaming user agent capability (known as Smart Connect) 

that helps the Customers administrators to enforce their organisation’s policies and protect 

users who are outside the corporate network. 


146 

An overview of Smart Connect Roaming Agent functionality. 

Smart Connect uses a locally installed agent-based technology that works in conjunction 

with the Web Security.Cloud service infrastructure to protect roaming Web users. 

The agent draws from the following capabilities to protect users and enforce policies 

without noticeable delay: 

Network Environment Discovery – Smart Connect understands differences in end user 

networking environments and adjusts its behavior accordingly. For example, the agent forwards 

traffic in a passive state when in a captive portal (such as a Wi-Fi hotspot), to allow payment 

authorisation. Once the payment process is complete, the agent automatically switches to an 

active state by redirecting the user Web traffic to the Symantec Hosted Services infrastructure. 

Location awareness – Smart Connect uses a geographic location capability to identify a 

user’s location and then connect them to the recommended infrastructure Point of Presence 

within the Symantec.cloud global infrastructure. This helps to ensure the best possible 

performance can be provided. 

End user transparency – Smart Connect provides a consistent sign-on experience regardless 

of whether the user is roaming off-LAN or connecting through a Web gateway within the 

customers corporate LAN environment. 

Added security – Smart Connect protects Web browsing via a Secure Sockets Layer (SSL) 

channel that is established between the agent and Symantec.cloud infrastructure. All

147 

communication occurs once both agent and infrastructure have mutually authenticated using 

X.509 digital certificates. 

Smart Connect not only provides protection against Web-borne malware for users when 

they are outside of the corporate network, but also reduces the risk of a system becoming 

compromised and bringing malware back into the Customer’s network. 

Reduce IT time and costs 

Implementation of Web Security.Cloud is fast and easy. There is no software or hardware to 

buy, install or configure which makes the upfront cost of deployment far less than an in-house 

system. This enables the Customer to achieve a simpler network with less hardware. 

The hosted services are operated at the Internet level and managed by 

Symantec.cloud. The services provide the ability for the Customer to configure each service to 

suit organisational policies and needs. Symantec.cloud’s online portal, ClientNet, provides a 

single, central interface for the Customer to access and control hosted services. 

Once installed and configured to suit specific client requirements, the hosted services run in 

the background providing 24/7 protection. Symantec.cloud will manage all ongoing 

maintenance such as updates, capacity planning, and service performance. 

Increase end-user productivity 

Web security.cloud assists in optimising network bandwidth to process securely filtered 

Web traffic. Symantec.cloud’s globally distributed architecture supports minimal latency and

148 

enables the Customers end users to engage in secure, high quality web browsing with minimal 

delay. 

Web Security.cloud services help to protect organisations from Web misuse and help to 

prevent wasted bandwidth and reclaim end-user productivity. 

Continuous and automated hosted service updates help to eliminate the loss of the client 

employee productivity associated with downtime and unacceptable Web usage. Employees are 

free to focus on legitimate Web activities that help to drive business. 

R) Other Communication Services - Service Description for email scanning and filtering services 

Cloud-based Email AntiSpam and AntiVirus Protection 

The Contractor provides antivirus services through it partnership agreement with 

Messagelabs (Symantec) 

Email Security.cloud includes an email antivirus service (known as Email AntiVirus.cloud) 

that provides multi-layered protection to stop one hundred percent of known. The multi- 

layered architecture consists of proprietary Skeptic heuristic technologies combined with 

multiple commercial scanners.

149 

Email AntiVirus.cloud delivers ‘zero-hour’ protection by identifying and combating new virus 

threats in real time. Another unique feature of the service is a ‘link-following’ capability which 

utilises commercial scanners and Skeptic technology to check every URL within customers email 

for malware or virus-bearing destinations. The service is configurable, with a range of actions 

for identified viruses and malware. Support is offered for all email messaging platforms 

including Microsoft Exchange, Domino, Groupwise, and Linux. 

Email AntiVirus.cloud is backed by a Service Level Agreement that offers a performance 

level of of 99.999% 

Email AntiVirus.cloud and Email AntiSpam.cloud 


Email Security.cloud also includes an email AntiSpam filter service (known as Email 

AntiSpam.cloud) that provides customers with a proven, industry-leading spam filtering

150 

solution. The spam filter service uses multiple layers of protection including Skeptic heuristics to 

protect against both established and emerging spam techniques. Protection is provided by 

scanning within the email header, subject and body, as well as supported Microsoft ® Office, 

PDF attachments and compressed file types. Word list thresholds allow customers 

administrators to determine how often keywords or phrases can occur before a rule is 

triggered. The service also offers extended character list recognition of keywords or phrases in 

non-western characters so emails can be scanned for inappropriate content regardless of their 

geographical, cultural or linguistic source. Symantec.cloud scans email at the internet-level and 

blocks 99 percent of spam before it enters the customers network. 

See Figure 10 in ‘BT_PSNS_Appendix1_Award 

Questionnaire_SectionB_v2.0 graphics’ 

Email AntiSpam.cloud provides multiple layers of filtering. 

As a hosted solution, implementation of Email Security.cloud is a very simple and quick 

process. With no software or hardware to buy, install or configure the customer can achieve a 

simpler network with fewer servers/appliances. 

All Symantec.cloud services are provided at the Internet level and managed by the 

Contractor and Symantec.cloud. The customer can configure each service to suit organisational 

policies and needs. Symantec.cloud’s online portal, ClientNet, provides a single central location 

for the customer to access and control all of the information for their hosted services.

151 

The hosted service leverages an advanced cloud-based infrastructure consisting of 15 highly 

available data centres located across 4 continents. The data centres providing this global 

infrastructure footprint are load-balanced and housed in secure, well-established 

telecommunications centres located at major Internet exchange points. The load-balanced data 

centres make it possible for Symantec.cloud to handle Internet traffic spikes and to deliver 

redundancy and resilience. The Symantec.cloud servers also run at an average of 33 percent of 

their maximum capacity allowing for unexpected spikes in traffic. 

The Clientnet online portal provides the ability to centrally manage and control hosted 

services on site or from virtually any internet enabled location. 

See Figure 11 in ‘BT_PSNS_Appendix1_Award Questionnaire_SectionB_v2.0 

graphics’ 

The Email Security.cloud AntiVirus and AntiSpam services are configurable using the 

ClientNet interface. A range of actions are available for identified viruses and malware. The 

AntiSpam service enables the Customer administrators to select from custom and/or public 

block lists, as well as choose the appropriate actions for mail identified by these filters. 


152 

The ClientNet management interface allows for flexible AntiSpam and AntiVirus 

configuration 

ClientNet provides the Customer with a dashboard view providing summary data on how 

the service is performing such as levels of spam and viruses stopped. 

Once installed and configured to suit specific Customer requirements, the hosted services 

run in the background providing 24 x 365 protection. Symantec.cloud services will take care of 

all ongoing maintenance such as updates, capacity planning, and service performance. 

Continuous and automated hosted service updates help to eliminate the loss of the user 

productivity associated with downtime and reading and deleting unsolicited messages. 

Flexible Reporting 

Email AntiSpam.cloud comes with a range of flexible reporting options including dashboard 

summary, detailed, and scheduled reports. Reports can be scheduled for automatic delivery 

with selected data points, a PDF summary report can be downloaded, or detailed spreadsheets 

can be downloaded. 


153 

Reports display performance by service and are configurable to the user level 

for detailed per-user analysis 

Prevent data loss and reduce exposure to legal risk 

Email Security.cloud - Email Content and Image Control Services 

With the potential for confidential data loss to result in litigation, regulatory fines, or loss of 

reputation and business, Email Security.cloud aims to provide the Customer with reduced 

exposure to legal risk. The content scanning services also help to ensure that any of the 

Customers proprietary and confidential documents, content and images do not leave the 

organisation without authorisation or are mistakenly distributed to incorrect recipients. 

Delivered as hosted services, Email Content Control.cloud and Email Image Control.cloud 

solutions are quick and easy to set up, automatically updated and backed by a service level 

agreement. 

Email Security.cloud allows customisable control over all email content entering and leaving 

the Customer. The Content Control services allow the Customer to put measures in place that 

allow authorised users to receive and send sensitive content, while un-authorised users will be 

stopped at the network perimeter from either sending or receiving the same content. Email 

Image Control.cloud allows the Customer to create preventative filters to control and monitor 

intellectual property or confidential information contained in images or diagrams thus helping 

to safeguard the most valuable pieces of the Customers information from falling into the wrong 

hands. Flexible customisation of hosted service settings provides the Customer with the ability 

to enforce compliance with acceptable usage policies.

154 

Identify and block inappropriate email content and images 

Email Security.cloud uses content and image control services to provide protection against 

both email content and images of an offensive or inappropriate nature to ensure they do not 

reach user inboxes. 

The Email Content Control.cloud scans emails and attachments for confidential or 

inappropriate text-based content within emails and attachments sent or received by the 

Customers employees. Scanning and analysis is performed on all email components including 

the header, subject, email body and attachments. Comprehensive rule-building processes allow 

the Customer to quickly and easily establish policies and actions for matching email 

content. The service scans within subject, header and body as well as PDF, Microsoft ® Office and 

compressed file attachments. Content that matches the Customer created rules is subject to a 

range of configurable actions while approved messages pass through to their intended 

recipients. A customisable word list threshold allows the Customers administrators to establish 

how many occurrences of keywords or phrases must be present before a rule and action are 

applied. The service also provides extended character list recognition to allow for rules and 

actions to be applied to non-western characters. 

The Email Image Control.cloud service scans emails and attachments to identify, control and 

block inappropriate images contained within emails and Microsoft ® Office and PDF documents 

attached to or embedded in emails entering or leaving the clients network. Multi-layered 

technologies have been designed to detect adult or other inappropriate image 

content. Powered by an Image Composition Analysis scanning engine, the service is particularly

155 

suited for the detection of pornographic images. The service is highly configurable, allowing the 

Customer to determine sensitivity levels, actions and approved sender and recipient 

lists. Signature databases are also customisable to allow the Customers administrators to create 

local databases of images that are proprietary or specific in nature. An additional feature 

delivering further increased accuracy is the optional global image signature database. This 

database is submitted by the MessageLabs client community and maintained by 

Symantec.cloud. The feature offers the Customer access to a database of images that are 

emerging as newly discovered inappropriate images. 

Clean inboxes enable the Customers end users to remain focused on work and not 

distracting, offensive or inappropriate content and images. Email Image Control.cloud and Email 

Content Control.cloud services help to protect the users from offensive, unwanted images and 

content from both a productivity and legal perspective. 

S) Other Communication Services - Service Description for Firewalls, intrusion and spyware 

detection services 

The Contractors Managed Firewall service protects the perimeter of an organisation’s 

private network at the point it meets the Internet. It enforces their security policy, and ensures 

tightly controlled access from the Internet to their resources, according to the organisation’s 

needs – for example, public web servers, remote access for their users, etc. 

The operator provides protection for the organisation’s network

156 

The Contractor provides a range of offerings as part of its managed firewall service, from 

design and policy definition, through implementation, to full 24 x 365 proactive management, 

monitoring and reporting. The service is managed by highly specialised engineers and analysts in 

the Contractors accredited Security Operations Centres (SOCs). 

Firewall technology 

The Contractors Managed Firewall service uses technology from Check Point and Cisco. 

The service is based on dedicated hardware appliances that are specifically designed for this, 

in order to provide the most stable and secure solution. 

The service protects an organisation’s private network from Internet-sourced threats. 

Hackers download routinely available software and then scan organisations’ networks for 

vulnerabilities 

The Contractor recognises a balance is required when connecting to or through the internet 

so that the benefits can be realised whilst the risks are mitigated. To this end, great care is taken 

to understand each organisation’s business requirements and ensure these are implemented as 

best-practice configuration. Therefore the Contractor can define access permissions tightly and 

accurately. 

Key areas of firewall functionality include: 

o Site -to-Site IPSec VPNs: to establish secure connectivity between an organisation’s 

sites over the Internet; where this is a more appropriate networking option for the 

organisation than dedicated private network connectivity.

157 

o Remote Access IPSec VPNs: to provide access for an organisation’s users whilst they are 

away-from-base, to defined resources on their network. The Contractor will interface 

with each organisation’s authentication methodology – e.g. Radius. 

o DMZs (De-Militarised Zones): provide the best security for an organisation’s key 

applications, enabling them to be accessible from the Internet under tightly-defined 

conditions, whilst denying access from the Internet to other resources on their 

network. 

o Intrusion Prevention (Check Point SmartDefense): this is an option that will scan traffic 

for a range of known attack signatures, and deny that traffic where appropriate. 

CPE Options 

There are 3 CPE options, for Customers to choose from:- 

Contractor Takeover 

The Contractor can, takeover management and monitoring of certain customer installed CPE 

solutions. 

Client Owned 

The Contractor will provide the Customer with a specific CPE kit list which will meet the 

contractors standard solution designs, so that they can procure and purchase the CPE 

themselves. The Contractor will then install, configure and provide on-going management and 

monitoring of the solution.

158 

CPE Take Over 

The Contractor can take over the management / maintenance until the vendor no longer 

supports it. Maintenance for these devices is bought on a yearly basis, with the minimum 

contract being for one year. 

Features and benefits 

Features: 

The service includes expert deployment and is tailored to match each customer’s specific 

requirements. 

o Optimised policy configuration: the contractors experts specialise in firewall 

configuration and will implement best-practice approaches for security and technical 

performance. Firewalls are proactively tested as further assurance of security, both on 

set-up and following in-life changes. 

o Network configuration: the contractors managed firewalls will support multiple DMZs 

(“De-Militarised Zones”) to best-protect key applications, such as Internet-facing web 

servers. It will also provide a range of IPSec VPN options to enable secure 

communications over the Internet, for example with an organisation’s firewalls on other 

sites to create a private network, or to provide inbound remote access. 

o Service installation: The Contractor can deploy complex solutions to customers’ sites 

globally, with project management and service commissioning. 

� The contractors service includes management, as well as global 24 x 365 

support. 

o Service management: The Contractor’s accredited security team will proactively 

manage customers’ firewalls 24 x 365. The management processes include in-life policy 

updates and application patches. 

o Onsite support: The Contractor’s IT support partners can provide onsite attendance 

around the world, to replace faulty equipment and restore service. 

o Reporting: detailed reports can be accessed through a secure customer portal, 

providing information on system health and threat activity. These can be used to 

analyse user activity and provide assurance of hacking prevention. 

o Vendor relationships: The Contractor has strategic relationships with key vendors, 

enabling competitive pricing and the best support.

159 

o Flexible and scalable offerings: The Contractor offers a range of scalable, hosted or 

customer-premise solutions, designed to meet each organisation’s full range of 

requirements. 

o Service resilience and reliability: Our resilient solutions help protect against prolonged 

service downtime. 

T) Other Communication Services - Service Descriptions for authentication and access 

management services 

follows: 

The Contractor provides a number of authentication and access management services as 

o URU service 

o Fraud reduction service 

o Authentication management service 

o Bespoke professional services 

URU service 

The Contractors Assure URU service is an innovative web-based service to help 

organisations fight identity fraud and attempted money laundering. It provides an easy way to 

verify identity details taken from a variety of paper documents. This data is checked against 

some of the most comprehensive and reliable data sources available in the UK, in real time, 

providing an easy-to-understand response which can be used to decide whether to accept the 

consumer’s application.

160 

As the system is automated, the service avoids any lack of consistency due to the 

subjectivity of operatives. 

Key Features 

o easily-accessible online service, 

o securely hosted and managed by the Contractor. 

o compares submitted name, address and other consumer information (e.g. driving 

licence, passport details) against a wide range of databases, cross-checking the data 

o providing an easy-to-understand summary of the results, 

o Typically completed within 3 seconds per enquiry. 

Fraud reduction Service 

The Contractors Assure Fraud Reduction service is an automated fraud screening service, 

for alerting Customers in real time to the risks of payment transactions. 

It is provided as a web service that integrates directly with the Customers’ e-commerce 

application and provides risk scores alerting the Customer to accept, reject, or review the 

transaction. 

The service assesses the risk of a transaction by screening the transaction against the 

Customers’ fraud profile and validating information related to the consumer, the transaction, 

and past behaviours against third party anti-fraud services.

161 

Key Features 

o Contractor hosted service 

o Fraud profile against multiple anti-fraud services 

o Risk scores are returned to client 

The Contractors Assure Fraud Reduction works by taking the supplied and derived 

parameters associated with each transaction submitted to the online application and processing 

them through a series of rules and policy checks, each of them contributing to an overall risk 

score. The parameters examined will include: 

o the origin of the transaction (using IP geo-location) 

o the user’s transaction history 

o the device used to originate the transaction (using device recognition technology) 

as well as supplied parameters such as: 

o the card used in the transaction 

o the value of the transaction 

o the delivery address 

o the email address

162 

o the velocity of the transaction v’s earlier transactions from the same originator 

The context-based, fine-grained risk analysis allows the service to make intelligent real-time 

decisions about the risk associated with online transactions. Those determined to be ‘high-risk’ 

can be blocked, quarantined for later prioritised review, or automatically ‘stepped up’ to 

perform further validation of the end-customer’s identity details. Every risk-assessed transaction 

can be re-reviewed (prior to any goods being shipped or monies being paid out) via an online 

reporting and case-handling interface. 

Risk assessments are performed in real-time and based on user behaviour, location and 

device recognition as well as transaction-specific parameters, all of which are transmitted to the 

Contractors Fraud Reduction service in simple web calls. The Contractors Assure Fraud 

Reduction returns risk scores in real-time along with full details of how the risk score was 

determined so the customer’s application can make a fine-grained transaction handling 

judgment. 

The Contractors Assure Fraud Reduction works in collaboration with the Customer’s existing 

fraud tools such as Verified by Visa, MasterCard SecureCode, Address Verification Service, and 

CVV checks. 

The Contractor has built its solution around a service bus architecture. This means that the 

Contractor can add additional anti-fraud measures to the service as they become available, 

without impacting established customer interfaces. Currently the Contractor can include a risk 

assessment of the card used in the transaction, an identity verification check via the Contractors

163 

Assure URU and IP address geo-location checks. The service bus aggregates the returns from the 

services called to ensure that a single, comprehensive risk assessment is returned to the client 

application for every transaction. 

Authentication Management service 

The Assure Authentication Management service provides online authentication of one time 

passwords generated by software or hardware tokens. The service supports a range of one-time 

password tokens, including OTP via SMS, knowledge based authentication, image based 

authentication, and other authentication options. 

The Contractor provides a service for 

o issuing and managing strong authentication tokens; 

o the provisioning, rollout, end-customer issuance, and on-going authentication of both 

software and hardware tokens. 

The Contractor’s service uses ActivIdentity’s 4Tress platform. ActivIdentity provides access 

to a wide range of authentication mechanisms and supports channel by channel authentication 

policies. 

Key Features 

o The platform architecture is resilient and operates on a 24x365 basis. 

o Managed firewalls protecting all access to the platform.

164 

o Network-based Intrusion Detection (NBID) across all network interfaces to the platform. 

o Physically secure server farms. 

o Signature Host-based Intrusion Prevention (HBIP) across all platforms. 

o Hardened operating systems. 

o All operational and administrative access to the production platforms is carried out the 

Contractors staff and requires token-based 2FA authentication. 

o Tamper-evident audit logs. 

o Users access an individual customer instance of the authentication application with data 

held in separate backend schema on a per-customer basis 

o Assure Authentication Management is accessed using synchronous web-service calls. 

o Dedicated network connections option. 

The Contractor has capabilities in providing managed Single Sign-On Services and Federated 

Identity Management. The Contractors Identify Access Management services are consultancy 

and professional services led projects utilising ‘Quick Start’ assets. The Contractor has 

partnerships with several suppliers that include Oracle (Oracle IDM) and Computer Associates 

(CA Site minder).

165 

Key Features 

o A single Sign-on Service that allows access to customer secure applications that can be 

tailored for an individual customer or for a community of customers 

o Service designed to fulfil the Service levels for customers’ specific business 

requirements. 

The capability can provide application sign-on services for an individual enterprise or a 

community of organisations and users for single or two factor authentication including One 

Time Passwords. 

Federation services are capable of supporting the integration of different trust domains and 

supporting a range of industry standard federation standards e.g. Security Mark-up Language 

(SAML), WS-Federation and Liberty Alliance. 

U) Other Communication Services - Service Description for web and application sign on services 

services 

The Contractor provides the following services supporting its web and application sign on 

o Logical Access Integration 

o Single Sign On 

Logical Access Integration

166 

The Contractor’s Logical Access Integration service offerings are designed to consolidate the 

digital access components of an organisation's security infrastructure. 

The Contractor will ensure and enforce more consistent security policies throughout your 

enterprise, applications, desktops, PCs and remote workers, with a wide range of multi-vendor 

resources and capabilities. 

The service will Identify users and permit access or transactions. 

Logical Access Integration offerings provide both web-based applications and hardware 

backed by globally trusted identity and access management resources and expertise. 

Single Sign On (SSO) 

This is a managed service provided by the Contractor on a bespoke basis that reduces the 

number of passwords required, providing a single and secure access point to an organisation's 

applications. Single Sign On delivers: 

o Faster, easier and more convenient user access 

o Reduced incidents of forgotten passwords 

o Less costly intervention through the helpdesk 

o Increased security with improved provisioning and de-provisioning 

o Enhanced support for remote workers 

o Easier auditing of access controls for regulatory compliance

167 

The Contractor works with multiple suppliers to deliver a variety of SSO solutions. These 

include ActivIdentity, Oracle, Passlogix and Sun to ensure compatibility with an organisation's 

existing applications and desktop. This enables the following capabilities: 

o Enterprise Single Sign On: deploy SSO software to individual PCs to remember user 

names and passwords, particularly where applications cannot be easily web-enabled. 

o Web Single Sign On: a web-based service that creates a centralised repository of users 

and their authorisation details so organisations can manage access. 

o Federated Single Sign On: enables users to access resources located in other security 

domains or organisational domains. 

V) Other Communication Services - Service Description for mail and messaging services 

Secure mail 

The Contractors Assure Secure Mail is a subscription-based service that enables 

organisations to benefit from high-level email encryption technology without having to install 

complex software or hardware. The service supports commercial confidential email messages to 

any email address in the world, and enables secure intra-office communication. 

Integration 

The only software needed to install is the plug-in, which is compatible with Microsoft Outlook, 

Outlook Express and Lotus Notes email clients. It is a short integration process, and once 

installed, its single-click operation ensures that there is no need for complex training. Assure 

Secure Mail can also be used with a BlackBerry or similar portable device, so mobile workers can 

send and receive information securely.

168 

Managed infrastructure 

Encrypted messages are managed through a secure infrastructure platform. The number of 

service users can be increased or decreased by your system administrator.. 

Single click operation 

The ‘secure’ button, on the ‘compose’ screen of the email client, enables users to send 

encrypted mail to any other email address. Reading encrypted mail sent by another subscriber 

requires the user to. 

Message Pickup Centre 

Users receiving an encrypted email are instructed to visit the Message Pickup Centre. This is a 

secure website that requires the recipient to enter a unique password, which will then enable 

the recipient to read the encrypted message and view any attachments online. The Message 

Pickup Centre can feature corporate branding, and enables email users across the globe to 

receive messages encoded by Assure Secure Mail 

Assure Secure Mail is based on the industry-trusted standards PKI (public key 

infrastructure), X509 and S/MIME (Secure/Multipurpose Internet Mail Extensions). This enables 

it to support digital signatures for sender authentication, message integrity and non- 

repudiation, which is not possible with PGP (Pretty Good Privacy)-based services. 

Simple installation 

Installation of Assure Secure Mail across the customer organisation is delivered as a pre- 

packaged Microsoft Installer (MSI). The MSI can then be installed using common enterprise 

application management tools such as Microsoft SMS (Systems Management Server) or 

Tivoli.The software does not have to be installed on each machine separately, and has an

169 

automatic update function is builtin. User-controlled encryption 

The Assure Secure Mail enables the user to be responsible for their communications. 

End-to-end encryption 

Assure Secure Mail offers true end-to-end encryption. Messages must be secured on the 

desktop of the sender, and unlocked on the recipient’s computer. Continuous encryption is the 

rule, rather than the exception, so any stored messages must be decrypted each time they are 

read. 

Administration 

Administrators using a simple user interface can add, suspend, remove users, and view and 

manage credentials. Bulk enrolment across your enterprise is available using a CSV (comma 

separated value) file with the email address, first name and last name of the proposed users. 

Secure Content Management 

Available as an add-on to the service, Secure Content Management is designed to reside in an 

enterprise or hosted email messaging environment. A universal application programming 

interface for third-party email hygiene and filtering solutions enables scanning of both inbound 

and outbound encrypted messages. Plug-in extensions mean that individual hygiene and 

filtering solutions can be added quickly and efficiently. 

Message Exchange 

The Contractors Assure Message Exchange is a web-based service that provides a highly 

secure means of sending sensitive data to groups via email. It uses public key cryptography and

170 

digital signatures to ensure emails are not intercepted or tampered with in transit. Routing 

messages through this portal enables customers to safely share information with authorised 

colleagues, partner organisations, suppliers and clients across the globe. 

When a secure message is sent, recipients are notified with an alert to their nominated 

email account. Members can have their own personal Assure Message Exchange inbox, while 

non-members and recipients outside your organisation are directed to a secure message pick-up 

centre. Assure Message Exchange, has no impact on user desktops and existing email messaging 

services, and is ideal for closed user communities. 

A management console is available to system administrators to enrol or disable end-users 

and reset passwords. Assure Message Exchange can also be configured to give all users within a 

messaging community equal service feature rights. Alternatively, the service can assign certain 

end-users a reduced service, such as basic read-only access, at a reduced subscription rate. 

Becoming a member requires simple web registration. Once registered, users are assigned 

authentication keys to access. Assure Message Exchange. Members can: 

o Access their personal Message Exchange inbox by entering their email address and 

authentication password. 

o Use point-and-click folder navigation to compose and open encrypted messages. 

o Receive email notification in their inbox each time they are sent an encrypted message 

and simply click the link to be taken directly to the Assure Message Exchange portal. 

o Collect, reply, forward and store all their encrypted messages and attachments.

171 

o Send encrypted messages to non- Assure Message Exchange members, who are directed 

to a secure message pick-up centre to read and reply to the sender, depending on their 

Assure Message Exchange access rights. 

The Contractors Assure Message Exchange helps customers create a highly secure, 

collaborative environment for sharing confidential information electronically. Using data 

encryption techniques – including public key cryptography and digital signatures – and a secure 

web portal to send and receive private messages, customers can: 

o Set up group collaboration and communities of interest in which you can exchange 

information without risking data integrity. 

o Use strong password authentication and reminders to ensure confidential information 

does not fall into the wrong hands. 

o Ensure emails are tamper-proof using digital signatures that prevent sender identity 

spoofing. 

o Keep secure messages encrypted, even when they are stored in the Assure Message 

Exchange portal, preventing data leaks from internal or external threats. 

o Generate audit trails to review, track and monitor Assure Message Exchange 

communications to comply with data security regulations.

172 

Assure Message Exchange is available as an on-premise or managed and hosted service. 

Requiring no end-user training, its flexible management console and easy-to-use web portal, 

enable customers to: 

o Assign hub community members full service privileges while restricting spoke users to 

read-only or reply-to-sender rights. 

o Deploy secure service quickly with bulk enrolment options for large user groups, while 

easily expanding or reducing the user base as required. 

o Rely on redundant hosted capabilities to enable uninterrupted service. 

o Increase brand recognition with a service that can be branded with customer logo 

throughout. 

Enables the exchange of confidential information with colleagues and clients without 

putting data integrity at risk. Assure Message Exchange uses trusted public key infrastructure 

and secure/multi-purpose Internet mail extensions that enable communities of interest to: 

o Keep private data secure: send sensitive information by email to interested parties 

through a secure encryption service to safeguard data. 

o Prevent unauthorised access: mitigate the risk of internal and external threats to data 

security with password protection of encrypted emails. 

o Know who you’re dealing with: ensure emails are sent to and received from authorised 

users with digital signatures that authenticate sender identity.

173 

o Encryption best practice: protect the privacy of confidential emails, even when “at rest” 

in the mail store, as data remains encrypted. 

o Meet compliance regulations: safeguard corporate intellectual property and 

use clients’ private information responsibly. 

o Gain a competitive edge: increase data security to improve brand reputation. 

o Reduce operational costs: email sensitive data instantly and with confidence, 

eliminating communication delays and the need for couriers or postal services. 

W) Other Communication Services - Service Description for real time information services 

The Contractor’s IPTV service consists of the following components: 

o Acquisition and encoding of real-time TV signals from Terrestrial TV, Satellite and Private 

sources 

o Transmission of live video from outside events and press conferences 

o Provision of private and temporary TV studios, including production facilities and 

experienced staff 

o Encoding of video into live streaming formats including Windows Media and live MPEG-2 

Transport Stream (MPEG-2 TS) 

o Quality of Service engineering of existing IP networking equipment

174 

o Video recording and storage, including content distribution for replay 

o Provision of websites for both internal and external use containing live video 

The Contractor will provide service using equipment from Cisco and Motorola. 

The Contractor can also supply, via reseller agreements with major providers, News and 

Financial Information Services delivered in real time over high performance dedicated 

infrastructure. 

The Contractor can design and operate custom build XML based services reporting on Real 

Time information feeds available to the Contractor and or the Customer. These can include 

Twitter and RSS feeds. 

X) Other Communication Services - Service Description for desktop messaging 

The Contractors Secure Message Exchange (SMX) is a web-based portal that allows 

communities of interest to exchange information privately. The messages use trusted Private 

Key Infrastructure (PKI) and Secure Multipurpose Internet Mail Extensions (S/MIME) for 

encryption and digital signatures. 

o Registered members of SMX can securely send, receive and reply to encrypted 

messages, including data attachments 

o Non-members receive and reply to encrypted messages via a secure web-based message 

pick-up centre

175 

o SMX members are notified once they receive an encrypted message via email 

The messages stay encrypted when stored on the SMX web based portal. Messages are 

digitally signed, such that a user can be sure that the message has originated from the right 

person. The logging facility enables messages to be tracked back to their originator, confirms 

that the message has been read and allows searching based on dates, times and subject. The 

service also allows users to confirm that their message has been received and read. A key 

escrow facility allows administrators to recover the encryption key of staff who are no longer 

employed. 

SMX is a “Cloud” Solution that does not require any additional client software or hardware. 

The enrolment process involves the administrator sending an email request for enrolment to the 

user. The user then self-enrols from a web interface. Users can be enrolled in bulk with groups 

pre-set up for distribution within communities. 

The appearance of Secure Mail can be modified to display the Customer’s logo and branding 

Direct communication between client and user within a branded environment. 

Y) Other Communication Services - Service Description for messaging via email, SMS, pager and 

mobile or fixed line telephone 

The operators integrated SMS Hubbing is a service for mobile operators to exchange 1 way 

machine to peer and 2 way person to person SMS. Traditionally mobile operators have needed 

to sign individual interconnect agreements in order to exchange international SMS, but by

176 

interconnecting with an SMS Hubbing partner, customers can benefit from the range of 

connectivity using just a single agreement with the Contractor. The Contractor is also able to 

manage these relationships on behalf of the customer. The Contractor will sell SMS Hubbing as a 

White Label Service in partnership with Tyntec. 

This outbound SMS service provides reliable and secure SMS sending to practically all GSM 

networks worldwide through a single messaging interface. 

The Contractor’s SMS Hubbing service provides bulk handling of text messages to multiple 

mobile service provider networks. The messages can be sent via Short Message Peer to Peer 

Protocol (SMPP) or via a web browser interface. 

The service comprises: 

o 1-way service to mobile. 

o 1-way service from mobile 

o 2-way service for interactive applications. 

SMS Hubbing can also be combined with the Contractor’s One Managed Microsoft service to 

create bespoke solutions covering a variety of communications channels. 

Target consumers: 

SMS MT (one way messaging)

177 

1. Anyone who is interested in increasing their international footprint and in parallel creating 

revenues with their subscribers by offering quality SMS – without worrying about the 

logistics needed to provide such a service 

2. Targets: Carrier for reselling to Enterprises (e.g. Banking, Airline area), Aggregators, 

Marketing campaign companies, Mobile Network Operators (MNOs) and Mobile Virtual 

Network Operator (MVNOs) 

3. Operators and Aggregators need reliable sending facilities, insight into the transmission 

path and clear status feedback for every message sent 

SMS IMT (two way messaging) 

1. Large Carriers seeking a cost effective alternative to the maintenance of countless roaming 

agreements for SMS 

2. Carriers facing interoperability due to inter standard roaming and/or Mobile Number 

Portability (MNP) 

3. New entrants seeking operability right away 

4. Targets: MNOs, MVNOs, Carrier for reselling 

5. Operators need a reliable hub to connect to – with standardised access points and an easy 

to manage tool for setting up connections including checking the status of existing 

connections 

Contractors capabilities

178 

SMS MT 1 way 

o TynTec’s platform has proven reliability throughout its 6-year existence and billions of 

SMS sent / received to >300 customers across vertical sectors worldwide 

o TynTec can provide message status feedback for all stages of the sending process 

o TynTec’s messaging platform provides 1 interface (available for HTTP or SMPP) realising 

1 contract and 1 bill for reaching 540 networks 

SMS IMT 2 way 

o TynTec’s Hubbing platform offers SS7 or SMPP access and a web-based connection 

control portal 

o TynTec’s Hubbing platform provides 1 interface = 1 contract = 1 bill – for reaching 508 

networks TynTec supports Hubbing customers with customised reporting for all aspects 

of message handling 

o MNOs and Carrier may combine IMT and MT to optimise the coverage 

o Genuine GSMA OC-compliance 

o Maximum 2-way coverage by peering with other SMS hubs 

o Only successfully delivered SMS are invoiced 

o Only outgoing SMS are invoiced

179 

o Using sophisticated Anti-Spam filtering, using Tyntec’s unique and individually written 

software 

o SMPP / SS7 conversion provides flexibility 

o Large scale SMS messages can be sent within low latency times 

o All message types and all originator types are supported within all networks 

o Delivery Receipts are provided for each message in real-time, sourced directly from the 

handset. 

o Full Mobile Number Portability check is already included in this service. All messages 

reach their destination, regardless of the existence of ported numbers 

o Reliable, secure carrier-grade service, minimal configuration changes à Short time to 

market 

o Web-based portal allows an easy partner management 

o Provide SMS Hubbing solution to customer without additional investment 

o High quality SMS Hubbing for customers 

Z) Other Communication Services - Service Description Secure File Transfer

180 

The Contractors managed Secure File Transfer Service uses the MOVEit solution from 

Ipswitch. The Contractor has a partnership agreement to deliver manage and supply solutions 

and service in partnership with Ipswitch 

Services offered: 

MOVEit EZ® is a unique secure transfer client that moves files on a scheduled, automated, 

firewall-friendly basis between Microsoft Windows Vista Business Edition, 2003, XP, 2000, ME, 

and NT desktops and a MOVEit DMZ secure transfer server, with minimal user involvement. 

MOVEit EZ uses of the HTTPS (HTTP over SSL) protocol enables MOVEit EZ to communicate 

through a single firewall port (443). This is the same port that Web browsers use for secure 

connections, so it is almost always open. 

MOVEit EZ is easy-to-install, easy-to-use, and easy-to-support. 

The MOVEit Central solution manages workflow and allows for machine to machine 

transfers, this includes the moving of files between the different MOVEit DMZ servers for the 

different impact levels. MOVEit DMZ provides person to person ad-hoc transfers initiated via a 

web interface or through Microsoft Outlook integration. 

MOVEit DMZ server, MOVEit Central super-client, and the other clients that make up the 

MOVEit secure transfer, processing, and storage software family are described below. The 

solutions are MOVEit DMZ and MOVEit Central, which work together. 

MOVEit Central Super-Client is an enterprise transfer and processing engine. IT staff use it 

to pull, process, and push files on an automated, scheduled, event-driven or on-demand basis

181 

between internal and external systems, including MOVEit DMZ. This is done using easily created 

tasks (no scripting or programming required) that can move files with a variety of secure and 

other methods, and that can automatically process the files using built-in functions and custom 

VBS scripts. 

MOVEit DMZ Server is an enterprise secure transfer and storage portal. 

Programs and users can securely exchange files, messages, and Web postings through MOVEit 

DMZ, which encrypts and securely stores them until picked up. MOVEit DMZ enables uploads 

and downloads by MOVEit and third-party clients.

182 

MOVEit Central Features 

o Task and event driven automatic “pull, process and push” files between internal and 

external systems, including MOVEit DMZ servers 

o Secure including FTP over SSH2 (SFTP), FTP over SSL (FTPS) for TLS-P, TLS-C, and IMPLICIT 

transfers (including Passive and encrypted transfers to/from NAT networks), HTTP 

(HTTPS), and S/MIME encrypted email. MOVEit Central also offers optional secure file 

transfers using AS1 (SMTP/POP3), AS2 (HTTPS) and AS3 (FTP and FTPS). 

o PGP Option to encrypt, encrypt and sign, decrypt and manage keys using a built-in, 

commercial PGP software module licensed from Veritas. 

o Remote Administration using MOVEit Central Admin program, 

o Email Notification 

o Encrypted Storage of user names, passwords, and VBScripts using the strong 256-bit AES 

encryption in its built-in FIPS 140-2 validated cryptographic module. 

o Comprehensive Audit Trail 

o API Interface Option 

o Failover Option 

MOVEit DMZ Security Model

183 

This Contractor Service offers FIPS 140-2 Validation. Files, messages, passwords, and other 

sensitive data handled by MOVEit DMZ are protected by its built-in FIPS 140-2 validated 

cryptography. 

o Encrypted Storage. Every file and message handled by MOVEit DMZ is securely stored 

using its strong, built-in, FIPS validated 256-bit key AES encryption. 

o OS Security Independence. 

o End-to-End Encryption 

o No Push Capabilities. By design, MOVEit DMZ cannot push files to other systems. 

o No Open Ports 

o Tamper-Evident Audit Trail. 

o tight administrative control over what each user can 

MOVEit DMZ Server Features 

o MOVEit DMZ provides a secure exchange-point through which a Customers internal and 

external users and systems can exchange files and messages using Web browsers and 

MOVEit and third-party AS2, AS3, HTTPS, FTPS, and SFTP/SCP2 secure file transfer 

clients 

o Multi-Factor Authentication using passwords, SSL hardware and software certificates, 

SSH Public keys (“fingerprints”), and/or IP addresses/address ranges.

184 

o File Non-Repudiation using sender and recipient authentication, and FIPS 140-2 

validated SHA1 integrity checking of each file exchanged with MOVEit DMZ 

o Guaranteed Deliver which includes Non-Repudiation and automatic retry of transfers 

o Email Notification 

o User Groups and Group Admins 

o Comprehensive Trail based on secure records 

o Reporting Capabilities including 90+ pre-defined, customizable reports 

o External Authentication option 

o Secure Messaging option 

o API Interface option. 

o Multiple Organizations option 

o Multi-Lingual Interface option 

o High Availability option. 

MOVEit DMZ Microsoft Outlook integration 

The Ad Hoc Transfer module enables secure person-to-person file transfer using the 

convenience of a Web browser or Microsoft Outlook. Authorised MOVEit DMZ Enterprise users 

can send files to anyone in the world with an email address – quickly, easily, and securely.

185 

AA) Other Communication Services - Service Description Unified Communications 

The Contractors Unified Communications and Collaboration based on Microsoft technology 

enables collaboration more efficiently with employees, suppliers, customers and business 

partners. By enabling the communications infrastructure, mobility, desktop and applications to 

work together, users can take part in almost any kind of communication, with anyone, at any 

time. The Contractor possesses the blend of skills and expertise required from both the IP 

communications and IT services worlds, for truly unified communications. 

The contractors Gold Partner accreditation with Microsoft enables us to provide a tailored 

and flexible service to meet a customers specific requirements. 

Microsoft BPOS provided by the Contractor and the Contractors MS Managed Services 

provides a fully integrated array of communications services, including: 

o Office Communications Server: provides instant messaging and presence as well as VoIP 

(voice over Internet Protocol), and audio, video and web conferencing. It is a secure, 

scalable, enterprise-grade service that seamlessly integrates with other Microsoft 

products.

186 

o LiveMeeting: enables multiple users to participate in online meetings, training and 

events using interactive tools that integrate with existing systems and productivity 

applications. 

o Microsoft SharePoint: provides an intelligent portal that connects users to enable more 

efficient working and distribution of information throughout the 

customers organisation. It also integrates information from various systems into one 

service through federation services and enterprise application integration. 

o Microsoft Exchange Server 2007 (or later) Unified Messaging: delivers all messages, 

including voicemail, email and fax messages, into a single mailbox. 

The Contractor is an early adopter of Microsoft Lync and is deploying Microsoft Lync 

managed services 

The Contractor and Microsoft combined solutions are supported by the Contractors Unified 

Communications and Collaboration (UCC) Professional Services. This enables the Contractor to 

offer a comprehensive UCC service. The Contractors UCC Professional Services include: 

o Contractors UCC Quick Start service: provides customers with the right tools to embark 

on the road to unified communications and collaboration.

187 

o Audit and performance analysis: The Contractors specialists assess the 

customers specific requirements, develop a tailored roadmap, leading to pilot 

implementation. 

o Design, implementation and integration: following the pilot implementation, the 

Contractor can further customise Microsoft products to meet the customers specific 

infrastructure, directory, platform and voice integration requirements. 

o Project management: critical for a successful implementation and on-going 

maintenance. 

o User training and adoption: training to achieve appropriate training level and skills and 

develop maximum return on investment. 

o Business Premium Care: provides maintenance and support services from the 

Contractors UCC professionals and can include an engineer permanently on site. 

Key benefits 

Opting for tailored applications enables the following: 

o Integration a range of UCC applications throughout the customers organisation via the 

contractors implementation services. 

o Control of communication technology through transparent, collaborative approach to 

systems reporting and management.

188 

o Benefit from the Contractors Business Premium care service, providing maintenance and 

support services from experienced UCC professionals. 

o Seamless communications by consolidating the customers existing systems into one fast, 

easy-to-operate, Microsoft-based package. This can include voice, email, calendaring, 

instant messaging, presence and audio, video and web conferencing. 

o Improved ability to respond via various communication forms through converged voice 

and data. 

o Quickly solve any problems with the Contractors one-touch service desk manned by UCC 

professionals experienced at supporting Microsoft products. 

BB) Sustainability Services 

The Contractor provides two core Sustainability packages: Equipment And Power Efficiency 

Package; and Efficient Working Package. 

Equipment and Power Package - In totality the equipment and power in Lot 1 can add up to 

a substantial environmental footprint. The Contractor's solution and product portfolio for Lot 1 

is designed to reduce carbon emissions where possible and adhere to a 'zero to landfill 

policy.' Products and services in the Contractor's supply chain are strictly vetted to ensure 

compliance to Sustainability standards and codes of practice where they apply (e.g. EPEAT, 

Energy Star, ISO27001).

189 

Efficient Working Package -The Contractor recognises under Lot 1 that many of the services 

offer opportunities to improve HMG's Sustainability Performance. The Sustainability Services 

described below are available to the Customer across the engagement lifecycle as professional 

services or as part of an on-going customer engagement dialogue. 

Services - The Contractor offers a range of Sustainability Services, the scope of which are 

agreed on a case-by-case basis to accommodate the specific requirements of the Customer 

under each call-off. These include:- 

o Inventory Carbon Footprinting: the Contractor has developed methodologies and tools 

to estimate the use-phase and embodied carbon emissions of equipment supplied 

under the contract. Reports can be provided on a periodic basis (e.g. annually) giving 

insights into the carbon profile of the solution over time and identifying carbon hot 

spots worthy of more attention. Similarly, where taking responsibility for or replacing a 

legacy service the Contractor may be able to offer a carbon footprint analysis of the old 

versus new services. 

o Service Carbon Footprinting: the Contractor is able to offer full service carbon 

footprinting, and estimate the carbon emissions associated with the use of shared 

network services and operational activities including planning, building, 

maintaining/supporting and customer services in addition to those associated with the 

equipment inventory. 

o Carbon Impact Assessments / Sustainability Impact Assessments: the Contractor’s 

Sustainability Consultants are able to work with customers to assess their wider

190 

business operations and identify opportunities to reduce their carbon emissions and/or 

improve their sustainability performance through deployment of additional IT services. 

o Redundant Equipment Recycling Services: the Contractor is able to offer secure recycling 

of redundant equipment, balancing the need to minimise environmental impact with 

the removal of data. Where reuse is not an option due to data security issues, assets are 

recycled with typically 99% reconstituted into raw materials and zero landfill achieved 

through incineration of the remaining materials. The recycling service will comply with 

both the Environmental Protection Act and the Data Protection Act, along with the 

WEEE Directive, ISO 9001, ISO 14001 and ISO 270001. 

Relating to the provision of all elements: 

Contracting Options 

The Contractor offers a range of contracting options to supply Communication services. The 

Contractor recognises that some organisations regard IT as strategically core to their business and insist 

on an in-house capability whilst other organisations regard IT as non-core and have a preference to out- 

source. The Contractor has therefore structured its portfolio to cater to the contracting needs 

demanded by the varying requirements within the market place. 

The Contractors capability covers the following procurement options to meet the differing needs of 

customers within the Public Sector. 

3 rd Party Product Supply

191 

3 rd party HW and SW sourcing and delivery which takes advantage of the 

Contractors existing negotiated pricing. 

Professional Services (Rate Card or Fixed Price) 

Project Management (Prince2) and Programme Management 

Solution Planning and Design and Design Assurance (TOGAF) 

Field Force Deployment – Selection of; Basic Cleared (BC), Security Cleared (SC) 

and Developed Vetting (DV) personnel. 

Testing and Commissioning 

Customisable design, delivery and maintenance of service for bespoke solutions. 

Customer Support for Enterprise Bespoke Solutions (Input based pricings) 

Maintenance (Break and Fix) – geared to Time to Repair – and a Basic Cleared 

(BC), Security Cleared (SC) and Developed Vetting (DV) Field Force. 

Dedicated On-site Support – performing maintenance, moves and changes, 

patching and re-configuration. 

Proactive CPE Remote Monitoring (IL2 to IL6) 

Service governance (ISO 20000 principles) model – dedicated or shared resource 

model

192 

Agency Management – providing a menu of Governance Functions (Cost Plus) 

Bill Payment 

Licence management 

Full service/asset inventory management – including reconciliation management 

Supplier optimisation services 

Service Governance – ISO 20000 principles 

Managed Enterprise Service (Output and performance based pricing) 

End-to-end service management governed to ISO20000 principles – IL0 to IL6 

Customised bespoke SLA derived architecture 

Contractor owned Assets – typically dedicated to one customer 

Core elements hosted in either the Contractors or the Clients Locations. 

Hosted Services (Commoditised Pricing) 

End-to-end service management governed to ISO20000 principles 

Common Service Level derived architecture 

Contractor owned Assets – shared by 2 or more customers 

Core elements hosted in the Contractors Locations

) 

) 

) 

) 

) 

The table below is a summary of the commercial options that apply to Lot 1 

Capability 

a 

b 

c 

d 

e 

193 

Voice Access 

Voice Call 

Packages 

Voice Minutes 

Premium Rate 

Numbers & Non- 

Geographic DDI 

Numbers 

Call Preference 


Party 

and 

3 rd 

Product 

Supply 

Yes 

Yes 

Yes 

Yes 

Yes 

onal 

Professi 


mer 

Custo 

Support 

for 

Enterprise 

Bespoke 

Solutions 

Agency 

Management 

ged 

Mana 

Enterprise 


sted 

Ho 

Service

) 

) 

) 

) 

) 

) 

) 

) 

) 

f 

g 

h 

i 

j 

k 

l 

m 

n 

194 

Smart Numbers 

Traditional Voice 


IPT Services 

118 Directory 

Enquiries 

Audio 

Conferencing 

Desktop Video 

Conferencing And 

Collaboration Tools 

Web Conferencing 

Managed 

Streaming 

Internet Service 

Yes 

Yes Yes Yes Yes Yes 


Yes 






s 

s 

s 

s 

s 

s 

s 

Ye 

Ye 

Ye 

Ye 

Ye 

Ye 

Ye

) 

) 

) 

) 

) 

) 

) 

) 

o 

p 

q 

r 

s 

t 

u 

v 

195 

Co-Location And 

Hosting Services 

On-Line Storage 


Antivirus Services 

Email Scanning 

And Filtering Services 

Firewalls, 

Intrusion And Spyware 

Detection Services 

Authentication 

And Access 

Management Services 

Web And 

Application Sign On 


Mail And 

Messaging Services 









s 

s 

s 

s 

s 

s 

s 

s 

Ye 

Ye 

Ye 

Ye 

Ye 

Ye 

Ye 

Ye

) 

) 

) 

) 

a) 

b) 

w 

x 

y 

z 

a 

b 

196 

Real Time 

Information Services 

Desktop 

Messaging 

Messaging Via 

Email, SMS, Pager And 

Mobile Or Fixed Line 

Telephone 

Secure File 

Transfer 

Unified 

Communications 

Sustainability 


Migration Services 






Yes 

The Contractor offers a range of migration services that supports a client moving from one service 

model to a new service model. These include both Transition and Transformation Services. 

s 

s 

s 

s 

s 

Ye 

Ye 

Ye 

Ye 

Ye

197 

Transition Services – The take-on and operation by the Contractor of an existing 

service model. Typically either an in-house service model or one supplied by 

another operator. This would include: 

o Elements of Agency Management 

o Transfer of in scope staff (TUPE) 

o Knowledge Transfer 

o Processes and procedures(Service, commercial, finance) 

o Technical and Infrastructure 

o In-Flight Projects and Service take-on 

o Elements of a Managed Enterprise Service Model 

Transformation Services - The move from an in-house or other operators service 

model to a Contractor Managed Enterprise Service or Contractor Hosted Service. 

Service Management Capability 

An effective service management operation will provide the basis and the foundation that shall 

ensure that users are supported during the transition process to a Contractor supplied service and that 

they are migrated effectively into business usual service operation. The Contractor provides a range of 

Service Management options to address the needs of customers of varying scale and complexity. The 

Contractor is compliant with the framework principles of ISO20000 and aligned to ITIL v3 best practice.

198 


The Contractor offers a service management capability to support its PSN services. 

Contract and Service Governance 

Service Desk 

Service Availability 

Service Transition and Transformation 

Management Information (MI) 

Contract and Service Governance 

The function of the Contract and Service Governance Team is to ensure services are delivered in 

accordance with our framework and call-off commitments. This would cover: 

Contract Assurance ensuring the service is delivered to the agreed terms 

Design Assurance ensuring the underlying platform Solution supports the agreed 

functional requirements and conforms to agreed standards 

Delivery Assurance ensuring the service is deployed in line with our committed 

delivery time-line 

Service Assurance ensuring the supplied operating model fulfils our service 

management commitments

199 

Security Assurance ensuring the service is compliant with all agreed security 

standards 

The Contractor has a global team of Service Managers that work on accounts where customers opt 

for a ‘managed service’. Service Managers manage the day-to-day relationship with our customers. 

They take overall responsibility for customer satisfaction, with responsibilities including: 

Monitoring service performance 

Major incident management and escalations 

Service development plans & other service documents 

Support for new business and change requests 

Continual development of customer experience 

The Contractor offers a range of Governance Options over and above that provided as standard. The 

range offered under this framework includes: 

Hosted Services The Contractors Central PSN Contract Team 

Agency Managed Services Shared Contract Team 

Bespoke Enterprise Services Shared or Dedicated Contract Team 

Managed Hosted Enterprise Shared or Dedicated Contract Team



The Contractors service desk is able to process both incidents and operational change across 

the range of contracting options. The key attributes of this capability are as follows: 

200 

Front-line capability – 1 st line staff with sufficient knowledge to resolve up to 90% 

of service issues and up to 100% of standard service changes. 

First line capability with access to, and in some cases co-located with, 2 nd and 3 rd 

line specialist skills – capable of dealing more complex incidents either within one 

service (2 nd line) or across a range of services (3 rd line). 

Shared Service Desks: 

o serving multiple customers over a narrow range of services – typically for 

Hosted Services 

o serving a limited customer set over wide range of services – typically of 

Enterprise Bespoke or Agent Management services 

Service Desk access ranging from 8x5x250 to 24x365, depending upon the 

requirements of the customer 

Multi-channel interface for raising incidents and changes and receiving updates, 

including by telephone, fax and online.

201 

Escalation chains for customers to use if they are unhappy with the progress of 

their change or incident 

For Hosted services our service desk will have direct access to our Service Operations Centres (SOC) 

who provide a 24x365 platform monitoring capability and specialist technical support capability. The 

SOC will provide support to the Service Desk for the resolution of in depth incidents, and the pro-active 

monitoring and maintenance of the network 

The Contractors SOC will be responsible for the day to day management, administration and 

operation of our shared platforms that support our Hosted Services: 

monitoring of the performance and integrity of the systems to ensure the Service 

Levels are being met 

proactively monitoring all Communication Services Equipment to ensure that it is 

in good working order including, but not limited to, the identification of any 

security, capacity and availability related incidents and problems 

investigating alarms raised and undertake remote diagnosis and corrective action 

platform Administration covering housekeeping and routine maintenance

The Contractors standard service levels are as set out in the table below. Bespoke arrangements 

can also be made to cater for customers who have different requirements or who require a dedicated 

service desk. 

PSN 


levels 

202 

Maintenance Respon 

Level 1 Business Premium 

Care 

se Target 

Fix 

Target 

2 Hours 5 

hours 

Level 2 Business Care 2 hours 8 

Hours 

Level 3 Standard Care 4 hours 18 

Addition 

al options 

available on 

request 

Service Availability 

hours 

Hours of Operation 

24x365 

Mon-Sun including 

Bank Holidays 

08:00-21:00 

Mon-Fri 

08:00-17:00

The Contractor offers a range of service performance measures and service credits to accommodate 

varying Customer requirements: 

Hosted Services are based on a mixture of 

availability and/or time to repair measures 

Agency Managed Services are as that agreed 

directly between the customer and supplier. 

Managed Hosted Services and Bespoke 

Enterprise Services are based on a mixture of 

availability measures (for Core Services) and repair 

time measures (for end-user services). These tend 

to be more varied than that for Hosted Services 

Reporting 

203 

Typically availabilities of 99.75% to 99.9% 

measured over a 3 month cycle 

Target levels are agreed between the 

parties in an appropriate format. 

Typically availabilities of 99.5% to 99.99% 

measured over a 3 month cycle 

The Contractor offers a range of reporting options that can be accessed on-line or delivered 

periodically. Online delivery is via a portal that can also be used to view progress of incidents and 

changes. 

This reporting is able to address: 

Service Performance and Major Incidents 

Inventory of Services

Business Continuity 

204 

Service Usage 

Service Utilisation 

Service Charging 

The Contractor is aware that the physical, logical, and operational threats to businesses arise from 

three main sources: 

o Acts of nature - such as fire and floods 

o Accidents - such as plane crashes and system failures 

o Deliberate acts - such as terrorism, theft and industrial action 

Each business will have its own particular set of potential threats to continuous operation, but all of 

these issues have the potential to cause serious disruption, no matter the size of the organisation. 

The Contractor’s propositions 

The Contractors analysis of customer needs across all industry sectors indicates strongly that in 

order to thrive in the digital networked economy, every organisation has to have a strategy that will 

address security in three key areas of its business. These are: 

o Networks and IT infrastructure - Businesses today are highly dependent on their networked 

IT/ICT infrastructure to provide services to their customers, partners and suppliers, as well as to 

support their internal processes. 

o Applications and information - Businesses must ensure that information (and the applications 

that use it) is accessible and usable by authorised entities, on demand, and without undue 

delay.

o Compliance and governance - Governance, legal and regulatory pressures are compelling 

businesses to provide transparency and accountability. 

Making full use of the combined global resources, delivery capabilities and assets the Contractor has 

developed business focussed, repeatable propositions in each of these areas. These propositions are 

designed to help customers meet the challenges of securing their businesses and achieving compliance 

across the organisation, in a cost-effective and efficient manner. 

205 


In terms of Business Continuity, the Contractor offers networked solutions that help prevent 

downtime and serious disruption to mission-critical business processes. Our solutions help ensure that 

networked IT assets and infrastructure are available to authorised users at all times – on demand and in 

a cost effective, efficient manner. The Contractors approach to BCM is very much a consultative process, 

which works in line with the Business Continuity Management Lifecycle from the Business Continuity 

Institute Good Practice Guidelines. 

The Contractor provides operational resilience and risk management by addressing all the layers of 

a client’s business environment, including: critical processes, networks, platforms, data and applications, 

and crucially, the people involved at each layer. Our services are scalable, recoverable, secure, and 

designed to meet industry, governmental and global compliance requirements. 

The Contractor applies this methodology to the provision of its own products and services.

Suppliers and Partners 

The Contractor has relationships with existing Suppliers and Sub-Contractors who assist in the 

delivery of services throughout the response. 

These include:- 

Lot 1 - Technology & 

Service Partners 

206 

Typical Role 

Avaya (and Nortel) o Voice Equipment (IPT) Solutions and Services 

o Network Equipment Solutions and Services 

o Network Security Equipment Solutions and Services 

Cisco o Voice Equipment (IPT) Solutions and Services 



o Storage Area Network Equipment (IPT) Solutions and Services 

o Unified Communications solutions 

o Desktop Conferencing Applications 

o Desktop video 

o Video Conferencing integrator range 

o Profile all-in-one Video Conferencing units 

o Telepresence immersive range

207 

o Infrastructure: bridges, gateways, management, firewall traversal 

Genband o Voice Equipment (IPT) Solutions and Services 

Lifesize o Desktop Conferencing and Unified Communications solutions 



Microsoft o Unified Communications solutions 

Other Mobile 

Operators 

o Exchange Software 

o Operating System Software 

o Security Software 

o Web Services Software 

o Fixed-To-Mobile (FTM) Gateways 

Polycom o Desktop Conferencing and Unified Communications solutions 



o Media Centre all-in-one Video Conferencing units

208 

o Immersive range including OTX and RPX 

o Infrastructure : bridges, gateways, management, firewall traversal 

Siemens o Voice Equipment (IPT) Solutions and Services 



Symantec o Internet Security Software, Solutions and Services

Cable&Wireless Worldwide 

The Contractor where required and agreed with the Customer in the Call Off Order shall 

provide the supply, installation, maintenance, technical architecture and system design, project 

management, and support for equipment, commodity and managed service of all the 

Communications services relevant to the scope of Lot 1 as described in the table below; 

The following table shows the Contractors service description relevant to the scope of 

services within the Communications service Lot 1. 

Scope 

209 

Lot 1 – Communication Services 

IP based voice services, desktop 

messaging; messaging via email, SMS, 

pager and mobile or fixed line telephone 

The Contractors Corresponding 

Service Description 

CAAS) 

IP based voice services IP Trunk 

Voice call packages; voice minutes TDM Voice 

DDI, premium rate numbers; non- 

Managed Telephony (MIP PBX & 

geographic numbers Inbound Call Management 

Traditional TDM based voice services PBX Maintenance

210 

118 enquiries Directory Enquiries and Operator 

Audio conferencing, desktop video 

conferencing, web conferencing Audio & Web Conferencing 

E-Mail Services, messaging services Mailbox Service 

Collaboration tools, desktop 

messaging; messaging via email, SMS, 

pager and mobile or fixed line telephone Collaboration 

Website services; co-location and 

hosting; on-line storage Hosting 

E-mail scanning and filtering Security - E-Mail Filtering 

Authentication and access 

management, web and application sign 

on services 

Firewalls; intrusion, antivirus and 

spyware detection 


Security - Managed Authentication 

Security - Managed Security 

Infrastructure Service 

Security services and antivirus Security - Protective Event 

Monitoring Service

211 

Security services Security Practice 

Internet services Internet 

Application acceleration APM 

Real time information services and 

messaging via email, SMS, pager and 

mobile or fixed line telephone STORM 

The Contractor can provide a number of Services described below. These Services can, 

where feasible and applicable for the Service, be offered at IL0, IL2, IL3 and IL4, where required 

and agreed with the Customer in the Call Off order. 

MANAGED TELEPHONY (MIP-PBX) SERVICE OVERVIEW 

This Service Description covers the Contractor’s Managed IP-PBX (MIP-PBX) service. MIP- 

PBX offers Customers their own dedicated platform(s), hosted on their own premises or in the 

Contractor’s data centre(s) according to particular needs, for example IL3+ security 

requirements. The Contractor’s MIP-PBX service extends to providing Unified Communications 

capabilities including telephony, voicemail, audio-conferencing and Instant Messaging & 

Presence services. 

The Contractor evaluates potential technology vendor partners on an on-going basis in 

order to be able to offer Customers innovative and best-of-breed solutions. The solution(s) 

offered to a Customer will therefore depend upon the Customer’s specific requirements and

the features offered by the Contractor’s technology vendor partner chosen at the time by the 

Contractor. 

The Contractor provides an ITIL-based framework of services necessary to capture and 

define the solution requirements, to design, install, monitor, maintain and manage the solution, 

and to provide the required end-user equipment such as telephones, soft clients and gateways. 

High-Level Service Offering 

Managed IP-PBX” (MIP-PBX): Fully managed enterprise-grade PBX and Unified 

Communications services for Customers on their own dedicated platform(s), hosted on their 

own premises or in the Contractor’s data centre(s). 

MIP-PBX Service Description 

MIP-PBX offers PBX and Unified Communications Services to Customers on a Capex basis 

with a monthly management charge. The services will run on a particular technology platform 

chosen by the Contactor as most suitable to meet the Customer’s requirements from a 

functionality and cost perspective. 

The platforms are either hosted on the Customer’s premises or in the Contractor’s data 

centre(s), according to particular needs, for example IL3+ security requirements. The platforms 

are fully maintained by the Contractor at the initially deployed software and hardware releases. 

The Customer has the option to request upgrades of hardware or software, or both, and the 

Contractor shall provide a quotation to undertake such work. 

212

The Contractor shall offer a range of End User devices including fixed IP-handsets, wireless 

IP handsets and soft-clients. Customers shall also have the option to use their own devices, 

subject to them being compatible with the Services. 

MIP-PBX is offered as a fully managed service, with the following options available 

213 

End-User Licences 

PBX Features 

Voicemail Options 

Audio Conferencing Options 

Operator Console Options 

Call Logging 

IM & Presence Options 

Video Telephony 

Connectivity Options 

PSTN trunks 

Handsets and Soft Clients 

Resiliency Options 

Professional Services 

PBX Maintenance Services 

End-User Licences 

The Customer shall purchase a Licence for each End User which shall define the services and 

capabilities the End User shall be entitled to use. The scope and content of the Licence shall 

depend upon the chosen technology vendor and shall cover the following features as a 

minimum: 

Telephony (PBX) Features

214 

Voicemail 

Instant Messaging & Presence (IM&P) 

Telephony (PBX) Options 

MIP-PBX shall support a comprehensive range of telephony features including Call Hold, Call 

Transfer, Call Pick Up, Group Working, Short Code Dialling, Manual Diversion, Memory 

Functions, Remote Call Logging, Audio Conferencing and Centralised Operator). There shall be 

further optional features to choose from including: 

Assistant/Manager 

Extension Mobility 

Click-to-Call 

Multi-Line Appearance 

Single Number Reach 

Desk & Mobile Pick Up 

Single Business Voicemail 


Voicemail Box 

Voicemail Access 

Security features 

SpeechConnect and Auto Attendant 

Visual Voicemail (viewing voicemail messages like email on suitable IP Phone Displays) 

Message Waiting Indication 

Optional SpeechView (speech to text transcription) 

Optional Integrated Email and Voicemail with SMS notification 

Optional live recording of conversations.

Audio Conferencing 

The Contractor shall provide a fully featured Audio Conferencing Service, offering both 

Reservationless and Operator Attended conferencing capabilities and optional integrated web 

conferencing. This scalable solution shall be offered in a variety of commercial models to suit 

the needs of most organisations. The Contractor shall also offer dedicated hardware located on 

the Customer’s premises where Customer conferencing volumes deem such a solution to be 

more beneficial. These components shall be managed by the Contractor. 


The option of one or multiple operator consoles shall be offered. The consoles can be 

distributed around the Customer’s estate to support local as well as centralised operator 

functionality. 

Call Logging Options 

The Contractor shall offer options for the Customer to have the capability to view, analyse 

and manipulate their call data which allows them to manage their user estate, check for 

fraudulent use and identify high cost areas. 


215 

Enterprise-grade Instant Messaging: Secure, rich-text IM, Group Chat, Subscriber 

History, Multi-device IM, Media Escalation, Persistent Chat Rooms. 

Rich Network Presence: Always-on telephony presence, always-on calendar presence, 

network-based presence aggregation from multiple sources and clients, third-party 

presence applications, network-enforced presence policy. 

Standard, Blocked, Do Not Disturb and custom presence notifications. 

Control who views presence information. 

Escalate to Group Chat.

216 

File transfer. 


End Users with a suitable soft client or video-enabled handset shall be able to make point- 

to-point video telephony calls to other End Users on the MIP-PBX network. 

Connectivity 

MIP-PBX Services require the presence of a suitable WAN to provide data links between the 

Customer sites and where applicable the Contractor’s data centres. The WAN must comply 

with prerequisites (in terms of bandwidth, jitter, delay, QoS, VLANs, etc.) necessary to support 

the CaaS real-time multimedia services. 

PSTN Network Services 

Access to the PSTN shall be via centralised SIP Trunks offered as a separate service by the 

Contractor. TDM PSTN connectivity is also supported depending on the solution design. 


The Contractor shall offer a selection of End User devices including Featurephones and soft 

clients to cater for End User needs ranging from basic telephony in public places through to 

executive devices, soft-clients and video-enabled endpoints. 

The Contractor shall offer a “Bring Your Own Device” option whereby the Customer sources 

their own IP Feature phones to use with the MIP-PBX service. These may be devices that are 

listed above or from other approved third party suppliers.

The Contractor shall offer the option of supporting the connection and the use of older 

analogue devices by means of gateways deployed at the Customer’s premises. 


MIP-PBX offers the option of being deployed with a resilient architecture whereby end- 

points can be associated with two platforms operating in a load-sharing or main/standby mode. 

The Contractor shall also offer resiliency options to operate in the event that MIP-PBX 

becomes unavailable to End User sites (due to a failure of part or all of the WAN, for instance): 

217 

Local Site Survivability Mode – ability to support voice services between users on the 

local site. 

Inter-Site Survivability Mode – ability to support voice services between users within the 

Customer’s estate (subject to inter-site WAN being available). 

PSTN Break-Out Survivability – ability to call external users. 

PSTN Break-In and Out Survivability – ability to call and receive calls from external users. 


The Contractor shall offer Professional Services in respect of designing the Customer’s 

solution, project management and programme management of any element of the solution 

including the transition from their existing solution over to MIP-PBX. This shall include a range 

of training options for End Users. 


The Contractor offers a PBX Maintenance service option that provides maintenance cover 

primarily for legacy TDM-based PBX networks. This service, delivered via a Sub-Contractor,

offers a useful complement to MIP-PBX in supporting the existing PBX network during the 

transition period over to MIP-PBX. 

Service Provision 

The Contractor shall provide: 

218 


Discovery Days 

Customer 

Experience & 

Solution Design 

Platform 

Deployment 

On-Site Transition 

Initial face-to-face discussions with Customer’s to 

determine overall business goals, understand the 

current infrastructure and business processes, and 

explore possible options, understanding where they 

want to get to in the short, medium and long term. 

Output from this process shall be a strategic 

document proposing an optimum service and a 

roadmap to the end state. 

Deeper analysis of the Customer’s existing structure 

and how it is to be transformed into the new solution. 

Specifically, this shall define the requirements, explain 

how it is to be developed, identify the connectivity 

options, and explain how it shall be delivered and 

what it shall include. 

� Procuring and deploying the platforms 

(hardware and software) 

� Arranging and configuring Contractor’s Data 

Centre accommodation – space, power, 

cooling, management and monitoring (for 

deployments within Contractor’s Data Centres) 

� Systems Configuration – enabling reporting, 

billing, etc. 

� Testing – testing the various elements of the 

MIP-PBX service for correct operation. 

� Deployment – activation of the environment for 

use. 

The deployment of MIP-PBX services shall require a 

level of activity at each Customer location. The 

activities vary based on the particular services 

required, however typically the following steps shall be

Project 

Management 

Service Management 

219 

undertaken for each on-site transition: 

� On-Site Survey – validating the On-Site Design 

and assessing installation practicalities for the 

deployment. 

� Readiness validation – confirming Connectivity 

(WAN and LAN) and that dependencies are in 

place prior to installation & deployment. 

� Shipping, deployment & testing of End User 

devices. 

� Installation – installation of any equipment 

needed on-site including End User devices. 

� Deployment – migration and activation of the 

site for use in the live environment. 

� Service Readiness Testing – validating 

operation and supportability of the location. 

When transitioning the existing estate, or even 

implementing a significant change to the existing 

services offered, the Contractor’s Project Managers 

shall help plan, organise, secure and manage the 

resources required to deliver this capability. 

Project Management services may extend beyond the 

Contractor’s direct organisation and include, where 

agreed, the management of nominated 

teams/resources within the Customer’s organisation 

as well as their existing third parties. 

The Contractor offers MIP-PBX as a fully managed service. Provision shall be made via 

Helpdesks and processes for Customers to request changes and to obtain assistance, support 

and advice in using their MIP-PBX services. The operations services shall ensure that any 

requirements shall be responded to and any issues with a Customer’s services shall be quickly 

identified and resolved. 

Key elements in the Service Management portfolio are:

220 

Service Desk – manned by the Contractor’s Service Desk Analysts who will support the 

Customer. 

Used to manage, track and update Incidents and Requests. 

Used to escalate Incidents and Requests where necessary. 

Used to manage orders, service changes and Moves, Adds and Changes. 

Used to request management reports. 

Available 24x7. 

Service Desk calls shall be answered in under 20 seconds 90% of the time. 

Emails shall be automatically acknowledged as received by return and then 

responded to within 24 hours. 

New account requests received on working day 1 shall be actioned and welcome 

email sent to End User by close of business on working day 3. 

Password and PIN changes shall be completed in less than four (4) hours. 

Account amends and deletions shall be completed in less than 24 hours. 

Incident Management Process – Will resolve service interruptions or degradations 

reported by a Customer. The Incident reporting process shall be the only available 

method of officially logging an Incident and SLA tracking. Incidents shall be reported via 

telephone and entered on the system by the Contractor on the Customer’s behalf. A 

unique incident ticket number shall be generated for the purpose of tracking, which will 

be sent to the user when the request is submitted. This receipt shall be timed and 

dated. 

The Contractor shall seek to resolve incidents at the first point of contact, namely 

the Service Desk. More complex incidents shall be escalated internally to second and if 

necessary third-line resources. 

Responses as per the SLA shall be communicated by phone or by email/SMS to the 

user as requested by the Customer. For clarity, the Customer ‘user’ might be an 

individual, the Administrator or the Customer’s internal IT Helpdesk. Although the latest 

information regarding an incident shall always be available on contact, any regular 

updates regarding the incident shall be made to the email address of the individual who 

raised the incident (or optionally using SMS).

221 

Incidents shall be classified by the Contractor at a ‘priority’ level which shall then 

determine the times for both responding to and resolving the fault. 

Moves, Adds, Changes & Deletions (MACD) Service – Will manage soft changes to the 

Customer’s estate and services. The MACD Service team shall integrate with the 

processes inside a Customer’s organisation for outsourcing the day-to-day MACD 

management of their Communications Services. 

Reporting – MIP-PBX offers a range of standard reports that enable Customers to review 

their usage of the services and the performance of their services. Standard reports can 

be scheduled to be produced and emailed to pre-defined Customer recipients. All 

reports can be requested via the Service Desk. A selection of example report 

requirements is given below: 

Service Monitoring 

Estate Inventory Reports 

Incident Reports 

Financial Management Reports 

Capacity & Performance Reports 

Order Reports 

Service Usage Reports 

.End User Helpdesk –optional service providing a contact point for the 

Customer’s End Users: 

Seeking assistance with using specific capabilities and End User devices. 

Confirming the services that the Customer is contracted to receive. 

Seeking support on any aspects of the service. 

Responding to “How do I …?” queries. 

Resetting account-access such as Voicemail PINs, Self-Service Logins, etc. 

(subject to the user confirming their identity). 

Availability: Standard from Monday to Friday 09:00 to 17:00, with options to 

extend to 6 days 09:00 to 17:00 or to 24/7. 


Password and PIN changes shall be completed in real-time (subject to successful 

user validation). 

The Contractor shall proactively monitor platforms on a 24x7 basis. The Contractor shall 

take the necessary action to rectify any problems found as a result of any alarms generated or 

any detected performance degradation.

Use of Sub Contractors 

Contractor may use sub contractors in the supply of the MIP-PBX services, depending upon 

which technology partner is preferred. These will be either Mitel or Cisco for the provision of 

hardware. 

MANANAGED TELEPHONY (CAAS) SERVICE OVERVIEW 

This Service Description covers the Contractor’s “Comms-as-a-Service” (CaaS), Managed IP 

Telephony and Unified Communications Service. The CaaS model offers an on-demand, 

subscription-based pay-as-you-go service, running on carrier-grade platforms owned and 

hosted within two of the Contractor’s data centres to deliver high availability SLAs and 

continuously updated feature sets. The Contractor’s CaaS service extends to providing Unified 

Communications capabilities including telephony, voicemail, audio-conferencing and Instant 

Messaging & Presence services. 

The Contractor provides an ITIL-based framework of services necessary to capture and 

define the solution requirements, to design, install, monitor, maintain and manage the solution, 

and to provide the required end-user equipment such as telephones, soft clients and gateways. 


Comms-as-a-Service (CaaS): Fully managed PBX and Unified Comms services offered on a 

flexible subscription basis from the Contractor’s platforms in their data centres. 

CAAS Service Description 

“Comms-as-a-Service” (CaaS) offers PBX and Unified Communications Services to Customers 

on a subscription-based pay-as-you-go basis. The commercial model is predominantly Opex 

222

ather than Capex – End Users subscribe to particular services and features they need on a per- 

user-per-month (PUPM) basis. Additionally up-front consultation, design and set-up charges 

will be applicable. 

The services run on the Contractor’s dual resilient platforms hosted within two (2) data 

centres. The platforms are fully maintained by the Contractor with the Contractor maintaining 

software and feature releases. 

The Contractor shall offer a range of End User devices including fixed IP-handsets, wireless 

IP handsets and soft-clients. Customers shall also have the option to use their own devices, 

subject to them being compatible with the Services. 

CaaS is offered as a fully managed service, with the following options available: 

223 

Feature Packs 

PBX Features 


Audio Conferencing Options 


Call Logging 



Connectivity Options 

PSTN trunks 


Connector Options 


Professional Services

224 

PBX Maintenance Services. 

Feature Packs 

The Customer shall purchase a subscription for each End User to one or more Feature Packs 

that define the services and capabilities the End User shall be able to use. The Feature Pack 

subscriptions can be purchased, adjusted or ceased during the contract period. 

Feature packs shall include options for the following: 

Telephony (PBX) Features 

Voicemail 

Instant Messaging & Presence (IM&P) 

Video Telephony. 

Additional Feature Pack options shall be made available where the CaaS service is extended 

to include other services such as Video Conferencing, Contact Centre and Managed Media 

Recording as the Customer requires. 

Services not offered directly by CaaS, such as Microsoft Lync, may be supported by means 

of a Connector (see Connector options below). 

Telephony (PBX) Features 

CaaS shall support a comprehensive range of telephony features, including those offered by 

the current MTS service (Call Hold, Call Transfer, Call Pick Up, Group Working, Short Code 

Dialling, Manual Diversion, Memory Functions, Remote Call Logging, Audio Conferencing and 

Centralised Operator). There shall be several Telephony (PBX) Feature Packs to choose from 

including:

225 

Basic Voice – all basic PBX Telephony features, supported on a limited range of basic IP 

fixed handsets or analogue handsets (via gateways). 

Standard Voice – as Basic Voice plus additional features (including Assistant/Manager, 

Extension Mobility, Click-to-Call, and Multi-Line Appearance) supported on the full range 

of End User devices 

Mobility Voice – as Standard Voice plus additional features including Single Number 

Reach, Desk & Mobile Pick Up and Single Business Voicemail. 

The Feature Packs include PSTN network access, and as such this does not have to be 

ordered separately. 

CaaS shall support several codec types including G.711, G.722 and G.729. 

Voicemail Features 

Voicemail Box 

Voicemail Access 

Security features 

SpeechConnect and Auto Attendant 

Visual Voicemail (viewing voicemail messages like email on suitable IP Phone Displays) 

Message Waiting Indication 

Optional SpeechView (speech to text transcription) 

Optional Integrated Email and Voicemail with SMS notification 

Optional live recording of conversations. 


The Contractor shall provide a fully featured Audio Conferencing Service, offering both 

Reservationless and Operator Attended conferencing capabilities and optional integrated web 

conferencing. This scalable solution shall be offered in a variety of commercial models to suit 

the needs of most organisations.

The Contractor shall also offer dedicated hardware located on the Customer’s premises 

where Customer conferencing volumes deem such a solution to be more beneficial. These 

components shall be managed by the Contractor. 


The option of one or multiple (up to 100) operator consoles shall be offered, capable of 

supporting in excess of 30,000 End Users. The consoles can be distributed around the 

Customer’s estate to support local as well as centralised operator functionality. Supported 

features include: 

226 

A customised operator keyboard as standard for each operator position 

Each DDI, CLI or Queue can be set a priority – the organisation defines how important 

each call is. 

Emergency overflow and busy overflow. 

Out-of-hours queues. 

Call Parking with Recall timer – limitless number of calls parked. 

Call Hold. 

Camp-On – the facility to be able to “camp” a call on a busy extension for a given time. 

Timers for Transfer Recall, Camp-On Recall and Hold Recall. 

Queue Flagging – for Operator to identify incoming calls. 

Unlimited queues with queue colour Indicators. 

Multiple search facility, up to seven (7) fields searchable from a choice of 13 fields – all 

of which can be user defined, directory shrinking display – only valid names shown to 

operator when part of name typed. 

Keyboard or Mouse Operated. 

4,000-extension Busy Lamp Field (real-time monitoring of extensions). 

Speed Dials. 

Unlimited queues. 

Send calls to voice mail.

Call Logging 

227 

Unlimited calls on hold. 

The Contractor shall offer options for the Customer to have the capability to view, analyse 

and manipulate their call data which allows them to manage their user estate, check for 

fraudulent use and identify high cost areas. 

IM & Presence Features 

Enterprise-grade Instant Messaging: Secure, rich-text IM, Group Chat, Subscriber 

History, Multi-device IM, Media Escalation, Persistent Chat Rooms. 

Rich Network Presence: Always-on telephony presence, always-on calendar presence, 

network-based presence aggregation from multiple sources and clients, third-party 

presence applications, network-enforced presence policy. 

Standard, Blocked, Do Not Disturb and custom presence notifications. 

Control who views presence information. 

Escalate to Group Chat. 

File transfer. 


End Users with a suitable soft client or video-enabled handset shall be able to make point- 

to-point video telephony calls to other End Users on the CaaS network. 

Connectivity 

CaaS Services require the presence of a suitable WAN to provide data links between the 

Contractor’s data centres and the Customer sites (and also between the sites themselves). The 

WAN must comply with prerequisites (in terms of bandwidth, jitter, delay, QoS, VLANs, etc.) 

necessary to support the CaaS real-time multimedia services. 

PSTN Network Services

Access to the PSTN is included within the Voice Feature Packs and does not have to be 

ordered separately. Access to the PSTN shall be via the Contractor’s WAN and the Contractor’s 

platforms. 


The Contractor shall offer a selection of End User devices including Featurephones and soft 

clients to cater for End User needs ranging from basic telephony in public places through to 

executive devices, soft-clients and video-enabled endpoints. 

IP Featurephones 

Cisco 3905 

Cisco 6901 

Cisco 6921 

Cisco 6941 

Cisco 6961 

Cisco 7911G 

Cisco 7931G 

Cisco 7942G 

Cisco 7945G 

Cisco 7965G 

Cisco 7975G 

Cisco 7985G 

Cisco 8961 

Wireless 

Cisco 7921G 

Cisco 7925G 

Video 

228 

Cisco 8945 

Cisco 9951 with video camera option 

Cisco 9971 with video camera option

Conference 

Cisco 7937G 

Soft Clients 

Cisco Unified Presence Client (required for video, IM&P and soft phone) 

CUCI-Lync (when used in conjunction with Microsoft Lync Connector) 

The Contractor shall offer a “Bring Your Own Device” option whereby the Customer sources 

their own IP Featurephones to use with the CaaS service. These may be devices that are listed 

above or from other approved third party suppliers. 

The Contractor shall offer the option of supporting the connection and the use of older 

analogue devices by means of gateways deployed at the Customer’s premises. 

Connector Options 

A connector is an interface that enables defined interactions between CaaS and an external 

system or component. Where the Customer deployment requires it the connector will include 

physical hardware or connectivity. The need to order one or more connectors from the 

connector library shall be identified by the Contractor during the initial consultation period, or 

after the service has gone live via an agreed change control process. 

The Connector library shall include: 

229 

PBX Connector: Used to provide inter-working between the Customer’s existing PBX 

network and CaaS during the service transition period. The connector interface shall be 

available in several options to support both TDM (as E1 circuits running Q.931, QSIG or 

DPNSS protocols) and IP (H.323 or SIP protocols). 

Microsoft Lync Connector: Used to provide inter-working of voice and collaboration 

services between the Customer’s CaaS network and a Microsoft LYNC network.

230 

Corporate Directory Connector: Used to enable the use of a Customer’s corporate 

directory system (e.g., using LDAP) as the source of contact data in the CaaS services. 

Third Party SIP Trunk Connector: Used to enable the use of SIP trunks from third parties 

such as carriers, mobile networks and conferencing service providers. 

Contact Centre Connectors: Used to enable CaaS inter-working with certain Contact 

Centre applications – including Genesys and Cisco Contact Centre Enterprise. 


The Contractor shall offer resiliency options to operate in the event that CaaS becomes 

unavailable to End User sites (due to a failure of part or all of the WAN, for instance): 

Local Site Survivability Mode – ability to support voice services between users on the 

local site. 

Inter-Site Survivability Mode – ability to support voice services between users within the 

Customer’s estate (subject to inter-site WAN being available). 

PSTN Break-Out Survivability – ability to call external users. 

PSTN Break-In and Out Survivability – ability to call and receive calls from external users. 


The Contractor shall offer Professional Services in respect of designing the Customer’s 

solution, project management and programme management of any element of the solution 

including the transition from their existing solution over to CaaS. This shall include a range of 

training options for End Users. 


The Contractor offers a PBX Maintenance service option that provides maintenance cover 

primarily for legacy TDM-based PBX networks. This service, delivered via a Sub-Contractor, 

offers a useful complement to CaaS in supporting the existing PBX network during the transition 

period over to CaaS.



231 


Discovery Days 

Customer 

Experience & 


CaaS Platform 

Configuration 

Connector 

Configuration 

Initial face-to-face discussions with Customers to 

determine overall business goals, understand the 

current infrastructure and business processes, and 

explore possible options, understanding where they 

want to get to in the short, medium and long term. 

Output from this process shall be a strategic 

document proposing an optimum service and a 

roadmap to the end state. 

Deeper analysis of the Customer’s existing structure 

and how it is to be transformed into the new solution. 

Specifically, this shall define the requirements, explain 

how it is to be developed, identify the connectivity 

options, and explain how it shall be delivered and 

what it shall include. 

� Network Configuration – building the 

technology instances to support the Customer 

estate (e.g., sites, dial-plan). 

� Systems Configuration – enabling reporting, 

billing, etc. 

� Feature Pack Configuration. 

� Testing – testing the various elements of the 

CaaS service for correct operation. 

� Deployment – activation of the environment for 

use. 

Note – many of these configuration activities shall be 

transparent to the Customer. 

Integration of the Customer estate with the CaaS 

environment shall require a joint effort between both 

parties. Deploying Connectors shall entail the 

following stages: 

� Connector Build – implementation required to 

support integration with the Customer estate. 

� Integration Testing – testing the Connectors 

with elements of the CaaS service for correct 

operation.

On-Site Transition 

Project 

Management 

232 

� User Acceptance Testing – working with a key 

representative in the Customer organisation to 

ensure that functionality matches the designed 

expectation. 

� Deployment – activation of the Connector for 

use in the live environment. 


operation and supportability of the connector. 

The Detailed Connector Design(s) shall be a key input 

into this activity. 

The deployment of CaaS services shall require a level 

of activity at each Customer location. The activities 

vary based on the particular services required, 

however typically the following steps shall be 

undertaken for each on-site transition: 

� On-Site Survey – validating the On-Site Design 

and assessing installation practicalities for the 

deployment. 

� Readiness validation – confirming Connectivity 

(WAN and LAN) and that dependencies are in 

place prior to installation & deployment. 

� Shipping, deployment & testing of End User 

devices. 

� Installation – installation of any equipment 

needed on-site including End User devices. 

� Deployment – migration and activation of the 

site for use in the live environment. 


operation and supportability of the location. 

When transitioning the existing estate, or even 

implementing a significant change to the existing 

services offered, the Contractor’s Project Managers 

shall help plan, organise, secure and manage the 

resources required to deliver this capability. 

Project Management services may extend beyond the 

Contractor’s direct organisation and include, where 

agreed, the management of nominated 

teams/resources within the Customer’s organisation 

as well as their existing third parties.


The Contractor offers CaaS as a fully managed service. Provision shall be made via 

Helpdesks and processes for Customers to request changes and to obtain assistance, support 

and advice in using their CaaS services. The operations services shall ensure that any 

requirements shall be responded to and any issues with a Customer’s services shall be 

identified and resolved. 

Key elements in the Service Management portfolio are: 

233 

Service Desk – manned by the Contractor’s Service Desk Analysts who will support the 

Customer. 

Used to manage, track and update Incidents and Requests. 

Used to escalate Incidents and Requests where necessary. 

Used to manage orders, service changes and Moves, Adds and Changes. 

Used to request management reports. 

Available 24x7. 


Emails shall be automatically acknowledged as received by return and then 

responded to within 24 hours. 

New account requests received on working day 1 shall be actioned and welcome 

email sent to End User by close of business on working day 3. 

Password and PIN changes shall be completed in less than four (4) hours. 

Account amends and deletions shall be completed in less than 24 hours. 

Incident Management Process – Will resolve service interruptions or degradations 

reported by a Customer. The Incident reporting process shall be the only available 

method of officially logging an Incident and SLA tracking. Incidents shall be reported via 

telephone and entered on the system by the Contractor on the Customer’s behalf. A 

unique incident ticket number shall be generated for the purpose of tracking, which will 

be sent to the user when the request is submitted. This receipt shall be timed and 

dated. 

The Contractor shall seek to resolve incidents at the first point of contact, namely 

the Service Desk. More complex incidents shall be escalated internally to second and if 

necessary third-line resources.

234 

Responses as per the SLA shall be communicated by phone or by email/SMS to the 

user as requested by the Customer. For clarity, the Customer ‘user’ might be an 

individual, the Administrator or the Customer’s internal IT Helpdesk. Although the latest 

information regarding an incident shall always be available on contact, any regular 

updates regarding the incident shall be made to the email address of the individual who 

raised the incident (or optionally using SMS). 

Incidents shall be classified by the Contractor at a ‘priority’ level which shall then 

determine the times for both responding to and resolving the fault. 

Request Management – Will actively process and track fulfilment requests both for 

requests for a new site and for change requests to existing sites. Fulfilment requests 

received via the Service Desk shall be tracked and managed according to their respective 

SLAs. A list of possible requests shall be defined with pre-agreed pricing and an assured 

lead-time. 

Moves, Adds, Changes & Deletions (MACD) Service – Will manage soft changes to the 

Customer’s estate and services. The MACD Service team shall integrate with the 

processes inside a Customer’s organisation for outsourcing the day-to-day MACD 

management of their Communications Services. 

Reporting – CaaS offers a range of standard reports that enable Customers to review 

their usage of the services and the performance of their services. Standard reports can 

be scheduled to be produced and emailed to pre-defined Customer recipients. All 

reports can be requested via the Service Desk. A selection of example report 

requirements is given below: 

Estate Inventory Reports 

Incident Reports 

Financial Management Reports 

Capacity & Performance Reports 

Order Reports 

Service Usage Reports. 

End User Helpdesk –optional service providing a contact point for the 

Customer’s End Users: 

Seeking assistance with using specific capabilities and End User devices. 

Confirming the services that the Customer is contracted to receive. 

Seeking support on any aspects of the service.

Service Monitoring 

235 

Responding to “How do I …?” queries. 

Resetting account-access such as Voicemail PINs, Self-Service Logins, etc. 

(subject to the user confirming their identity). 

Availability: Standard from Monday to Friday 09:00 to 17:00, with options to 

extend to 6 days 09:00 to 17:00 or to 24/7. 


Password and PIN changes shall be completed in real-time (subject to successful 

user validation). 

The Contractor shall proactively monitor and test the service platforms on a 24x7 basis. The 

Contractor shall take the necessary action to rectify any problems found as a result of the 

proactive testing, any alarms generated or any detected performance degradation. 

Capacity Management 

CaaS is built with scalability to meet individual Customer requirements. There shall be a 

standard 10% capacity contingency to allow Customers to flex their requirements without the 

need to wait for capacity upgrades. PSTN access is inclusive and automatically catered for in the 

volume of user subscriptions. 


There are no sub contractors in the supply of the CaaS services. 

IP TRUNK SERVICE OVERVIEW 

The IP-based Voice Public Switched Telephony Service provides IP voice connections from 

the Contractor’s Switched Network to the Customer premises’ IP PBX or IP Contact Centre 

Equipment.

The Contractor shall provide and manage all aspects of the Service and will be the single 

point of contact for all service queries. 

High Level Service Offering 

The Service will be made up of the following components. 

236 

Lines: IP Voice Virtual Trunks between the Customer’s data network and the 

Contractor’s data network and IP ‘softswitch’ 

Minutes: Call charges 

Numbers: Geographic & non-geographic DDIs 

Number portability: Import and export 

Calling & network features: Call Barring, CLI Presentation 

Phonebooks and directory listings 

Web-based Cost Reporting and Management Tool: Call Management Network. 

Service Description (Applies for all service offerings) 

The IP Trunk Service shall enable Customers to place and receive inbound and outbound 

voice telephony calls. 

The Customer’s IP PBX or IP Contact Centre will integrate with the Contractor’s softswitches 

using the Customers WAN. The Contractor’s softswitches will be fully resilient and will be 

located in geographically diverse Contractor network sites. The softswitches connect to the 

Contractor’s PSTN and therefore with BT, other licensed operators (OLOs) in the UK, and 

carriers in more than 170 countries. 

The Infrastructure that supports the service is supported 24 hours per day, seven (7) days 

per week from dual UK Network Operations Centres.

The service will provide a number of service features including but not limited to: 

Feature Name Function / Benefit 

Changed Number Announcement Lets callers know you have changed 

Connected Line Identification 

Presentation 


Restriction 

237 

your number 

Shows the number you have 

connected to 

Blocks the number you have 

connected to 

Caller ID Presentation Shows your telephone number to the 

called party 

Caller ID Restriction Blocks your Telephone Number from 


the called party 

The Contractor shall, if requested, provide Professional Services to design and deliver the 

service. 

Technical Characteristics 

The Service shall support the following line types: 

Both-way lines

238 

Both-way lines with DDI. 

The Service shall support the following signalling protocols; 

H323 

SIP. 

The Service shall support the following voice codecs: 

G729 

G711. 

Access Method 

The Contractor shall supply the Service over the Customer’s WAN or via the PSN 


Single Trunk connected to Single Session Border Controller 

Dual Trunks connected to Single Session Border Controller 

Dual Trunks connected to Dual Session Border Controllers 

Service Approach 

The Contractor will provide: 

Configuration of the softswitch to interwork with the Contractor’s IP Voice 

infrastructure to the agreed solution design 

Configuration of the new or ported numbers or DDIs on the access circuits as requested 

by the Customer. 

All necessary wiring and equipment up to the Service Demarcation Point. 

Requests for new Customer IP-Trunk or Configuration Changes to an existing Customer IP- 

Trunk shall be processed and approved via the Service Change Request Procedure. Charges for 

such changes shall be made in accordance with an agreed Change Control Procedure. 

Agreed Delivery Date

Following the preparation of the Customer IP Voice estate by the Customer, the Contractor 

will implement the Service or a Configuration Change for the particular Customer IP Trunk (as 

applicable) by the Agreed Delivery Date. 

The Contractor shall only provide service to those IP Voice estate types it has tested and 

knows to be compatible with the Service. 

Service Management/Reporting/Service Operations (In-Life) 

The Contractor shall, if requested, provide a monthly service platform report to the 

Customer, the content of which shall be agreed in advance between the Customer and the 

Contractor. 

The Contractor will support e-billing reports for non-geographic Inbound Call Management 

numbers. 

The Contractor will carry out fault management that will use reasonable endeavours to 

restore service operation to agreed service levels. 

The Contractor will provide fault support 24x7. The Customer will report any suspected 

faults in the service to the Contractor and provide the following details: 

239 

The name of the service affected 

Address details of the site(s) affected 

Telephone number(s) of the site(s) affected. 

The Contractor will log the fault and attempt to contact a nominated Customer 

representative to provide updates on progress until the fault is resolved. The Contractor will

carry out root cause analysis (where appropriate to the severity of the fault) and provide 

resolution details for individual faults, including details on the fix to the fault and its cause. 

Once this has been provided, the Contractor will agree with the Customer to formally ‘close’ a 

fault. 


There are no sub contractors involved in the supply of this service. 

TDM VOICE SERVICE DESCRIPTION 

Service Overview 

A TDM-based Voice Public Switched Telephony service providing ISDN and Analogue PSTN 

line connections from the Contractor’s Switched Network to the Customer premises PBX or 

Contact Centre Equipment. 

The Contractor shall provide and manage all aspects of the service and be the single point of 

contact for all service queries. 

The service may be delivered either directly from the Contractor’s exchange using the 

Contractor’s Network, or via the BT local loop using Wholesale Line Rental and Carrier Pre- 

Selection. 


Lines – ISDN and Analogue 

Minutes – Call Charges 

240

Numbers – Geographic and Non-Geographic, as well as Geographic DDIs 

Number Portability – Import and Export 

Calling and Network Features – Call Barring, CLI Presentation 

Short code ‘extension-to-extension’ dialing and reduced call charges between closed user 

group sites if the Voice VPN option is chosen 

Phonebooks and Directory Listings 

Web-based Cost Reporting and Management Tool – Call Management Network 

Service Description (Applies for all Service Offerings) 

The TDM Voice Service shall enable Customers to place and receive inbound and outbound 

voice telephony calls. 

The service will be provided on the Contractor’s switched voice network. The Contractor’s 

switched voice network is based on Time Division Multiplexing (TDM) supported by the 

Contractor’s SDH transmission. The network interconnects with BT, other UK OLO and carriers 

in more than 170 countries directly and is supported 24x7, 365 days a year from dual UK 

Network Operations Centres. 

The service will provide a number of service features including, but not limited to: 

Feature Name Function/Benefit 

241

Changed Number 

Announcement 

242 

Lets callers know you have changed your 

number 

Advice of Charge at end of Call Lets you know how much the call just cost 

Anonymous Call Rejection Lets you reject a call where CLI is withheld or 

not available 

3-Way Calling Joins three parties together for a simple 

conference call. 

Basic Divert Diverts calls to a main number or range to an 

alternative number or range 

Bypass Number Lets you override a call divert and reach the 

diverted number 

Call Barring Bars outgoing calls to national, international, 

premium rate and operator services 

Call Divert Divert calls to an alternative number 

Call Forwarding – Busy, No 

reply, Unconditional 

Forward calls on busy, no reply or all 

conditions 

Call Waiting Warning beep to let you know another caller


Presentation 


Restriction 

243 

is attempting to call 

Shows the number you have connected to 

Blocks the number you have connected to 

Caller ID Presentation Shows your telephone number to the called 

party 

Caller ID Restriction Blocks your telephone number to the called 

party 

Cost Centre Codes Tags each outbound call with a code so the 

cost can be cross-charged to a department or 

division of the business 

Divert on Circuit Failure or Busy Re-routes the call if line is busy or out of 

order 

Malicious Call ID Marks the call as malicious to aid tracing 

Presentation Number Presents a preferred number for your 

Customers to call you back on

Short Code Dialling Store numbers on the network for access via 

244 

a short code 

Last Number Announcement Displays identity of last caller 

Time and Date Date and time stamp of each call 


The Contractor shall, as an option, provide professional services to design and deliver the 

service. 


The Service shall support the following Line Types: 

Incoming only 

Incoming only with DDI 

Outgoing only 

Both-way 

Both-way with DDI 

Primary Rate and Basic Rate ISDN lines 

Single and Multi-line Analogue lines. 

The Service shall support the following ISDN Signalling Protocols: 

ISDNQ931 

ISDNQ931e 

ISDN DASS 

DPNSS. 

The Service shall support the following ISDN Circuit Presentation Types:

245 

G703 and G704 Framed or Unframed 

75ohm Balanced or Unbalanced 

RJ45 Connector or BNC type connector 

Channelised higher order bearers are also available subject to agreement. 

Access Method 

The Contractor will supply the Service using the most appropriate of the following delivery 

methods: 

Own fibre connection 

Own copper connection 

Own microwave radio link 

Third party fibre connection 

Third party copper connection 

Wholesale line rental 

Carrier pre-selection. 


The Contractor will support the following Service resiliency options: 

Dual Parented – Two access circuits, hosted off two separate exchanges, delivered via 

two separate network access points. Both circuits run in load-sharing mode with all 

traffic picked up by the other exchange if either fails. 

Diverse Routing – Two network access connections with both routed via separate cables 

into separate building entry points. 

Disaster Recovery – Pre-defined Incoming call routing plans that are invoked to re-route 

calls to alternative destinations should one or more Customer sites become inaccessible 

due to a major emergency (for example: fire, flood, act of terrorism or civil unrest). 

Non-Resilient – A single access circuit connecting the Customer’s PBX to the Contractor’s 

Switched Network. 

Service Approach 

General;

246 

The Contractor will provide: 

(a) Access circuit(s) between the network access node and Customer premises 

(b) Line termination equipment at the Customer premises 

(c) Configuration of the access circuits on the switched network 

(d) Configuration of the new or ported numbers or DDIs on the access circuits 

as requested by the Customer 

(e) All necessary wiring and equipment up to the Service Demarcation Point. 

Requests for new Customer sites or Configuration Changes to an existing Customer site 

shall be processed and approved via the Service Change Request Procedure. Charges for 

such changes shall be made in accordance with an agreed Change Control Procedure. 

Agreed Delivery Date 

Following the preparation of the Customer Sites by the Customer, the Contractor will 

implement the Service, or a Configuration Change for the particular Customer site as 

Applicable, by the Agreed Delivery Date. 


The Contractor shall, if requested, provide a monthly service platform report, the content of 

which shall be agreed in advance between the Customer and Contractor. 

The Contractor will support e-billing reports for non-geographic Inbound Call Management 

numbers. 

The Contractor shall carry out fault management that will use reasonable endeavours to 

restore service operation to within agreed service levels. 

The Contractor will provide fault support 24x7. The Customer will report any suspected 

faults in the service to the Contractor and provide the following details:

247 

Name of the service affected 

Address of the site(s) affected 

Telephone number(s) of the site(s) affected. 

The Contractor will log the fault and attempt to contact a nominated Customer 

representative to provide updates on progress until the fault is resolved. The Contractor will 

carry out root cause analysis (where appropriate to the severity of the fault) and provide 

resolution details for individual faults, including details on fault fix and cause of fault. Once this 

has been provided the Contractor will agree with the Customer to formally ‘close’ a fault. 


There are no sub contractors in the supply of this service. 

INBOUND CALL MANAGEMENT SERVICE OVERVIEW 

Inbound Call Management is a service that enables callers to contact an organisation using a 

variety of geographic, non-geographic and premium rate numbers. 


The Contractor’s Inbound Call Management service offers: 

Premium rate 

Non-geographic numbers 

Porting. 

Service Description (Covering All High Level Service Offerings) 

The Contractor’s Inbound Call Management services will offer the following Inbound Call 

Management numbers: 

0800 / 0808, 01 and 02 (calls routed non-geographically),

248 

03 

0843 / 0844 

0845, 0870, 0871, 0872, 0873 

09 

International freephone. The international freephone service enables callers overseas to 

dial a local toll-free number to connect to a site in the UK. 

Inbound Call Management numbers will be capable of being delivered in a variety of ways. 

Calls will be routed by the Contractor’s Intelligent Network and will be delivered directly to a 

specified phone line or routed to variable destinations using criteria stored in a call plan routing 

script. Example call plans include routing by time of day or day of the week. 

The Contractor will deliver all calls either to a UK PSTN telephone number (which are 

numbers beginning with either 01 or 02), to mobile telephone numbers or, where regulation 

permits and the contractor agrees to do so, to international telephone numbers. Onward 

connection to mobile and international telephone numbers attracts a per minute call delivery 

charge. 

Calls to premium rate numbers are delivered to UK exchange lines directly connected to the 

Contractor’s network. This enables the Contractor to securely route the call directly to a circuit 

provided by the Contractor, eliminating the opportunity for a caller to dial a PSTN number and 

bypass the use of the premium rate number. 

Inbound Call Management numbers differ due to way in which the cost of the call is divided. 

The cost of calls made to 03, 0870, 01 and 02 numbers is shared between the Customer 

and the caller.

249 

The cost of calls to 0843, 0844 and 0845 numbers is shared between the Customer and 

the caller, but out-payment revenue share may be available depending on the volume of 

minutes and the charging point. 

The cost of calls made to 0871, 0872, 0873 and other premium rate numbers is paid for 

by the caller. The Contractor will support out-payment revenue share depending on the 

volume of minutes and the Customers charging point. 

The cost of calls made to UK and international freephone numbers is paid by the 

Customer. 

Depending on availability, the Contractor is able to provide memorable numbers (gold or 

silver), which are non-geographic numbers that are classified by the Contractor as being easy 

for callers to remember. 

Inbound Call Management numbers that have been allocated to the Customer by other 

network providers can be ported to the Contractor’s Intelligent Network. If the Customer 

moves to another provider and wishes to retain the number that the Contractor has allocated, 

the Contractor will port the number to another network provider on request. 

A call routing script controls the way that calls are delivered. This is a systematic and logical 

scheme for routing calls received by the Contractor’s Intelligent Network based on a variety of 

circumstances including time of day, day of the week, ratio of calls and area of origin. 

Optionally, the Contractor will provide the Customer with access to the Inbound Call 

Reporting tool, which is a web-based software tool that enables the Customer to view and 

analyse live and historic call statistics about the Customers Inbound Call Management service 

usage. 

Service Provision – Approach (Delivery inc where applicable Design and Build)

An Inbound Call Management number will be reserved for a period of six months – subject 

to that number not already being allocated or reserved by any other Customer – and is 

available for allocation by the Contractor. The number will revert to being generally available 

for all of the Contractor’s Customers if they do not subsequently order the reserved number to 

make it live on the Contractor’s network. 

Inbound Call Management services are ordered by completion of the appropriate order 

form and submission of this to the contractor. 

If there is no call plan, the Contractor will implement or reconfigure an existing non- 

geographic number within 24 hours of receipt by the Contractor of the request, subject to 

agreeing the request is a chargeable fast track order. 

Where a call plan is required or exists, implementation or reconfiguration will take up to 20 

working days from receipt of the order by the Contractor. 

The Contractor will set up agreed call plans and, if requested, will provide the Customer 

with a self service application to allow the Customer to download a current call plan, and 

amend and upload this. Any amended call plans will be automatically sent to the Intelligent 

Network for processing and implementation. 

The target lead time for international freephone is dependent on the carriers within the 

countries in which the Inbound Call Management services are being set up. As a guide only, 

services are provided within 30 days of receipt by the Contractor of an order. 

250


The Contractor shall, if requested, provide a monthly service platform report to the 

Customer, the content of which shall be agreed in advance between the contractor and the 

Customer. 

The Contractor offers e-billing reports for non-geographic Inbound Call Management 

numbers. 

The Contractor shall carry out fault management that will use reasonable endeavours to 

restore service operation within agreed service levels. 

The Contractor will provide fault support 24 hours a day, 7 days a week. 

The Customer will report any suspected faults in the service. The Contractor will log such 

faults and attempt to contact the Customer’s representative to provide updates on progress 

until the fault is resolved. The Contractor will carry out root cause analysis (where appropriate 

to the severity of the fault) and provide resolution details for individual faults, including details 

on the fix and the original cause of fault. Once this has been provided the Contractor will agree 

with the Customer to formally ‘close’ a fault. 

Use of Sub-Contractors 

There are no sub contractors in the supply of this service. 

PBX MAINTENANCE SERVICE DESCRIPTION 

The Contractor’s PBX Maintenance provides the capability to delegate responsibility for 

maintaining existing PBXs and other telephony equipment to the Contractor charged on a per- 

251

port basis. It is available, as standard, as a break/fix service and a monitoring service. Backup 

battery support is also available. 


252 

Break/Fix Maintenance service 

PBX Maintenance Plus service 

Battery care. 


Break/Fix Maintenance Service 

The Break/Fix Maintenance service comprises the following basic elements, which can be 

combined in any way to deliver the service to the Contractor: 

Estate audit, where necessary (at an additional charge) 

New and replacement equipment procurement, installation and configuration 

Inventory management 

Single per-port charge 

Single point of contact 

Choice of four service levels 

Reactive fixing of faults resulting from daily use and normal wear and tear, remotely 

where possible, including fitting and testing of replacement equipment 

Engineer site visit if the fault cannot be fixed remotely 

Technology refreshes and software upgrades as required and contracted with 

manufacturers 

Moves, adds and changes 

Customised plan for migration to IP telephony. 

PBX Maintenance Plus Service 

The PBX Maintenance Plus service provides, in addition to the options available in the 

Break/Fix maintenance service, a remote monitoring facility to monitor the Customer’s

equipment for alarms 24x7. The PBX Maintenance Plus service requires additional monitoring 

devices either fitted, or with access, to the Customer’s equipment. 

Types of Equipment Covered (both Break/Fix and PBX Maintenance Plus Services) 

The Contractor will investigate support options for the Customer’s estate at the pre-sales 

stage. Any PBX types or models that are outside the Contractor’s capability to support that 

equipment will be excluded from the PBX Maintenance Service. 

Handsets are specifically excluded from the service and are not normally considered as part 

of the maintained estate. A handset replacement service can be supplied, as an option, as an 

alternative to maintenance and repair. 

Equipment Ownership (both Break/Fix and PBX Maintenance Plus Services) 

Under the PBX Maintenance Service, the Contractor maintains the Customer equipment. 

The Customer will own the equipment and remain responsible for decommissioning and 

disposal of equipment, where necessary. 

The Contractor will, where requested, procure equipment on the Customer’s behalf and 

supply quotes for purchase, installation, configuration and testing. 

Access Lines and Port Cabling (both Break/Fix and PBX Maintenance Plus Services) 

Access to the PBX to and from the PSTN, and cabling between the PBX and the port 

telephone handset or device are not included in the PBX Maintenance Service. 

Battery Care 

253

The Contractor will supply, as an option, a Battery Care Service, under which the Contractor 

will carry out the following: 

254 

Check batteries for age, case distortion and electrolyte leakage 

Check the charger output voltage 

Perform discharge or temperature tests to check the condition of the batteries. 

Discharge tests will be chargeable 

Estimate remaining battery life 

Provide a report detailing the current condition of the batteries and their estimated 

remaining life. 

The Battery Care Service includes regular inspection of backup batteries, but does not 

include the cost of battery replacement. Where a battery is found to be losing electrolyte, or 

that the case is distorted, or if the battery has exceeded its estimated life, the Contractor will 

replace it in accordance with the manufacturer’s instructions. 

Technical Characteristics for all Service Offerings 

Standard Room Requirements 

The Contractor is responsible for providing a room that meets the following requirements: 

A minimum of three 13 amp mains power outlets, within two metres of the PBX system 

(each additional cabinet will need at least one additional socket) 

A dedicated switched and fused mains power supply ring. 

Telecoms earth (10mm2 and directly connected to CMET) within two metres of the PBX 

system and with one metre of spare coiled cable for termination 

Interfaces to existing cabling infrastructure, where applicable, within five metres of the 

PBX system 

A load-bearing wall, where applicable 

Network access – i.e. a network termination point (NTP) within five metres of the PBX 

system

255 

A directly connected analogue exchange line for remote maintenance, connected within 

five metres of the PBX system 

A direct analogue exchange line for call logging, if applicable, connected within five 

metres of the system. 

If the standard room requirements are not met, there will be an additional charge for 

delivery of services. 


Estate Audit 

The Contractor will produce a bespoke quotation for each PBX Maintenance Service. To 

provide a quote, the Contractor will require details of the equipment to be maintained, 

including the PBX type, location, manufacturer, age, features, software releases and options 

required. Where the Customer is unable to provide sufficient detail for a quotation to be 

produced, the Contractor can arrange for an estate audit to be conducted. There will be an 

additional charge for this service. 

For the PBX Maintenance service, certified Category 5 wiring must be installed at the 

Customer’s site. The Contractor can also undertake an audit of the Customer’s existing cabling 

network to ascertain its capability to support IP Voice. 

Minimum Order Quantity 

The minimum order quantity for each site is 25 ports. The minimum order across all sites is 

250 ports. 

Project Management

If any of the following circumstances apply, additional project management support may be 

required: 

256 

Multiple sites 

One or more sites has more than 500 ports 

An interface with a third party supplier is required. 

The number of project management days assigned to the Customer will depend on the 

complexity of the requirements and will be quoted for separately. 

Out-of-Hours Installation 

All installations will be carried out within normal working hours; these are Monday to 

Friday, 0900 to 1700. If installation outside of normal working hours is required, there will be an 

additional one-off charge. The charge varies depending on the installation type. All charges will 

be fully detailed in the quote for the work. 

Ordering Additions to the service 

Once a PBX Maintenance service has been established, additions can be ordered at any time 

during the period of the contract. These will be quoted for separately, taking into account the 

nature of the additional equipment and the work involved. 

added. 

A Maintenance Acceptance Test (MAT) will be arranged and the additional equipment 

Additions to the original specification are at the discretion of the Contractor and, depending 

on the nature of the additional equipment required, it may be necessary for the Contractor to 

re-quote for the entire PBX Maintenance service and ask the Customer to sign a new contract.

If it is necessary for engineers to perform a site visit to install additional equipment, a site 

visit charge will apply. 

Moves, Adds and Changes (MACs) 

Soft MACs 

The Contractor will carry out all soft moves and changes associated with PBX maintenance. 

These might include: 

257 

Changing and moving extension numbers 

Changing voicemail boxes 

Altering the configuration of hunt and pickup groups. 

Soft MACs will be done remotely via the modem provided with the PBX, wherever possible. 

MAC requests will be submitted via email and will be completed by close of business on the 

following day. The Customer will be notified when the changes have been made. 

The Customer will buy soft MACs in bundles of 100, 200 or 500. When 90% of the purchased 

bundle has been used, the Contractor will advise of the need to buy a further bundle. 

A soft MAC is required per port. A soft MAC can comprise of up to five separate events on 

the same port. 

Hard MACs 

A hard MAC is defined as: 

The supply and installation of minor equipment (e.g. line cards or telephones) 

The connection of analogue or digital circuits 

Automatic Call Distribution (ACD) programming

258 

Network reconfiguration 

Powering the system down/up 

Application and peripheral reconfiguration. 

Hard MACs can be ordered via email on a template supplied. An engineer will be dispatched 

to the site to carry out the work. Lead times are subject to stock levels and the nature of the 

request. Hard MACs are not included in the bundled soft MACs purchased. Hard MACs will incur 

a one-off charge for the engineer’s visit and for the hours spent on the work. Costs for hard 

MACs will be quoted separately. 

Project Moves and Changes 

If a large number of moves and changes (more than 50 within a period of five working days) 

are required, a project MAC can be requested. This may involve both soft and hard MACs, and 

will be quoted for separately. 

Moving Site 

If the Customer moves site during the term of the PBX Maintenance contract, the 

Contractor will need to uninstall the PBX system and reinstall it at the new location. Both the 

uninstallation and reinstallation are chargeable. 

Fault Reporting and Resolution 

Service Level Options 

PBX Maintenance offers four levels of service for fault management: 

Level 1 – Service available five days a week, Monday to Friday (excluding public and 

bank holidays), between 0900 and 1700. There is no obligation to complete work 

outside normal working hours.

259 

Level 2 – Service available five days a week, Monday to Friday (excluding Public and 

Bank Holidays), between 0900 and 1700. There is no obligation to complete work 

outside normal working hours. 

Level 3 – Service available 24x7x365. 

Level 4 – Service available 24x7x365. 

Different service levels can be selected for different sites. An additional maintenance charge 

is payable if an engineer needs to visit the site outside the hours covered by the service level for 

that site. 

Service Level 1 is included in the standard monthly port rental for PBX Maintenance. All 

other options incur an extra monthly charge per port. 

A fault qualifying for PBX Maintenance is a fault on any of the Contractor-maintained 

equipment which prevents calls being made or received. It does not include faults with access 

lines, internal cabling or network faults. 

Fault Priority Levels 

Each fault is allocated a priority level as follows: 

Priority Level 1 — Loss of service: problems that severely affect business-critical services, 

leading to significant loss of business, which therefore require immediate corrective action. 

Priority Level 2 — Loss of quality: degradation of a system or service performance that 

impacts Customer service quality or impairs control or operational effectiveness. 

Priority Level 3 — Not service or performance-affecting: minor problems that do not 

significantly impair the functioning of the system or service to Customers. The problem is

tolerable during normal operations. 

Restoration SLAs by type of fault are as follows: 

Service Level 

Option 

260 

Fault 

Priority 

Target 

Response 

Time 

Target Service 

Restoration Time 

Service Level 1 P1 4 hours 1 working day 

Service Level 2 P1 4 hours 4 working hours 

Service Level 3 P1 4 hours 8 hours 


Service Level 1 P2 4 hours 2 working days 

Service Level 2 P2 4 hours 4 working hours 







Remote Access for Fault Identification and Resolution 

Fault identification and resolution via remote access to the PBX is a standard part of the PBX 

Maintenance Service. The Customer will need to supply, at its expense, the appropriate access 

lines for the PBX and remote access codes for the Contractor. The access line can be either an 

indirect analogue line or a direct connection. The Contractor can supply new lines if they do not 

currently exist. Any PBX that either cannot or does not have an appropriate access line that

allows remote access for fault identification and resolution will incur additional charges to 

support. 

Engineering Support Outside Contracted Hours 

Where a PBX is supported with either Service Level 1 or 2 and an engineer is required 

outside the hours covered, this service is available, subject to availability. There will incur an 

additional charge. 


The Contractor uses the following sub contractors in the delivery of this service; 

261 

Maintel - To provide PBX maintenance. 

Mitel Networks Ltd - Provision of hardware and PBX services 

DIRECTORY ENQUIRES SERVICE OVERVIEW 

The Contractor’s Operator Service portfolio provides capability for callers to access a 

number of services for either information or assistance purposes, using either dedicated 

support agents, and/or an Interactive Voice Response (IVR) system. 

The Contractor provides the call handling service using dedicated support agents based at 

two (2) UK locations. This provides service continuity in the event of the any single site failure. 


This service provides assistance to callers for the following numbers: 

100 – Operator Assistance 

101 – Single Non-Emergency Numbers 

111 – NHS Non-Emergency Number

262 

118*** – Directory Enquiries 

999 / 112 – Emergency Services. 


A further breakdown of each of the above services is provided below for clarity 

100 – Operator Assistance 

In this service, calls made from the Customer are put through to a live agent for handling. 

These can then be onward connected if possible, as required by the Customer. 

101 – Single Non-Emergency Number 

All calls to this number are delivered to the Contractor’s platform. The caller’s location is 

determined and an option provided through an IVR application for the caller either to be 

connect to their local authority as designated by the number the call has originated from; or to 

fallback to a live agent in the event that the caller’s location cannot be determined. 

111 – NHS Non-Emergency Number 

All calls to this number are delivered to the Contractor’s platform and automatically routed 

through to the appropriate NHS Direct authority. 

118*** – Directory Enquiries. 

Calls to 118*** numbers provided by the Contractor are delivered to our call handling 

agents who provide the required information and offer a number of options, including optional

SMS, onward call connect and multiple call enquiries. These calls can be charged on a per call 

and/or per minute basis as designated by the Customer. 

The Contractor’s own branded Directory Enquiries number is 118 099 

999 / 112 

Calls to these numbers are delivered directly to one of the Contractor’s call agents. 

Supporting systems within the OSDQ operation enable the agent to determine the caller’s 

location by either the address (for a fixed line service), or Cell ID (for a mobile service). These 

calls are then routed through to the appropriate emergency authority with the call handler 

staying on the call for a short period to ensure that this is picked up and that there are no 

subsequent issues or enquiries raised by the emergency authority. 


Services are managed by a number of platforms, as detailed below. 

101/111 

The integrated Voice Response technology automatically identify the caller’s location and 

provide the functionality to either route the call accordingly or refer this to one of the 

Contractor’s live agents. The capability is provided in conjunction with the Sub-Contractor 

SciSys with SLAs ensure the Contractors service levels are met. 

100, 118*** and Emergency Services 

263

This is supported by dedicated agents located at two (2) call centres (Birmingham and 

Glasgow). All agents are fully trained and operate on a 24/7 basis. Capability exists for either 

site to continue as a standalone operation in the event of failure of the other site. 

The emergency services platform utilises the OASIS platform. This platform identifies the 

caller’s location and passes the call through to the appropriate emergency service authority 

together with the required location information. 

In order to identify the caller’s location, the Contractor requires mobile 999/112 calls to be 

delivered in an agreed format to enable the cell ID to be identified. Where Customers use the 

Contractor’s 999 service from a fixed line, details of their address must be entered onto a 

Contractor-managed database at the time the service is provided and updated in the case of 

any change of location. 

For the 118*** service, the Contractor accesses a number of third party databases in order 

to provide callers with the required information. These databases provide numbers for both UK 

and overseas Customers. In addition to providing the number information requested, the 

Contractor also enables Customers to choose other options such as onward call connect, 

multiple enquiries and SMS confirmation. 


Monthly performance statistics are available for the 100, 101, 111, Directory Enquiries and 

Emergency Call services, which provide information regarding call numbers, average handling 

times, performance against SLA etc. 

264

Use of Sub-Contractors 


265 

Scisys - Provide IVR capability for our 101 service. 

Capita - Provision, training and allocation of call agents at our DQ/999. 

AUDIO AND WEB CONFERENCING SERVICE DESCRIPTION 

The Contractor offers a range of Audio and Web Conferencing services including self- 

launched, operator and Web-based sharing applications. The services are provided through the 

Contractor’s global conferencing infrastructure. The platform shall be accessed by via 

Freephone and geographical dial-in numbers from both UK and global locations, and any 

Internet-connected PC/Laptop in the case of Web Conferencing. 


Reservationless Audio Conferencing 

Reservationless Web Conferencing 

Cisco WebEx, which includes: 

Cisco WebEx Meeting Centre 

Cisco WebEx Event Centre 

Cisco WebEx Training Centre 

Cisco WebEx Support Centre 

Operator-Assisted Audio Conferencing 

Operator-Assisted Web Conferencing. 

Services Description 

Reservationless Audio Conferencing 

Reservationless Audio Conferencing is an automated, user-managed Audio Conferencing 

service which requires no reservation. The Reservationless Audio Conferencing platform

supports up to 125 connections on a single call and is accessible via a range of global dial-in 

numbers. 

Reservationless Audio Conferencing offers an array of features and functionality that shall 

be controlled using telephone keypad commands. Select features shall be controlled via the 

Online Reservationless Call Manager interface. Call Leaders shall be capable of customising one 

or all calls based on the features they need. 

Reservationless Audio Conferencing shall offer a variety of vertical integration options. 

Vertical integration capabilities provide the ability to integrate Reservationless Audio 

Conferencing with the Contactor’s and any third party’s applications, including: 

266 

Cisco WebEx Web Conferencing 

Microsoft Office Live Meeting 

Adobe Connect 

IBM LotusLive Meetings 

Calendar and contacts through Microsoft Outlook 

Microsoft Office Communicator Server 

Microsoft Lync Online. 

The Contractor will confirm support for additional applications on request. 

User accounts are set up on a named-user basis. Each account holder (Leader) will receive a 

unique Conference Code and secure Leader PIN. Each Leader is provided with one or more 

telephone dial-in numbers, depending on requirement, which they give to Participants to 

access the conference.

To initiate/join a conference call, the Leader (account holder) and Participants dial into the 

Reservationless conferencing platform via telephone. Each caller is required to enter a 

Conference Code. The Leader will enter a further code unique to the Leader. Additional 

complementary services to which the Leader has subscribed will also be available to the Leader. 

Reservationless Audio Features 

267 

Feature Description 

Auto-Continuation Allows Participants to stay on the conference call 

without Moderator attendance. 

Change Leader Allows the Moderator to change their PIN using DTMF 

PIN via DTMF tones. 

Conference Prevent conference calls that have not been 

Breakdown disconnected properly from continuing indefinitely by 

ending the conference once it has reached a set 

duration and number of Participants limit. 

Custom/Branded Record a custom welcome message that is played to all 

Greetings 

Participants who join the conference. 

Custom Entry Turn specified prompts off that are played after users 

enter the conference code or Leader PIN in order to 

quickly enter a conference. 

Dial-Out During a live conference, users are able to dial-out to 

domestic Participants and bring them into the call, or 

users are able to contact the operator to dial-out to 

international Participants. 

Dual Call Flow Owners shall have a primary and secondary language 

Language Prompts choice for the call flow. 

Entry 

Reduce the number of entry tones played when a 

Announcement conference call has started. Quick Start must be 

Limit 

disabled and more than five to ten Participants are on 

music hold. 

Entry/Exit Options Decide how conference Participants are announced 

when they join or leave the conference call. Choose 

from the following options: tone, name announce, name 

and tone, or silence. 

Force Disconnect Clear the conference by disconnecting all Participants 

from the call while the Moderator stays connected. This 

feature is useful when the Moderator has scheduled

ack-to-back meetings. 

Group 

Silence all Participants’ lines by pressing a keypad 

Mute/Unmute command on the telephone. Group mute/unmute helps 

reduce background noise and limits interruptions during 

the conference. 

International The Contractor will supply five methods to connect 

Dialling 

international Participants to a conference call, including 

links through the Contractor’s international call centres, 

toll and toll-free access numbers, a dial-out option, or a 

permanent dial-in number. 

Language Prompts The Contractor will supply multiple language prompts 

for the welcome message/greeting and bridge prompts 

heard when dialling into and participating in a 

conference. 

Leader Express Start the conference by consecutively entering your 

Entry 

conference code followed by * and your Leader PIN 

followed by #. 

Leave and Join a Participants can leave the conference they are 

Conference attending and join a new conference without hanging up 

and redialling the same dial-in number. 

Lecture Mode Mute all Participants during the conference to reduce 

background noise. Participants will not have the 

capability to unmute their lines. 

Lock/Unlock Lock the conference call to prevent additional 

Participants from joining. 

Mobile Assistant Control and access the conference call from mobile 

phones. 

Multiple Leaders The ability to have multiple Leaders on the conference 

call, with access to all Leader controls. 

Online 

Manage the call online at www.cw.com, by scheduling, 

Management starting, presenting and archiving the conference on the 

web. 

Operator 

Create, edit and schedule meetings with pre- 

Assistance determined conferencing information from an Outlook 

toolbar. 

Phone Commands Control the conference with touch tones on the 

telephone keypad. Moderators have the ability to mute 

lines, lock the conference, request operator assistance 

Post-Conference Create an attendance roster of the Participants with an 

Emails 

email record of which Participants were on the phone 

and/or web. Record the total conferencing minutes to 

anticipate call budgets. 

Private Participant Privately announces the number of Participants on the 

Count 

conference call at any Participant’s request. 

Project Accounting Charge back for billable hours by using PAC Codes. 

268

269 

Codes (PAC) The Contractor shall capture the expense centre, 

department or location, and the information will appear 

on the Customer’s monthly invoice. 

Quick Start Begin the conference call by allowing Participants to 

enter the conference before the Moderator starts 

Record and 

Playback 

speaking and before the call officially begins. 

Digitally record Reservationless Audio calls for 

Participants who were unable to attend or for 

Participants who would like to listen to the conference 

call again. For 24/7 availability, the recording shall be 

accessed on the internet or by dialling a toll-free 

number. Users may also purchase a CD, a 

downloadable link and/or a transcription of the 

recording. 

Record 

Pause call recording in progress and then resume the 

Pause/Resume recording when the Moderator is ready to continue. 

Roll Call Prompt Participants to record their name as they join 

the conference call. Any time during the conference, 

names shall be replayed privately to any conference 

Participant. 

Security Passcode The Moderator can select and distribute the security 

passcode for every conference they host. For security 

reasons, a security passcode shall not match the 

Leader’s Conference Code or Leader PIN. 

Self-Mute/Unmute Allow Participants to silence their own lines by pressing 

a keypad command on their telephones. Self 

mute/unmute reduces background noise from, for 

example but not limited to: cell phones and speaker 

phones. 

Sub-conference Pre-selected guests can join a private discussion during 

the conference call. Sub-conferencing allows 

discussion of side issues and other non-public 

Third Party 

Conference Start 

information. 

Participants can bypass the hold music and start the 

conference as the Leader if the Leader is running late 

or unable to host the call at the last minute. 

Waiting Room Participants can be placed on music hold until the 

Moderator is ready for them to join the conference call. 

Reservationless Web Conferencing 

Reservationless Web Conferencing is a multimedia upgrade for Reservationless Audio that 

combines Audio and Web Conferencing features. This service allows Moderators to manage all

aspects of a meeting via the web, deliver PowerPoint® presentations virtually, share any 

document or applications in real-time, take Participants on guided Web tours, conduct real- 

time surveys, quizzes and votes for immediate feedback, and record the voice and web 

elements of a meeting for playback later. 

Reservationless Web Conferencing is an automated, user-managed service which requires 

no reservation. It is comprised of two components: Voice and Web Conferencing service with 

connection via the Internet and telephone; the web portion supports any major browser. 

Moderator functionality is supported on the Windows operating system. For Participants, 

browsers from Windows or MAC-based devices are supported. 

Each Owner/named account holder will be provided a Conference Code (meeting room 

number) and confidential Leader PIN code which allows the Leader to securely open and close 

the web and/or voice portions of a meeting to the Participants. A single meeting supports up to 

125 voice connections and 125 web connections. 

Meeting invitations sent from within Outlook and Lotus Notes are supported. Meeting 

invitations will automatically populate with the meeting access details and are available in 

multiple languages. 

270 


Reservationless 

Meeting Room 

Integration with 

Reservationless 

Audio 

All Moderators receive their own meeting room. Users 

host remote meetings without making reservations. 

Use Reservationless Audio to automatically dial out to 

user

271 

Conferencing 

Active Speaker Moderators and Participants can view who is currently 

speaking in conference via the active speaker icon, or 

determine background noise coming from the specific 

Microsoft Outlook 

and Lotus Notes 

Integration 

Quick Invite via 

Instant Messenger 

Easy Participant 

Access 

Mobile Access with 

iPhone 

Customisable 

Meeting Interface 

Participant audio line. 

Send Participants invitations from Outlook or Lotus 

Notes Calendar. 

Invite Participants to an in-progress meeting using one 

of the following Instant Messenger applications: 

MSN/Windows Live Messenger 

Lotus SameTime Instant Messenger 

Microsoft Office Communicator Instant 

Messenger 

Participants can join from all major browsers and 

operating systems. For presenter capabilities and 

desktop video, Participants must download the 

Reservationless Web application prior to joining the 

meeting. 

Moderators and Participants can join the audio 

conference from the iPhone. Moderators have onetouch 

controls to manage audio Participants (dial 

me/out, mute/unmute), chat with meeting attendees and 

open/close meeting room doors. 

Configurable meeting interface options. 

Reservationless Web stores the panel display for each 

subsequent meeting. 

Participant List View the voice and web connectivity status of 

Participants via the Participant panel in an online web 

meeting interface. 

Audio 

Participants can listen to the audio conference using 

Broadcasting their computer speakers. 

Desktop VoIP Users can join audio via Voice over IP. The integrated 

Connection duplex VoIP connection ‘softphone’ is accessed from 

within the web user interface. Users listen and speak in 

conference via computer speakers and 

microphone/headset. 

Full Screen Mode Set Participants to Full Screen 

Recording Record the audio and/or web portion of a meeting for 

later playback. 

Show PowerPoint Uploaded PowerPoint presentations can be shown via 

Presentations Presentation mode; thumbnails of slides can be viewed 

via the slide preview bar. The presentation slide 

transitions and animations are preserved.

272 

Application 

Sharing 

Allows sharing of application or desktop from a 

computer. Moderators can grant control to authorised 

Participants to edit shared documents while in the 

meeting. 

Web Tour Web tours can be conducted in a meeting which allows 

Participants to navigate and click on the live website. 

Desktop Video Moderators and Participants can view and broadcast 

live video in a meeting using a standard desktop video 

webcam. Participants can control whose video to view, 

or Moderators can control the video broadcast view. 

Full Screen Mode Set Participants’ view to Full Screen so the presentation 

or application that’s being shared fits their entire 

screen. 

Chat Send instant messages to an individual or a group 

without interrupting the meeting. 

Survey/Quiz/Poll Gain feedback from Participants using polling questions 

and publish results in the meeting. Gather feedback 

and test the Participants’ knowledge by creating 

surveys and quizzes that can be displayed in the 

meeting or upon meeting exit/entry. Use reports to track 

survey and quiz responses in Conference Manager. 

Emoticons Participants can provide instant feedback to the 

Moderator via a variety of emoticons included in the 

meeting interface. 

SSL Encryption Enhanced meeting security is provided via 128-bit SSL 

encryption. 

Security 

Add an additional layer of security with Moderator- 

Passcodes created security codes unique to each meeting. 

Close Meeting Prevent unauthorised access to conferences and limit 

Room Door disruptions by closing the door in the meeting interface. 

Stored Documents Upload and access PowerPoint Presentations, surveys, 

quizzes, polls, images, web tours and files that can be 

used in meetings. 

Online Reporting View detailed reports from meetings with information on 

duration of the meeting, number of Participants, 

Participant name and survey/quiz results. 

Archived 

After the meeting Moderators can access and playback 

Recordings hosted or zip archives. Moderators can send 

Participants archive email links and choose to 

password protect them. Detailed reports show who has 

accessed the recorded conference and how long it was 

viewed. 

Cisco WebEx

Cisco WebEx Web Conferencing, provided by the Contractor will provide a suite of solutions 

available either individually or combined, delivering web collaboration and online remote 

meeting capability. 

Solution options include: 

273 


Cisco WebEx Event Centre. 


Cisco WebEx Support Centre. 

The Contractor will also support, as an option, the integration of its audio solutions with 

Cisco WebEx Meeting Centre, Event Centre and Training Centre. 

Audio integration will enable users to send meeting invites with audio details automatically 

included, and to control the audio portion of the meeting from within the Cisco WebEx 

interface, including: 

Schedule and send invitations that automatically populate with the user’s 

Reservationless Audio Dial-In information 

Start instant meetings with the Reservationless Audio information included 

‘Call-in’ or ’call-back’ options for attendees 

View attendee connections, status and type (phone and web) 

Mute/unmute any/all connections; mute attendees upon entry 

Active Talker to see who is speaking. 


Cisco WebEx Meeting Centre share a PowerPoint presentation, demonstrate software, 

show web site navigation and transfer files.

Core WebEx Meeting Centre functionality will provide: 

274 

Integration with Reservationless Audio Conferencing 

Documents, applications, desktop sharing 

On-demand record, edit and playback 

Anyone can Share 

Microsoft PowerPoint with transitions and animations 

Chat, polls, notes, annotation tools 

Multimedia content sharing 

Whiteboarding 

Power Panels, floating icon tray 

File transfer 

Multipoint video 

Automatic configuration 

High capacity 

Display of flexibility Integrated audio options; Active Talker 

Integrated scheduling with Outlook, Lotus Notes 

Available in ten languages 

24x7x365 live End-User support. 

Cisco WebEx Event Centre 

Cisco WebEx Event Centre provides an online auditorium for up to 3,000 attendees. 

In addition to WebEx Core features listed above, WebEx Event Centre includes: 

Advanced custom registration 

Multiple panellists 

Polling, threaded Q&A 

Attention indicator 

Custom enrolment 

Custom email templates

275 

Audio broadcast 

Lead scoring and reporting 

Lead track ID management 

Flash-based attendee interface 

Lead score and prioritised questions. 


Cisco WebEx Training Centre delivers live, interactive training sessions allowing the user to 

share presentations, software and websites, test and poll Participants, and hold breakout 

sessions. 

In addition to WebEx Core features listed above under the WebEx Meeting Centre 

description, WebEx Training Centre includes: 

Advanced custom registration 

Multiple panellists 

Polling, threaded Q&A 

Attention indicator 

Instant feedback indicators 

Hands-on labs 

Testing and grading 

Breakout rooms 

Predefined breakout sessions. 

Cisco WebEx Support Centre 

Cisco WebEx Support Centre provides operational staff capabilities to view, diagnose and 

solve problems online in real-time. The Service will provide the capability to transfer End User 

files for off-line analysis and, with end user permission, the capability for the operational staff

member to run the End User’s desktop and download patches or updates to the End User’s 

computer. 

Core Functionality: 

276 

Web Automatic Call Distribution (ACD) 

Click To Connect 

System info 

Reboot/reconnect 

Advanced file transfer 

Log on as an administrator. 

Operator Assisted Audio Conferencing 

Operator Assisted Audio Conferencing is an operator-assisted, reservations-based service. 

The Customer will be required to pre-book such calls by contacting the Contractor’s 

reservations desk. Operator Assisted audio services are available as: 

Operator Assisted 

Provides a reservations-based Audio Conferencing service where the operator greets 

Participants as they dial in and place them into the meeting. Call size is restricted to 25 

Participants. Standard operator-assisted features include: Direct Entry, Email/Fax Confirmation, 

Entry/Exit Tone, Leader First, Leader Last, Name Announce, Music Entry, Password, Roll Call, 

and Dial In and Dial Out options. 

Direct Entry 

Provides a reservations-based Audio Conferencing service with operator assistance. 

Participants dial in and are placed straight into a meeting on hold with music. Speakers dial in

via a different number and are greeted by an Operator. The Operator is available to assist with 

Participant control if required. Call size is three to over 10,000 Participants. 

Direct Event 

Provides a reservations-based Audio Conferencing service with operator assistance and 

Participant pre-registration via the Internet. Accepted registrants receive the event call access 

details via email, including a unique registrant ID required to access the call. Participants dial in 

and are placed straight into the meeting or on hold with music. Speakers dial in on a different 

number and are greeted by an Operator. Call size is 25 to 1,800 Participants. 

Premium Event 

Provides a reservations-based Audio Conferencing service with operator meet and greet. . 

Participants dial in and will be greeted by an Operator who places them into the meeting. Call 

size is three to over 10,000 Participants. 

The features available to add to Operator-Assisted call types are listed below: 

Premium and Value-Added Features 

277 

Online Reservations – Provides the facility to reserve a conference online. 

Toll-free Reservations – Provides the facility to reserve a conference over the 

phone via a Freephone number. 

Event Services – Provides specialist event service packages. This Option 

includes enhanced registration, full event management and use of branding. 

Event Registration Services – Provides the facility to track Participant 

attendance, with options for Participant information gathered at time of registration, 

email reminders and custom-scripted messages. 

Recurring Call Scheduling – Provides the facility to schedule recurring events. 

Project Accounting Codes (PAC Codes) – Provides information on conferencing 

use.

Email Confirmation – Provides confirmation of the conference details by fax or 

email. 

Text Reminders – Provides the facility to send Participants event reminders by 

SMS. 

Streaming – The option to stream a conference via the Internet and to archive the 

conference for later playback. 

Encore – The option to digitally record the call for post-conference playback. The 

user will access recording by dialling a toll, toll-free or International Toll-Free 

(ITFS) number. 

CD/Taping – The option to capture the recorded event on a CD, cassette, 

microcassette or DAT. 

278 

Digital Recording (WAV) – The option to record the call as a WAV file. 

Transcription – The option to receive a written record of the audio content in 

email or hard copy format. 

Translation – The option to translate calls into other languages, presented in a 

written document. 

International – The option to allow entry to international Participants. 

Dial Out – The option for an operator to dial out to conference Participants. 

Lecture Mode – Provides the facility to mute all Participants’ lines during the 

presentation. 

Music Entry – The option for music on-hold until the conference begins. 

Entry/Exit Tones – The option to play a tone when a Participant enters or exits 

the conference. 

Roll Call – The Facility to announce all Participants who have joined the call. 

Leader First/Last – The option where the Leader joins the call first or last. 

Sub-Conference – The facility to allow speakers and coordinators to join a private 

meeting room before the conference begins. 

Communication Line – The facility to allow a Moderator to speak with an operator 

outside of the main conference. 

Promotional Tape – The option for organiser-specific content to be played to 

Participants whilst on hold. 

Interpretation – The option for either consecutive or simultaneous interpretation 

Custom Script – Option for an organiser-specific message to be read by an 

operator before, during or after the conference. 

Group Mute/Unmute - The option to allow groups to silence telephone lines.

Self-Mute/Unmute – The option to allow Participants to silence their own 

telephone lines. 

Leader View – Provides a web-based interface to show a real-time view of the 

Participants on the call. 

Polling – Provides the facility for questions to be asked and for Participants to 

respond using telephone keypads. 

Question and Answer Session – The facility to allow Participants to speak to all 

on the conference. This facility is coordinated by the operator. 

Participant Report – Provides Participant details, ’on-the-line’ times, phone 

numbers and up to four additional pieces of information. 

Operator-Assisted Web Services 

The Contractor’s Operator-Assisted Web Services will provide an extra service available in 

addition to Operator-Assisted Audio. The Contractor’s Event Managers will be the point of 

contact for all streaming event and web requirements. Event Services are available in three 

core packages and offer service support before, during and after the event. These include: 

279 

Consultation 

Coordination 

Training 

Rehearsals 

Live event moderation 

Report delivery. 

Event service packages are available as follows: 

Operator-Assisted Web Premium Package 

Pre-Event Support 

Event planning and preparation, scheduling, best practices and tips (checklists by request), 

content management (for example: uploading presentations, polling questions), Registration 

support, Custom event scripting, presenter training and event walk-through.

Event Rehearsals 

Live event support, event moderation, speaker introductions and transitions (based on 

Customer request), presenter and attendee technical support, Q&A/chat management, 

optional recording assistance. 

Post-Event Support 

Conduct post-event speaker debrief, report compilation and delivery, optional file creation and 

editing services. 

Operator-Assisted Web Express Package 


Event coordination – initial needs assessment and plan, scheduling (audio/web, public or 

private), invitation/announcement assistance, upload content (for example: presentations, 

question sets), conduct event run-through with presenter(s) (one hour). 

Live Event Support 

Provide event monitoring and support (two hours), record and/or broadcast live event. 


Post-event report package, recorded event management. 

Operator-Assisted Web-Ready Package 


Event coordination – initial needs assessment and plan, scheduling. 

280


Event moderation, speaker introductions and transitions (based on Customer request), 

presenter and attendee technical support. 


Report compilation and delivery. 



All accounts will be established on a named-user basis. Each account holder (Leader) 

receives a unique Conference Code and secure Leader PIN. The Leader is provided with a range 

of telephone dial-in numbers which they give to Participants to access the conference. 


Provide event monitoring and support (two hours), record and/or broadcast live event. 


Post-event report package, recorded event management. 


Call Support Team 

The Contractor’s Audio and Web Conferencing support desk will be available via phone, 

Internet and e-ail 24x7x365. 

281

The Contractor will assign an operator for all operator-assisted call. The operator will 

contact the call host/presenter at least 24 hours prior to the call to confirm call requirements 

and features. 

Call Support Team Members 

Reservationists – The Contractor will supply a dedicated 24x7 reservation line. 

Event Service Operators – The Contractor will supply, as an additional option, a call event 

operator. 

Reservations 

The Contractor’s reservations desk is accessed 24x7x365 by telephone or email. 

Support Hours 

The Contractor’s Event Services group supports events and event-related professional 

sessions during in-region business hours: EMEA team, between 0745 and 2000 GMT. 

Events and/or professional sessions which occur outside support hours will be subject to an 

additional charge. 

Reporting 

Reservationless Reporting 

The Contractor will supply an online account management portal allowing the Customer to 

manage accounts, access online reports and/or make reservations. 

282

The online portal will support two levels of access: End User/Owner and Administrator. 

Operator Assisted Reporting 

The Contractor will provide an online reporting feature for post-event analysis. This will 

include: 

283 

Identity information 

Access to webcast modules 

Content 

Poll responses 

Questions (in a live environment) 

System details 

Access times as they pertain to webcast delivery. 

Reports can also be generated for email reads, click-throughs and email forwards. 

Reporting requirements will be determined with the Customer, with data collection and 

analytics requirements for the project defined, and the ability to deliver assessed, at the time of 

request. 

Reporting details are available for viewing via the online portal and are downloadable in 

CSV file format. 

More Reporting 

Through the online portal, Customer administrators will have the facility to run reports and 

view invoices online. Reports include:

284 

Audio and Web Usage Activity (for the last four months: Participant count, charges and 

features) 

Greatest Attributes Report (top 50 owners with highest number of conferences, costs, 

etc.) 

Stewardship Report (comprehensive report on all products: usage, costs, conferences 

held for current calendar year) 

Minute Report (available at company, account or owner level; calls up most recent four 

months of activity) 

Billing information will be updated monthly following an invoice. 

The Customer will be able to select online reports and download in HTML or CSV file format. 



Intercall (Genesys) – To provide audio and web conferencing. 

MAILBOX SERVICE DESCRIPTION 


The Contractor shall provide an enterprise class Mailbox Service based on Microsoft 

Exchange 2010 which shall include: 

Inbox 

Calendar 

Contacts 

Tasks 

Folders 

Mobile Access.

The Contractor’s Mailbox Service, offers a unified platform for all End Users with the 

appropriate controls to separate Customers. The system is an adaptation of Exchange, 

providing web portal administration and enabling Customers to retain control of End User 

management. Portal controls shall be managed using role-based access, with administrators 

controlling aspects such as the creation of new End Users and the editing or deletion of 

accounts. This common service shall enable a single, unified security policy to be applied to all 

users across multiple governmental departments. 


285 

Mailbox 


Base service 

The Mailbox Service shall deliver email functionality to End Users by providing mail storage, 

transport services, hygiene services and journal services as well as a user administration portal 

providing user management functionality. 

Mail storage shall be provided using a quota system; the solution can support different 

quota options 

Transport services shall provide the capability for End Users to send and receive email 

messages within the Mailbox Service and also to and from external users 

Hygiene services shall provide protection from viruses or malware in email messages 

and where possible clean or remove infected message parts 

Mailboxes shall be provided to store both IL2 and IL3 data with clear separation 

between the hardware used for the different Impact Levels. 

Enhanced service

End Users shall have access to additional functionality. This shall be subject to charges in 

addition to the base Mailbox Service call-off. The additional functionality available shall include: 

286 

A 90 day deleted item retention period, allowing for the recovery of deleted items and 

discovery of items for up to 90 days following their deletion. The solution shall also be 

configured to support longer retention periods if required by the Customer. 

Definition of custom retention policies. 

Access to the Mailbox Service shall be made available over the PSN network for client and 

web access, and via the Internet for mobile access (BlackBerry/ActiveSync). Device encryption 

shall be required on mobile devices used to access the Mailbox Service. In addition, mobile 

devices used to access IL2 and IL3 mailboxes shall be limited to those approved by CESG. 

Mailboxes shall be protected using Exchange 2010 data replication to provide four copies of 

each mailbox database to protect for local server failure as well as complete site failure. 

A delegated administration portal is provided to allow Customer administrators of the 

Mailbox Service to manage their End Users’ accounts without requiring access to Exchange 

management tools or having any experience of using them. The web-based portal shall provide 

role-based access to allow distribution of End User management tasks, including: 

Create user account 

Set user permissions 

Reset password 

Suspend or reinstate account 

Unlock account 

Verify End User identity. 

Technical Solution

Infrastructure of the Mailbox Service 

The Mailbox Service shall be deployed into a shared hosting environment supporting other 

secure application services. Infrastructures for IL2 and IL3 are completely separate. A Disaster 

Recovery (DR) environment shall also be provided at a second geographically separate data 

centre. The DR site shall be deployed based on a single line of kit (N resiliency). 

Performance Metrics 

End Users shall have access to their mailbox data via the out-of-the-box Exchange access 

protocols: primarily Outlook Web App and Microsoft Outlook for desktop access, and Microsoft 

ActiveSync for mobile access (IL2 only). Additionally, BlackBerry access shall be provided for 

access to IL2 and IL3 mailboxes if required. The service for each access method shall be 

delivered using the standard out-of-the-box functionality with no customisation or bespoke 

coding. 

The client access methods shall all provide access to the mailbox and global address list, and 

shall be differentiated in use: 

287 

Microsoft Outlook is the End User client installed on End User desktops. It provides 

access to the user’s own mailbox, calendar, tasks, contacts, address books and notes, as 

well as access to other users’ data that has been shared with them. 

Outlook Web App (OWA) is a browser-based email client that provides an email and 

calendar functionality. Sharing with other users is limited to the calendar functionality. 

Embedded in OWA is the Exchange Control Panel (ECP) which provides administration 

facilities for both users and administrators. Subject to the correct permissions, ECP 

allows for: 

o User updates of contact information (address, telephone etc.)

288 

o Application to join a distribution group 

o Creation of distribution groups 

o Setup of mail rules 

o Changing preferences for spelling, calendar display, message format etc. 

o Configuration of block and allow lists 

o Searching for email across multiple mailboxes 

o Creation of external contacts 

o Management of other user information. 

BlackBerry is the brand name of a range of email devices from Research In Motion (RIM) 

that provides the End User with a copy of their email and calendar, as well as access to 

contact information via searching in the global address book (GAL). 

Exchange ActiveSync (EAS) is Microsoft’s synchronisation protocol primarily used with 

Windows Mobile devices and other vendors smartphones via license. Depending on the 

vendor’s implementation it allows synchronisation of the user’s mailbox (including subfolders), 

calendar, contacts, tasks and the ability to search the GAL. 

Resilience and Service Level Targets 

The Mailbox Service shall be delivered from two geographically separate data centres 

initially, with one being the primary (active) site and one being the DR (passive) site. All data 

shall be replicated between the two sites providing data availability following a site disaster. 

The primary site shall include additional redundancy to limit the requirement for activation of 

the DR site. The Mailbox Service shall have an Availability Service Level Target of 99.99% during 

each Service Measurement Period 

Technical Interface and Standards 

The Mailbox Service shall be accessible using: 

Outlook 2007 and later versions 

Internet Explorer

289 

Mozilla Firefox. 

The browser versions supported are n and n-1, where n is the latest version released six 

months ago. The service may work on other browsers however the Contractor has not 

conducted testing on browsers other than those listed above 

details 

Interface Information 

Customer Via Outlook Web Apps (HTTPS), Outlook thick client using 

Interface physical 

Interface protocol 

standards 

Source Platforms 

Supported for Migration 

Outlook Anywhere or via the Contractor’s Service Desk (telephone 

or email) 

N/A 

HTTPS 

Microsoft Exchange 2003, Exchange 2007, Exchange 2010, 

GroupWise 8 and Mirapoint. 

review. 

Additional source platforms may be supported but would need

Customer Interface Requirements 

Customer hardware 

required 

Customer software 

required 

290 

PC or equivalent for required Customer software 

Web browser to access service interface. 

Other client software as appropriate to Customer requirements 

and Service capabilities (e.g. Outlook Client).

Technical Standards 

Industry standards ISO/IEC 15408 (Common Criteria). 

291 

The Contractor’s internal lockdown and build standards (based 

on industry best practice). The administration portal is developed 

using the following World Wide Web Consortium (W3C) 

standards: XHTML 1.*, CSS 2.1 and JavaScript 1.6. 

The custom code is Microsoft ASP.Net Ajax which generates 

XHTML 1.0 (Transitional) compliant code. 

Protocol standards HTTP, HTTPS, IP (RFC 791), SMTP (STD 0010 and RFC 2821), 

Proven 

compatibility with 

Internet Mail (RFC 2822) 

Standards-compliant SMTP Relay Software: Exim, Sendmail, 

Microsoft Exchange, Lotus Notes (with any required SMTP 

modules installed and configured) 

The Mailbox Service shall be based on Microsoft Exchange which is designed to provide 

accessibility for people with disabilities. The custom portal shall be developed using the W3C 

Web Accessibility guidelines, aiming for AA compliance. The Contractor shall ensure that the 

Mailbox Service is accessible by the Customer through a range of methods, including standards- 

compliant Internet browsers, client-based email software and mobile devices. The Mailbox 

Service shall be accessible from both thick and thin clients with no loss of functionality.

Migration Delivery Mitigation 

The Contractor shall provide tools, documentation and support services to enable End Users 

to migrate email documents (including email messages, contacts, tasks and calendar entries) 

from common industry email platforms into the Mailbox Service. This process requires careful 

planning and support to ensure it is achieved in a robust and secure way. The Contractor does 

not recommend providing End Users with the tools to perform migrations themselves and 

suggests that this is done in conjunction with the Contractor. 

End User migrations shall be managed as projects using PRINCE2 methodology. In order to 

support large-scale email migrations the Contractor shall have a migration team and shall use a 

suite of supporting documentation and scripts. This team shall work closely with the Customer 

to prepare it for a migration including how to deal with access to local .pst files and applications 

that are integrated with their local mail exchange. 

The Contractor shall use a tool from Transend to support migrations of Customers to a 

common target platform. Advantages of this tool include: 

292 

No requirement for Active Directory trusts between source and target platforms 

No modification of source mailboxes by the migration process (read only access) 

No source ‘admin’ permissions required for Exchange migrations. 

The tool the Contractor uses shall ensure that replies to migrated emails do not result in a 

non-delivery report (NDR). This is known as replyability.

If End Users carry out their own migrations they do not have the benefit of address re- 

writing. When the Contractor migrates End Users the email addresses in their mail and calendar 

are updated for their migrated colleagues allowing users to reply seamlessly and so integrity of 

attendee information for meetings is also maintained. 

The main factors used in calculating the cost of migrations include: 

293 

Number of source domains 

Number of End Users 

Whether the source is a common mail service 

Bandwidth between the source and destination. 

The Contractor’s migration communication strategy ensures all parties are aware of the 

schedule, processes, risks and issues. The Contractor can tailor reporting outputs to meet the 

Customer’s requirements. The Contractor shall confirm the scope and costs associated with any 

migration from common email platforms to the Mailbox Service with the Customer prior to 

signature of the Call-Off Form. 

The Contractor shall provide support services to enable End Users to migrate email 

documents (including email messages, contacts, tasks and calendar entries) into the Mailbox 

Service. The portal shall provide access to training material and the Contractor shall provide 

“train the trainer” sessions where necessary. 

The Contractor shall confirm the scope and costs associated with any migration from 

uncommon email platforms to the Mailbox Service with the Customer prior to signature of the 

Call-Off Contract.



294 

Microsoft – for provision of software and licensing. 

COLLABORATION SERVICE DESCRIPTION 


The Contractor’s Collaboration Service shall provide End User productivity tools at both IL2 

and IL3. This accredited service shall provide an integrated knowledge management and 

communication solution for users across and within Government bodies. 

The service shall provide secure community workspaces, with document management, 

storage, forums, wikis, skills profiles, instant messaging, and presence awareness along with 

voice and video options. The service shall enable: 

Customers to build and search an accessible knowledge pool 

Multiple communication options, including instant messaging with presence awareness 

and online meeting spaces 

A ‘pay as you go’ model to provide visible and predictable costs without the need for 

capital investment 

Secure information sharing. 


The Secure Collaboration Service comprises three core service offerings: 

Collaboration: Profiles, Skills & Connections 

Collaboration: Secure Communities 

Unified Communications: Microsoft Lync 

Service Description

The service allows users to find and share information securely through appropriate role- 

based access controls. The solution shall deliver an End User-centric service through use of 

tagging, rating, activity flows and contacts, thereby improving the ability to find appropriate 

information. Components of each service offering is summarised below: 

295 

Collaboration: Profiles, Skills & Connections 

o Connect with other users 

o Find users based on profile/skills 

o See contacts’ activity 

o Search and view public content. 

Collaboration: Secure Communities 

o Public and private communities 

o Document management 

o Wikis, blogs, forums, polls 

o Intuitive and customisable. 

Unified Communications: Microsoft Lync 

o Instant messaging 

o Presence awareness 

o Requires thick client 

o On-net voice and video. 

If required by the Customer, the Contractor shall provide the secure collaboration Service 

on a pay per End User per month basis, with no upfront cost. 

Basic Secure Collaboration Space 

The Contractor’s secure collaboration service shall provide an integrated knowledge 

management and enhanced communication solution for users, both across and within 

Customers

The Contractor shall provide access for Customers to register their End Users. The 

Collaboration Service shall link colleagues, allowing them to access information and share 

profiles and experience if they choose to. 

End Users shall be able to work across and within Customer boundaries, using, for example 

document sharing, managing projects online and connecting with people. 

Collaboration Technical Solution 

The collaboration platform comprises a number of components as outlined below: 

Collaboration: Profiles, Skills, Connections & Secure Communities 

296 

Telligent Evolution Enterprise 

Microsoft SharePoint. 

Advanced Unified Communications 

Microsoft Lync. 

Delegated Administration 

A custom web portal for administration and enhanced control. 

Users will be allocated an average 250MB storage limit, although this average can be shared 

across each Customer’s user base. Options are also available to procure additional storage. 

Access to the Collaboration Service shall be made available via web browser. 

A delegated administration portal is provided to allow Customer administrators of the 

Collaboration Service to manage their End Users’ accounts without requiring access to back-end

management tools. The web-based portal shall provide role-based access to allow distribution 

of End User management tasks, which shall include: 

297 

Creation of user account 

Setting of permissions 

Resetting of passwords 

Suspension/reinstatement of user account 

Unlocking of user account 

Verification of End User identity. 

Infrastructure of the Collaboration Service 

The Collaboration Service shall be deployed into a shared hosting environment supporting 

other secure application services. To ensure complete separation between the security levels 

there are separate infrastructures for IL2 and IL3. A Disaster Recovery (DR) environment shall 

also be provided at a second geographically-separate data centre. The DR site shall be deployed 

based on a single line of kit (N resiliency). 

Resilience and Service Level Targets 

The Collaboration Service shall be delivered from two geographically-separate data centres 

with one being the primary (active) site and one being the DR (passive) site. All data shall be 

replicated between the two sites, providing data availability following a site disaster. 

Additionally, high availability architectures have been used in the primary site to limit the 

potential for requiring the DR site to be activated. This design enables the Collaboration Service 

to meet the Availability Service Level Target of 99.99% during each Service Measurement 

Period.

Technical Interfaces and Standards 

The Collaboration Service shall be accessible using: 

298 

Internet Explorer; 

Mozilla Firefox. 

The browser versions supported are n and n-1, where n is the latest version released six 

months ago. The service may work on other browsers however the Contractor has not 

conducted testing on browsers other than those listed above 

Details 

Interface Information 

Customer Via browser (HTTPS), Lync thick client or via the Contractor’s 

Interface Physical 

Interface Protocol 

Standards 

Service Desk (telephone or email). 

Also, to receive service alerts and other communications, a 

Government-secure email account 

N/A 

HTTPS

Customer Interface Needs 

Customer Hardware 

Required 

Customer Software 

Required 

299 

PC or equivalent for required Customer software. 

Web browser to access service interface. 

Lync thick client to access the Lync service. 

Technical Standards (without prejudice to Schedule 11 (Standards) of the Framework 

Agreement) 

Industry Standards ISO/IEC 15408 (Common Criteria). 

The Contractor’s internal lockdown and build standards (based 

on industry best practice). The administration portal is developed 

using the following World Wide Web Consortium (W3C) 

standards: XHTML 1.*, CSS 2.1 and JavaScript 1.6. 

The custom code is Microsoft ASP.Net Ajax which generates 

XHTML 1.0 (Transitional) compliant code. 

Protocol Standards HTTP, HTTPS, IP (RFC791), SMTP (STD0010 and RFC2821), 

Customer Configurables 

Internet Mail (RFC2822).

The delegated administration functions shall provide the following Customer configurables 

for approved End Users: 

300 

Creation of user account 

Setting of user permissions 

Resetting of passwords 

Suspension/reinstatement of account 

Unlocking of account. 

Collaboration Service Approach 

The Contractor shall manage the Collaboration Service through the use of best practice 

operating model that is aligned with ITIL v3. The operating model shall combine dedicated and 

aligned shared functions to deliver the Collaboration Service, technical and account 

management requirements. 

Collaboration Service – Stakeholder Roles and Responsibilities 

The roles and responsibilities for each of the key Collaboration Service stakeholders are 

outlined below: 

Role 

Contractor 

Provisioning and management of the Collaboration Service 

Overall management of the engagement process from start to finish 

Incident, problem and change management 

Reduce the occurrences of repeatable incidents by effective investigation 

and resolution of root causes 

Manage and plan service capacity to meet current and predicted 

performance requirements and agreed Service Level targets 

Provision of service meeting the agreed security requirements 

Upgrades and patching for Contractor-managed devices 

Service reporting 

Communication of change and outage windows 

Code of Connection input

Role 

Customer 

301 

Full management of the Contractor-delivered services and devices 

Production of a Customer information pack detailing the interfaces and 

any Customer configuration required 

Publication of standard interface options and mechanisms for PSN 

Provide Managed Security Services to HMG standards (e.g. GPG13). 

Provide any additional security required between PSN and the Customer’s 

environment 

Change approval (Customer changes) 

Respond to requests for approval, authority to proceed or assistance in a 

prompt and timely manner 

Acceptance of any change or outage windows 

Code of Connection completion 

Code of Connection adherence 

Provide the Contractor with access to appropriate members of the 

Customer’s staff 

Provide such documentation, data and/or other information that the 

Contractor reasonably requests, provided that such documentation, data 

and/or information shall be available to the Customer and shall be 

authorised for release by the Customer 

Provide access and use of the Customer’s premises, facilities, including 

relevant IT systems as shall be reasonably required by the Contractor 

Filling roles, where defined, in the governance structures and participating 

in the associated meetings and reviews relating to the Collaboration 


Defining rules where business rules, or changes to business rules, require 

implementation and testing by the Contractor and defining such rules in a 

format as agreed between the Contractor and the Customer 

Ensure that End Users and other integrated service providers are made 

aware of their obligations to adhere to the necessary operating 

procedures and practices that the Contractor provides and such other 

obligations that may be required for the purposes of data security and 

data protection. 

Information Governance 

Use reasonable endeavours to ensure that the Customer’s staff do not 

knowingly introduce viruses or use illegal software that might adversely

Framework 

Authority Role 


302 

affect the Collaboration Services. 

Change approval (framework or community-wide changes) 

Code of Connection authoring 

Code of Connection approval 

Provision of Accreditor resource 

Accreditation of the Collaboration Service. 

Testing 

Supporting the Contractor’s test team with user acceptance testing as 

appropriate. 

Information Governance 

Cooperating with the Contractor on the production of the security policy. 

Standards 

Communicating to the Contractor, in a timely manner, all changes to any 

of the standards that the Contractor shall be obliged to adhere to in the 

delivery of its Services. 


Microsoft – for provision of software and licensing. 

HOSTING SERVICE DESCRIPTION 

General Description 

The Contractor shall provide a range of hosting services, allowing Customers to outsource 

some or all of their hosting requirements.

The Contractor’s Hosting Service includes a portfolio of computing, security, storage and 

infrastructure components that can be integrated to provide a secure and managed 

environment from which to deliver a wide variety of web-based and other applications. 

Customers can choose to take either dedicated services, where the computing, infrastructure, 

storage and security resources are wholly provided to meet the requirements of an individual 

Customer, or equally they can consider the use of shared or cloud-based services, where the 

resources are shared between different Customers. 

The Contractor supports a number of technologies within the Hosting Services portfolio, 

including Virtualisation, which enables Customers to share physical computing platforms and to 

obtain optimum utilisation of hardware. 

The Hosting Service shall provide one or more locations in the UK with a physical 

environment that Customers or their authorised agents can utilise. The Contractor operates 

sites are categorised as Critical National Infrastructure, meet or exceed Tier III and will offer up 

to 99.99% availability with respect to power and environmental controls. 


The Contractor’s Hosting Service shall include the following sub-categories of service: 

303 

Collocation 

Secure Managed Hosting 

Website services 

Infrastructure-as-a-Service 

Flexible Computing.

Detailed Description 

Collocation 

The Contractor’s Collocation Service provides data centre facilities. Three locations are 

capable of supporting the Hosting Service up to IL4 (Impact Level 4 – 4 – 4 for Confidentiality, 

Integrity and Availability). The Contractor shall support a range of options including dedicated 

rooms, caged areas and shared hosting suites. 

The Collocation Service includes the following elements: 

304 

Provision of secure building space 

The choice of multiple secure data centre facilities as described above 

The provision of environmental services appropriate to support and run Customer 

equipment. 

Standard power and cooling densities per rack are up to 2.4KW. Dedicated power and 

cooling solutions are also available subject to Customer requirement. 

Secure Managed Hosting 

The Contractor’s Secure Managed Hosting Service includes a portfolio of computing, 

security, storage, backup and infrastructure components that can be integrated to provide 

bespoke Customer solutions. 

The Contractor shall work with the Customer to identify and design an appropriate hosting 

solution, based on the Platform Service components, to support the Customer’s requirements. 

This will also include considerations such as resilience and disaster recovery. The Contractor

provides all its Hosting Services in a range of resilience options including single site, 

geographically separate site, and active and passive standby provisions. 

The following sections provide more detail on the elements of the Service: 

Internet Access 

Connectivity between the Customer’s Hosting Infrastructure and the Internet. 

Infrastructure Services 

The provision, installation, maintenance and management of network equipment. Specific 

Service options include: 

305 

Switching management 

Routing management 

Load balancing management. 

Computing Platform Services 

The provision, installation, maintenance and management of computing hardware 

platforms. The following platforms are supported under the Service: 

HP DL and BL ranges 

Sun T-series 

Cisco UCS. 

Additional platforms will be considered on a case-by-case basis. 

Operating System Services

The provision, installation, management and administration of Operating Systems on 

Contractor-managed hardware including Clustering Management. The following Operating 

Systems are supported under the service: 

306 

Windows 

Solaris 

Red Hat Linux 

VMWare. 

The Contractor will provide secure, hardened builds for the Operating System environments 

according to the Impact Level of the Service. 

Monitoring and Reporting Services 

The service includes: 

Non-Agent-based monitoring of Hosting Equipment, Operating Systems and Applications 

Agent-based monitoring services offer in-depth monitoring of a Customer’s Hosting 

Solution 

Operating System monitoring 

SNMP collection. 

Security Services 

The provision, installation, maintenance and management of security devices and services. 

The service encompasses: 

Managed firewalls 

Managed intrusion detection 

Managed proxy servers 

Managed IDS appliances.

Backup and Restore Services 

The Contractor’s Backup and Restore Service offers a fully-managed service based on either 

a shared or Customer-dedicated infrastructure. The Service includes backup to either Tape or 

Virtual Tape library and is offered on a per-Gigabyte backup per-month basis. 

Storage Services 

The Contractor offers both dedicated and shared storage solutions. The Service involves the 

provision, installation, maintenance and management of the storage, which is presented to the 

Customer’s hosting architecture as a LUN of a given size and RAID configuration. The shared 

service is offered based on a per-Gigabyte per-month basis. 

Anti-Virus Protection 

All servers shall be installed with Sophos Anti-Virus software which shall be automatically 

updated from a secure source. 

Website Services 

The Contractor’s Managed Web Application and Platform Service is specifically designed to 

host Customer web-based applications that can be accessed and used by multiple public sector 

Customers. The Managed Application Service is based on the following principles: 

307 

The provision of a shared and accredited hosting platform suitable to support a range of 

applications that can be accessed via the PSN and the Internet. 

The Service shall include physical infrastructure support, Active Monitoring and support 

of the environment and infrastructure 24/7.

308 

Management of security – including scanning for viruses, damage repair and updating 

virus checking software – backup of applications, and taking calls from the Customer 

and occasionally End Users. 

The platform shall be accredited to support protectively marked data up to RESTRICTED. 

The platform shall be provided along the lines of a hybrid Infrastructure-as-a-Service 

(IAAS) and Software-as-a-Service (SAAS) model, in that it will provide both the 

infrastructure – including computing resources – and the underlying application 

technologies to support a range of custom-written applications. 

The platform shall include both production and pre-production environments to allow 

applications to be tested before full deployment. 

The platform shall allow Customers to securely run pilot applications subject to 

application accreditation or to support fully-fledged applications which may have 

previously been hosted by the Customer. 

The Contractor shall work with the Customer to assess pre-existing applications for 

compliance with the Contractor’s Platform and shall assist Customers during the 

deployment and acceptance testing of applications on the managed Service. 

All applications shall be deployed in the Contractor’s pre-production environment 

before being deployed in the production environment. The Contractor shall work with 

the Customer to define an operational acceptance testing strategy and to create scripts 

to verify new application stability and coexistence with other applications in the hosted 

environment. 

The service includes all the necessary ancillary applications required to develop, deploy, 

deliver and manage a wide range of web-based applications. Our current Managed Application 

platform is based on the following ancillary applications, but has been designed to support all 

well-known technologies, including: 

Lotus Domino 

WebSphere 

MySQL 

IIS. 

The Contractor currently uses the following development and deployment tools: 

Bugzilla

309 

Compuware OptimalJ 

Eclipse 

Enterprise Architect 

Mercury Quality Centre 

SVN 

Visual Source Safe. 

The Contractor’s Managed Application service shall include the registration of appropriate 

addresses (publicly accessible or internally accessible) necessary to enable applications to be 

accessed from the appropriate domains. This will include addresses of services and applications 

provided by other Contractors. 

Flexible Computing 

The Contractor’s Flexible Computing Service allows Customers to purchase cloud-based 

compute capacity, in addition to or separately from traditional Contractor provided hosting 

services. 

Specifically, Customers are able to order virtual machines (known as Flexible Instances) 

through a self-service ordering portal. 

The Service is physically provided on a virtualised multi-tenant compute infrastructure 

which has been pre-built across two geographically diverse data centres. 

Isolation is achieved using a combination of VLANs (Virtual LANs) and isolated ‘partitions’ or 

‘contexts’ in the various devices that make up the core architecture – specifically the firewalls, 

load balancers, server and storage platforms. The primary technologies used in the compute 

layer are Cisco UCS blade servers running VMware vSphere. This is supplemented operationally

y VMware vMotion (Virtual Machine mobility), HA (High Availability) and DRS (Distributed 

Resource Scheduling). 

The Service shall provide the Customer with Virtual Machine template options called 

Flexible Instances. The Contractor will offer one of nine Flexible Instance options from a 2Ghz, 

single vCPU with 2GB of vRAM to a 2Ghz, eight vCPUs option with 32GB of vRAM. 

The Service shall offer the following choice of Operating Systems: 

310 

Red Hat Enterprise Linux (32 & 64 bit editions) 

Windows 2003 R2 

Windows 2008 R1. 

The Service shall offer the following support options: 

Premium 

Standard 

Distributed Protection. 

The Premium Flexible Instance shall be monitored 24/7/365 by the Contractor up to the 

Operating System. The Premium Flexible Instance also includes additional services such as 

Antivirus, Patch Management and an option for Data Backup and Archiving. 

For Standard Flexible Instances, the Customer shall be responsible for the management and 

support of the Operating System. There is no Antivirus or Patch Management with this 

unmanaged option, and Backup services cannot be requested for Standard Flexible Instances.

Distributed Protection provides dual site resilience. Intelligent DNS network devices, which 

monitor server availability and response times, allow requests to be distributed across both 

data centres to the most appropriate Flexible Instances or site. 

The Contractor’s Flexible Computing Service is based on the Cisco UCS (Unified Computing 

Systems) compute product line, integrated with new, dedicated networking and storage 

environments into both Swindon and Leeds data centres. 

All traffic into and out of the Flexible Computing platform shall traverse the perimeter 

firewall context. 

Service Provision – Approach (Design and Build) 

Collocation, Secure Managed Hosting, Website Services 

The Contractor shall work with the Customer on a pre-sales basis to capture and identify 

their requirements in a Solution Design Document. The Solution Design Document shall capture 

the following details: 

311 

Customer requirements, including performance and availability requirements 

Protective marking requirements 

Data centre space requirements including rack elevations 

Proposed device or devices (managed hosting & Website Services only) 

High level architecture (managed hosting & Website Services only) 

Solution or component level availability guarantees 

Proposed Customer acceptance test criteria for the service.

The Customer is required to sign the Solutions Design Document which shall be referenced 

in the Contractor’s contract. 

Once the Customer’s requirements are documented, detailed investigation of the 

requirement and solution shall be performed to confirm viability. At this stage, where 

applicable, a Detailed Designer will complete a Detailed Design Document, which shall be used 

by the Contractor’s engineers to build or provision the service. 

The Service shall be provisioned as defined in the Solution Design Document. The 

Contractor shall advise the Customer of an Agreed Ready for Service Date (“ARFS Date”) in the 

Solution Design Document, by which time the Contractor will use reasonable endeavours to 

Provision the Service. 

When the Customer Acceptance Test, as defined in the Solution Design Document, has been 

completed successfully, the Contractor shall report the results of the testing and send a 

Customer Acceptance Form to the Customer. 


As part of the on-boarding process, the Contractor through consultation with the 

Customer’s assigned representative(s) shall agree the network design and configuration options 

for the Customer’s environment within the Flexible Computing platform, and the connection to 

it. On-boarding shall commence following the agreement of the design and contract 

completion. The Contractor’s implementation staff shall complete the build activities required 

312

to connect the Customer to the platform, including the creation of an administration account 

on the portal. 

The Customer shall provide details and input to the process, including allocation of IP 

address ranges, and the email address of an allocated individual who shall be the administrator 

on the Flexible Computing platform (further user accounts can be added by this administrator 

after on-boarding). 

During the consultation phase the Customer’s requirements and connectivity options shall 

identify whether connections into both of the Flexible Computing sites, or only one, are 

required. If the Customer only requires connection into one site then the distributed protection 

(cross-site load balancing service) service will not be available. The Customer shall also be asked 

to describe any PVLANs that need to be set up initially on the platform (further can be added 

later, up to a maximum of nine). 

Once the design has been agreed, an order will be required and this shall be submitted to 

the Contractor’s teams who will manage the creation of the Customer’s dedicated virtual 

environment within the Flexible Computing platform. Once the order has been processed the 

Contractor shall advise the Customer of an Agreed Ready for Service Date (“ARFS Date”) by 

which time the Contractor shall use reasonable endeavours to Provision the Service. 

The configuration required to connect the service to the Customer’s WAN, via either a 

private WAN or the PSN, shall be completed as part of this activity. 

313

As part of the on-boarding activity the Customer shall assist with the testing of connectivity 

to ensure that access to the dedicated environment on the platform is available from the 

Customer’s sites, via the WAN. 

When ready for operation the Customer will be set up with a single administrator account 

for the Flexible Computing portal and the password and user guides shall be supplied to the 

allocated individual. 

Security 

The following sections detail the security elements of the Hosting Service. 

Data Centre Qualification for ISO 27001 

The certificate covers the Information Security Management System (ISMS) relating to the 

provision of Secure Hosting Services and covers the Contractor’s Brentford, Leeds, Swindon, 

Park Royal and Watford Data Centres. 

The Contractor has designed the ISMS, security policies and procedures to align directly 

with the ISO 17799:2005 structure. 

The Contractor’s ISMS implements the Denning Cycle of continuous improvement (PLAN > 

DO > CHECK > ACT). The Contractor conducts regular internal audits of policy, process, people 

and physical security and at least one day every six months undergoes external audit by BSI. 

314

All non-conformities/observations are entered into the Contractor’s National Audit 

Database which instigates automatic escalation within the business when actions are not 

carried out within the timescales stated. 

To monitor actions and maintain focus the Contractor operates a monthly Information 

Security Management Forum, chaired by our Head of HMG Security, which covers: 

315 

Overdue and due audit actions 

Audits and assessments (review and plan) 

Risk and threat management 

Review of security incidents 

New threat updates 

Document review/update/issue. 

Facility Security 

The Contractor’s physical security measures of its data centres as a critical priority. include 

physical security measures include the following: 

Provision of 24-hour on-site security personnel 

Local and remote CCTV monitoring and recording 

Enforcement of single entry and exit point policy at each site 

Turnstile access control points at entry points into data centre areas (prevents tailgating 

and removal of equipment) 

Proximity card access control system (with audit and role-based access control 

capabilities). 

Strict escorted access policy for non-Contractor personnel whilst with sites (also 

required to fulfil health and safety requirements). 

The processes and physical measures in place to ensure the security of the Contractor’s 

data centres have been subject to a successful audit for compliance with BS7799, the standard

that formed the basis of ISO 17799, the international standard for information security 

management. 

Within the computer rooms, where additional security is required, caged or walled areas 

can be provided if requested as part of the implementation. 

A multi-level electronic swipe card system is in place at door and cage level, and audits 

users’ movements through a building. Individual computer cabinets are locked to prevent 

access. 

All network management and administrative systems are contained within secure rooms, 

over and above the security in place for access to buildings. Access to these rooms is strictly 

controlled. 

Access to the physical network components is also controlled. All equipment is located 

within a secure location with the doors locked when not in use. These locations are fitted with 

remote alarm systems. Any access requires the issue of a key by a nominated key holder and 

verification of identity by the Network Operations centre (NOC). 

Regular risk assessments and audits of security measures are also completed. 

Vetting of Data Centre Staff 

All staff in the UK are required to complete a basic security check. In addition, the 

Contractor’s existing colleagues in the UK, and new recruits to roles with significant access to 

personal or other sensitive data, systems or network equipment are required to complete 

316

either a Counter Terrorist Check or to obtain Security Clearance via the Government vetting 

agency. Outside the UK the Contractor conducts other forms of security vetting. 

All new starters are required to complete data protection and security awareness 

computer-based training courses (with knowledge check assessment) as key areas, and these 

courses have recently been rolled out as mandatory for all the Contractor’s staff. This maintains 

staff awareness of the importance of processing personal data correctly, keeping it secure, and 

in particular, that any disclosures of personal data outside authorised business processes are 

strictly prohibited and constitute a criminal offence. 


Collocation, Secure Managed Hosting, Website Services. 

The Contractor’s Service Desk shall be the primary service interface for the hosted services 

and shall provide the coordination of service management activities including: 

317 

Incident management 

Security incidents (physical and logical security breaches) 

Problem management 

Change management 

Configuration management 

Service level management 

Billing and provision queries 

Escalations 

Complaints. 

Interfaces between Customer and Contractor Service Desks

The Contractor’s Desk operates twenty-four hours a day, seven days a week, every day of 

the year for Incident Management. 

Service change Management 

The Contractor shall operate a change management process to support the Service. 

Changes shall be requested by submitting a Request for Change (RFC) form to the 

Contractor’s Service Desk. The Contractor’s Change management process is responsible for 

managing the effectiveness of change, and providing the mechanism for assessing, controlling 

and managing requests. It also incorporates release and configuration management processes. 

Changes shall be processed using formal change management procedures. 

The Contractor shall ensure that the process protects the Customer and optimises the 

Contractor’s effectiveness in managing the service. The change process comprises the following 

activities: 

318 

Raising and recording changes 

Assessing the impact, cost/benefit, and risk 

Business justification and approval 

Managing and co-ordinating implementation 

Reporting and monitoring implementation 

Reviewing requests 

Assessing and approving change requests. 

Monthly Service Level Reporting

The Service includes regular reporting with respect to service levels. The format and content 

of the reports shall be agreed at the commencement of the Service. Reports shall be amended 

during the course of the contract by mutual agreement. 


The Customer shall be provided with an optional capacity management service that delivers 

the following: 

319 

Regular reviews of solution capacity and performance statistics to ensure the 

optimisation of performance across the solution 

Regular reviews of service continuity plans and performance to validate resilience built 

into the solution 

Collaborative review of solution infrastructure, making recommendations to improve 

the solution. 


The Contractor’s Flexible Computing service is primarily managed in-life via the Flexible 

Computing self-service portal. This capability, in addition to the management support and 

billing services, includes: 

In-life ordering – the Customer shall be able to order and delete virtual servers (Flexible 

Instances), scale the resources available to these servers, add or remove storage and 

request changes to the network and security configuration. 

Incidents – the Customer shall raise faults via the portal or (if the portal is not available), 

via a help desk number. The Contractor shall pro-actively monitor all Premium Flexible 

Instances and all platform components, and any alarms will be investigated through an 

incident management and escalation process. 

Change management – the Customer shall request changes via the portal. Change 

requests raised via the portal are deemed as approved changes by the Customer and 

shall be acted upon without further authorisation. Changes that are deemed to be

320 

complex changes are requested via the portal and shall be subject to the Contractor’s 

change management policies. 

Billing – usage elements are billed monthly in arrears and the bill shall list the service 

charges individually, with references that link to the Service (hostname of the Flexible 

Instance, if applicable, and order reference from the portal). The Contractor will 

proactively monitor all Premium Flexible Instances and any alarms will be investigated 

through an incident management and escalation process. 



Cisco - Provision of routers and switch hardware and support services 

Scisys – Web Page and application development. 

EMC – Storage solutions 

SECURITY – EMAIL FILTERING SERVICE DESCRIPTION 


The Contractor’s Email Filtering Service provides protection from malicious and unsolicited 

email, and includes anti-spam protection, anti-virus protection, content control and email 

image control. Email is filtered between Customers’ communities and all other trusted and 

untrusted external domains, including the Internet. 

An online administration portal allows Customers to individually tailor controls in 

accordance with local acceptable usage policies for anti-spam, content control and image 

control. 

High-Level Service Offering

E-Mail filtering 


The Email Filtering Service provides the following features: 

321 

Multi-layered anti-virus protection – 100% protection against known and unknown 

email viruses with no more than 0.0001% false positives. 

Anti-spam protection – 99% detection rate with no more than 0.0003% false positives. 

Email inspection and cleansing of malware and other inappropriate content according to 

an agreed set of rules. 

100% email delivery with average email scanning time within 60 seconds. 

100% service uptime for anti-virus and 99.75% for anti-spam. 

Online administration portal – Customers can individually tailor controls in accordance 

with local acceptable usage policies for anti-spam, content control (e.g. blocking of 

passage of terms such as ‘RESTRICTED’) and image control. 

Dashboards and reporting. 

Dual UK-based data centres with geographical diversity. 

Provided at each Impact Level 

ISO/IEC 15408 industry-standard compliance. 

Proven compatibility with standards-compliant SMTP Relay software (Exim, Sendmail, 

Microsoft Exchange, Lotus Notes (with any required SMTP modules installed and 

configured). 

The Email Filtering Service shall be based on MessageLabs technology which is the 

Contractor’s partner for this service. The Service shall operate within the network and with 

appropriate assurance levels to enable the scanning of traffic between Customers in the same 

community and between all other boundaries. 

The Email Filtering Service shall be based on the principle of deploying multiple 

MessageLabs ‘towers’ at multiple geographic locations per Impact Level. Each tower shall

include all the processing power and equipment necessary to deliver MessageLabs’ multi- 

staged filtering architecture, including the proprietary Skeptic heuristic engine. 

The Email Filtering Service shall ensure that the deployment of the MessageLabs service 

within the PSN network enables the provision of additional services which may be requested by 

Customers, including the ability to validate email addresses to reduce spam, TLS-to-community 

security with the third sector and industry on the Internet, and data loss prevention (e.g. to 

block Internet-bound email containing ‘RESTRICTED’ content). The Email Filtering Service has 

been designed as an in-network service so that it can be adopted within the PSN as a generic 

filtering service. 

The Email Filtering Service shall employ a multi-layered approach to email filtering, which 

shall be reinforced by MessageLabs’ proprietary Skeptic heuristic technology. The scanning 

process follows three steps: 

322 

Traffic and connection management identify, slow and reject infected or suspected 

virus-bearing email. 

Multiple commercial scanners detect known and identified viruses. 

Skeptic predictive technology incorporates thousands of heuristics rules, smart 

signatures, fuzzy fingerprinting and dynamic header analysis to identify unknown and 

new viruses. 


The Email Filtering Service shall be provided from two geographically-diverse data centres in 

the UK. Global Server Load Balancing (GSLB) and Local Server Load Balancing (LSLB) shall be 

used to present a Virtual IP address (VIP) for the AV service at each data centre. The VIP shall be

withdrawn by the GSLB service in the event of a failure of the site or of the multiple AV relay 

servers within the site. The Email Filtering Service shall be accessed externally (via the Internet) 

based on the resolution of weighted MX records; one record shall point to one data centre and 

one record shall point to the other. 

The Email Filtering Service is based on a tower architecture, where a tower includes all the 

processing capability, load balancing and management architecture required to provide the full 

service. For resilience and performance, the Email Filtering Service shall be replicated (N+N) 

between the two data centres. 

The Email Filtering Service will scale in line with Customer demand and is underpinned by 

load-balancing technology which enables the load to be distributed over a number of 

computing platforms, the scaling of which is invisible to the Customer. 

Service Provision - Approach (Delivery inc where applicable Design and Build) 

In receipt of a fully completed and accepted order, the Contractor will enable Email Filtering 

for the Customer. For some functions the Contractor will enable the capability for the 

Customer to apply that capability via the portal facility 

The Contractor shall, to the extent practicable, provide a consistent and uniform approach 

to service management. 


323

In the event of service failure, the Customer will report the incident to the Contractors 

service desk. The Contractor’s service desk representative will open a record of the incident 

and record the time when it is notified. The Contractor will investigate and, if incident found, 

resolve the incident to the SLA agreed between the Contractor and the Customer 

The Contractor shall operate a comprehensive change management process to support the 

Email Filtering Service. Changes shall be requested by submitting a Service Request to the 

Contractor’s Frameworks Change team via the Contractor’s Service Desk. This role also 

incorporates release and configuration management processes. 

Changes, which will be processed using formal change management procedures, shall be 

agreed and aligned with the Customer’s requirements. The Contractor shall ensure that the 

process protects the Customer and optimises the Contractor’s effectiveness in managing the 

Email Filtering Service. The change process shall comprise the following activities: 

324 




Managing and coordinating implementation 


Reviewing Service Request 

Assessing and approving Service Requests. 

The Contractor shall monitor and document any changes made to the configuration of 

network elements under management. With the assistance of the Customer’s staff, the

Contractor shall produce network schematics, using the Customer’s existing schematics as a 

baseline. 

The Contractor’s change management process shall be controlled by a coordinator who 

shall be responsible for the overall management of the change. 

The Contractor will supply a service reporting capability. Dashboard, summary, detailed 

and scheduled reporting options shall be included and configurable to provide visibility. 



325 

Symantec (Messagelabs) - Provision of filtering and scanning services 

SECRUITY – MANAGED AUTHENTICATION SERVICE DESCRIPTION 


The Contactor’s Managed Authentication Service provides user authentication and reduces 

the risk of fraudulent access. The Managed Authentication Service is based on two-factor 

authentication: something you know (username/password) and something you have (a token). 


Managed Authentication Service 


The Managed Authentication Service provides the Customer with an authentication system 

configured to their requirements to provide control of access. The features of the Managed 

Authentication Service are listed below: 

326 

Fully Integrated Solution: Designed to be integrated into existing contractor or third 

party security solutions. 

Control: Designed to authenticate users prior to allowing access to protected resources. 

Back-up: Schedule back-ups of User databases to facilitate service restore in the event 

of system failure. 

Management: The Contractor provides, configures and maintains the hardware and 

maintains software installation. Change management procedures are utilised to ensure 

any changes to the solution are properly managed 

Flexible deployment options: The service is offered with bespoke rules configured to 

meet the Customer’s operational requirements 

Security Expertise: The Contractor uses qualified staff to provide the appropriate 

support level 

Resilience: The Contactor’s Managed Authentication Service offers a range of resilience 

options. This shall enable Customers to achieve their required level of availability and 

fault tolerance for mission-critical applications 

Direct User administration: The Customer is provided with administrator account(s) that 

will allow User account management 

Reporting: The service offers reporting functionality to enable the Customer to 

effectively manage user accounts and gain a better understanding of user activity. 

The Managed Authentication Service is based around using the Cisco Access Control Server 

(ACS) Solution Engine. This appliance provides a RADIUS and TACACS+ platform for AAA 

(Authentication, Authorisation and Accounting). 

The AAA appliance shall be hosted by the Contractor in a dedicated Customer-firewalled 

area. It will be configured with a list of authorised authentication clients and a list of trusted 

User databases. The AAA appliance also supports an internal user database.

Whenever an authentication client receives an access request from a User, it will forward 

the User’s details to the AAA appliance. The appliance will then validate the User and its right to 

access the system it has attempted to connect to. This in turn triggers further look-ups using 

external databases such as RADIUS or Active Directory. Once complete, the user will then be 

either granted or denied access to the resource they have attempted to connect to. 

The Managed Authentication Service uses token-based authentication to provide the 

Customer with a strong authentication option and additional AAA servers or firewalls for 

increased resilience. 

A DMZ will allow the Contractor’s operations team to gain access to the appliance for 

backing up and monitoring. A link into the Customer network will provide a connection into the 

Customer’s infrastructure to gain access to their username and password store (Active 

Directory, NDS). 

Service Provision – Approach (Delivery inc where applicable Design and Build) 

The Contractor shall design and provision a Managed Authentication Service using Cisco ACS 

solution engine to meet the Customer’s specific requirement. 

The Managed Authentication Service shall be provisioned based on the details captured in 

the high-level design (HLD) document. The HLD shall capture the following details: 

327 


High-level rule-base 

Service Levels targets

328 

Proposed acceptance test criteria. 

When the Customer’s acceptance tests as defined in the HLD have been completed 

successfully, the Contractor shall report the results of the testing and send a Customer 

acceptance form to the Customer. 

The ACS Solution engine used as part of the Managed Authentication Service shall be set up 

to service AAA requests from a variety of different access devices including firewalls, VPNs and 

routers. 

The ACS software shall have several components set up: 

The first component is to configure a list of all authorised clients to the ACS system. To 

facilitate secure authentication, only authorised clients will have their authentication 

requests processed. Addition of clients will require the submission of a client IP address 

and a shared secret to be used in securing communication between the ACS and the 

authentication client. 

The second component is the provision of authorised administrators’ usernames and 

passwords. 


All physical access to managed service components is undertaken by authorised 

representatives of the Contractor’s operational team. The Customer is not provided with access 

to any part of the Managed Authentication Solution. The Contractor will provide the Customer 

with a number of defined ‘administrator accounts’ that will enable the Customer to perform 

basic user management such as adding, editing or deleting User accounts on the ACS Server. 

The Contractor shall perform the following duties:

329 

Initial consultancy, design and installation 

Policy development and configuration 

24x7 maintenance, including full replacement of hardware 

Detailed monitoring and testing 

Customer support, including change control 

Regular updating of signature requirements 

Cross-Customer learning and correlation 

Back-up and restore management. 

Use Of Sub Contractors 

Sub-contractors are not used to deliver this service. 

MANAGED SECURITY INFRASTRUCTURE SERVICE DESCRIPTION 


The Contractor shall provide a Managed Security Infrastructure Service that shall 

encompass the provision of security devices including firewalls, proxies, intrusion detection 

products and application gateways. 


Firewall 

Proxy server (encompassing Anti Virus and Web Filtering) 

Intrusion Detection Service. 


The Managed Security Infrastructure can be provided either at the Customer’s site or 

hosted within the Contractor’s data centres, depending on the most appropriate location for

the control. The Managed Security Infrastructure service includes a range of devices and 

services that can be supplied individually or combined together dependent on the Customer 

need. 

Within each service category, the Contractor shall provide a range of devices offering a 

variety of performance characteristics, features and availability options. 

Firewall 

The Firewall Service provides a passive defence mechanism based on a set of defined 

Firewall rules. Firewall policies are defined using the principle of everything that is not explicitly 

allowed is denied. These policies can be defined using a combination of Source IP address (or 

network), destination IP address (or network) & service port, e.g. HTTP, HTTPS, FTP etc 

The Firewall Service includes equipment that has been evaluated using the Common Criteria 

for Information Technology Security Evaluation international standard (ISO/IEC 15408) 

Events generated by each Firewall are collected and stored centrally and made available to 

Customers via the Contractor’s portal. 

Proxy server 

The Contractor shall provide a range of dedicated proxy appliances, which can be hosted in 

the Contractor’s data centre alongside their border or in-network firewalls and delivered into 

the Customer’s network via a dedicated transit network. 

330

The Contractor’s proxy service can be configured either as a simple proxy capability or as 

part of a more complicated web security solution including anti-virus and web content filtering. 

AV key features: 

331 

Real-time scanning of Internet traffic to delete viruses, worms, Trojans and other 

malicious programs. 

Flexible scanning rules. 

Ability to scan archived files (supports more than 260 file type formats). 

Detection of potentially harmful programs such as spyware. 

Web Content Filtering key features: 

Forward and reverse caching capability with transparent-mode available. 

Blocks malware, Web threats, fake software updates, fake AV offers, phishing offers and 

botnets or key-loggers calling home 

Provides Web 2.0 filtering for mashed-up or customised web portals, blocking panels 

and dynamic content per policy settings. 

Provides reputation ratings so policy controls can opt for inline threat analysis, or 

blocking downloads such as drive-by installers and executables from these sites. 

Web security solutions are typically bespoke services based on the Hosting Service and 

managed firewall portfolios, and require detailed design and planning. The Contractor can 

provide this as a Professional Service. 

The Contractor subscribe to engine and signature updates to ensure that the latest threats 

can be detected (where applicable). The volume of traffic that can be inspected by a single 

appliance depends upon a number of conditions. 

Intrusion Detection Service

The Contractor shall provide intrusion detection services based on the deployment of 

dedicated hardware. The intrusion detection service provides the following features: 

332 

Attack detection and anti-hacking protection capabilities that include ‘exploits’, ‘denials 

of service’, ‘reconnaissance’ and ‘misuse’. 

Transparent operation, designed not to impact network performance. The service is 

completely transparent to End Users. 

Scalable sensing performance. 

Analysis and correlation to identify real threats and tune out false positives. 

Active response for those alerts where this action is appropriate – the Customer’s 

nominated contact shall be alerted following an initial risk assessment. 

IDS tuning. The service includes the ongoing tuning of alerts. 


The Contractors Gateway Services operations and field engineering department are 24x7. 

The Contractor employs both SC and DV service operation and field engineering staff. Where 

appropriate for the Impact Level the Contractor will utilise only its DV staff operating from the 

Contractors dedicated DV only operations centres 

Service Provision – Approach (Delivery inc where applicable Design and Build) 

For the Firewall Service, Proxy Server Service and Intrusion Detection Service, the 

Contractor shall work with the Customer to define all requirements and complete a solution 

design document. The Customer Firewall Service shall be provisioned based on the details 

captured in the high-level design (HLD) document. The HLD shall capture the following details: 


Protective marking requirements

333 

High-level rule-base 

Proposed device or devices 

Service Levels targets 

Proposed acceptance test criteria for the Customer Firewall Service. 

When the Customer’s acceptance tests as defined in the HLD have been completed 

successfully, the Contractor shall report the results of the testing and send a Customer 

acceptance form to the Customer. 


Service management shall include: 

Continually monitoring and reporting in order to provide an indication as to the quality 

of the Managed Security Infrastructure service being measured. 

Monitoring service performance against the Service Level targets and reporting within 

the defined periods on service performance achieved and any Service Credits to be paid. 

Defining, agreeing, documenting and managing operational level agreements (OLAs) 

with other vendors. 

The primary service interface supporting the Managed Security Infrastructure service shall 

be the Contractor’s Service Desk, providing coordination of service management activities: 

Incident management 

Problem management 

Change management 

Release management 

Configuration management 

Capacity management 

Availability management 

Service level management 

Billing and provision queries

334 

Escalations 

Complaints 

The activities of third parties, including the security briefing (e.g. access procedures) of 

Sub-Contractors attending sites. 

The Contractor’s Service Desk shall operate 24 hours a day, seven (7) days a week, 365 days 

a year. The Customer shall be able to contact the Contractor’s Service Desk to raise and track 

service Incidents using the Customer Portal, telephone or email. Each Customer shall have 

access to a service management helpline (UK Freephone 0800 number) that shall enable them 

to contact incident management, service management and account management functions. 

The Contractor shall utilise existing HM Government service desks, infrastructure and 

processes to deliver a secure and compliant service. The core aspects of the Customer Firewall 

Service shall include: 

Service management functions aligned to ITIL. 

Proactive service monitoring. 

Management information delivered from multiple sources. 

Resilient UK secure customer service centres 

UK and global network operation centres (NOCs) in support of the Customer Firewall 

Services. 

Use of SC and DV-cleared engineering support teams. 

The Contractor shall provide a helpdesk function that shall assist in the resolution of 

Customer Firewall Service technical issues. This shall include troubleshooting and, where 

necessary, log file analysis. The Contractor shall create a customer service handbook to provide 

Customers with further information and guidance on both how to engage with the Contractor 

and how the Managed Security Infrastructure service shall be operated.



335 

Bluecoat- Provision of proxy hardware and support services 

Checkpoint - Provision of firewall hardware and support services 

Cisco - Provision of firewall and switch hardware and support services 

ZScaler - Provision of web filtering and support services 

Symantec (Messagelabs) - Provision of filtering and scanning services 

SECURITY – PROTECTIVE EVENT MONITORING SERVICE DESCRIPTION 


The Protective Monitoring Service is designed to help the Customer to meet the 

requirements of Good Practice Guide 13 (GPG13) in relation to monitoring IT estate for 

potential security breaches. As well as supplying regular reports detailing malicious activity, the 

service includes real-time alerting and 24x7 Incident Response in line with published GPG13 

guidance. 

The Service has been specifically designed to align with the DETER segmentation of GPG13, 

and as such, is broadly suitable for monitoring IT solutions up to IL3 RESTRICTED. 

The service provides log storage and collection, as well as an analysis and correlation 

service. Any critical incidents identified will be analysed and assessed by QinetiQ against known 

threats, known Change Control activities and the general architecture of the service. After 

analysis the incident will be categorised and escalated to the Contractor’s Real-Time Operations

Centre (RTOC) for further investigation. Upon completion of the investigation, the Security 

Operations Centre (SOC) will provide a detailed explanation of the vulnerability or incident and 

make recommendations on how the issue should be addressed, e.g. patching, further logging or 

disconnection. 


336 

Event Collection 

Event Monitoring and analysis service in support of compliance to GPG13 

Overarching Service Accreditation 


A high level summary of each component is provided below 

Event Collection 

Generation and collection of events from standard sources (where applicable) 

Retention of logs for further analysis as per GPG13 guidelines 

Hashing of event time-stamps to ensure integrity. 

Event Monitoring and Analysis Service in Support of Compliance To GPG13 

24x7 Security Operations Centre (SOC) 

Formalised set of Alert Actions in response to the analysis of Event Sources 

Integrated Incident Management function 

Automated Weekly Management Reports structured around GPG13 

Annotated Monthly Management Reports structured around GPG13 

Representation of Events and Reports in the context of system security risks. 

Overarching Service Accreditation

337 

Service RMADS and service accreditation/re-accreditation 

Service separation between Customers to simplify assessment of risks 

Service delivered from List X sites 

Service operated by SC-cleared staff. 

The Protective Monitoring Service provides a 24x7 SOC which processes all the events 

generated by the GPG13 Service provided to the Customer. The technology is dedicated to each 

individual Customer solution, with analyst resource provided from the pool of SOC staff on each 

shift. 

A dedicated Event Processing engine will continually poll the Customer Logger Appliance 

and pull events back for real-time processing within the SOC. The key functions of Analysis, 

Reporting and Alerting are: 

Pull Events in real-time from the Customer Logger Appliance 

Generate incident tickets on the Contractor ticket systems if log path failure detected 

Real-time correlation of events as defined 

Generate alarms when events meet defined rules/triggers 

Trend analysis of event data to detect suspicious activity 

GPG13 Customer Management Report production 

Initial Investigation of alarms prior to escalation or closure 

Escalation of all alarms to the RTOC that require further investigation (Qualified 

Incidents) 

Maintain records of all incident response activity (from creation to closure) for all alarms 

raised (regardless of whether they are qualified or not). 

Incident Response (RTOC) 

The Contractor RTOC will act as First Responder in relation to any incidents raised to it by 

the SOC (Qualified Alarms). The SOC has no access to any of the systems being protected by the

service (except limited read-only access to IDS sensors). Incident Response is a joint function 

between the SOC and RTOC. The SOC tracks all incidents from creation to closure and the full 

Incident Response process is detailed in the standard service RMADS. Key functions of Incident 

Response are: 

338 

Investigation of Incidents that are escalated by the SOC for further investigation 

Provide updates to all incident tickets 

Preserve any logs (as requested by the Customer) to support a formal Forensic 

Investigation 

Implement any changes (as per the change control process) to the collection platform or 

the monitored service (if managed by the Contractor) that are recommended by the 

SOC as the result of any Incident Investigation 

Incident Escalation (as detailed in the Incident Response Process). 

Event/Log File Retention 

Log data collected and processed by the SOC will not be retained by the SOC longer than is 

required to carry out trend analysis and monthly reporting. 

Each dedicated Logger appliance will store all logs received (both CEF and Raw format) for a 

period of three months. Log data beyond this age will be removed from the appliance. The 

appliances are backed up daily and the archived backups maintained for a period of 12 months. 

The Contractor is able to offer offline archiving for longer periods than those stated. This is 

subject to additional charges. 

In the event of an incident (whether detected by the service or not) that the Customer 

deems serious enough to warrant further investigation by the Customer (or their appointed 

Forensic Investigators or Law Enforcement), the Customer may request read access to the log

data held on the Logger appliance to facilitate the investigation. The Contractor will provide 

assistance where reasonably requested to support any formal investigation. 

The Contractor will make archived log data available to the Customer upon written request 

(provided the data is within the contracted archive period). The method of making this data 

available to the Customer will be agreed at the time of request. 


Service Provision - Approach 

Installation 

The service will include equipment, licences, design and physical implementation of the Log 

Collection solution: 

339 

List X data centre 

Design consultancy 

Hardware Logging Appliance(s) 

SmartConnector Agents 

Rack space (with suitable power and cooling) 

Implementation 

Configuration of all components in line with GPG13 requirements 

24x7 hardware and software support 

24x7 monitoring of log feeds to ensure all agents are operational 

24x7 Security Operations Centre 

24x7 Incident Investigation (as defined in the GPG13 specification) 

Secure Connectivity from the Log solution to the SOC 

Dedicated Event Processing Appliances

340 

Backup 

Log collection and retention 

Critical security upgrades 

Reporting (as defined in the GPG13 specification). 

Testing 

Upon completion of the build phase, the Contractor will perform a standard set of tests to 

confirm that all of the components are working correctly and events are flowing from the 

monitored devices to the SOC as expected. When all tests have been performed successfully, 

the solution will be considered live. 

Service Baselining 

To work efficiently, the GPG13 Protective Monitoring Service requires a period of baselining 

to allow analysts to fine tune and map log collection, event rules and triggers accurately to the 

solution being monitored. The period of baseline activity can vary from solution to solution, but 

usually takes around one calendar month. 

Logger, Connector, SmartConnector agents and other Licenses 

The equipment and licences below are supplied as part of the service implementation: 

Logging equipment 

Agent Connector appliance 

SmartConnector agents. 


The service includes regular reporting to meet GPG13 requirements. This will take the form 

of an automated weekly report and a monthly report annotated by one of the SOC analysts.

341 

The Weekly Incident Report will be published within 24 hours of the final date to which 

the report relates. 

The Monthly Incident Report will be published within six working days of the final date 

to which the report relates. 

A custom report that details any events that triggered applied custom signatures will be 

published at the Customer’s request (subject to agreement). 

Weekly Report 

The Weekly Management Report will provide data for the previous weekly reporting period, 

comprising: 

Summary details of all Alerts raised within the period 

Details of any Service Issues. 

Monthly Report 

The Monthly Management Report will be based on the same underlying data as the weekly 

report, but will take a longer-term analysis of the collected data. This enables the SOC to 

provide historical and trending information about the Protective Monitoring Controls. 

Additionally, the Protective Monitoring Analyst will provide commentary on the data, 

attempting to explain patterns and anomalous behaviours. The report will be split into two 

sections: a management summary and more detailed technical content. This will present the 

data and will comprise: 

High-level breakdown against Protective Monitoring Controls 

Summary details of all Alerts raised within the period 

Summary of Event Tuning status for the period 

Change management. 

Details of any Service Issues

342 

Service performance details 

Written summary of each relevant Protective Monitoring Control, with graphical and 

tabular analysis. 

The Contractor shall operate a comprehensive change management process to support the 

GPG13 Protective Monitoring Service. Changes shall be requested by submitting a Service 

Request to the Contractor’s frameworks change team via the Contractor’s Service Desk. 

The Contractor’s change management process shall be responsible for managing the 

change, providing the mechanism for assessing, controlling and managing requests. This role 

also incorporates release and configuration management processes. 

Changes, which will be processed using formal change management procedures, shall be 

agreed and aligned with the Customer’s requirements. The change process shall comprise the 

following activities: 




Managing and coordinating implementation 


Reviewing Service Request 

Assessing and approving Service Requests. 

The Contractor shall monitor and document any changes made to the configuration of 

network elements under management. With the assistance of the Customer’s staff, the 

Contractor shall produce network schematics, using the Customer’s existing schematics as a 

baseline.

The Contractor’s change management process shall be controlled by a coordinator who 

shall be responsible for the overall management of the change. 



343 

QinetiQ - Provision of security services 

SECURITY PRACTICE SERVICE DESCRIPTION 


The Contractors Security Practice shall provide ongoing advice, support and design work 

including an option for use of CLAS consultants. The consultant shall work with the Customer’s 

IT security team so they can achieve the required level of accreditation subject to the 

Customer’s accreditation budget 


Security Professional Services 


The Contractor’s security specialists have expertise covering: 

Service Group Overview of Service 

Service Name

Vulnerability 

Detection 

Risk Metrics and 

Reporting 

Project 

Consultancy 

344 

A number of services 

targeted at identification of 

technical security vulnerabilities 

across key system components. 

By identifying security 

weaknesses we can reduce risk 

levels and attain compliance to 

key policies and standards for 

Customers. 

A series of management 

reports providing insight into 

particular risk levels within IT 

and Operational Environments 

including infrastructure security 

vulnerabilities and patching 

levels. 

A consultancy service - to 

interact with major business 

� Perimeter Penetration 

Testing. 

� Self Service Penetration 

Testing. 

� Operating System Security 

Scans. 

� Remote Network Security 

Scans. 

� Application Security Scans. 

� Wireless Network 

Detection. 

� Information Leakage 

Impact Assessment 

� Monthly Reporting. 

� Anti-Virus Index. 

� Vulnerability Index. 

� Infrastructure Change 

Consultancy. 

� New Technology Reviews. 

� Application Change 

Consultancy.

Security 

Standards 

Risk Awareness 

345 

projects in order to provide 

advice on good practice to help 

ensure that new systems go live 

without introducing additional 

security risks. 

A set of security standards 

aimed at establishing a minimum 

baseline of controls that 

significantly contribute towards 

Customers meeting the IT 

security expectations of their 

Customers, Regulators and 

Auditors. 

A service to alert relevant 

staff of critical vulnerabilities 

and risks as they arise so that 

the risks can be mitigated in a 

timely manner. 

Draws on notifications 

received from third parties on 

� Security Certification 

� IT Security Health Check 

� Security Gap Analysis 

� ISO27001 Gap Analysis 

� ISO27001 Compliance and 

Certification 

� Criticality Assessment. 

� Risk Logging. 

� Risk Assessment (CRAMM) 

� Technical Risk Assessment 

� Vulnerability Alert 

Notifications. 

� Real World Event 

Notifications. 

� Industry Security Trends.

346 

emerging threats. 

� Investigations � A series of investigation 

based services targeted at 

potential misuse of assets, 

theft of data, social 

engineering attempts and 

other incidents. 

� Incident 

� Response 

� Training and 

� Awareness 

� Audit and 

� Regulatory 

� Support 

� Change 

Review 

� and Approval 

� A service to respond to 

various incidents that may 

have a security or 

information risk angle, such 

as a virus outbreak, denial 

of service attack or theft of 

assets. 

� A service targeted at raising 

the awareness of 

information risk throughout 

our customers business. 

Combination of staff wide 

messages combined with 

specific training targeted at 

key staff. 

� A support service to IT to 

help them through internal, 

external or regulatory audits 

or investigations. 

� We help to answer 

questions related to security 

and explain key controls. 

� A service to review and 

approve various changes 

that may impact on 

informational risk. These 

include new connections, 

firewall rule changes and 

new infrastructure standard 

builds. 

� Incident Management 

Process 

� Computer Forensics 

Investigations. 

� Phishing Attempt 

Investigations. 

� General Investigations. 

� Malicious Code Response. 

� Virus Response. 

� Denial of Service 

Response. 

� External Complaint 

Response. 

� Target Technology 

Training. 

� Security Administrator 

Training. 

� New Joiner Induction. 

� Communications and 

Awareness. 

� Instructor-Led Courses 

� Pre-Audit Health Check for 

IT. 

� Advice & Guidance During 

Audit. 

� Regulatory Interaction. 

� Change / Service Request 

review / Approval. 

� New Connection Request 

review / Approval. 

� New Infrastructure Build 

Standard Sign Off.

� Application 

� Security 

Technical 

Assurance 

(Public Sector) 

PCI-DSS 

Compliance 

347 

� Application Security reviews � Oracle Security Review. 

� Application Security Health 

Check 

� Operating Systems 

Security Scan (Win Unix) 

Architecture and operational 

service review to ensure that 

application, server and network 

architecture meets with HM 

Government and other highly 

regulated vertical sectors such as 

finance, utilities and 

pharmaceuticals. 

Services to provide 

assurance to en-clients of their 

compliance to PCI-DSS. 

� Technical Assurance Audit. 

� IT Health Check 

� Infrastructure Security 

Improvement Programme 

� GSi Network Accreditation 

� ISO27001 Technical 

Operations Readiness 

� Assessment 

� PCI-DSS Compliance Card 

Data Flow Review 

� PCI-DSS Compliance Gap 

Analysis and risk ass 

� PCI-DSS Compliance Policy 

& Process Review 

� PCI-DSS Compliance 

Network Security Review 

� PCI-DSS Compliance 

Remediation Plan 

� PCI-DSS Remediation Plan 

implementation 

� PCI-DSS Certification Audit

Outsourcing 

Security 

Management 

Business 

Continuity 

Disaster 

Recovery 

Identity and 

Access 

Management 

348 

Transition services that will 

review client security and service 

management environments in 

readiness for security take-on of 

services. 


Services that will utilise 

Business Continuity standard 

BS25999 part 1 and part 2 

To analyse business 

continuity processes. 

Architecture and operational 

service review to ensure that 

application, server and network 

architecture meets with HM 

Government 

Delivery of Professional Services to the Customer 

� Outsourced Security 

Management Gap Analysis 

� Contractual Security 

Service Review 

� Security Service 

Management Review 

� Others??? 

� Business Continuity Gap 

Analysis (BS25999) 

� Technical Assurance Audit. 

� IT Health Check 

� Infrastructure Security 

Improvement Programme

Professional Services can be delivered in many different ways. The Contractor has outlined 

two approaches that Customers use most often: defined deliverable (fixed price) and day rate 

(time and materials). 

Defined Deliverable (Fixed Price) 

Prior to signature of the Call-Off Form, the scope of delivery, timescales and price shall be 

agreed by the Customer and Contractor in accordance with the Call-Off Terms. The Contractor 

shall then ensure suitable resources are applied to deliver the agreed scope within timescales 

for the agreed price. The methodology used for developing solutions shall take into account the 

full spectrum of requirements and not solely the functional aspects. Key risk areas for work 

packages delivered to the Customer include accuracy associated with following: 

349 

Scope; 

Assumptions (technical and commercial); 

Exclusions; 

Dependencies (internal and external); and 

Effort (both the Contractor’s and the Customer’s). 

The Contractor shall produce a scope of works document to define and explain the scope, 

assumptions, exclusions and effort (amongst other critical information) to allow the Customer 

to make an informed decision. The Contractor shall produce a fixed price based upon the 

production of one of the following documents: 

Day Rate (Time and Materials) 

The Customer may require professional resources to attend meetings and work with their 

teams to achieve specific objectives where the professional services requirement cannot be

fully scoped up front due to unknown variables. In such cases Customers can chose to adopt a 

day rate charging mechanism. 

All deliverables will be fully scoped and priced and will be subject to change control. 

Use of Subcontractors 


350 

QinetiQ - Provision of security services 

INTERNET SERVICE DESCRIPTION 


This service description describes the Internet Access Service, its standard and optional 

features, and technical, service and support information. 

The Contractor’s Internet Access Service connects the Customer’s site directly to the 

Contractor’s Global IP Backbone (AS1273) via a dedicated access circuit provided at a range of 

fixed and burstable bandwidths from 2Mbps to 1Gbps. 

The Contractor’s Internet Access Service supports IPv4 and IPv6 internet addressing. 


Access Circuit(s) – connecting the Customer’s site to the multi-service platform and 

onwards to an Internet Edge Router on the Contractor’s IP Backbone. 

Service/Port Bandwidth – Internet service bandwidth is provisioned over the Access 

Circuit. The Contractor will provide options of:

351 

o Throttled bandwidth 

o Committed bandwidth plus burstable.(i.e. bandwidth above the committed) 

The Contractor shall provide as additional options: 

Customer Site Routers – where ordered, the Contractor shall install, configure, manage 

(remotely for changes where possible) and maintain a router located at the Customer 

site 

Internet features – where ordered, these include: 

o Managed Domain Name Services 

o IP Addresses 

o ASN Numbers 

o Performance Reporting. 

Security features – where ordered, these include: 

o DDOS protection 

o Internet proxy services 

o Email security 

o Managed firewalls 

o Resilience services. 

Service support including: 

o Proactive monitoring of the Internet service up to the service demarcation point 

for hard down, alarms and events which map to severity 0-2 faults 

o 24/7 incident management support all year round 

o Service change requests 

o Online ‘MYCW’ portal. 


Internet Access. 


Internet Access is provided over the Contractor’s Global IP Backbone known as AS1273*. 

The Contractor’s Global IP Backbone is engineered to 99.999% availability. In the event of a 

failure, the backbone will automatically deploy the most appropriate protection path, restoring 

traffic across the network in milliseconds using the RSVP fast reroute protocol. 

*Regional aggregation in the UK may be provided via the Contractor’s backbone known as 

AS2529, that is connected upstream to AS1273. 

Feature Summary Table 

Feature Sub-Feature Standard Optional 

Access 

Circuit 

Service/Port 

BW 

Customer 

Site 

Routers 

Internet 

Features 

352 

2, 4, 6, 8, 10, 100, 1000Mbps symmetric 

bandwidths. 10Gbps available subject to technical 

feasibility investigation. 

Committed bandwidth options from 2Mbps to 

1000Mbps 

Committed bandwidth plus burst options from 

2Mbps burst to 4Mbps, to 500Mbps burst to 

1000Mbps 

Range of Cisco ISRG2 routers, fully installed and 

configured with remote change management and 

maintenance 

Domain Name Services: transfers/registrations, 

authoritative DNS, DNS caching, SMTP mail 

IP Address Blocks: portable and non-transferable 

IPv4 & IPv6 addresses 

Autonomous System Network numbers: registration 

and routing 

� 

� 

� 

� 

� 

� 

�

Security 

Features 


Support 

Technical 

Features 

353 

Performance Reporting: standard performance 

reporting or Application Performance Management 

DDOS Protection: reactive and proactive options 

using shared or dedicated cleaning zones 

Internet Proxy Service 

Managed Firewall 

E-Mail Security: sold per mail box 

Dual Homing & Resilient Services 

Proactive monitoring for unavailability & 24/7 

incident management 

MYCW Self Service Portal � 

Standard change management services � 

Range of professional services: capacity and 

performance management, security, project 

management 

Routing: static, BGP with default route, BGP with full 

routing table 

The Contractors Internet Access service shall support the following capabilities: 

Access Circuit and Service Bandwidths 

Managed Customer Site Router 

Optional Internet Features 

Optional Security Features 

Professional Services. 

� 

� 

� 

� 

� 

� 

� 

� 

�

Access Circuit and Service Bandwidths 

The table below list access circuit and service bandwidth options. 

Access 

Circuit BW 

s 

ps 

354 

BWs 

Committed Service 

Committed + 

Burst Service 

BWs 

2Mbps 2Mbps n/a 

4Mbps 2, 4Mbps 

2Mbps burst 

to 4Mbps 

Access 

Technology 

Ethernet 

or Leased 

Line 

Interface 

(Customer 

provided 

router) 

X21 

RJ45 or 

Ethernet RJ45 

6Mbps 2, 4, 6Mbps n/a Ethernet RJ45 

8Mbps 2, 4, 6, 8Mbps n/a Ethernet RJ45 

10Mbp 

100Mb 

2, 4, 6, 8, 10Mbps 

10, 15, 20, 30, 40, 

50, 60, 70, 80, 90, 

5Mbps burst 

to 10Mbps 

10Mbps burst 

to 20Mbps 

Ethernet RJ45 

Ethernet RJ45

ps 

1000M 

355 

100Mbps 20Mbps burst 

100, 200, 250, 300, 

400, 500, 600, 700, 

800, 900, 1000Mbps 

to 40Mbps 

50Mbps burst 

to 100Mbps 

100Mbps 

burst to 200Mbps 

200Mbps 

burst to 400Mbps 

500Mbps 

burst to 

1000Mbps 

Ethernet 

x/Lx 

1000BaseS 

Ethernet may be provided over copper, using Ethernet First Mile technology, or Fibre. 

Where new access circuits are required, then only the ‘Committed’ and 

‘Committed+Burst’ service bandwidths shown above are supported over the respective 

access circuit bandwidths. Where MSP access circuits already exist at the Customer site, 

and are provided over Fibre Ethernet access technology, then any of the ‘Committed’ 

and ‘Committed+Burst’ service bandwidths will be supported where the existing access 

circuit has sufficient spare capacity. 

Service bandwidths are inclusive of all protocol and access network transmission 

overheads. 

Unless agreed otherwise, where managed Customer Premises Equipment (CPE) is 

required, and subject to the bandwidth and feature requirements, the Contractor may 

provide the service at the bandwidths ordered over the access technology of the 

Contractor’s choice. Where a ‘wires only’ service is required, the technologies and 

interfaces relevant to each site shall be those detailed on the order form and/or agreed 

during service delivery.

Managed Customer Site Router 

Where ordered, the Contractor shall install and configure Cisco ISR G2 router equipment. 

The Contractor shall manage and maintain the router in-life as follows: 

356 

Undertake service change requests, including soft and minor changes remotely, 

including changes to routing, IP addressing or service bandwidths 

Proactive monitoring all year round for critical hard down, unavailability, alarms 

Provide 24/7 fault management, including remote fault diagnosis and fault resolution 

where possible, and on-site repair or replacement of the Managed Router hardware or 

software, if necessary, to resolve faults. 

Optional Internet Features 

These include: 

Domain Name Services 

Public IP Addressing and ASNs 

Performance Reporting. 


The Contractor’s Internet Domain Name Service (DNS) provides registration, transfer and 

hosting services for one or more domains. Domain names are supported subject to terms and 

conditions. 

tariff: 

The Contractor shall provide the following feature options within the Domain Name Service 

DNS resolution – DNS resolution caching servers for the Internet to map domain names 

to individual IP addresses 

SMTP mail – Using mail exchange (MX) records in conjunction with corresponding mail 

systems, the DNS can be used to send and receive email. The Contractor supports 

multiple MX records for email delivery.

357 

Primary and secondary DNS – The Contractor provides a primary and/or secondary 

authoritative Domain Name Server service. 

Public IP Addresses and ASNs 

The Contractor supports IPv4 public IP addresses. IPv6 addresses are supported on a 

reasonable endeavours service level basis. 

For IP address assignments of /29, and larger address blocks, then RIPE approval will be 

required. 

The following types of IP addresses are available: 

Provider Aggregateable (PA) – These addresses are not portable. Addresses must be 

surrendered back to the Contractor at termination of service. 

Provider Independent (PI) – These addresses are fully portable. 

If the Customer has or intends to obtain a public Autonomous System Network (ASN), PI 

address space is required. 

Performance Reporting 

Performance reporting may be ordered, for a premium, with all Internet Access services. 

Performance Reporting provides the Customer with information regarding: 

Bandwidth utilisation 

Service availability 

Quality of service performance over the Contractor’s Global IP Backbone. 

Data is polled every five minutes and returns information over hourly, daily and monthly 

periods. Hourly data is stored for up to three months; daily and monthly data are stored for 14 

months.

In order to access MyStats reporting, the Customer representative shall require a MS 

Internet Explorer or Mozilla Firefox browser to be installed, operating at the required version 

(as defined at time of call off), together with relevant Java plug-in software. 

Optional Security Features 

These include: 

358 

Resilient Services 

Dual Homing 

Distributed Denial of Service (DDOS) Protection 

Wider Security Portfolio Options. 


Where requested, the Contractor shall provide (subject to feasibility study) a second 

‘Resilient’ Service into a Customer Site and in such instances a higher overall annual availability 

SLA can be offered. The following configuration options are available: 

Dual Parent (Fully Diverse) – with load balancing or active/standby configuration 

Dual Parent (Diverse Internet Edge Routers) – with load balancing or active/standby 

configuration. 

Dual Parent (Fully Diverse) 

The Resilient Service shall be connected to separate MSP access nodes and Provider Edge 

Routers, as well as separate IP Backbone nodes and Internet Edge Routers (IER) to that of the 

Primary Service. Reasonable endeavours will be used to provide assured diversity (at a cable 

and also duct level where possible) between the Resilient and Primary Services. At the 

Customer site, a common building entrance point will be used as standard. Separate building 

entrance points may be investigated, upon request, on a bespoke basis.

The Resilient Service Internet Port bandwidth must not be less than that of the Primary 

Service. Only committed Service/Port bandwidths are permitted on the Primary and Resilient 

Services. It is possible to use the Primary and Resilient Services simultaneously (i.e. in a ‘Load 

Balanced’ configuration). Alternatively, the Resilient Service can be used as a backup should the 

Primary Service fail. Where Managed Routers are provided, the Contractor shall be responsible 

for configuring Load Balancing or Failover between the Primary and Resilient services. Where 

the Customer has their own ASN the Contractor shall support BGP resilience between the 

Primary and Resilient Services as standard. 

Dual Parent (Diverse Internet Edge Routers) 

The Resilient Service shall be connected to a separate IP Backbone node and Internet Edge 

Router (IER) to that of the Primary Service. The Resilient Service Internet Port bandwidth must 

not be less than that of the Primary Service. Only committed Service/Port bandwidths are 

permitted on the Primary and Resilient Services. It is possible to use the Primary and Resilient 

Services simultaneously (i.e. in a ‘Load Balanced’ configuration). Alternatively, the Resilient 

Service can be used as a backup should the Primary Service fail. Where Managed Routers are 

provided, the Contractor shall be responsible for configuring Load Balancing or Failover 

between the Primary and Resilient services. Where the Customer has their own ASN the 

Contractor shall support BGP resilience between the Primary and Resilient Services as standard. 

Dual Homing 

This resilience option allows the Customer to order a separate Internet Access service from 

another ISP for use alongside the Contractor’s service. The Contractor shall provide a single 

Internet Access Service at the Customer site. The Customer shall be responsible for managing 

359

the resilient configuration (in terms of load-sharing or redundancy) across the Contractor’s 

service and that of another ISP. The Customer is required to have their own ASN. All exchange 

of routes between C&W Worldwide and the Customer will be via BGP. AS numbers used in BGP 

sessions and in AS Paths in routes notified by the Customer to us shall not be from ranges 

reserved for private use. 

Distributed Denial of Service Protection 

DDOS Protection aims to stop or diminish the effectiveness of DDOS attacks. The service 

stops attack packets from reaching their intended destination. 

Arbor Peakflow SP traffic anomaly detectors are deployed on the edge of the Contractor’s 

Global IP Backbone (upstream peering points) and Cisco DDOS Guard is used to mitigate 

attacks. 

The Contractor offers two service options: 

360 

Service Option 1 – a reactive service where the Contractor does not monitor the 

Customer’s Internet Access Service for DDOS attacks. Customers will have access to a 

24/7 support line to contact if attacked. The service is configured per IP address block. 

Service Option 2 – a proactive service where the Contractor monitors the Customer’s 

Internet Access Service for DDOS attacks. Key service features include: 

o Proactive monitoring – of traffic flows to protected IP addresses against predefined 

thresholds. The Contractor shall respond to alarms within 15 minutes, 

24/7 all year round. At this point, mitigation steps shall be agreed between the 

Contractor and the Customer. 

o FiveZone Detection configuration – allowing granular monitoring of critical 

servers and services across the Customer’s IP address range 

o Reporting – a portal showing near-real-time traffic flows against protected IP 

addresses.

The DDOS mitigation service operates from a shared Platform that offers protection for a 

number of Customers. The platform capacity to mitigate DDOS traffic for any given Customer is 

dependent upon a number of factors, including but not limited to: capacity already allocated in 

mitigating DDOS traffic for other customers of the platform, method of attack used, and the 

location at which the attack enters the C&W Worldwide network. 

DDOS is only available to Customers that are connected directly to the Contractor’s AS1273 

backbone. 

Wider Security Portfolio Options 

The Contractor’s Internet Access Services can be provided in conjunction with the following 

services: 

361 

Managed Internet Proxy 

Email Protection 

Managed Firewall. 


The following, non-exhaustive list of professional services are offered as options to the 

Customer with the Internet Access Service: 

Project Management 


Network and Solution Design 

Capacity and Performance Management 

Lifecycle Management 

Dedicated Customer Change Management 

Security and Compliance Management.


Routing 

Static Routing 

The Customer’s router is configured with a default route via the Contractor’s Internet Edge 

Router. The router advertises the Customer’s prefix range to the Internet through a static 

route(s) redistributed into BGP. 

BGP with Default Route 

The Customer’s router shall be configured to establish a BGP session with the Contractor’s 

Internet Edge Router using a private ASN assigned by the Contractor. This routing option is the 

minimum required when a Resilient Service is used. 

362 

The Customer shall advertise the ranges assigned to them to the Internet router 

The Internet router shall only advertise a single default route back to the Customer 

router. 

NB: Default BGP Timers shall be used as standard for Internet Access services, including 

existing migrated services that use non-default timers. Default BGP timers are set to 60 

seconds/180 seconds for keep-alive/hold-time. Where Customers with dual-homed sites 

require increased service fail-over, the Contractor can, upon request, tune the BGP timers for 

the Primary site only, to a maximum of 10s/30s keep-alive/hold-time. 

BGP Full Table 

The Customer’s router shall be configured to establish a BGP session with the Internet 

router using the Customer’s own ASN or one assigned by the Contractor. 

The Customer shall advertise the ranges assigned to them to the Internet router

363 

The Internet router shall advertise a full Internet routing table to the Customer. 

NB: Default BGP Timers shall be used as standard for Internet Access services, including 

existing migrated services that use non-default timers. Default BGP timers are set to 60 

seconds/180 seconds for keep-alive/hold-time. Where Customers with dual-homed sites 

require increased service fail-over, the Contractor can, upon request, tune the BGP timers for 

the Primary site only, to a maximum of 10s/30s keep-alive/hold-time. 

Managed Customer Router 

The Contractor shall configure the router, as per the order, for any of the following routing 

options: 

NAT – Network Address Translation (NAT) over the service via a managed Customer site 

router or a Managed Firewall 

Static – Using static routing, the Customer is provided with a statically-configured 

default route 

BGP – Using BGP a dynamic routing interface is established between the Customer and 

the Contractor 

HSRP – Deployed where multiple managed Customer site routers with Resilient Services 

are delivered. 

Management Traffic 

The Internet Access Service shall be managed in-band. Service bandwidths are inclusive, 

therefore a small amount of bandwidth shall be used for management purposes. Where sites 

are connected using third party Fibre Ethernet circuits, the Contractor may locate a dedicated 

NTE at the Customer site behind the third party provider’s NTE. 

Wires Only Services 

Where no Managed Customer Site Router is provided, the service demarcation point shall 

be the Customer-facing interface of the access circuit NTE at the Customer site. Other than

where 2Mbps access circuits are provided over leased lines, the LAN interface will be 

configured as an IEEE 802.1Q port. 

Resilient Services shall require the Customer to manage resiliency and failover 

configuration. 


Dual Parent (Fully Diverse) 

The eBGP sessions between the Contractor’s Managed Customer Site Router and the 

Internet Edge Router (IER) ASPATH pre-pend. MED is used to make the backup link less 

preferred. Hot Standby Redundancy Protocol (HSRP) is run between the two managed 

Customer site routers where requested. In the event of a failure of the Primary CE, traffic shall 

be serviced by the Resilient Service CE. Upon return of the Primary CE, traffic shall then be 

serviced by the Primary CE. HSRP, if used, is also capable of providing ‘load balancing’ in the 

form of multiple HSRP groups being used, with the different groups using different routers as 

their primary router. While this is referred to as ‘load balancing’ it does not guarantee an equal 

distribution of traffic across both links. That is dependent upon the traffic loads from each of 

the configured HSRP groups. 

Dual Parent (Diverse Internet Routers) 

The Primary and Resilient Internet Access services are connected to a single MSP Edge 

Router but the end points (Internet Edge Routers) are diverse. The eBGP sessions between the 

Customer routers and the Internet routers and ASPATH pre-pend, MED would be used make 

364

the backup link less preferred. HSRP is run between the two Customer site routers where 

requested. HSRP is capable of supporting ‘load balancing’ where ordered. 

Burstable Bandwidth 

Where a burstable bandwidth option is taken and access technology allows, Customers shall 

be able to exceed their contracted bandwidth, within limits, based on the access circuit and 

committed rate. Out-of-contract (>CIR) traffic shall be marked with a lower EXP through the 

MSP aggregation into the Contractor’s IP/AS backbones. In the Internet, traffic differentiation 

does not exist. 


The Contractor’s DNS resolution server addresses are as follows: 

365 

Euro-cns3.cw.net – 141.1.1.1 

Euro-cns2.cw.net – 195.27.1.1 

The Contractor’s Global DNS server addresses are as follows: 

Ans1.cw.net – 141.1.27.248 

Ans2.cw.net – 195.27.1.2 

In order to act as a secondary DNS provider for a Customer: 

The Customer shall amend the allow-transfer parameter in their DNS configuration to 

allow zones transfers from 141.1.27.128 for all domains required to be secondary 

The Customer must ensure that each domain for which the Contractor acts as secondary 

has a refresh time value set between 1000 and 86,400 seconds 

Once A and B have been confirmed, the Customer must also notify the Contractor of 

their Public IP address for their DNS server from which the zones transfers are to occur 

The Contractor shall then ensure the name server records have been amended by the 

registrar for the domain(s) and show the required authoritative name servers.

Use of AS1273 and AS2529 

Internet Access is provided over the Contractor’s Global AS1273 backbone, however in the 

UK the AS2529 backbone may be used for aggregation purposes. AS2529 is connected 

upstream to AS1273. The table below provides more detail: 

Requirement Default AS 

Existing AS2529 connected Customer 

wishes to make a hard change whilst 

retaining IP addressing 

Existing AS1273 connected Customer 

wishes to make a hard change whilst 

retaining IP addressing 

New Customer Service requiring DDOS 

Protection 

New Customer Service requiring IPv6 

support 

(IPv6 is supported on a reasonable 

endeavours basis at present) 

Internet Access Service provided with an 

existing network service, over a MSAB, to 

an EU site outside mainland UK 

366 

AS2529 

AS1273 

AS1273 

AS1273 

AS1273 

All other new Customer Services. AS2529 

BGP Communities 

The Contractor’s Internet Access Service shall support use of BGP communities allowing the 

Customer to advertise routes between its Autonomous System Network number and the 

Contractor’s peers and/or transit providers. 

Service Support

Proactive Monitoring 

As standard, the Contractor undertakes proactive monitoring for a range of alarms that 

correlate to the Contractor’s definition for severity 0-2 faults. Severity levels shall be defined 

with the Customer. 

The Contractor proactively monitors its Internet Backbones, Multi-Service Platform and 

access circuits to Customer sites, and any Managed Routers where these are provided. The 

Contractor shall use reasonable endeavours to identify and react to alarms, to open trouble 

tickets and to commence service restoration activity, ahead of the Customer raising a trouble 

ticket. The Contractor will notify the Customer in accordance with the agreed contact plan 

within 15 minutes of the Contractor opening a trouble ticket. 

t 

The table below specifies the alarms that are proactively monitored for as standard*: 

Impac 

Grouping 

Acces 

s Circuit 

367 

Type 

Event 

Interfac 

e Down 

Loss of 

Resilience 

Description Internet 

The circuit is unavailable to send or receive IP 

packets in either direction. Applicable to access 

circuits provided over leased line technology. 

Traffic has failed to a Resilient Service 

provided at the Customer site 

Access 

Y 

Y

ged 

Mana 

Customer 

Site 

Router 

368 

BGP 

Routing 

Failure 

Bouncin 

g Interfaces 

Device 

unreachable 

BGP routing protocol is not functioning. 

Applicable to Access Circuits provided using 

Ethernet technology. 

An Access Circuit is subject to brief instances 

of unavailability. If there are more than eight of 

these instances over an eight minute period an 

alarm will be triggered. 

Connectivity is lost to the C&W Managed CE 

device from the Internet Edge Router. 

* Proactive Monitoring excludes all service features and components not specified. 

Where access circuits are provided using Ethernet technology, service unavailability is only 

identifiable through loss of BGP routing alerts rather than an interface down alarm, and 

requires the Customer to use BGP routing. Where Ethernet First Mile technology is used, only 

full circuit failure upon loss of BGP is provided. The Contractor’s proactive monitoring policy 

(for the alarms detailed above) accounts for the suppression and buffering rules detailed below. 

Y 

Y 

Y

Suppression 

The following events are suppressed from being presented to the Contractor’s Network 

Management Centres for validation and generation of a trouble ticket: 

369 

Planned Outages and Emergency Maintenance – alarms generated by these events shall 

be fully suppressed 

Restricted Monitoring – for certain Customer sites and/or services, proactive monitoring 

may be withdrawn where requested by the Customer or as a consequence of frequent 

occurrence (three or more instances in a calendar year) of Customer-caused events, 

such as powering down. 

Buffering 

Alarms that are not suppressed shall be subject to the following buffering policies prior to 

presentation to the Network Management Centres: 

Basic Buffering (all alarms) – all alarms shall be buffered for 10 minutes from first 

occurrence. 

Bouncing Interfaces – except where there are more than eight bounces over an eight 

minute period, alarms relating to bouncing interfaces shall be buffered. The following 

exception applies: 

o All other access circuit interfaces – if there are more than five occurrences over a 

two hour period, an alarm will be triggered on the sixth occurrence for proactive 

monitoring following the defined 10 minute buffering period. 

Incident & Change Management 

Incident management is provided 24/7, all year round. Incidents may be raised by the 

Customer via telephone or online using the ‘MYCW’ self-service portal. 

Soft changes (including changes to managed Customer site routers, service bandwidths, 

routing and IP addressing, optional internet and security features) and hard changes are 

supported.

Online Portal 

Where ordered, the Contractor shall provide access to an online portal. The portal provides 

a range of self-service applications and supporting information including: 

370 

Service and support materials 

Order tracking 

Incident Management – For raising and tracking trouble tickets, and adding queries and 

comments 

Performance Reporting – Access to reporting where ordered 

E-billing. 


There are no Sub-Contractors in the supply this service. 

APPLICATION PERFORMANCE MANAGEMENT SERVICE DESCRIPTION 


The Contractor’s APM Service consists of two distinct capabilities named Optimisation and 

End User Experience. The service will provide: 

Traffic visibility including application usage and performance over the network, real user 

experience for web or enterprise applications and business services; 

Traffic Performance Optimisation & Assurance; 

Fault investigation capabilities and performance base lining; 

24/7 incident management and proactive monitoring for critical unavailability events in 

the reporting infrastructure; 

Access to professional services. 


Optimisation

371 

End User Experience 

Service Description Optimisation 

The Contractor will deploy customer premises equipment that is connected to the LAN side 

of WAN routers. Physical appliances are deployed symmetrically — in data centres and remote 

locations to improve the response times of business-critical applications over network links. 

Optimisation consists of: 

Application Acceleration 

Application Control. 

Together these elements: 

Prioritise business-critical traffic, through AQS (Application Quality Score) policing and 

traffic-shaping. 

Reduce network latency using protocol and application specific optimisation. 

Reduce the bandwidth required to transfer traffic by compressing traffic 

Application Acceleration 

The Service provides improved performance for applications and files (subject to traffic 

profile) through a combination of technologies, including: 

Application and file protocol acceleration - Reduces latency and bandwidth utilisation 

through advanced protocol optimisation, including read-ahead, message prediction, and 

caching; 

Throughput optimisation - manipulate transport protocols to improve efficiency in WAN 

environments; and 

Bandwidth optimisation - Minimise the transmission of redundant data patterns through 

Data Redundancy Elimination (DRE) and TCP Flow Optimisation (TFO). 

The solution will be capable of use with the following applications as a minimum:

372 

File Sharing (MS Windows/CIFS; UNIX/NFS); 

Email (MS Exchange/MAPI; SMTP/POP3/IMAP; Lotus Notes); 

Internet/ Intranet (HTTP, WebDAV); 

Data Transfer (FTP); 

Software Distribution (Microsoft SMS; IBM Tivoli, Altiris); 

Database Applications (SQL; Oracle; Notes); 

Data Protection (Backup Applications; Data Replication); and 

Any TCP Based Application (Layer 4 compression & Acceleration). 

Optional services include: 

Pre-positioning on-Demand - The Contractors shall provide a reduction in cross-WAN 

traffic by using the Common Internet File System (CIFS) file pre-positioning capability 

and off-peak bandwidth to pre-warm the DRE cache in anticipation of a subsequent TCP 

request for the content or updates. 

Disk Encryption - Disk encryption provides protection for sensitive information that 

flows through deployed WAAS systems and that is stored in WAAS persistent storage. 

The disk encryption feature includes two aspects: the actual data encryption on the 

Acceleration Appliance disk and the encryption key storage and management. 

Cisco WAAS supports EAL4 certified disk encryption The Cisco Disk Encryption will not 

store a Key on the Appliance, all keys are read at boot time from the CMS. No key is 

stored anywhere on the WAAS appliance. 


Application Control 

The service has two main features - Visibility & Control, which enables the following: 

Protection of critical application traffic using enterprise-defined objectives; 

End-to-end WAN optimisation; 

Visibility of end-to-end WAN application performance; 

Proactive management of network spending. 

The Contractor will work with the Customer to define the business criticality and 

performance objectives of key applications and setup the APM service accordingly. The real-

time component of APM shall automatically and continuously optimise application 

performance in real-time, providing: 

373 

Increased application availability; 

Performance visibility; 

Bandwidth allocation on a per application/ per session basis to provide a defined user 

experience for defined applications; 

Visibility 

The Contractor solution will provide and manage the APM infrastructure and deliver the 

tools to enable the Customer to administer the application performance, behaviour, and 

fluctuating user demands across the wide area network. 

Comprehensive Measurement 

The APM Control Service performs deep packet inspection to identify comprehensive 

network metrics on a global, per site or per application basis. 

Application Discovery 

The APM Control Service will automatically discover applications running over the Customer 

network. Specific applications can be further defined using subnets and ports during 

implementation and after by securing the services of the Contractors Professional Services. 

Control 

Application Performance Objectives 

Visibility gives WAN wide per user per session information which allows the Customer to 

define how applications are to perform across the network (Application Performance 

Objectives).

The Customer, in conjunction with the Contractors professional services team, establish 

AQS (Application Quality Scores) based on both applications criticality to the business and 

traffic types. This enables dynamic bandwidth allocation to support peaks in demand. 

Applications Quality Score (AQS) 

AQS is dynamically calculated using information on whether or not the Application 

Performance Objectives have been reached showing the delivered service level using three 

values: 

WAN. 

374 

Good: all metrics are better than the objective thresholds – Application SLA 

met/exceeded 

Fair: some or all metrics are between the objective and maximum values - Application 

SLA is partially met 

Poor: some or all metrics have reached or exceeded the maximum value - Application 

SLA is not met 

The Application SLA’s are enforced using the Application Performance Objectives across the 

Application SLAs are per individual active session and include a set of objectives metrics and 

maximum thresholds on a configuration dashboard: 

Bandwidth per session 

One-way LAN to LAN delay, jitter, loss rate 

Round Trip Time, TCP retransmission rates 

Server Response Time 

The Service Levels are constantly monitored by the system, comparing achieved end-to-end 

performance with objectives.

Reporting 

The Customer will be provided with their own portal to access real time diagnostic tools and 

reports as part of the managed service, allowing real time troubleshooting and monitoring of 

key application SLAs. The tools can also be utilised for predictive modelling for workforce 

expansions, deployment of new applications and changes in work practices when aligned with 

the Contractors Professional Services function 

Helpdesk & Discovery Tools 

The following elements of the Ipanema system provide the Customer information on their 

data as it crosses the network Nominated Customer staff will be provided with user accounts 

to administer these elements. 

375 

Helpdesk - The Helpdesk provides a traffic light heat map of the real time performance 

of the applications flowing across the network. 

Real Time Flows (AQS) - From the helpdesk the user can investigate any element on the 

heat map to view real time flows. 

Discovery Tool - The Discovery Tool delivers the capability to see every packet crossing a 

physical device. 

Please note 

“The Discovery Tool feature may be restricted or removed if there is adverse impact on the 

performance of the ip|e Engine. It is expected that the Customer will only start the discovery 

agent on an ip|e Engine when detailed traffic analysis is required for troubleshooting. This also 

assumes that the agent will be stopped when not required.” 

Optional services include: 

Rightsizing - This service is an optional extra available on physical engines only. The 

Customer can use these reports to plan the required amount of bandwidth based on the 

Customer’s objectives for performance and that rules are delivering enhanced 

performance and user satisfaction. 

Smartpath - This service is an optional extra available on physical engines only. 

Smartpath is for multi-networked branch offices, allowing automatic selection of the

376 

best network according to actual performance and application traffic characteristics, in 

real time. 

This feature selects the best access method for each application flow to increase the 

delivered performance and continuity, while optimising the usage of each available 

network. WAN selection criteria include performance parameters including network 

delay, jitter and loss, as well as currently available effective bandwidth. 

SmartPath assesses the best path at the beginning of each session. This choice can 

be static (no change during the session) or not as dynamic changes can be allowed. It is 

optionally possible to guarantee the same path choice for both directions of the session. 


End User Experience (EUE) Service Description 

The Contractor APM EUE service will measure end user experience that contribute to 

service components, proactively detect performance issues, quantify their business impact and 

provide information that can be used to resolve the issue. The solution works for any type of 

application, including applications accessed by employees, e-commerce web sites visited by 

Customers or applications running on mobile devices. 

APM EUE Reporting will provide visibility of the real user traffic for business critical 

applications, site to site. 

The service makes use of agentless probes, which can be placed at various locations across 

the application delivery chain, in order to measure the user performance across key

applications. It is possible to measure Meta data, application transactions and performance 

within multiple tiers of the application by providing detailed response-time measurements for 

middleware and database transactions. 

The Contractor’s service offers two EUE Reporting options, Standard and Premium: 

377 

Standard – provides visibility of end user transactions across the internet, and /or 

enterprise, for an agreed list of applications. A range of role based, dashboards and 

metrics are provided, to meet the needs of different users within the Customer 

organisation. 

Premium – dashboards, metrics and targets are tailored, within limitation, to meet the 

Customer’s requirements. It is possible to develop the dashboards to provide a business 

service management view. 

Key differences between Standard and Premium are tabled below: 

Key Values 

Single Tier Reporting for Web or 

Enterprise Apps 

Multi-Tier Reporting for Web & or 

Enterprise Apps 

In 

Tariff 

� 

x 

Standard 

Opti 

onal 

x 

� 

In 

Tariff 

� 

� 

Premium 

Optio 

nal 

x 

x

Universal decode for HTTP/HTTPs � x � x 

Out Of The Box Standard Reports 

and Dashboard 

Customised Reports, Dashboard & 

Business Service Management 

Up to 100 locations with grouped 

user stats 

Up to 250 locations with individual 

user stats 

378 

� 

x 

x x � x 

Reports updated daily � x x x 

Reports updated in near real time x x � x 

3 Monthly Baselining � x x x 

Monthly Baselining x x � x 

Optional Modules, Decodes, Metrics 

& Professional Services 

� 

x 

x 

x 

x 

� 

� 

x � x � 

Professional Services � x � x 

x 

x 

x

(design/implementation) 

Professional Services (training) � x � x 

Professional Services (In life 

Performance Consulting) 

Optional Synthetic Web Site 

Monitoring 

379 

x � � x 

x � x � 

The demarcation point for the Contractor APM service is at the LAN port of the AMD 

physical appliance, there is no accountability on the LAN side of the Customer data Centre or 

for the amount of data being sent to the WAN from the LAN. 

APM EUE Reporting provides essential visibility of the real user experience for business 

critical applications, end to end, from the first mile to the last mile via 2 deployment options. 

APM EUE Web 

APM EUE Enterprise 

Contractor EUE Web 

A 10Mb IP Virtual Private Network (VPN) connection (management Path) is built and 

configured to connect the Customer WAN to the Contractor Hosting platform, where the 

Customer specific Management PoD is housed. The Management PoD houses the intelligence 

for the APM EUE Web service. On the Customer data centre the Contractor shall install 

Agentless Monitoring Device(s) to suit the solution. These devices will collect data from the

Customer network and relay that information to the Management PoD, where the information 

will be collated and presented back in a dashboard view to provide information about 

performance and usage of web site performance. 

Contractor EUE Enterprise Applications 

A 10Mb IP Virtual Private Network (VPN) connection (management Path) is built and 

configured to connect the Customer WAN to the Contractor Hosting platform, where the 

Customer specific Management PoD is housed. The Management PoD houses the intelligence 

for the APM EUE Web service. On the Customer data centre the Contractor will install 

Agentless Monitoring Device(s) to suit the solution. These devices will collect data from the 

Customer network and relay that information to the Management PoD, where the information 

will be collated and presented back in a dashboard view to provide information about 

performance and usage of key applications. 

Detection of Abnormal Application & Network Usage Patterns 

A set of predefined alarms detects application performance problems (response time). A 

report will be generated at the end of the day, showing application errors and exceptional 

network conditions (latency, retransmissions, bandwidth abuse) and will inform about new 

applications, new servers, new users, and new workstations on the network. 

Alarms 

The rule-based alerting engine, works on real-time data stored in the database, it checks all 

the defined alarming conditions every five minutes. The engine has: 

380

381 

Alarm-triggering hysteresis 

Alarm reminders 

Extinguishing options 

Automatic (baseline) 

Manual thresholds 

Customisable alarm notification messages. 

Professional services shall, as an option, be provided 



Incident Management and Reporting 

Proactive infrastructure Monitoring for critical unavailability issues 

24/7 all year round incident management 

Automated back-up scripts for APM configurations 

Change Management 

Upgrade / Update service 

The demarcation point for the Contractors APM service is at the LAN port of the WAAS 

physical appliance, there is no accountability on the LAN side of the Customer data Centre or 

branch estate or for the amount of data being sent to the WAN from the LAN. 



Cisco - Provision of APM hardware and support services

STORM SERVICE DESCRIPTION 


The Contractors STORM service provides direct fixed and mobile voice network connectivity 

with up to 30,000 ports available – 20,000 TDM and 10,000 VoIP. 

Each access number hosted on STORM is allocated to a specific client or service. 

Inbound inquiries are provisioned to receive a treatment – for example by being answered 

with a recorded announcement 

For outbound services, automated predictive diallers can initiate concurrent voice (or SMS) 

contacts - using number lists uploaded to STORM, or derived from a Customer’s system. Using 

IVR STORM can, for example, instigate a voice call, play recorded prompts, route an inquiry 

according to the responses given, record the entire dialogue, or generate an email or SMS 

notification as a result. 


In-bound and out-bound multi media messaging 


STORM provides a range of ‘Cloud based’ functions and facilities, delivered through a 

Software-as-a-Service (SaaS) model. These capabilities can be combined and enables the 

Customer to implement multi-functional messaging solutions. 

382

Interaction with STORM uses web-based interfaces, via the Internet or direct connections. 

Functions and facilities available include: 

Predictive Dialler 

Outbound voice service linking a Contact Centre agent to an end customer. Used for 

relaying sales, service and marketing messages or a prompt that then initiates a contact centre 

agent call. Or alternatively a direct connection with the Agent. 

Outbound Voice broadcast 

Contacts are called on the telephone and a pre-recorded message, preceded optionally by 

an introduction prompt is played to them. Acknowledgement by key press can be requested 

and logged. 

Inbound Short Message Service (SMS) 

The STORM platform receives a mobile text message with a key word that identifies the 

service to be run and then creates a configurable response determined by the content of the 

text. Configurable response could be a confirmation text message sent outbound or other 

media such as MMS or video. 

Outbound Short Message Service (SMS) 

Delivering a text message to multiple mobile lines. Informational or invitation to respond 

based on the content of the text that can include a mobile internet link (URL). 

383

Outbound International SMS 

The ability to send message to international mobiles or UK mobiles roaming internationally. 

Inbound Multi-media Messaging Service (MMS) 

The STORM platform receives a multi media message with a key word that identifies the 

service to be run and then a configurable response determined by the service. The configurable 

response could be a confirmation text message sent outbound or other media such as MMS or 

video. 

Outbound Multi-media Messaging Service (MMS) 

Delivering a multimedia message to multiple mobile lines. Informational or invitation to 

respond based on the content of the MMS. 

Outbound video to mobile 

Delivering video content as a MMS attachment. Can be combined with an SMS inbound 

short code advertised or voice inbound number, or just a straight outbound broadcast. 

Configurable to have a response to a contact centre agent. 

Web Inbound 

VoIP calls into STORM from a web click. Customer call link initiates a VoIP call to a contact 

centre agent, or web entry for polling. 

Inbound Email 

384

The STORM platform receives an email message to an address that identifies the service to 

run with a configurable response based on the content. Converting the email to an SMS by 

analysing the subject or address to find out the destination. 

Inbound email with WAV, TIFF or PDF attachments that are converted to a fax or voice call. 

Outbound Email 

Broadcast email message to multiple addresses, or inbound SMS/fax converted to an 

outbound email. Informational or invitation to respond based on content of the email. 

Converting an inbound SMS message to an email for delivery to an address. 

Red Button 

Entry for polling via interactive TV. Integration with 3 rd party Red button platforms to collect 

entries for a converged competition. 

Inbound Fax 

STORM receives fax and stores as TIF file. Inbound fax attached to an outbound email. 

Outbound Fax 

STORM sends TIF file to end user’s fax machine. Informational or invitation to respond 

based on content of the fax. This could also be a fax broadcast service. 

Automatic Speech Recognition (ASR) 

385

Callers are asked to speak their responses as an alternative to DTMF. 

Self service application 

The STORM self service portal allows a user to define the service logic which controls how a 

service runs. The Customer is allowed to set up inbound/outbound service from a template and 

gives it a schedule and access method / contact list (phone number, SMS short code etc). 

More complex requirement can be created using the Service Designer function 

The Service Designer can be used to create the service logic for: 

386 

Web / SMS / Red Button and Voice services 

Customer Identification and Verification services 

Inbound and outbound call handling, tracking and recording services 

Automated SMS, email and VoIP notification services 

Call recording 

Calls can be recorded on the basis of all calls received or a specified percentage of calls. 

Includes storage and an access tool for the Recording manager. 


The Contractor can offer professional services to assist with designing a solution for the 

Customer 

Managed service package

The set up of the inbound or outbound services are managed according to Customer 

requirements 

STORM Reporting 

The Customer has access to statistics, both real-time (dashboard) and historical (15 minute 

delay) Users can check on call volumes, and option popularity for example. Users can also pick a 

winner for competitions. The export facility allows download of CDR information for the 

Customer’s own analysis. 

Storm Dashboard 

STORM Dashboard is used to create customisable displays of real-time service data. The 

Customer can design their own Dashboards, multiple dashboards can be designed to cater for 

differing service environments and reporting requirements, and the resulting Dashboard 

designs can be saved and shared among users. 


PCI Compliance 

The STORM platform is PCI compliant and certified every 3 months in relation to the 

processing of credit/debit payments. 

If there is a requirement for PCI compliance in relation to call recordings, there are two 

options: 

387

388 

A manual stop and start recording process, i.e. the agent stops the recording and starts 

the recording either from the softphone or keypad tones. 

Integrating into a Customer’s CRM so that when the agent clicks on the payment page, 

the system automatically stops recording and once out of the payment page recording is 

resumed. 


The Contractor will provide Service from the Service Commencement Date given to the 

Customer. 

When a Service or Software is to become unavailable, the Customer will be notified by 

means of a Service or Software Discontinuance Notification (SDN) document. The document 

will provide details of the Service or Software being discontinued, and relevant dates. 

If a discontinued Service is to be replaced by a new Service or Software, this constitutes a 

Service Change or Upgrade. 

Incident Management 

The STORM platform is designed to achieve a target availability of 99.999%. 

When necessary to carry out essential maintenance or network upgrades, The Contractor 

shall give the Customer at least ten (10) calendar days’ notice of any temporary interruption in 

Service which is necessary for to carry out essential maintenance or network upgrades 

(“Planned Outage”) and shall endeavour to agree a convenient time for the Planned Outage 

with the Customer. In the event that an emergency Planned Outage is required, The Contractor

shall give the Customer the maximum notice reasonable. Any Planned Outage shall not be 

included in Fault or availability measurements. 

The Customer must provide adequate information, to be agreed between the Contractor 

and Customer, to the Contractor when the problem is first reported to enable The Contractor 

to diagnose and resolve the suspected fault. 

A monthly performance report is available on request. The fault summary within the report 

will contain a breakdown of all faults experienced by the Customer. 

Billing and Payment 

Set-up and installation fees will be payable on receipt of order or completion of installation 

as agreed. 

Any regular monthly service charges will be payable one month in advance. 

Any usage charges e.g. sms or voice calls, will be billed monthly in arrears. 

Payment terms shall be 30 days from date of invoice. 


There are no sub contractors in the supply this service. 

389

Cassidian UK 

Provision of Communications Services: supply, installation, maintenance, technical architecture and 

system design, project management, and support for equipment, commodity and managed service. The 

Lot scope includes: all traditional and IP based voice services; voice call packages; voice minutes; DDI, 

premium rate numbers; non-geographic numbers; 118 enquiries; call preference services, audio 

conferencing, desktop video conferencing and collaboration tools; web conferencing; Internet services; 

email and website services; co-location and hosting; on-line storage; security services; antivirus; email 

scanning and filtering; firewalls; intrusion and spyware detection; authentication and access 

management; web and application sign on services; web conferencing; messaging services; real time 

information services; desktop messaging; messaging via email, SMS, pager and mobile or fixed line 

telephone; provision of all elements of a complete solution; Note that connectivity does not fall within 

the scope of this Lot. 

Communications Services - Introduction 

Cassidian provides a suite of specific services and service capabilities within the PSN 

Communications Service, which are available to the Customer Authority and their Service Consumers. 

The following sections introduce Cassidian’s Technical approach, Service Management approach, and 

Security approach to the delivery of these services. For each of these approaches, Cassidian has 

identified the underpinning principles for a successful delivery to the Service Consumer. 

Communications Service – Technical Service Approach - Overview 

Cassidian has a number of service capabilities that are appropriate to the PSN Service Consumer 

within this framework contract. These services and service capabilities have been designed with all the 

relevant PSN and CESG requirements and policies incorporated within the service solution offering. All 

service offerings are provided with relevant client and server software, licensing, and management. The 

390

level and specific aspects of management provided by Cassidian via the Cassidian Service and 

Operations Centres (CSOC) is defined within the Service Management Approach section that can be 

found at 0. 

The underpinning Security and Accreditation approach adopted for these services within the PSN 

environment are defined within section 0. 

Unless specifically excluded, Cassidian offer all of our Services and Service Capabilities within all 

three PSN Security Domains (PROTECT, RESTRICTED and CONFIDENTIAL). 

As a result of this comprehensive approach Cassidian is able to provide the following services to the 

Service Consumer: 

Voice Services 

Within this service offering, Cassidian provides a comprehensive Voice Service that provides all of 

the essential and enhanced voice functionality required within the modern consumer organisation. 

This service delivers all the required aspects of the telephony distribution, voice conferencing, call 

handling, interconnectivity, and gateways to other Service Consumers along with associated services, 

and dependent upon the security domain, onward connectivity to and from the wider public telephony 

network. The full technical detail definition for this service is contained within 0. 

391

Desktop and Web Video Conferencing and Collaboration Environment 

Within this service offering, Cassidian provides a fully functional Video-Teleconferencing and 

Collaboration environment, this service and it constituent capabilities have been designed to deliver the 

most flexible, integrated and agile near-face to face and collaboration environment for our Service 

Consumers within the requirements of the PSN security environments. 

This service provides the Service Consumer with all the required aspects of this service including the 

client software and server capabilities. This service also provides integration with voice services via a SIP 

gateway, fully functional remote connectivity via the web-client interface and federation integration 

with other solutions via the standards based VTC gateway. 

The full technical detail definition for this service is contained within 0. 

Internet Services 

Within this service offering Cassidian provides a complete suite of Internet and Intranet Service 

capabilities. These capabilities have been selected to allow the Service Consumer to realise all of the key 

and core enabling and underpinning service capabilities required for effective communications within 

the PSN environment. To achieve this Cassidian can provide the Service Consumer with the following 

service capabilities: 

392 

Internet Access Service – This provides a complete managed and monitored connection from 

the Service Consumer’s environment to the Internet. The full technical detail definition for this 

service is contained within 0

393 

Domain Name Service – This provides the Service Consumer will all resolution services required 

within their own Intranet namespace and manage their Internet namespace. The full technical 

detail definition for this service is contained within 0 

Dynamic Host Configuration Protocol (DHCP) Services – This allows the Service Consumer to 

dynamically provide all of their IP devices and appliances with the relevant IP configuration 

information and the location of key services. The full technical detail definition for this service is 

contained within 0 

Forward and Reverse Network Address Translation (NAT) Services – This ensures that the 

Service Consumer does not publish or route incorrect IP addresses outside of their boundary 

whilst still ensuring that interoperability can be achieved with other Organisations within your 

PSN environment. The full technical detail definition for this service is contained within 0 

Network and Capability Monitoring Services – This capability ensure that the Service Consumer 

is provided a real-time awareness of the current status of all Cassidian delivered services and 

capabilities. This service offering is also available for the Service Consumer to achieve a 

comprehensive 24x7 view of their current network; platform and services with an ITIL based 

escalation and alerting process. This service is available for all existing Service Consumers assets. 

The full technical detail definition for this service is contained within 0 

Network Capability Management Services – Network Management extends the capabilities 

within Network Monitoring to include a fully managed and configuration controlled Service 

Consumers environment delivered 24x7 by Cassidian. The full technical detail definition for this 

service is contained within 0 

Secure Internet Gateways – The Cassidian Secure Internet Gateway capability provides the 

Service Consumer with both secured messaging and web gateways services to enable 

interworking between PROTECT and the Internet, for higher level inter-domain working please 

use the firewall services. The full technical detail definition for this service is contained within 0 

Accurate Time Service – Modern systems and security capabilities require highly accurate time, 

this service capability form Cassidian provides the service consumer will all the required 

elements to maintain that accurate time required to support business applications and 

operations. The full technical detail definition for this service is contained within 0 

E-Mail and Desktop Messaging (Including scanning and filtering) 

Within this service offering Cassidian provides the Service Consumer with a comprehensive suite of 

Messaging services and capabilities. These capabilities provide the service consumer with all of the 

functional aspects required from the client and security labelling extensions to the messaging servers 

and inter-organisational gateways. 

Within the scope of this service offering Cassidian also provides extensibility options to support 

secure Inter-Personal Messaging and Inter-Organisational Messaging.

This service can also be supplemented by application level firewalls to provide the Service Consumer 

with inter-organisational mail scanning and filtering and secure release of inter-domain messaging. The 

full technical detail definition for this service is contained within 0. 

Co-location and Hosting 

Within this service offering Cassidian provisions processing, storage, networks, and other 

fundamental computer resources where the Service Consumer is able to deploy and run arbitrary 

software, which can include operating systems and applications. The Service Consumer does not 

manage or control the underlying infrastructure but has control over operating systems, storage, 

deployed applications and limited control of select networking components dependent upon the 

security domain. This service is only provided for PROTECT and RESTRICTED PSN domains. The full 

technical detail definition for this service is contained within 0 

On-Line Storage Services 

The online storage service (Secure Managed Storage Service) provides Microsoft Windows based 

network file shares based on the Common Internet File System (CIFS) standard, providing secure remote 

file and directory access for client machines independent of the client machines operating system. The 

service has been designed to integrate with the Service Consumers selected Directory Service to support 

full access control. This service is only provided for PROTECT and RESTRICTED PSN domains. The full 

technical detail definition for this service is contained within 0. 


Within this service offering Cassidian provides the Service Consumer with a mix of Professional 

Services and Technical Services. 

394

The Professional Services capabilities provide the Service Consumer with all aspects of support and 

configuration required to ensure that their service environment is compliant with all of the relevant PSN 

and CESG security aspects and resultant documentation. This service has been designed to support the 

Service Consumer from initial environment security scoping thought implementation to on-going 

compliance and audit validation. This is delivered by our CLAS Consultants. 

The Technical Services capabilities provide the Services Consumer with a number of specialist 

Professional Services delivered by our security design and enforcement engineers who will work with 

the Service Consumer to ensure that the implementation has been security ruggedised in accordance 

with PSN requirements. Cassidian also provides a number of specifically-designed security-enabling and 

enforcing service capabilities: 

395 

Managed Encryption – This service capability provides the Service Consumer with a complete 

managed inter-site or campus encryption capability at RESTRICTED and CONFIDENTIAL using the 

relevant PEPAS and CAPS approved encryption capabilities. 

Secure Remote Access – This service provides the Service Consumer with the ability to securely 

extrude their LAN environment for off-site, remote and home workers who only have Internet 

Access. This service has been specifically extended to address the issues of connection over 

portal based internet access (e.g. Hotels, Hot-spots). This Service is available at PROTECT and 

RESTRICTED. 

Another instance of this service has been designed to allow remote Service Consumers that have a 

PROTECT level network available to reach back to their RESTRICTED level LAN. This service is available at 

RESTRICTED.


Anti-Virus and Patching Service 

Within this service offering Cassidian provides the Service Consumer with a complete anti-virus, 

spyware detection and security patching service. 

The AV offering includes all of the required service aspects from the desktop or mobile client to the 

distribution service and near real-time signature and threat update service. Cassidian also provides a 

number of service extensions for the clients within this capability to extend the functionality to address 

centrally based Host Intrusion Detection Services (HIDS) and an Organisational level Patch status review 

to identify where your environment is at risk due based upon current threat vectors and the patching 

status of your devices. 

The Patching Service provides the Service Consumer with an on-line patch distribution service for all 

Service Consumer requirements for Windows and Linux. 


Firewall Service 

Within this service offering Cassidian provides the Service Consumer with a comprehensive suite of 

firewall services. These firewall services are categorised into two capability families: 

396

397 

Network Level Firewalls – These provide the Service Consumer with purpose-built, high 

performance platforms delivering WAN connectivity and security, plus the power to protect the 

high-speed LAN against internal network and application-level attacks while simultaneously 

stopping content-based attacks. 

o Shared Management through role based graphical Web UI central management system 

which is accessed via the Cassidian Customer Web Portal. 

o Policy-based management to allow centralised, end-to-end life-cycle management. 

Application Level Firewalls – These provide the Service Consumer with a range of both formats 

and grades of Application and Protocol Level Firewalls. Cassidian provides support to the 

following applications: 

o Messaging – Support to both standard e-Mail (SMTP) and organisational messaging 

(x.400) 

o Web Access – Support to secure managed web access for both HTTP and HTTPS 

o File Transfer – Support to secure transfer via FTP 

o Fixed Formal – Support to the secure interchange of files or messages with a defined 

format 

o XML – Support to the interchange of information based upon the .xml format 

o Directory – Support to the interchange of directory based information in both DIF and 

LDIF 

o Chat and Instant Messaging – Support to the secure interchange of Instant Messaging 

information (.xmpp) 

All Cassidian firewall services and solutions have been architected with accreditability by design to 

provide the Service Consumer with the lowest risk to adoption. 

Intrusion and Spyware Detection Service 

Within this service offering, Cassidian provides the Service Consumer with a comprehensive and 

resilient Intrusion and Spyware Detection Service which has been designed to provide the Service 

Consumer with a modular scalable IDS capability via the Cassidian Computer Network Defence (CCND) 

Service.

The core of this service is the Cassidian Threat Management Engine (TME). This provides our 

analysts with a coherent and comprehensive tuned view of all current security threats and security 

related events that are occurring within the managed Service Consumers environment. 

This TME receives threat and security related events from a broad suite of sources, including: 

398 

Operating Systems Security and Event Logs 

Network Switch and Routing Devices 

Firewall Devices 

AV packages 

NIDS solutions 

HIDS solutions 

Live Threat Updates 

Cassidian provides real-time threat analysis to the Service Consumer as a 24x7 service from the 

Cassidian Service Operations Centre (CSOC). The Service consumer can achieve their own view of the 

current security picture through either a dedicated correlated view within their own environment or as 

an access controlled view via the Customer Web Portal. 

Depending upon the Service Consumer’s current environment, Cassidian provides a suite of 

deployable Intrusion and Spyware detection tools that will either upgrade or supplement the Service 

Consumer’s existing threat detection and monitoring capabilities. These are provided, as per the main 

service, as a fully managed capability. These modular extensions include:

399 

Network Intrusion Detection Service (NIDS) – This will provide the Service Consumer with 

dedicated detection devices at the critical ingress and egress points within their network. 

Host Intrusion Detection Services (HIDS) – This is an extension to our AV Service which will 

provide the Service Consumer will a centrally managed and monitored policy-based client and 

server threat and anomalous detection and reporting engine. 

End-point Control – This service extension builds upon the AV and HIDS capability to centrally 

control the Client and manage the applications, websites, client-side firewall and data types that 

the client can execute or access. The use of this service ensures that the Service Consumer 

maintains the strongest practicable security stance for their environment. 

All of the Cassidian services and capabilities that provide a security enforcing and security policing 

function are fully integrated with the CCND Service thus ensuring the Service Consumer receives a 

comprehensive approach to security and compliancy. The full technical details of the Cassidian CCND 

can be found at 0 

Authentication and Access Control (inc Web and Application Sign-on) 

Within this service offering Cassidian provides the Service Consumer with a scalable, secure 

Authentication and Access Management Service for all Service Consumer Scenarios including federation, 

web-access, 3 rd party service sign-on, and client minimal sign-on. 

This service supports a number of different authentication methods for the User, Machine and 

software service, these include support to: 

Machine and Service Authentication – Certificate based Machine Authentication 

User Authentication – Classic – Username and Password combination 

User Authentication – Two factor – Username and Passcode or Certificate 

User Authentication – Smartcard based authentication

400 

Access Control Policies – These policies can be defined and enforced at the User, Organisational 

Group, security domain and Organisation levels thus allowing the Service Consumer the ultimate 

flexibility in adoption. 

Inter-Organisational Trusts – This ensure that the Service Consumers can ensure that all policies 

and authentication is defined once and used for all relationships from their authoritative 

source. 

All Authentication services provide a role-persona management and access control capability for 

business and operational access to such entities as: 

File Stores 

Websites and Services 

Centralised Applications 

Terminal Services 

Portals 

External Organisations 

This service extends the authentication element to include the following Access Control methods: 

Network Access Control – Decision support, based upon a profile analysis of a machine to 

determine if it is authorised to access the Service Consumers network and which network 

segment(s) it is authorised to connect to. 

Host Network Access Control - Decision support based upon a capability and compliancy profile 

analysis of the machine to determine if it is authorised to access the Service Consumers 

environment (e.g. – current status of the AV and patch levels of any given client). 

Full details as to the technical interoperability and scope of this service and extended capabilities are 

provided within 0.

Real-time Services 

Within this service offering Cassidian provides the Service Consumer with a secure real-time 

presence aware, multi-instance security aware Instant Messaging (IM) chat client and server service. 

This service is provided with a full recording and auditing function thus allowing the Service 

Consumer and PSN-approved Agencies to replay, review and analyse all IM traffic. It is possible to 

federate this bandwidth aware client with external collaboration client services via the standards-based 

.xmpp gateway extension (e.g. federation with the Cassidian Collaboration Environment) and establish 

cross-domain relationships with the Cassidian Chat Firewall Service. 

Full technical details of this service can be found at 0. 

Communications Services – Service Management Approach - Overview 

Cassidian shall deliver to the Customer Authority an ITILv3 aligned Service Wrap that covers the 

complete Service Lifecycle. 

Cassidian shall provide the PSN Customer Authority with a Call-Off Operating Manual relevant to the 

provisioned Service. 

Cassidian Support Solution 

Cassidian shall deliver a Service Model that will reflect the best use of Service Capability across the 

Customer Authority environment and relevant Security domain. 

401

In support of the Managed Service solution offered to the Customer Authority, Cassidian employs a 

set of industry standard Processes which interfaces with the Customer Authority and other PSNSPs at 

agreed touch points. 

The Cassidian Service framework is aligned and complimentary to the ISO 20000 standard (Cassidian 

holds ISO 20000 certification as an organisation) so supports the PSN requirement to achieve ISO 20000 

certification for the delivered Service within eighteen months of the date of signature of each Call-Off 

Contract. 

Service Support Locations 

Cassidian shall support PSN Services from the Cassidian Service Operations Centre (CSOC) in 

Newport and/or the Alternate Service Operations Centre (ASOC) in Cheltenham. 

Timing and Hours of Cover 

Cassidian warrant that Support Services shall be provided to all relevant sites and made available 24 

hours a day, 7 days a week, 365 day a year (24/7/365). Actual support hours shall depend on the 

contracted Service Category (i.e. Gold, Silver or Bronze). 

Contract Start and Duration 

Cassidian shall deliver Services from the agreed Operational Service Commencement Date. 

Cassidian shall continue to deliver Services until the end of the Call-Off contract. 

402

Operational Service Support 

Operational Service Support for Communication Services shall be provided through the Cassidian 

Service Operations Centre (CSOC). 

The CSOC shall provide the operational management of Communication Services 24 hours a day, 

seven days a week 365 days per annum, or at the times agreed with the Customer Authority. 

The Service Desk is staffed by Cassidian Service Agents and engineers on a shift rotation basis, 

supported by additional back office personnel during normal business hours. CSOC effort is driven by the 

resolution processes detailed within the PSN Service Definitions, ITILv3 Service Processes and applicable 

work instructions. 

Service Desk Function (SPOC) 

Cassidian will provide a Single Point of Contact (SPOC) Service Desk facility as the support focal point 

for all Customer Authority resources. The Service Desk shall provide accessibility for Authority Users of 

Communication Services to report all faults or requests for service through a single dedicated telephone 

number or email address. 

Cassidian shall deliver a Service Desk function that is designed as a tiered Service Desk structure to 

deliver a dedicated Incident relevant response. It shall be staffed by Cassidian trained in-house analysts 

who will be able to provide subject matter expertise to the User upon first contact so ensuring that a 

defined level of Service can be supported. 

403

The Service Desk shall be fully staffed and supervised to support all PSN Service requirements 

24/365 and shall be capable of handling all service requests across the Service, regardless of the time of 

day. The Service Desk shall provide support for a wide range of activities from logging incidents and 

providing advice to assisting users on how to gain access to Services through to acting as a central point 

for change. 

To aid User interaction with the Service Desk function, Cassidian employ a client Web Portal which 

shall provide controlled access to authorised stakeholders. 

All Incidents and requests for assistance are logged into the Service Desk tracking system. 

Functionality is provided through this toolset to support: 

404 

Visibility of all requests and their current status; 

Management of the lifecycle of incidents and requests; with escalation activity as relevant; 

The closing of Incidents where the user is satisfied with the result; 

Keeping users informed of the status of services, incidents and requests; 

Service Desk interaction via communication means that include telephone, web portal and 

email. This shall include the function to create Service Desk tickets using the web portal or 

email.

The Cassidian support solution ensures that the Service Desk shall be able to efficiently perform the 

following activities: 

405 

Incident recording (including Major Incidents and Security Incidents) against the standard 

detailed in PSN document Incident Management v2.0 at Appendix C; 

Incident classification; 

Incident prioritisation; 

Incident triage; 

Incident escalation; 

Inform the PSN bridge of all Major Incidents within 30 mins (during Agreed Service Time); 

Immediately inform the PSN Security Manager of all Security Incidents with a security severity 

level of Major or Emergency (during Agreed Service Time); 

Participate in Joint Major Incident Team (JMIT) activity; 

Search for workaround (via the Cassidian Knowledge Base); 

Receive all inquiries on incidents and Changes; 

Update the user on Incident progress; 

Perform communication activities for the other ITILv3 processes (e.g. release notifications, 

change schedules, SLM reports etc.); 

Weekly updates of all relevant procedural and emergency contact information; 

Report service desk performance to relevant stakeholders. 

Contacting the SPOC 

Support Team details, including the SPOC contact details will be provided to the Customer Authority 

as detail within the Call-Off Operating Manual. 

Resolver Group Function 

1st Level – The Service Desk 

The Cassidian Service Desk Agent shall register and classify Incidents received from the Customer 

Authority User and attempt to restore the failed Communication Service as quickly as possible. The 

Service Desk shall provide the capability to deliver first time fixes so as to reduce user downtime and so 

aid improved productivity.

If, post triage, no resolution is achieved, 1st Level support will electronically transfer the Incident to 

the relevant Cassidian expert Technical Support Group (2nd Level Support). 

1st Level support processes Service Requests and also keeps Authority Users informed about 

Incident status, at agreed intervals. 

2nd Level – User Support 

The Cassidian 2nd Level support function is responsible for resolving incidents escalated from the 

1st Level Service Desk and resolution of Events (i.e. system generated) through the Event Management 

process. 2nd Level User Support is responsible for the configuration and management of the 

Communication infrastructure. 

If, post triage, no resolution is achieved, the relevant Incident will be routed via the Resolver Group 

roadmap to the appropriate Cassidian SME or 3rd party vendor for resolution. 

3rd Level Support 

The Cassidian 3rd Level teams receive incidents that have been escalated from 2nd Level teams. 

In order to effectively maintain the detailed knowledge required to manage the various technology 

platforms and capabilities relative to Internet Services, 3rd Level support shall be delivered by dedicated 

Subject Matter Experts (SME) teams. 

Major Incident Team 

When requested, Cassidian shall create a team of technical experts, led by the Cassidian Service 

Delivery Manager, to work within the remit of the Joint Major Incident Team. 

406

Service On-Boarding and Off-Boarding 

Cassidian employs a standard service introduction approach to deliver against proposals covering 

green field installations and service transition environments. Cassidian’s Take On Service Plan (TOSP) is 

used to manage the on-boarding process that transitions Service users from their existing Service to the 

new Service (and off again at the Service off-boarding point). 

Cassidian’s approach ensures that service continuity is maintained during the Transition Phase, and 

that the Service Consumer community continues using the processes in place immediately prior to on- 

boarding to record any faults and change requests; such that the “change” for Service Consumers is 

minimised. 

The remainder of this section describes how Cassidian introduce a new Service Consumer from both 

the Engineering and Security (EngSy) perspective and the Service Introduction Perspective (SvcInt). 

Service On-Boarding – EngSy 

The Cassidian On-Boarding process will take the Service to the point of Service Transition. 

Design Service 

Cassidian will work with the Customer Authority to identify the required configuration, 

dispersement and visualisation required for the PSN service instance. This scope of this activity will vary 

depending on the maturity of the Service consumer requirements, and the service options selected, but 

where appropriate would cover the definition of service levels, availability levels, site and user 

resiliency, segregation, quality of service settings, and security configuration. Consultancy services can 

optionally be provided where needed by the customer. 

407

The key aspects of this service include: 

1. Support to the accreditation process; 

2. Programme Management; 

3. Service Introduction; 

4. Baseline configuration of all relevant Configuration Items (CI’s); 

5. Defining change type based upon the assets and their associated complexity. 

Where infrastructure is to be installed, a site survey would normally be required to work with the 

Service Consumer to define accurate locations for user connectivity and on site equipment and to 

produce a site design for installation. This design would then be agreed and then implemented. Where 

RESTRICTED and CONFIDENTIAL equipment is being installed, these would be treated in line with 

JSP440, and JSP480 as appropriate. 

Installation and Commissioning Service 

Within this phase of service introduction Cassidian will work with the Customer Authority to 

implement the Service as defined within the design phase. At the culmination of this phase Cassidian will 

perform the Service Acceptance tests with the Customer Authority as the final aspect of transition to 

Operational Service. An as-installed document pack detailing the passive and active equipment would be 

provided. This pack would include building and site drawings with equipment physical and logical 

connectivity, and any necessary configuration details relevant to the service being provided to the 

service consumer. 

408

Service Off-Boarding - EngSy 

At the cessation of a service contract, Cassidian will recover all Cassidian owned assets from the 

Service Consumer sites and provide a final entity map export in MS Visio format. Cassidian will also 

provide the Customer Authority via DVD a copy of all current CI’s configuration status. 

Service On-Boarding – SvcInt 

Service Introduction 

This Service Introduction approach ensures that: 

1. All ITILv3 processes required to support the PSN Service are considered; 

2. Particular attention is paid to both environment and security domain when defining support 

processes that are fit for purpose across the totality of the Service Consumer’s operating 

envelope; 

3. Services are flowed into the live environment following a structured approach, delivered using a 

tailored Project Management background (i.e. Prince2 or PMI). 

Governance 

A Service Introduction Manager will interface directly with the Customer Authority representative to 

ensure project risks, issues and escalations are managed in alignment both within Service Introduction 

and day-to-day business. 

Cassidian will agree and allocate the necessary resources across the project to ensure the support of 

the programme delivery timelines. 

Governance and escalation relating to areas within the control of Service Management and Service 

Assurance will be escalated and managed through the agreed PSN governance structure. 

409

Assurance 

The Service Introduction assurance approach will be described in the Assurance Plan. The relevant 

elements of the Assurance Plan will be produced as Product Descriptions. These assurance activities will 

be contained within the Service Introduction Schedule. 

The Service Introduction process will provide input into the scoping and definition of testing and 

trialling activities through the production of a Service Evidence Plan. 

Requirements Management 

Cassidian will centrally manage all SM Requirements to be delivered during Service Introduction. All 

requirements will be prioritised, consolidated and baselined according to timescales defined by the 

Service Introduction Manager. 

Products - Service Introduction 

The creation or amendment of Service Management products will be captured by the Service 

Delivery team. Products such as ITIL Processes, Work Instructions, Communications Plan, OLA and UC 

will be documented and held in the Cassidian QMS. 

Trialling approach 

The Service Management Project Evidence Plan will outline which components of the Service 

Solution are to be trialled. 

Cassidian will provide the necessary resource to support the baselined scenarios and scripts. 

410

ITILv3 Processes 

All elements of the Communication support solution shall be aligned with the ITILv3 framework and 

will complement industry and OGC standards. 

Cassidian shall provide the Customer Authority Call-Off Operating Manual to support the ITILv3 

modules illustrated. 

SM Enterprise (Service Strategy) 

Cassidian shall design and deliver the processes and procedures to support the following ITILv3 

Service Strategy elements: 

IT Financial Management 

Cassidian shall provide input to the relevant Customer Authority processes to support the Customer 

Authority in the delivery of: 

411 

Financial Planning; 

Financial Analysis and Reporting. 

Service Portfolio Management 

The Service Portfolio presents a complete list of the PSN Services managed by Cassidian. 

Production of business cases for new PSN Services to ensure that Cassidian has the right mix of 

services to meet required Customer Authority business outcomes. 

Demand Management 

Cassidian Demand Management activities focus on anticipating Service Consumer demand for 

Services. Cassidian align Demand Management with the Capacity Management process to 

ensure sufficient capacity is available to meet the required demand. 

Continual Service Improvement (CSI) 

Cassidian uses CSI to align Services to changing Customer Authority business needs by 

identifying and implementing improvements to the PSN services that underpin those business 

processes. 

Cassidian will use a Service Improvement Log to manage ongoing CSI proposals and activities. 

This log shall be partitioned to show to which Service the proposed improvement applies.

412 

A Continual Service Improvement Plan (CSIP) shall be established for each Cassidian PSN Service 

entering the live environment with the aim of reducing costs throughout the Service Lifecycle, 

whilst improving the end user experience. 

Cassidian shall design and deliver the processes and procedures to support the following 

Continual Service Improvement elements: 

o CSI - Step Improvement; 

o Service Review; 

o Service Reporting; 

o Customer Satisfaction. 

o Service Records 

Cassidian will provide the Customer Authority with either a Performance Monitoring Report or 

a Monthly Summary Report as detailed in Schedule 2.1 Section 3. 

Service Design 

Cassidian shall advise the Customer Authority on business and IT Capability design as a function of 

Change. Cassidian shall design and deliver the processes and procedures to support the following 

Service Design elements: 

Service Level Management 

The Service Level Management Service shall manage the Service Level Agreement (SLA) with 

the Customer Authority and ensure that PSN Services are designed to meet the agreed Service 

level targets. 

The Service Level Management function shall: 

o Define, document, agree, monitor, measure, report and review the level of PSN service 

provided to the Customer Authority; 

o Ensure that the Customer Authority has a clear and unambiguous definition and 

expectation of the level of service to be delivered; 

o Identify those interfaces which constitute links in the Service delivery chain; 

o Manage the output of any internal or external Service Provider tasked with the delivery 

of an element supporting the Service. This shall include, in the form of an OLA or UC, the 

Services and Service levels required from that Service Provider and, where applicable, 

how those Services shall be called off by the Cassidian Service function; 

o Provide and improve the relationship and communication between Cassidian Service 

function and the PSN customer; 

o Ensure that proactive Continual Service Improvement measures are delivered and 

implemented where Benefit can be realised; 

o Monitor and improve PSN Customer satisfaction through the quality of service 

delivered. 

2. Capacity Management 

Cassidian shall implement a Capacity Management plan aligned to a set of processes that shall 

ensure that the infrastructure can support existing and future capacity requirements. This

413 

process, and its associated activities, shall enable the Cassidian Service function to actively 

forecast, monitor and report capacity utilisation on the PSN Service infrastructure. 

The key processes and activity that Cassidian use to deliver the Capacity Management Service 

are: 

o Capacity Monitoring 

o Capacity Optimisation 

o Capacity Reporting 

o Capacity Problem Management 

o Capacity Planning 

Availability Management 

Availability Management (AM) is managed in co-ordination with the Capacity Management process. 

In accordance with ITILv3 Good Practice guidance, Cassidian AM plans shall be produced to 

support all PSN Service AM activities. 

Cassidian shall design and develop the AM Service function to influence the design of the 

Service, and supporting processes, to consistently provide the contracted levels of Service 

Availability to the Customer Authority. 

Cassidian shall design and develop the AM Service function to: 

o Influence the design of the Service, and its supporting processes, to consistently provide 

the contracted levels of Service Availability to the Customer Authority, 

o Establish the appropriate monitoring capability to: 

� Quickly drive awareness of issues affecting Availability or Performance of 

Service; 

� Obtain the relevant Availability information for Reporting, Audit and trending; 

� Counter Availability issues in both a reactive and proactive manner; 

� Provide input to the Service Reporting Service; 

� Provide input to the Service Continuity Service. 

o Deliver a reactive process that manages Availability issues as part of Service Continuity, 

o Escalate Incidents that impact Service Availability to the Cassidian Service management 

team best placed to deal with the issue, 

o Identify vulnerable Service components and introduce effective countermeasures 

through the Change Management process. 

IT Service Continuity Management 

Cassidian shall deliver processes that detail Cassidian Service management and coordination of 

IT Service Continuity Management (ITSCM) activity including Business Continuity (BC) and 

Disaster Recovery (DR) solutions. 

Cassidian shall develop and maintain a set of IT Service Continuity Plans and IT recovery plans 

that support the overall Business Continuity Plans (BCP) of the Customer Authority, these will 

include: 

o IT Service Continuity and Recovery Plans;

414 

o Risk Analysis and Management processes; 

o An assessment process to determine the impact of Change on the IT Service Continuity 

Plans and IT recovery plans; 

o Escalation procedures; 

o Any necessary evidence-preservation activities (for security related incidents). 

Information Security Management 

The Cassidian Information Security Management (ISM) / Information Assurance process shall 

ensure that IT Security is aligned with Business security and that Information Security is 

effectively managed in all Cassidian Service areas. 

The Cassidian design for an Information Security Management process supports an ISO 27001 

compliant Information Security Management model. 

Cassidian Information Security Management (ISM) / Information Assurance process will be 

delivered through the following activities: 

o Production, review and revision of an overall Information Security Policy and a set of 

supporting specific policies; 

o Communication, implementation and enforcement of the security policies; 

o Assessment and classification of all information assets and documentation; 

o Implementation, review, revision and improvement of a set of security controls and risk 

assessment and responses; 

o Monitoring and management of all security breaches and security Incidents; 

o Analysis, reporting and reduction of the volumes and impact of security breaches and 

Incidents; 

o Schedule and completion of security reviews, audits and IT health checks. 

Supplier Management 

The Supplier Management process shall manage all suppliers, and the services they provide, in 

order that a seamless quality of Service is delivered to Customer Authority. The Supplier 

Management Service ensures that all contracts with suppliers support the needs of the Call-Off 

contract and that all Service suppliers meet their contractual commitments. 

To ensure that the element of Service provided by the Supplier(s) continues to meet PSN 

Service requirements, an internal system of monitoring, reporting and regular review of 

Supplier performance against targets will be followed. These reports shall be made available to 

the Customer Authority for audit and review 

Any identified improvements shall be delivered through the production and management of a 

Supplier Improvement Plan. 

Service Transition 

Cassidian shall provide the processes and Call-Off Operating Manual sections to support the 

following Service Transition elements: 


The Cassidian Change Management process ensures that Cassidian uses a standard format for 

efficient and prompt handling of corrective, adaptive and perfective Change. This strategy shall

415 

minimise the impact of Change related Incidents upon Service quality and consequently 

improve the day-to-day operations of the Customer Authority. 

Cassidian employ a standard ITILv3 Change process, which is aligned with Call-Off Schedule 6.2, 

and accredited to ISO 20000 standard. 

The main components of the Change Management Service lifecycle are: 

o Raising and recording Changes; 

o Categorising the Changes; 

o Contract Change 

o Fast-Track Change 

o Operational Change 

o Assessing the impact, cost, benefit and risk of proposed Changes as detailed in Call-Off 

Schedule 6.2 Section 5; 

o Approving or rejecting Changes (applying Customer Authority business, financial, 

operational and strategic perspectives); 

o Building, testing and, where appropriate, trialling Changes; 

o Scheduling and implementing Changes; 

o Reviewing and closing Changes; 

o Trend analysis and Performance Monitoring reporting. 

Knowledge Management 

Cassidian employs the ITIL Knowledge Management process to capture, maintain and make 

available operational information to the Cassidian Service teams, so promoting the effective 

delivery of Service. This improves Service efficiency, by reducing the need to rediscover 

Knowledge, and drives informed decision making. 

The Cassidian Operations Management function shall share this knowledge base information 

with the Customer Authority and other PSNSPs, at a level that aligns with their support role. 

Knowledge sharing will be carried out using all available communication channels. However, 

access to Knowledge detail shall be regulated to prevent unauthorised or insufficiently trained 

personnel using that information. 

Service Asset and Configuration Management 

Cassidian’s Service Asset and Configuration Management (SACM) process provides a logical 

model of the IT infrastructure deployed for the PSN Service. It does this by identifying, 

controlling, maintaining and verifying the versions of all Assets and Configurable Items (CI) used 

to supply the PSN service. 

SACM allows for precise control of all IT Assets required to deliver the PSN service, as it is the 

management of these Assets which underpins the delivery and support of the service. 

Cassidian’s SACM process will: 

o Provide a focal point for the control of Service Assets and CIs in support of activities 

planned to deliver the PSN Service; 

o Ensure that Infrastructure and Service components, supplied in support of the PSN 

Service, are controlled at all times; 

o Use ITILv3 Good Practice guidance to account for all Assets and CIs throughout the life 

of the Service; 

o Make visible the status of CIs, their versions, location, related changes and problems 

and associated documentation to Customer Authority Stakeholders as they require it;

416 

o Support traceability and audit control, through the use of discovery tools where 

necessary; 

o Manage interfaces to internal and external service providers where there are Service 

Assets and CIs that need to be controlled; 

o Support license management activity. 

Transition Planning and Support 

The Transition Planning and Support Service support the controlled deployment of a new or 

modified PSN Service into Live Service; together with the necessary Service Management 

process modification. 

The Planning and Support Service, as presented through the Cassidian Service Introduction 

process, is responsible for the definition of the Service transition strategy, preparation for 

Service transition, development of the Service transition plan and support for Stakeholders. 

Cassidian employ a Service Introduction approach to deliver Transition Planning and Support 

Service activity. This Service Introduction approach ensures that: 

o All ITILv3 processes required to support transition of the Service are considered; 

o Particular attention is paid to both environment and security domain when defining 

support processes that are fit for purpose across the totality of the operating envelope; 

o Services are flowed into the live environment following a structured approach; using a 

tailored PRINCE2 or PMI background. 

Release and Deployment Management 

Cassidian manage Release and Deployment as an output activity from Change Management. 

The Cassidian Service Delivery Manager shall engage with the Customer Authority stakeholders 

to ensure that the Release Packages meet their specified requirements (including awareness 

and communication material) for integration testing and that the same Release Packages are 

released to the live PSN environment, in accordance with all relevant Standards and Policies. 

Detailed plans regarding the resource requirements, timings, communications and regression 

planning etc. will be held within the Change Management system and updated, inline with 

deployment progress. This approach ensures that any Release has been fully impacted across 

the Customer Authority business with respect to Operational effectiveness. 

Service Validation and Testing 

Validation and verification is performed by Cassidian’s Test function to assure the quality and 

correctness of the deliverable against the requirements of the customer, enabling the Customer 

Authority to issue the relevant test certificate and/or milestone achievement certificate. The testing is

performed in line with the Cassidian Business Management System (BMS. These processes conform to 

IEEE829 standards for test documentation and are fine-tuned to fit the needs of the customer. 

Cassidian shall make the associated Test Reports and Test Issue Management Logs available to the 

customer to enable the certificates to be issued. Cassidian will provide the Customer Authority with at 

least ten days written notice of a successfully tested deliverable becoming available to meet the 

delivery date defined in the Implementation Plan. All Cassidian test professionals are International 

Software Testing Qualifications Board (ISTQB) qualified and experienced in large scale integration 

testing. 

Evaluation 

Evaluation Management assures that the Services offered by Cassidian match the goals and 

requirements of the Customer Authority. It maintains the quality of the products and services in the live 

Service environment and assesses the impact of Service Change on the Customer Authority. 

Cassidian Evaluation activity considers: 

417 

the relevance of the Cassidian service design; 

Transition of the Service to the operating environment; 

the operational and business environments that the Change will have an impact on. 

Service Operation 

The primary aim of the Service Operation capability, as delivered through the Cassidian Operations 

function, is to support Incident, Event, Service Request and Problem Management in order to provide 

End-to-End management of Service Configuration Items (CI). 

Cassidian shall design and deliver the processes and procedures to support the following

Service Operation elements: 


418 

The Cassidian approach to Incident Management, inline with ITILv3 Good practice, is to restore 

normal service operation as quickly as possible so as to minimise the adverse impact on 

business operations. Cassidian’s Service Management Group is an ISO 20000 accredited 

organisation. 

The Incident Management Service shall: 

o Record all incidents; 

o Co-ordinate efforts to resolve incidents in a controlled manner, to agreed Service Levels; 

o Escalate Incidents when applicable; 

o Provide updates and communications through a variety of methods; 

o Detail workarounds and fixes that can be applied by first line support; 

o Deliver Key Performance reports to agreed timescales. 

PSN Services will be assigned an agreed Service Category based on: 

o their value to the Customer Authority business; and 

o the impact of the unavailability of that Service on the Customer Authority. 

Cassidian offer 3 levels of service (i.e. Gold, Silver and Bronze Service Levels) that map to the 

criticality of delivery and support of the Service to the Customer Authority. 

Cassidian will manage Major Incidents and Security Incidents inline with the direction offered in 

PSN Incident Management v2.0. 

Event Management 

The Event Management process gives the Cassidian Operations function the ability to detect 

events, make sense of them and determine the appropriate control action. This process also 

forms the basis for Operational Monitoring and Control across the live Service environment. 

The Event Management Service shall: 

o Detect Event notifications produced within the Service infrastructure; 

o Filter the Events according to pre-defined criteria; 

o Trigger the correct process or RG to act against the information produced by the Event; 

o Review actions to ensure that the most efficient and effective response was given. 

The key processes and activities that are used to deliver the Event Management Service are: 

o Event Notification 

o Event Detection 

o Event Filtering 

o Event Correlation 

o Response Trigger 

o Action Review 

o Event Closure 

Request Fulfilment 

The procedure for raising a Service Request shall be set out in Cassidian’s Call-Off Operating 

Manual. The CSOC shall provide the SPOC for initiating a Service Request. 

Request Fulfilment is the process of dealing with Service Requests from the Customer 

Authority.

419 

The Request Fulfilment Service shall: 

o Provide a channel for Authority Users to request and receive standard services for which 

a pre-defined approval (i.e. via the PSN Service Board) and qualification process exists 

(i.e. has been Impact assessed); 

o Provide information to Authority Users about the availability of Services and the 

procedure for obtaining them; 

o Assist with general information, complaints or comments. 

The Request Fulfilment Service shall deliver a reactive process that: 

o Accepts and logs Service Requests from users; 

o Ensures that the correct approvals are obtained, if necessary; 

o Engages the correct resources to fulfil the request; 

o Reports on activity to ensure that SLA targets are met. 

Problem Management 

The Cassidian Service function Problem Management team shall minimise the adverse impact 

of Incidents and problems on the PSN business and day-to-day user activity through the 

prevention of the recurrence of Incidents related to known errors in the Services being 

provided. 

The Problem Management Service shall: 

o Log, investigate and diagnose problems with the PSN Service; 

o Co-ordinate efforts to resolve problems in a controlled manner to agreed Service Levels; 

o Attend the Problem Management forum (as facilitated by the PSN Service Bridge); 

o Carry out trend analysis to identify potential problems before they impact the PSN 

Service. 

Access Management 

Cassidian provides capability that ensures only authorised Users are granted access to Services, 

applications and facilities while restricting access to non-authorised Users. 

Additional Support Functions 

Field Services (remote support) 

Cassidian will provide a distributed support capability for in scope Services at remote locations. 

This function will be delivered by a 2nd Level Field Service Engineering (FSE) role group which is 

located at the Cassidian main site. They shall act as the mobile FSE function in response to 

support requirements at remote locations. 

FSE staff would be used to investigate and resolve service Incidents at a local level where those 

Incidents could not be resolved remotely by the Cassidian Service function support functions 

using the Cassidian toolsuite. 

4th Level Support 

Cassidian 4th Level support is provided by vendors assisting the Cassidian Service function with 

the resolution of incidents and known errors.

Communications Services – Security and Resilience Approach – Overview 

This section describes Cassidian’s professional approach to securing and maintaining the 

confidentiality, integrity and availability of our Services within each security domain defined within the 

PSN scope. The remainder of this section identifies Cassidian overarching approach to security with any 

specific aspects of design for any given service being identified within their respective service definition. 

Securing the Service Business, Platform and Infrastructure 

Accreditation of Services 

All services will be certified or accredited in line with the requirements of the PSN RMARDS, the 

Security Policy Framework and applicable HMG policies. 

The strategy to achieve and maintain certification of PROTECT and accreditation of RESTRICTED and 

CONFIDENTIAL services shall be described in an appropriate Security Plan for the contracted level of 

service provided in compliance with Schedule 2.2 of the Call-Off Terms. 

Site Security 

Cassidian shall ensure that physical access controls prevent access by unauthorised individuals using 

a series of layered measures. The Cassidian campuses at Newport and Cheltenham that shall host the 

services are accredited as 'LIST X' facilities in accordance with the UK HMG Security Policy Framework 

(SPF), encompassing physical, personnel, technical and physical or electronic information handling 

measures. 

Cassidian’s ‘LIST X’ approval and accreditation status allows it to handle UK HMG Protectively 

Marked information up to SECRET. Confirmation of this status can be obtained from: DE&S SAC, Defence 

420

Equipment and Support, ISS, Poplar - 1 #2005, MOD Abbey Wood, Bristol, BS34 8JH, UK, Tel: +44 

(0)11791 34378. 

Staff Clearances 

Cassidian shall meet the necessary security requirements by obtaining suitable staff clearances 

through vetting, prior to granting physical or logical access to information or critical components in 

relation to the provision of the service. Logical and physical access shall also be controlled on a ‘Need- 

To-Know’ basis, limiting access to only those roles required and therefore to the minimum necessary to 

securely provision the service. Cassidian UK personnel and Contractors are Security Cleared by the DBS- 

NV (Defence Business Services National Vetting. The requirement for personnel to hold a higher level of 

clearance (above SC) is project specific. 

The Cassidian service offerings have been identified and resourced to support the requirement that 

the bulk of service operational personnel hold an ‘SC clearance’ by DBS as a minimum with some 

identified administrator/oversight roles, e.g. log analysis or deletion, requiring a higher clearance based 

upon the business risk assessment and agreement with the PSN Accreditation Panel. The process 

workflows shall be assessed to identify where segregation of duties is appropriate or necessary as a 

result of the business risk assessment. 

Platform Security 

Secure Configuration 

The service offering shall be hosted on a suite of secured Windows Server 2008 (W2K8) servers, 

Linux Redhat Enterprise Servers and Solaris platforms using dedicated hardened appliances. The W2K8 

Servers are securely configured in accordance with the Microsoft Specialised Security - Limited 

Functionality (SSLF) guidance and all Management Workstations are securely configured using the CESG 

421

GAP process flowed out as a Group Policy via the Domain Controller (DC). Linux and Solaris Servers will 

also be suitable locked down. 

Logical Access and Privilege Management 

Each host OS is configured to operate the necessary application instances with limited privileges. 

Controlled access to the host and the applications management console shall be in accordance with the 

recommendations of UK HMG Information Assurance (IA) Standard No 7 and IAIG3. Access and 

privileges will be implemented on an auditable business need and role basis and will be reviewed in line 

with policy or on change of role or termination of employment. 

User access to dedicated appliances or components such as switches, firewalls and routers shall also 

be secured and controlled in line with defined roles. The Operating System (OS) and applications are 

configured to operate within the scope of a single Active Directory (AD) DC. 

Access to the Linux and Solaris servers will be controlled by role based permissions. 

Availability 

The servers associated with the service offering exist within a secure physical and virtualised 

environment hosted across several physical server platforms and managed by a local hypervisor within a 

Cassidian Service Operations Centre (CSOC) at each site in order to meet the necessary availability. 

422

Resilience 

These service offerings have inherent resilience as stated in the applicable functionality description 

sections of each service offering; in summary each service offering shall achieve the required level of 

resilience by utilising the following strategies or a combination: 

423 

Service is distributed across multiple sites 

Service operates on a HA hypervisor environment 

Service is included in a scheduled back-up regime 

Logging Service 

The solution logs all key transactions to a centralised logging service within the CSOC at each site. 

The logging service has the capacity to index and store a minimum 3 months of transactions with a 

further archive of 3 months as an off-site back-up service. The logging service shall utilise a time 

stamping service that is provided by a time server at each CSOC and synchronised across all the 

Cassidian service offerings. 

Patching Service 

Within the scope of the secured AD security domain there is an OS and Application patch 

distribution service within the CSOC at each site. 

Linux and Solaris patching will be performed in compliance with the requirements of the security 

plan and defined SyOPs. 

Infrastructure Defence 

At the point of connection to the Government Conveyance Network (GCN) service at each site the 

service provisioning environment is protected with a twin, EAL4+ firewall instance implementation with

application and network level protection modules to ensure that any DoS/DDoS detected attacks can be 

filtered and mitigated without placing undue burden upon the delivering infrastructure. The firewalls 

can be strictly configured to limit the potential attack surface exposed by the service provisioning 

environment to the PSN WAN. 

Protective Monitoring 

Each site has a dedicated NIDS and HIDS solution which is centrally monitored within the CSOC at 

each site to detect any anomalous activity which, upon detection, is responded to in a timely fashion. 

This capability takes feeds from the logging service, all networked components, the virtualised hosting 

environment and all servers and workstations. 

Malware 

Each hosted server or management workstation has a full end-point protection implementation 

including AV, executable/driver white listing, external device control and a malware client. This service is 

managed from a management, configuration and update server located within the CSOC at each site. 

Integrity of the infrastructure and process used to deliver the service 

All changes to the service provisioning environment that deliver the service follow the ITILv3 Change 

Management process (Cassidian are ISO20000 accredited as a Service Management Group) described 

within the Service Delivery section of this lot. The configuration of the infrastructure is monitored 

remotely against the Configuration Management Data Base (CMDB). Any detected infrastructure 

changes are flagged to the CSOC administrators. Any unauthorised changes are flagged to the Cassidian 

service desk for escalation. Changes performed by service administrators are automatically detailed in 

an audit log showing as a minimum, the user identity that made the change, what the change was, and 

when the change was made. The automatic monitoring is supplemented by regular manual compliance 

audits and IT Health Checks of the technical security measures in order to maintain the accreditation 

424

status. The manual compliance audits also verify the integrity of the Service Delivery processes utilised 

as an integral part of the continued ISO20000 accreditation. 

Communications Services – Detailed Service Definition 


Technical Service Offering 

The Cassidian Voice Service provides a comprehensive suite of secure and scalable service 

capabilities to the Service Consumer. 

Cassidian provides the following PSN compliant service capabilities: 

425 

Next Generation Telephony Networks 

o SIP and Networking 

o PSN Standards Compliance 

Transport Layer Security (TLS) 


o Make and receive inbound and outbound calls 

o Voicemail Services 

o Conference Services 

o Call Routing Services 

o Logging and Billing 

o Mobility 

Telephony Features 

o Standard Features 

o Enhanced Features 

o Group Working Features 

Handsets and Peripherals 

o Physical Phones 

o Soft Phones

Deployment Model 

The service supports a number of deployment scenarios. These deployment scenarios are in line 

with the needs and size of the Service Consumer. These include: 

426 

Full Central Managed Service delivery 

Local Instance – deployment of a local instance of the service(s) with a centralised management 

function 

Design and delivery of a fully distributed service deployment to support a multi-site instance 

with centralised and shared service management model. 

All service capabilities can be delivered as a high availability capability in support of the required 

service availability. 

Next Generation Networks Telephony 

Cassidian are engaged with the PSN Tier 1 suppliers of MPLS and SIP trunk gateways to provide 

solutions that make use of next-generation transport layers and PSN services. As part of this Service 

Capability Cassidian comply with the requirements documented in the PSN Technical Domain 

Description v 2.0 for Telephony Service Provider Obligations and the Cryptographic Framework v 0.1. 

Cassidian shall make use of IP and SIP technology within the PSN environment to deliver services to 

the Service Consumers, using the inherent Transport Layer Security (TLS) within the network to provide 

secure connectivity. Cassidian also deploys Session Border Controllers (SBC) to provide demarcation 

between the internal systems and external SIP networks to provide access control and protocol repair.

For additional security the Cassidian solution provides Secure Real Time Protocol (SRTP) within the 

phone system and voice encryption products if required by the security domain. Additional details for 

these are provided with the voice security section. 

Security is inherent throughout the service using devices which contain security certificates suitable 

for use within a TLS. Cassidian shall as part of its service delivery, validate the system to CESG Assured 

Services (Telecom). 

Within each PSN security domain the service is provided using standard telephony equipment using 

the TLS to provide separation. 

Telephony Service Core Features 

For off network secure communication the system supports: 

427 

SRTP to increase security for use within a RESTRICTED security domain 

SCIP phones for use in the CONFIDENTIAL domain. 

However where a site has a significant number of Authority Users within the CONFIDENTIAL domain, 

Cassidian can deploy their Ectocryp Black product, which encrypts all secure telephony streams as they 

leave the protected environment rather than deploying SCIP phones for each Authority User. This 

provides cost savings by utilising standard telephones and reduced key management.

The service provided makes use of: 

428 

Quality of Service 

Class of Service 

Power over Ethernet (PoE) 

VLANs for segregation of voice traffic over an IP network. 

Multiple access points within the PSN and/or local access points at the Service Consumers sites 

to provide additional resilience. 

Traditional telephony gateways and interfaces as needed to provide smooth migration paths 

from legacy systems and make use of existing capabilities as required. 

The service provides these additional service capabilities: 

Direct Dial In (DDI) and Direct Dial Out (DDO) 

Dial Plans 

o Number Porting Service: Cassidian offers a number porting service to transfer numbers 

from legacy systems into the new environments to enable this activity to take place 

without service interruption 

o Local STD presentation for inbound and outbound calls where required irrespective of 

network ingress and egress points 

Automated rerouting for calls to alternate network access points in the case of congestion of 

failures. 

Non Geographic Numbers and Intelligent Network Capability shall be provided if required. 


The Services includes the following function and features as standard: 

Application Enablement Services

429 

Conference Bridge 

o Ready Access (Ad Hoc) 

o Event Call (Planned) – scheduled and managed through the customer portal or 

dedicated Service Consumers interface 

Mobility 

o Feature Name Extensions 

o Mobile Integration 

o Hot Desking / Remote Hot Desking with user authentication 

o Presence 

Call Logging/Billing 

o Call Data Record Capture 

o Report Generation 

o Account Code Dialling 

o Advice of Charge for live calls 

o Billing Reports 

� Itemised billing 

� Department billing 

� Highlight areas of high spend 

Call Routing Services 

o Centralised Routing for ease of maintenance 

o Resilient Local routing capability 

o Including Barring and Allowing access of numbers and users 

Installation and Maintenance 

o Patches and updates to the system are be performed from centralised services such as 

TFTP and DHCP 

Voicemail 

o Interface to email facility (universal inbox) 

o External Access 

o Individual Mailbox 

o Internal Access 

o PIN security 

o Through dialling 

Automated menu based call routing to assist with call management (Auto Attendant) 

Audio Services 

o Music on Hold 

o Voice Recording and Archiving 

o Recorded Announcements 

This service also has a number of enhanced features that can be included as options for the Service 

Consumers:

430 

Operator Services 

o Directory Enquiries Service (118) 

o Centralised Telephony Operator Service 

Integration with Collaboration Services via a SIP Gateway 

Integration with the Clients messaging in-box to provide a Universal In-box capability 

Integration with the Organisation Directory Service 

Legacy System interoperation using both SIP (IP) and TDM interfaces, such as EuroISDN, QSIG 

and DPNSS supporting Migration and Parallel working. 

Telephony Service – Client Features 

The service provides a wide range of user features through the use of industry leading products. A 

selection of these that are commonly used have been included below for reference. 

Standard Features – As standard the Telephony Service provides the following: 

Abbreviated Dialling / Speed Dialling (Stored Numbers) 

Alerts (Audio, Visual including use of display, lights) 

Automatic Callback (Recall) 

Call Hold, Unhold, Hold Recall 

Call Forward 

Call Park, Answer Back 

Call Waiting 

Tones (Busy, Dial Tone, Engaged, Unavailable) 

Display (CLID, Name, History) 

Diversion (Busy, Immediate, No reply) 

Do not Disturb 

Last Number Dialled / Last Number Redial 

Transfer 

Loudspeaker Paging 

Flexible Language Displays 

Multiple Call Handling, Multiple Lines, Multiple Call Appearances 

Ringer Control 

Speakers 

Personalised Ringing 

On-Hook Dialling

Enhanced Client Features – Additional enhanced client features are available as options for the 

service Consumers Organisation: 

431 

Call Coverage 6 levels (Redirection Service) 

Caller ID (Name and number) 

Call Log (Missed/Answered/Outgoing calls, Call/Delete/Details) 

Directory, LDAP Integration 

Contacts (Add/Edit/Delete/Details) 

Malicious Call Trace 

Push Audio or text to Phones 

Local Survivability with Third Party Gateways 

Enhanced Group Working Features – The telephony service can be further expanded to include the 

following Group-working functionality: 

Call Pickup (Standard, Directed, Extended) 

Hunt Groups 

Executive / Assistant Features 

Conferencing 

Busy Line Indicator 

MLPP TDM Trunking 

Team Button 

Night Service 

Group Mailbox 

It should be noted that this is not a fully comprehensive list of features, and that customer specific 

features can be developed by Cassidian if required. This is enabled by the nature of the voice 

architecture used. Please contact Cassidian to discuss the specific requirements.

Handsets and Peripheral Devices 

The service provides a wide range of devices and interfaces for existing customer peripherals such as 

existing SIP end points and SCIP / BRENT phones. All these devices should be used in accordance with 

Service Consumers acceptable usage policy e.g. some customers may not allow USB storage devices on 

site. 

432 

Analogue phones and Devices 

Attendant Software package 

IP Phones including 

o Desk phones, 

o Soft phones (Work station and Smart Phone Applications), 

o Conference Phones – Installed from central templates using TFTP services for rapid 

deployment 

o Button Module (24) 

o Ethernet Interface 10/100/1000Mbps 

o Secondary Ethernet Interface (PC) 

o USB Devices 

o Web Phone 

BRI ISDN to the Desk 

Wireless - Subject to the site security policy Cassidian also provide the following hands free 

systems. 

Wireless IP – It should be noted that provision of Wireless LAN would be the responsibility of the 

Service Consumer 

DECT – Provision subject to site survey 

The Cassidian Telephony Service has been designed to support both H.323 and SIP IP devices along 

with a number of legacy technologies.

Service Management Offering 

Voice Service 

The support for the voice service is delivered from the CSOC and managed according to the TIL 

processes previously outlined at 2.1. The following sub-sections give further detail on specific service 

delivery elements. 

Voice System Test 

A test plan shall be tailored to account for site specific requirements and agreed with the Service 

Consumer to address the services procured. 

Testing shall take place on all delivered systems and solutions according to the deployment test 

plan. As far as possible the system shall be tested prior to transition to mitigate risk prior to the system 

transition. Typically, as Service Access Points (Handsets, Faxes etc) are introduced to the system, a 

sample of these ensure that all capability is operational for the deployment, this includes testing the 

features and services and that monitoring and management capabilities are properly operational. Basic 

testing shall be undertaken on the remainder of the system to ensure that all Service Access Points 

(SAPs) initiate and connect to the system. 

Voice - Transition to Service 

Cassidian recognises that Transition between voice systems needs to avoid impact to the Service 

Consumer and their business activities. In order to support this activity Cassidian works with the Service 

Consumer to find an appropriate solution and create a Transition Plan to meet their needs. Some of the 

services that Cassidian support are: 

433

434 

Porting of numbers to the new system 

Connectivity to Legacy systems to provide parallel usage and / or staged migration activity 

Out of hours cutover service 

Training of Authority Users prior to cutover activity taking place 

Floor walking services to resolve any usage issues and provide support to the Authority Users. 

User guides for the SAPs deployed 

Site Documentation 

Voice - Training 

As part of Cassidian’s standard provision, user guides for the SAPs shall be supplied. Typically this 

shall be provided as soft copy, hard copies shall be provided on request via the Service Consumer Portal. 

Additionally guides shall also be provided for other services such as conference bridging. 

Training shall be provided based on the needs of the Service Consumer and a Training Plan shall be 

agreed accordingly. This is in the form of training on standard SAP and service usage. Roll out methods 

include training for all Authority Users or nominated individuals. In some cases where the Service 

Consumer wishes to take on additional activity such as management of their own billing and logging 

reports, additional training shall be required. 

Voice - System Monitoring Services 

All core equipment and IP phones support SNMP enabling remote management and provision of 

real time updates to the system manager and providing end to and visibility of the installed system. 

A full system monitoring service is available from the CSOC that enables Cassidian to proactively 

address any issues that arise. Such issues are often identified by the CSOC prior to the Service Consumer 

being aware, particularly where a resilient solution is in place.

Additionally the Cassidian solution supports traffic measurement across the system to record traffic 

levels, usage on trunks, etc. This enables provides the capability to both ensure that the system is not 

over or under provisioned and trend analysis to be undertaken which facilitates the tracking of changing 

system demands prior to this becoming an issue for the Service Consumers. 

Voice System Management 

Cassidian offers its Solution with a fully managed service or supporting activity alongside the Service 

Consumer. Through its Service Operations Centre, (CSOC), Cassidian offer the following services: 

435 

Configuration Management of the system in response to Authority User requests, such as User 

account maintenance services 

Logging and Billing services, including report production 

Active System Monitoring with maintenance instigation 

Implement Change Management; 

Provide Release and Deployment Management; 

Dedicated Service Managers to liaise with the Service Consumers providing a common point of 

contact to discuss changing requirements, new capability that may be of interest and address 

any issues should they arise. 

Voice System Maintenance 

Fault management for deployed equipment is considered as part of the core service provided by 

Cassidian for the equipment deployed, where Cassidian is undertaking Monitoring services, this shall 

automatically invoked to tackle issues in the most efficient way possible minimise the possibility or 

duration of disruption to the Service Consumers. Additionally Cassidian offers a number of services from 

the CSOC to support the deployed systems including:

436 

Routine Maintenance such as patching and software upgrades in line with the manufacturers 

development cycles (may not be required for shorter contract durations) 

Controlled Power Down and Power Up Services 

Block Wiring and Cabling services 

Desktop and Web Video Teleconferencing and Collaboration Environment 


The Cassidian Desktop/Web Video Conferencing and Collaboration Tools service delivers as part of 

our Unified Communications offering the following capabilities and functions: 

Near face to face meetings audio and video. 

Full Managed on-net conference facilities 

o Public and Private Conference Rooms 

o Conference Booking Service 

o Conference Moderation 

o Support to ad-hoc Conferencing 

o Record and replay meetings 

o Presence Aware 

Full system and user utilisation reporting 

Conferencing Clients 

o Web client 

o Desktop Client 

o Mobile Client (where the security profile permits) 

Conferencing features 

o Visual indicators of participants joining and active speaker 

o Privacy 

o Desktop and application sharing 

o Whiteboard for all participants to work simultaneously 

o Secure encrypted meetings 

o Shared Conference Repositories 

Optional Extensible Interfaces and Gateways 

o Integrate with SIP services 

o Integrate with IM services 

o Integration with classic video conferencing solutions 

o Integrate with Messaging client to deliver single Inbox capability. 

o Universal Address Book 

Deployment Models Supported 

Each of these Services are available to the Service Consumer with the following deployment models:

437 



function 



All service capabilities can be delivered as a high availability capability to support the required 


Security Aspects of the Service 

This service leverages the underlying authentication service provided via the Authentication service 

provided by Cassidian for the fully managed or shared management instances of this service. Where the 

service offering is operationally managed by the Service Consumer or the Service Consumer has an 

extant suitable authentication DS then an instance of this service will be integrated with that where 

appropriate form a security and interoperability perspective. 

Desktop/Web video conferencing capability 

The Desktop/Web Video Conferencing service includes the following selectable capabilities. 

Standard or high availability service. 

Service Consumers can connect regardless of their location within the PSN via the web gateway 

service. 

Provision of real-time near face-to-face meetings and collaboration. 

Desktop Voice and Video Conferencing (DV2C) 

The DV2C service delivers high quality video and voice conferencing using standard protocols:

438 

PROTECT networks will use the following communications 

o Client – Server communications RTP/TLS over SIP/SDP 

o Video encoding H.264 

RESTRICTED, CONFIDENTIAL 

o Cryptographic and message authentication using SRTP/TLS over SIP/SDP 

o Video encoding H.264 

Service Collaboration Interface and Features 

The DV2C service provides the following collaboration capabilities and optional external service 

interfaces: 

Interfaces to: 

o MS Office 

o MS Outlook 

o SIP Gateway to other external or 3rd party voice services 

o IM Gateway to integrate with other external or 3rd party IRC services 

User Collaboration Features 

User Collaboration is achieved using a provided Client providing the following features and 

capabilities: 

Desktop sharing. 

Application sharing. 

Whiteboard for all participants to work simultaneously 

File sharing 

Shared collaboration document store by conference 

Scheduler Functions 

The service provides the service consumer with the following scheduling functions: 

Schedule a new meeting 

List all scheduled meetings

439 

View and modify details of an existing meeting 

Delete an existing meeting 

Join an existing conference 

Send email invitations to meeting participants. 

Client Authentication and Encryption 

The Cassidian DV2C service supports multiple authentication methods to ensure only authorised 

Service Consumers can participate in meetings 

Direct Challenge Response – The User will be challenged to enter their credentials via a secure 

pop-up. 

Single Sign-on – When integrated with a suitable DS the Service will automatically validate the 

User and confirm their credentials for a specific conference. 

Encrypted communications client–server 

Optimised for conference room systems and headsets 

The preferred implement of DV2C shall use certificates to perform strong authentication and TLS for 

client-server interaction. 

Logging and Auditing 

Cassidian will implement DV2C with full auditing capabilities to comply with the PSN security policy 

thus all transactions will be logged to a central management point for a pre-agreed duration with the 

Service Consumer. 


The full managed on-net service is managed from the CSOC and access to the Video Conferencing 

service is booked through the Consumer Portal. The conferencing management application will, 

dependent on the authentication method used, present an invitation to the conference call to each 

participant giving the call details and authentication requirements. All Incident and Problem

management and other ITILv3 processes are managed by the CSOC and available via the Service 

Consumer Portal. 


The Cassidian Internet Services have been designed to provide the Service Consumer with the 

comprehensive suite of secured services required for Internet and Intranet access, integration and 

interoperability. Cassidian provides the following PSN compliant capabilities within our Internet Service 

Offering: 

440 

Internet Access Service 

Domain Name Service - DNS 

Dynamic Host Configuration Protocol (DHCP) Services 

Forward and Reverse Network Address Translation (NAT) Services 

Network Monitoring Services 

Network Management Services 

Secure Internet Gateways 

Accurate Time Service 


Each of these Services are available to the Service Consumer with the following deployment models: 



function 




service availability.

Security Environments Supported 

All of Cassidian’s service capabilities have been designed to be delivered at PROTECT, RESTRICTED 

and CONFIDENTIAL (unless specifically excluded within the capability description) and are supported 

from the Cassidian Service Operations Centre (CSOC). 


Internet Access Services 

Cassidian will provision an Internet facing service for the Service Consumer. This can be provided in 

either standard or high availability mode as a virtual point of presence via a secured extrusion for the 

CSOC over the Cassidian Encryption Service (Security Services) or as a physical point of presence at the 

Service Consumers location(s). Irrespective of the deployment model this service can be provided in 

both standard and high availability mode. 

Within this capability Cassidian provides an agile service that can be augmented by the additional 

capabilities identified below. Cassidian also ensure that the Service Consumer is provided with an agile 

bandwidth capability, to respond to changes in the Service Consumers needs and ensuring no loss of 

response or access during anomalous surges. 

Within this Service Offering Cassidian manage, maintain and registers the Service Consumers: 

441 

Internet Address Space 

Internet Name Space 

Bandwidth and Contention 

Resilience and Availability 

Basic Access Control 

Routing

442 

Time Source 


Cassidian will provide the Service Consumer with a high availability secure PSN compliant Name 

Service based upon a secure distributed BIND implementation. This implementation provides the 

following technical functionality:- 

Supported Implementations 

The Cassidian Name Resolution Service implementation has identified and can provide the following 

configuration options 

Full DNS – This will provide the Service Consumer with a complete DNS for all zones that the 

Service Consumer requires to be hosted. 

Split DNS – This will provide the Service Consumer with a DNS to support a differential public 

and or private resolution space. This function also supports the DNS requirements for support to 

cross boundary resolutions (via proxies or other means). 

Zone Delegation and Parent Hosting – This will provide the Service Consumer with the required 

delegations and zone hosting records required to allow the Service Consumer to run their own 

child domain as a zone hosted on a Name Server within their control. 

Secondary DNS Hosting – This will provide the Service Consumer with a shared resilient DNS 

implementation. Thus it will be possible for the Service Consumer to share the responsibilities 

within this service provision implementation thus enabling tight coupling and integration with 

any existing LAN side implementations. 

The remainder of this section identifies the scope of technical functionality available to support 

these implementations. 

Server Types 

The following Server types are provided within this service:

443 

Primary Master Name Server – Master 

Secondary Master Name Server – Slave 

Supported Zone Types 

The Cassidian service provides support to the following zone types within its Name Servers: 

Forward zones 

in-addr-arpa and ip6.arpa zones 

Stub Zones 

Based upon the zones this Service provides the Service Consumer with a complete resilient 

resolution path service that supports any required configuration for the delegation, management and 

hosting of full domain tree or sub-tree implementation. 

Supported Resolution Modes 

The Cassidian service supports the following resolution modes: 

Recursive – The DNS Service, when operating in this mode for any given Service Consumer, shall 

provide the originating requester a complete answer to the original request. Depending upon 

the resolvability of the initial request the resultant response shall either provide the required 

zone response or the relevant error/failure message. 

Iterative – The DNS Service, when operating for any given Service Consumer, in this mode will 

provide the best answer this instance knows back to the requester (typically another server) or 

an error/failure message. 

Extended Resource Records (RR) Support 

The Cassidian DNS Service supports all bespoke or specific requirements and extensions mandated 

by any current Operating Systems or network implementations. The Cassidian implementation supports 

all currently recognised RR’s. This includes, but is not limited to, those records required for:

444 

DNS Security (RRSIG, DNSKEY, DS, NSEC) 

Telephone Number Mapping (NAPTR) 

Service or Server Location (SRV) 

Geographic locator records (LOC) the implementation 

Supports all IPv4 and IPv6 derived record types. 

Additional Support to Private or Close Community Full Path Resolution 

The Cassidian implementation provides the following support to the root-path: 

Integrate and maintain the trusted root path for all zones it is responsible for as a child of a 

parent domain tree. 

Integrate with the security domains root and maintain the trusted root path for all zones it is 

responsible for as a parent within a domain tree. 

Provide a fully traversable root zone path (including a root service if required) for all 

implementations that are closed or private in their nature. 

Provide a root.hints file for those Service Consumers’ clients and servers Operating Systems. 

Support to Legacy Domain Names and Domain Name Migrations 

The Cassidian solution provides interim and transition support to legacy FQDN transformations. This 

provides the Service Consumer with a transformational capability to ensure that the externally 

resolvable names reflect the current PSN naming conventions whilst the internal system is migrating 

from a previous naming convention. 

Supported Interfaces and Transaction types 

This implementation provides listeners on port 53 for both TCP and UDP interactions with built in 

support for EDNS0 transactions. 

Support to Zone Transition

The Cassidian DNS implementation provides the Service Consumer with a low risk service transition 

via a number of defined zone transfer and adoption processes. 

Support to Dynamic DNS 

For any given Service Consumers zone this service can provide this as a DDNS enabled zone. 

Access to the DNS Service Status and Zone Administration 

Access to the current availability status of the DNS Service will be presented via the Customer 

Technical Portal. Where a zone has been delegated for Service Consumer Administration access to this 

zone will be via a secondary authentication interface presented on the Customer Service Portal. 

Optional Service Consumers Hub Name Servers 

Where the underlying network architecture and VPN correlation dictates a dedicated DNS Appliance 

can be included within that site thus optimising the resolution for that Service Consumers environment. 

This extension would be recommended for overall performance efficiencies when large volumes of 

hosts are connecting to DDNS enabled zones. 

Service Capacity 

The provided DNS Service will support the capacity throughput requirements as defined within the 

PSN Technical Domain Description v2. 

Performance Metrics 

The solution has been scaled to support the performance requirements as defined within the PSN 

Technical Domain Description v2. 


445

The Cassidian DNS implementation has the same security architecture and characteristics for 

PROTECT, RESTRICTED and CONFIDENTIAL service offerings as a consequence of the DNS lookup services 

within the PSN being considered critical and, as such, shall meet IL 5 in terms of integrity (refer to 

Section 8 of the PSN Technical Domain Description , V2.0). 

For each of these security impact level service offerings there is a segregated solution in terms of 

physical platform and logical functionality. 

DNS Operational Integrity 

The Cassidian implementation supports the following transactional security measures utilised in 

order to support the DNS functionality: 

446 

Transactional Signatures (TSIG) – Cassidian supports a transactional signature based solution. 

DNS Security Extensions (DNSSEC) – Cassidian supports a DNS Security based solution. 

The Cassidian service also implements and supports access control lists at both the Name Server and 

Zone levels. 

The implementation also ensures that there is delineation between the recursive Name Servers and 

the iterative Name Servers. Thus any external resolver requests are handled by dedicated iterative 

Name Server instances to accommodate their requests. These iterative Name Servers will direct the 

client to a Slave recursive Name Servers for final resolution.

It should be noted that within this model the resolver client only interacts with the Slave Name 

Servers for a given zone and not the Primary Name Server for that zone. The relationship between the 

Slave Name Servers and the Primary Name Server for zone transfers and interactions utilises TSIG. 

DNSSec is used to ensure the integrity of the records and exchanges for Name Servers and 

compliant resolvers outside of the Cassidian DNS implementation. 

Resilience Options 

The Cassidian DNS provides the required resolution capacity within the compliant VPOC 

deployment. Each hosted zone will be deployed across our HA architecture which in turn will be 

distributed across our DR site. The service is implemented on a dedicated suite of hardware with 

inherent hardware resilience and robustness. Each hosted zone will be fully resolvable from any of our 

DR sites. 

Dynamic Host Configuration Protocol 

Cassidian will provide the Service Consumer with a fully functional DHCP service as defined within 

RFC 2131. This capability will provide the requestor with host requestor configuration parameters, the 

allocation of a network address and the ability to interwork with BootP relay agents. 

447

Within this DHCP service the required and defined service parameters can be configured on a scope 

by scope basis for any given Service Consumer. The most common parameters as defined within RFC 

2132/2485/3679/4776/6153 that are supported include but are not limited to: 

448 

Gateway 

Time Server Address 

DNS Server Address 

Log Server 

Print Server 

Domain Name 

NETBIOS Parameters and Server 

FQDN 

SIP Server Options 

Lease time 

VLAN ID 

IPv4 Address allocation 

IPv6 Address allocation 

TFTP Server Address 

Mail Server Address(s) 

Cassidian provides this service as a centralised capability, a site specific instance or a hybrid / 

distributed deployment. The nature of any deployment of this service will be guided by the Service 

Consumer’s needs, the capabilities of the underlying LAN/WAN infrastructure, the resilience required 

and the size of any given consumer by site and organisation. 


As DHCP standard has no inherent security configuration parameters this service leverages the 

overarching security configuration for all Internet Services and the PSN baseline security profile and 

engineering best practice. 

Resilience Options

Given the nature of DHCP a multi homed and cool standby DHCP service can be provided to support 

the resilience requirement of the Service Consumer. 

Forward and Reverse Network Address Translation (NAT) 

Cassidian provides an IPv4 forward and reverse Network Address Translation service. This service 

enable a Service Consumer to present PSN allocated IP Addresses irrespective of the existing the IP 

address plan used internally. 

Forward NAT Service 

The forward NAT Service will assign and manage the session based IPv4 translation between the 

internal (private) IP address and an external (public) IP Address. 

Reverse NAT Service 

The reverse NAT Service will map an external IP Address and port to a specific internal IP Address 

and port. This function allow the Service Consumer to present external services (via a split DNS) to other 

organisations or consumers without exposing the internal IP structure. 


This service will ensure that the Service Consumers internal IP address range is obfuscated from the 

public areas of the PSN. This service will log all translation mappings for future review and analysis 

Network Monitoring Service 

Cassidian provides a full Network Monitoring Service. The Network Monitoring Service provides the 

Customer Authority with a solution that will continuously monitor a network, providing early detection 

449

and notification of slow, over utilised or failing components and then notify your administration team of 

these issues. 

In order to support today’s complex IT systems and networks the Cassidian Network Monitoring 

Service provides a comprehensive monitoring service that delivers: 

450 

Early indications of faults and errors; 

Identification of equipment configuration changes and inconsistencies (e.g. additions or 

removals); 

Monitoring of performance of any IT component against a defined operational scope; 

Provision of data in support of the Compliancy and Security Audit process. 

Main Components of the Service 

To describe the breadth and depth of our Network Monitoring Service, Cassidian has defined the 

following functional components: 

Discovery and Agent Service – Cassidian work with the Service Consumer to discover and 

catalogue all networked assets to be monitored. Once the first capture has been executed 

Cassidian shall periodically repeat the discovery to assist in the identification of changes or 

anomalies within the defined scope of those elements being monitored. 

Incident and Alert Collectors – Cassidian work with the Service Consumer to efficiently design 

and define how existing and additional collectors can be best utilised to provide the most 

comprehensive alerts and notifications within the defined scope of those elements being 

monitored. 

Network Efficient Aggregators – Cassidian work with the Service Consumer to ensure that the 

most cost and capability efficient aggregation service is delivered thus maximising your return 

on investment. 

Unifying Correlator and Threshold Monitor – Efficient alerting capture is only the first part of an 

effective Network Monitoring Service so within this function Cassidian works with the Service 

Consumer to baseline and identify the required correlation and entity thresholds required to 

provide a pro-active and reliable. 

Visualisation and Alerting Service – This function provides the Service Consumer with a near-real 

time visualisation of the status of all networked elements within the defined scope of those 

elements being monitored which is access from the Customer Web Portal.

451 

Ticketing System – This function is used to support the helpdesk service by controlling the flow 

of events throughout the support process and ensuring that there is a designated owner for 

each event action. 

Configuration and Reporting Service – Cassidian will provide a regular status report for the 

Service Consumer to assist with internal compliancy, change and future growth management. 

Network Management Service 

The Network Management Service provides you with a fully managed solution that will continuously 

and proactively manage a network providing change control, configuration management and network 

monitoring of all networked devices. This service provides the Service Consumer with the following 

capabilities: 

Give early indications of faults and errors; 

Identify equipment configuration changes and inconsistencies (e.g. additions or removals); 

Monitor the performance of any IT component against a defined operational scope; 

Provide data in support of the Compliancy and Security Audit process; 

Manage change; 

Maintain 5 configuration snapshots for all relevant managed devices; 

Provide Networked device patch update service; 

Provide Anomalous behaviour detection. 

The Network Management Service uses the ISO / ITU-T FCAPS model to deliver Fault, Configuration, 

Accounting, Performance and Security Management as its core capabilities and deployed using an ITILv3 

aligned Service wrap. 

The FCAPS model and the ITIL framework underpin this service by providing: 

Active network monitoring – Proactive SNMP and ICMP monitoring of selected target devices;

452 

Passive network monitoring - Reception and processing of SNMP traps and messages; through 

standard protocols or custom log file reading and parsing. 

Device configuration management; 

Change Management; 

Release and Deployment Management; 

Fault Resolution – Customer facing Visualisation and Alerting Service; 

Performance Reporting – Service Levels, Trending and Configuration reports. 

Main Components of the Service 

To describe the breadth and depth of our Network Management Service, Cassidian has defined the 

following functional components: 

Discovery and Agent Service – Cassidian will work with the Service Consumer to discover and 

catalogue all networked assets to be monitored. Once the first capture has been executed 

Cassidian will periodically repeat the discovery to assist in the identification of changes or 

anomalies within the defined scope of those elements being monitored. 

Incident and Alert Collectors – Cassidian will work with the Service Consumer to help design and 

define how existing and additional collectors can be best utilised to provide the most 

comprehensive alerts and notifications within the defined scope of those elements being 

monitored. 

Network efficient Aggregators – Cassidian will work with the Service Consumer to ensure that 

the most cost and capability efficient aggregation service is delivered so maximising your return 

on investment. 

Unifying Correlator and Threshold Monitor – Cassidian recognises that efficient alerting capture 

is only the first part of an effective Network management Service thus within this function 

Cassidian works with the customer to baseline and identify the required correlation and entity 

thresholds required to provide a pro-active and reliable. 

Visualisation and Alerting Service – This function provides the Service Consumer with a near-real 

time visualisation of the status of all networked elements within the defined scope of those 

elements being monitored. 

Ticketing System – This function is used to support the helpdesk service by controlling the flow 

of events throughout the support process and ensuring that there is a designated owner for 

each event action. 

Configuration Collection Repository – Cassidian has developed a dedicated toolset that focuses 

on collecting all managed devices current or running configurations and compares those with 

the current deposited version on a bi-weekly basis. In the event of any difference Cassidian will 

investigate these anomalies and provide a report of the delta with a severity and urgency based 

upon the results of that analysis. 

Configuration and Reporting Service – Cassidian has found that providing a regular status report 

for their customers greatly assists them with their internal compliancy, change and future 

growth management.

453 

Change Management Process – To support change within this service Cassidian has a complete 

Change Management process from initial receipt of the Request for Change through to 

implementation and configuration update. 

Network Monitoring 

Each network element will be monitored continuously, or at a frequently necessary and appropriate 

to its function, for failure or degradation in performance against a pre-defined threshold. Monitoring 

criteria will be set according to the nature of the network element and its function e.g. for a network 

data link the link status, bandwidth utilisation and number or errors will be measured whereas for a 

server the CPU utilisation, temperature and free disk space available will be monitored. 

Tuning 

It will be necessary to adjust the level of monitoring to maintain a usable level of information. Too 

much emphasis on one item, such as increasing link bandwidth usage, may mask degradation in another 

related field such as data link errors and vice versa and it is important therefore to review the attributed 

within the monitoring system on a regular basis. 

Test for Normal Condition 

An integral part of the process is the test for normal condition and this will largely be an automated 

process with rules being set up within the software toolset to process information received directly from 

the polling engine. Once an event occurs outside of what is classified as the normal condition for the 

monitored element, it will be flagged by an alert or alarm according to its severity or significance and 

will be resolved according to the rule set and either logged or escalated to an engineer for further 

attention as per the normal operation of Event Management. 

CSOC Notification

The monitoring toolset will be configured to notify the CSOC engineers of any anomaly according to 

the priority criteria set within the SLA. The CSOC will then resolve the Incident within the timescales 

indicated in the Service Level Agreement (SLA). 

Web portal access will also be available to view real time data and produce customisable reports. 

Continuation of Monitoring 

Following any notification to the CSOC and at any point during the lifecycle, a decision may be made 

to discontinue monitoring customer equipment. This may be due to one of several reasons: 

454 

Temporary loss of contact with the equipment due to upstream failure 

Disconnection of the device for maintenance 

Removal of the equipment after decommissioning 

Contract termination 

If the monitoring is to be suspended temporarily, this will be processed using a standard model 

change request (service request) and the polling engine suspended for the agreed period. If the change 

is permanent a normal change will be raised so that the schedule may be amended as appropriate. A 

separate process for termination will be defined in the Off-boarding process so that relevant data may 

be archived for future statistical reference and accounting purposes. 

Configuration Management 

The configuration of each network element will be monitored for any unscheduled change and any 

deviation from a known configuration baseline stored in the configuration management database

(CMDB). Any unauthorised configuration changes identified will be investigated and reported upon by 

the CSOC. 

Service Delivery Points 

Cassidian will deliver the Network Management Service from the Cassidian Service 

Operations Centre (CSOC) in Newport and will securely connect to the customer network via IPSec 

VPN tunnels; for a more resilient solution, it is recommended that the VPNs are terminated at two 

separate customer locations. 

For small enterprises comprising less than 5000 monitored elements, an Aggregator and Correlator 

will be sited at the Cassidian site; for larger enterprises, with greater than 5000 monitored elements and 

where bandwidth requirements dictate, one or more Aggregators and a Correlator will be sited at the 

customer premises; if bandwidth requirements permit, the Correlator may be retained at Cassidian. 

Cassidian will provide the necessary hardware platforms and required software for the 

Aggregator/Correlator. 

Backup and Restore 

Cassidian perform a daily cross platform warm standby back-up for all critical Service elements, 

including real time database replication across multiple distributed platforms. This ensures Cassidian can 

exceed the requirements for a Tier 3 data centre for those critical delivery elements of this service 

offering 

455


This service is provided with the following security aspects and attributes: 

456 

All interactions with the devices under management will be completed using a secure channel if 

the device is capable of support. 

All data in transit to and from the CSOC will be configured to pass down a secure separated 

channel. 

All access to the resultant network status views will be via the Cassidian Secured Customer Web 

Portal will full access control and rights management. 

All access to the resultant status for a discreet implementation will be configured with the 

relevant local rights management and access control parameters. 

Secure Internet Gateways 

Cassidian provides two types of Secure Internet Gateway Services: 

Secure Web Gateway 

Secure e-Mail Gateway 

The Secure Web and e-Mail Gateway services described below is only available at PROTECT however 

an enhanced Web-Guard service is also available at RESTRICTED and CONFIDENTIAL which will provide 

the functionality as required by PSN and CESG security standards within these higher security domains – 

Please see the Firewall Service – Application Firewalls for further details. 

Secure Web Gateway 

HTTP(S) Scanning 

The Web Service Gateway scans all HTTP and HTTPS traffic and analyses it for both malware and 

inappropriate content. This includes inspection and alerting for all certificates that appear suspicious.

Organisational Acceptable Use Policies 

This capability allows the Service Consumer Organisation to set a comprehensive usage policy based 

upon a number of defining criteria: 

457 

A list of users, computers and/or groups to whom the policy applies 

A list of URL category and application filtering rules 

Destination site reputation risk analysis 

Malware scanning including real-time Javas emulation and analysis 

Enhances zero-day attack detection rates 

File type definitions and analysis 

Data loss mitigation 

Additional options that affect the user’s browsing experience. 

Advanced Detection Techniques 

The Web Service Gateway provides the Service Consumer with a number of enhanced technologies 

and techniques that have been designed to help reduce and mitigate the threats from: 

Anonomyzing Proxies detection – attack vectors launched from behind a proxy service 

Anonymous Call Home detection – Detects and identifies machine making unexpected or 

authorised web connections 

Deployment and Management 

This service can be deployed as either a physical or virtual appliance at a Service Consumers location 

or accessed from the CSOC. Irrespective of the deployment configuration this service will receive near 

real-time signature updates and ‘bad site lists’ from the CSOC over the PSN within the relevant security 

domain.

Cassidian will manage these gateways from the CSOC for the Service Consumer and can provide 

both shared view and shared management via role based delegation thus optimising the usability and 

responsiveness of this service within the approved implementation security parameters. 

Enhanced Capabilities 

This gateway is fully interoperable and can be fully integrated with the Cassidian Computer Network 

Defence Service, further enhancing the security detection for the Service Consumer. 

This gateway is fully interoperable with the Cassidian HIDS and Anti-Virus Service; when integrated 

this service will combine to provide fully protection and control of remote users when suitable 

connected (e.g. via the Cassidian Secure Remote Access Service). 

Secure e-Mail Gateway 

The e-Mail Service Gateway provides the Service Consumer with a number of enhanced 

technologies and techniques that have been designed to help reduce and mitigate the threats from: 

458 

Pre-defined sensitive data types 

Automatic data protection Prevent the accidental or malicious loss of sensitive data. 

Protects sensitive data with automatic email encryption 

Reduces the risk of data loss with pre-packaged DLP definitions 

Blocks known and zero-day threats with the built in AV engine 

Anti-spam management and mitigation 



technologies and techniques that have been designed to help reduce and mitigate the threats from:

459 

SPAM Campaigns – Eliminate over 99% of spam with Sender Genotype Technology and Live 

Anti-Spam real-time updates 

Proactively protect against evolving threats including viruses, phishing, and malware with 

Behavioural Genotype technology 





domain. 





This gateway is fully interoperable and can be fully integrated with the Cassidian Computer Network 

Defence Service, further enhancing the security detection for the Service Consumer. 




Accurate Time Service 

Cassidian can provide the Service Consumer with a highly accurate Time Service. This time service is 

provided to ensure that all aspects of the Service Consumers IS and IT environment can maintain 

accurate time and time synchronisation to within

Cassidian PSN compliant time source or an available time source from the Service Consumers DNSP 

source as defined within the PSN Technical Domain Description Document. 

This time service has a number of different deployment models to support the Service Consumers 

requirements: 

460 

Full Client Time Service Capability 

o Clients connected to the CSOC managed Client Time Server 

o Clients connected to a deployed Cassidian Client Time Server 

Time Synchronisation Capability 

o Connection to the Cassidian Stratum Time source over the PSN WAN link 

o Connect to a site deployed stratum time source 


All component services that comprise the Internet Service provision are monitored and managed 

from the CSOC using remote network and device management toolsets. The CSOC delivers Event, 

Incident and Availability management processes which are key components that underpin the service 

and information concerning real-time service status is provided via the Service Consumer Portal. 

E-Mail and Desktop Messaging 


Cassidian provides the following PSN compliant capabilities within our messaging offering which is 

delivered within our Unified Communications Service offering. This service provides the following 

capabilities: 

Desktop Messaging 

Web Messaging 

Interpersonal Messaging (SMTP and eSMTP)

461 

Inter-Organisational Messaging (x.400) 

Enterprise and Domain Messaging Gateways 

Content inspection of incoming and outgoing messages for infection and non-compliance with 

PSN policy 

Extended Client functionality including 

o Collaboration with shared calendars 

o Fully functional Address Book 

o Task Management 

o Meeting planning 

o Security Labelling for Messages 

Service Continuity Scope 

Availability 

The hosted solution is Highly Available and Scalable across our DR sites. Secure multifunction 

messaging gateways in conjunction with Mail Guards protect the network from external mail threats. 

Outgoing mail is checked for conformity against IA based policies. Hosted services are centrally managed 

from Cassidian Service Operation Centre (CSOC). 

Backup and Restore 

Cassidian perform a daily cross platform warm standby back-up for all critical Service elements, 

including real time database replication across multiple distributed platforms. This ensures Cassidian can 

exceed the requirements for a Tier 3 data centre for those critical delivery elements of this service 

offering 


This service is provided with the following security aspects and attributes: 

All interactions with the devices under management will be completed using a secure channel if 

the device is capable of support. 

All data in transit to and from the CSOC will be configured to pass down a secure separated 

channel. 

All access to the resultant network status views will be via the Cassidian Secured Customer Web 

Portal will full access control and rights management.

462 

All access to the resultant status for a discreet implementation will be configured with the 

relevant local rights management and access control parameters. 

Service Capabilities 

Client Capabilities 

Standards Desktop Messaging (Windows Client) – the client provided is integrated and multi- 

capable; examples of the functionality provided includes: 

Personal email management 

Multiple email accounts from different domains or servers 

Address book local and company 

Security labelling of all messages 

The Messaging client will be modified with Security Classification labels which comply with PSN 

IA policies. The Security labels ensure downstream equipment route the messages on the 

correct network. 

Message archive 

Searchable archive across multiple end user mailboxes 

Secure email transport SSL/TLS POP3, SSL/TLS IMAP4, SSL/TLS SMTP 

Integrates seamlessly with directory services and PKI infrastructure 

Mail and attachment screening for virus and malware content 

Junk mail filtering 

Protection against Phishing attacks 

Extended Desktop Client functionality includes: 

Collaboration with shared calendars 

Fully functional Address Book 

Task Management 

Meeting planning

Web Messaging – Web messaging will connect roaming and remote access Service Consumers to 

their mailbox via and authentication hosted web interface. 

463 

Search folders 

Message filtering 

Ability to set categories in the message list 

Options in the Web management interface for Outlook Web App 

Side-by-side view for calendars 

Multiple client language support 

Ability to attach messages to messages 

Expanded right-click capabilities 

Integration with Office Communicator, including presence, chat, and a contact list 

Conversation view 

Outlook Web App mailbox policies 

Messaging Server Capability 

The Cassidian Messaging Services support the following capabilities: 

Support to MIME and SMIME attachments 

Messages sent on the RESTRICTED and CONFIDENTIAL networks will be digitally signed in 

accordance with CESG guidance and the PKI-Strategy for PSN 

Mail-box sizing 

Security Label enforcement 

Anti-virus and Malware detection. 

Interpersonal Messaging also supports: 

Client Transport mechanisms supported 

o POP3 

o IMAP 

Inter-server transport mechanisms

464 

o SMTP 

o eSMTP 

Inter-Organisational Messaging (x.400) also supports: 

non-repudiation 

Supported formats 

o P2 

o P22 

o P772 

Within Inter-Organisational Domain Messaging Gateway 






Reduces the risk of data loss with pre-packaged DLP definitions 







Anti-Spam real-time updates

465 



Cross-Domain Messaging Gateway 

The above gateway is supplemented with the following functionality (as required) when deploying a 

messaging gateway between security domains. 

Cassidian will provide Multi Functional Gateways to send and receive X.400 and SMTP traffic. 

The gateway will inspect mail message security label and act based upon the define Service 

Consumers release and acceptance policy. 

Non delivery reports are configurable and can notify Service Consumers of failed messages or 

the security office dependent upon the Service Consumers policy requirements. 

Source and Destination domain white-lists 

The MFG conforms to MMHS 

Hygiene Management 

Each hosted server or management workstation has full end-point protection implementation 

including AV, white listing, and a malware client. This service is updated with new threats and signatures 

from an update server located within the CSOC at each site. 

Collaboration Servers –Option 

The Cassidian messaging service shall allow Service Consumers to collaboratively work on shared 

documents, share calendars, tasks, email and notes Collaboration services will be delivered as Normal 

Availability or High Availability where: 

Normal Availability – A single Collaboration Server with daily back-ups

466 

High Availability – Multiple Collaboration Servers load balanced across DR sites 

Mailbox Servers 

Cassidian shall implement mailbox servers across our DR sites for resilience hosting the following 

functions: 

Web Server 

Host Mailbox database 

Provide email storage 

Host Public folder database 

Email Address Policies 

Address lists and offline address books 

Multi-mailbox searches 

Content indexing 

HA and site resiliency 

Messaging records management and retention policies 

Cassidian shall provide the Service Consumer with access to a web server instance. This capability is 

required to host the webmail portal for Service Consumers accessing their mailbox through a web 

browser 

User Authentication 

Service Consumers shall be authenticated against a directory service to gain access to their mailbox. 

Integration and Interoperability functions 

Cassidian messaging service uses open standards to allow Service Consumers to communicate 

across disparate networks 


Each of these Services are available to the Service Consumer with the following deployment models: 



function

467 





Business Continuity and Disaster Recovery 

Each HA Site resilient service will be deployed across our HA architecture which in turn will be 

distributed across our DR site. The service is implemented on a dedicated suite of hardware with 

inherent hardware resilience and robustness. Each hosted service will be fully resolvable from any of our 

DR sites. 

Cassidian can offer a site resilient service to ensure no loss of service by extending the physical 

locations of the mailbox servers. 

Mailbox backup will form part of the DR policy. Service consumers will be able to request retrieval of 

deleted email or a corrupt mailbox 


Messaging services are hosted and delivered from the CSOC. All infrastructure elements that 

underpin the service, including Collaboration Servers and Mail guard gateways are monitored and 

managed using remote network and device management toolsets. Service status information is provided 

via the Service Consumer Web Portal which also provides Incident management and Service Request 

support.

Co-location and Hosting 


Cassidian provides Co-Location and Hosting Services through its Secure Data Centre Services Centres 

(SDSC) managed via our CSOC. These data centres are equipped to deliver Tier 3 services to meet 

requirements from the hosting of Service Consumer owned equipment to the provisioning of servers 

and virtual data centres. 

The Cassidian SDSC is approved to operate up to RESTRICTED and implements the relevant security 

process and procedures as defined within the relevant impact level. As such this service is only offered 

at PROTECT and RESTRICTED for PSN. 

The Infrastructure as a Service (IaaS) capability provisions processing, storage, networks, and other 

fundamental compute resources where the Service Consumer is able to deploy and run arbitrary 

software, which can include operating systems and applications. The Service Consumer does not 

manage or control the underlying infrastructure but has control over operating systems, storage, 

deployed applications and limited control of select networking components dependent upon the 

security domain. 

Scope and Function of the Services 

The Co-Location and Hosting Services are flexible and shall be offered for the following 

infrastructure layers:- 

468

Hosting Environment 

469 

Co-location of Service Consumer equipment through the provision of data centre floor space, 

power and physical connectivity 

Secure connectivity from the Service Consumers location(s) through PSN connections. 

Support for Service Continuity and Disaster Recovery. 

Hardware Platform 

Co-location of Service Consumer equipment in Cassidian provided server and network 

equipment racks 

Cassidian provided physical servers into Cassidian managed server racks 

Storage presentation from the Cassidian SDSC SAN storage facility 

Secure connectivity from the Service Consumers location(s) through PSN connections. 


Virtualised Platform 

Virtual servers and virtual data centres based upon the Cassidian SDSC virtualisation and 

provisioning platform. 

Secure connectivity from the Service Consumers location(s) through PSN connections 


The Service Consumer may use the above service offerings in combination interconnected as 

required within the constraints of the security domains.

This Service offering is intended to meet the needs of what is currently termed “private cloud” and 

“community cloud” deployment models. 


The Co-Location and Hosting Services shall be offered over two security domains covering PROTECT 

and RESTRICTED. Both domains are physically and logically separated from the other domains to avoid 

any accidental or deliberate attempt to transfer information to a lower domain. Each domain has its 

own service management infrastructure platform for the maintenance and monitoring of the equipment 

providing the services, supporting security separation. 

PROTECT level services are protected by standard security measures as identified in the baseline 

countermeasure set within ISO 27001, whilst RESTRICTED level services have additional security 

measures in line with the Deter and Resist Controls. PSN Connectivity will be employed to provide 

protection for data transmitted and received data at the necessary Impact Levels. 

Within each domain, the security model for each Service Consumer varies depending upon the layer 

of Co-Location and Hosting Services taken up. Part of the SLA definition with the Service Consumer will 

identify the exact level of security measures to be provided by Cassidian to support accreditation of the 

Service Consumers system and maintain accreditation/certification of the SDSC data centre. 

Specific Capability 

The Cassidian SDSC Tier 3 data centres provide the infrastructure environment for the hosting and 

co-location services offered up to RESTRICTED. These data centres within or secure facilities. 

470

The Cassidian service management team supports the Service Consumer with the definition of 

resource requirements, planning, on-site logistics, resource deployment, and connectivity services. 

The following service offerings are available within the SDSC datacentres: 

471 

Floor space to host service user owned equipment 

o The Service Consumer provides the hardware and enclosures to be placed and 

commissioned in an allocated space within in the SDSC facility 

o Access to this environment is as determined by the Service Consumer’s requirements 

for application, administrative and out-of-band access. 

Partial or full rack space to host service user owned equipment e.g. Servers and network 

equipment 

o Dedicated standard server and network equipment racks into which Service Consumer 

installs their equipment 

o Access to this equipment is as determined by the Service Consumer’s requirements for 

application, administrative and out-of-band access 

Physical servers built to specific hardware, BIOS and firmware configurations 

o This IaaS deployment model provides servers ready for operating system and 

application deployment. Network connectivity is provided to local and wide-area 

networks 

o Network connectivity is provided through VLAN separation 

o Access to this equipment is as determined by the Service Consumer’s requirements for 

application, administrative and out-of-band access 

Virtual machines configured to support service user workloads 

o The provisioning of one or more virtual machines to the Service Consumer using a CAPS 

approved hypervisor environment which is part of the SDSC. The virtual machines are 

provisioned with the resources available to satisfy the service user application workload 

requirements such as performance and availability 

o Connectivity to the Virtual Data Centre (VDC) is provided through virtual network 

adapters associated with the VLANs assigned to the service user 

o Access to the virtual machines is via virtual machine remote console access and any 

operating system remote access and application protocols 

VDC configured to support Service Consumer workloads and virtual network segmentation 

o Virtual Data Centres enable multiple virtual machines to be deployed and operated as a 

single entity. The virtual machines can be segmented and secured within the virtual data 

centre using hypervisor virtual distributed switches and virtual appliances which provide 

edge firewall capability. An example of using this facility would be a multi-tier web site 

service where web servers, application servers and database servers can be deployed on

472 

separate network segments within virtual data centre and traffic filtering applied as 

required 

o Connectivity to the VDC is provided through virtual network adapters associated with 

the VLANs assigned to the service user 

o Access to the virtual machines is via virtual machine remote console access and any 

operating system remote access and application protocols 

Virtual machine backup and recovery. 

o The backup facilities offered cover virtual machine disks using the virtualisation platform 

storage APIs. This enables virtual machine recovery without the use of agents or access 

to the virtual machines 

o A file level recovery option is available where agent software can be deployed to 

provide an interface for Service Consumer initiated recovery. This is only available for 

supported operating systems and workloads 

Virtual machine High Availability or Fault Tolerance 

o The SDSC virtualisation infrastructure supports both High Availability (HA) and Fault 

Tolerance (FT) options. The HA option enables virtual machines that are affected by a 

host server failure to be instantiated on another server within the same cluster. Fault 

Tolerance achieves this using a hot standby virtual machine on another host server in 

the same cluster 

Fibre Channel SAN based storage presented as required. 

o Cassidian SAN based storage is provisioned on high function, multiple high availability 

storage arrays capable of supporting high performance and high capacity requirements 

through a tiered storage architecture 

o Where storage is being presented to physical hardware this facility requires HBA 

hardware and firmware specifications which meet the compatibility requirements of the 

SAN fabric, storage technology and the Service Consumer’s operating system. This 

compliance requirement is determined as part of the technical design 

Inter-site disaster recovery through synchronous or asynchronous storage replication. 

o Where Cassidian SAN based storage is utilised local and inter-site resilience options are 

available through replication and point-in-time copy (snapshot) 

Each service offering described is implementable at PROTECT and RESTRICTED. 

The Power, HVAC and physical uplink connectivity will be provided by Cassidian. The redundancy 

level and diversity will be determined by the security domain Impact Level and specific Service 

Consumer requirements.

Provisioning of the service offerings are achieved through established work flows including 

requirements analysis, design and specification. 

The PSN provides the required protection for all data in transit for the relevant security domain. 

The virtualisation platform provides dedicated virtual machines; storage and connectivity based on a 

CAPS-approved hypervisor technology on which the Service Consumer is able to deploy their operating 

systems and applications. The SDSC is equipped with chassis based blade servers with redundant power, 

SAN and LAN redundancy. 

Where Service Consumer environments at different IL levels are inter-connected the higher impact 

level environment will contain an appropriate security gateway. These will be determined according to 

the security requirements. 

Access to the hosted services is provided through PSN secured connections. 

Monitoring 

The following infrastructure elements are covered by the system monitoring and alerting toolset. 

473 

Environmental monitoring of Power, HVAC.

474 

Cassidian supplied hardware monitored through out-of-band management interfaces. E.g. HP 

iLo for Proliant servers. 

Virtualisation, Network, SAN fabric and storage subsystems. 

Access control systems. 

SDSC data centre surveillance. 

Deployment and Migration Services 

Cassidian provides comprehensive planning, design and deployment services tailored to Service 

Consumer needs. 

Cassidian supplies physical and virtual computing resources along with the required connectivity 

through standard service management processes managed by the CSOC. 

Cassidian can assist Service Consumers in deploying their workloads to the IaaS computing 

resources. 

Cross-domain security models 

The Co-Location and Hosting Services provided relate to single domain solutions for PROTECT and 

RESTRICTED. Any requirement for multi domain provisions must be addressed as independent solutions. 


The services offered for PROTECT and RESTRICTED are managed with in-domain tool-sets. 

Regardless of which level of service is required by the Service Consumer, the security design of the 

Cassidian Data Centre capability should address the following within each of the security environments. 

Security Service Code of Connection compliance

Service Consumers wishing to connect into the services must adhere to the Code of Connection 

(CoCo) for the security level being provided by Cassidian. The CoCo needs to place suitable controls on 

the Service Consumer’s infrastructure to minimise the risk of attacks through the interface provided. 

Prior to the CoCo, the first step is to clarify the Service Consumer’s requirement for the protection of 

confidentiality and integrity of their information or data. This will be provided through a Security Aspect 

Letter and a Privacy Impact Assessment by the Service Consumer to Cassidian alongside any technical, 

schedule or commercial service terms. 

These documents identify the business and privacy impact levels associated with the service 

provision agreement and initiate the appropriate actions, preparations and awareness within the 

Cassidian Security Management structure, amongst the service provision personnel and if necessary 

flowed down to any contracted external suppliers. 

Physical Security Aspects of the Service 

Within the approved site, dedicated rooms with electronic access controls are required to prevent 

unauthorised access by Cassidian or contractor personnel not allowed entry into these areas. Separate 

racking and locking of infrastructure for the different security levels and individual Service Consumers is 

required to prevent unauthorised access to the rest of the system by those individuals that are allowed 

into these areas. 

475

Security sensitive areas such as the CSOC are kept physically separate from the data centre to 

reduce the insider threat by removing the ability to attack the infrastructure from within the data centre 

itself. 

Resilience and disaster recovery of the services are provided through use of two data centres at 

different sites. 

Enhanced Security Enforcing Functions 

These are the electronic and hardware controls that protect the data centre and the service 

provision to the Service Consumer. These controls are grouped into the eight areas of concern that are 

addressed in the following sections. 

Within the service provision Cassidian shall employ a strategy for protecting the Service Consumer 

information or data that falls into eight possible categories depending upon the service required. These 

categories are: 

476 

Physical Protection to site, buildings and rooms 

Access Control to Infrastructure 

Separation of Individual Service Consumer Services 

Separation of the Different IL Security Domains 

Confidentiality and Integrity Protection of the Data 

Monitoring of the Infrastructure (including Audit collection) 

Configuration Control of the Infrastructure 

Maintenance of the Infrastructure 

Service Provided - Hosting Environment

When the Service Consumer procures this service they require the physical location to place their 

infrastructure within. Therefore the security service element is primarily around providing physical 

protection of the Service Consumer’s equipment as part of the security environment and the secure 

connection between the Service Consumer’s sites and the Cassidian locations. 

The service options available from a security viewpoint are: 

477 

Minimum interaction from Cassidian – Minimum interaction is effectively where Cassidian has 

no management connection into the Service Consumer’s equipment other than at the boundary 

to monitor the interface. The Service Consumer is totally responsible for installation of 

operating system, software and system updates including all licensing and support costs. The 

infrastructure in this case is an extension of the Service Consumer’s own security environment 

where instances happen to be located at the Cassidian data centre. Therefore the Service 

Consumer must also be responsible for additional security measures such as PKI management 

and user access to equipment/applications, lock down of equipment, time synchronisation and 

overall monitoring of their equipment. Cassidian in this scenario are only responsible for 

segregation of environments, preventing Service Consumer activity from interfering with or 

disabling other Service Consumer’s infrastructure 

Security Monitoring of Service Consumers infrastructure – Security Monitoring of Service 

Consumers Infrastructure provides an additional level of security service to monitor the Service 

Consumer’s hosted equipment for any security events detected by the monitoring tools. This 

can be adopted separately or as part of a wider CSOC service provision to the Service 

Consumer’s infrastructure at their own sites to give them a full network monitoring capability. 

The Service Consumer though in this scenario is still responsible for maintaining the hardware 

and software installed on the infrastructure. The CSOC in this case becomes an extension of the 

Service Consumer’s security domain as a monitoring element 

Full Security Protection of Service Consumers infrastructure – Full Security Protection of Service 

Consumers Infrastructure effectively takes over control and maintenance of the hardware 

provided by the Service Consumer so that Cassidian perform all OS upgrades, software updates 

and installs all patch releases. AV and IDS monitoring of the hardware will be provided through 

the Cassidian core services. Audit and backup of the hardware are also available as options on 

the core services. A PKI service can also be offered as part of larger CSOC service offering for 

identity management. The Service Consumer is still responsible for providing the OS, software 

and all update/patch releases to Cassidian, but Cassidian will test on the System Reference 

Model (SRM) prior to installation on the live infrastructure

Service Provided - Hardware Platform 

When the Service Consumer procures this service they require Cassidian to also provide the physical 

hardware as well as the hosting location. Therefore the security service element is widened to provide 

enhanced security measures as standard to the Service Consumer. 

The options available are: 

478 

Base Hardware (i.e. no OS or applications installed) – The base hardware option is effectively the 

same as the Hosting Environment service, with the only difference being that Cassidian provides 

the physical hardware. Secure management and monitoring of this hardware by the CSOC will 

depend upon the type of service required by the Service Consumer 

Secured Hardware – The secured hardware option is a higher level service offering where 

Cassidian manage the infrastructure that the Service Consumer’s applications and data are 

hosted upon. The Service Consumer only need provide the application and in service updates to 

Cassidian for them to integrate and manage on the data centre platform. This service closely 

resembles the final service offering of Virtualisation, where Cassidian provides and manage the 

entire infrastructure used by the Service Consumer 

Service Provided - Virtualisation 

When the Service Consumer procures this service they require Cassidian to host applications/data 

on their virtualisation platform in the data centre. Therefore the security service element is the standard 

implementation of the security controls required to protect the data centre. The Service Consumer will 

be allocated virtual machines on the existing infrastructure or a separate instance of virtualised platform 

depending on the impact level of the Service Consumer’s data

The Service Consumer only need provide the application, data and in service updates to Cassidian 

for them to integrate and manage on the data centre platform. Cassidian are responsible here for all 

other security measures to protect the Service Consumer’s environment within the data centre 

Service Continuity and Availability 

Cassidian has a comprehensive service continuity plan that satisfies our critical service support 

commitments. It should be noted that this service is hosted upon a high resilience infrastructure with in- 

built component and process redundancy. This critical capability design is supplemented by the 

following additional back-up, data recovery and disaster recovery plans as identified below. 

Cassidian perform daily platform warm standby backups for all critical service elements including 

real-time replication across multiple distributed platforms. This ensures Cassidian meet the service 

requirements for the critical service delivery elements. 

Virtual machine High Availability or Fault Tolerance options are provided as required mitigating 

virtualisation host failures. 

Cassidian can offer support to the Service Consumer for: 

479 

Online data storage for disaster recovery data copies 

Synchronous and asynchronous storage replication for storage allocated on Cassidian SAN based 

storage between sites.

480 

Inter-site virtual data centre failover 

Connectivity and support for server consumer BC and DR technical solutions 


Management of the service is provided by CSOC who will monitor and maintain all ancillary and 

peripheral infrastructure elements relevant to the service provided. In addition, a ‘remote hand’ service 

is available to provide local engineering support to hosted Service Consumer equipment at the CSOC 

site. Escort personnel will be provided for Service Consumer engineering staff requiring access to hosted 

equipment if this option is not taken up. 

On-line Storage 


Cassidian provides Co-Location and Hosting Services through its Secure Data Centre Services Centres 

(SDSC) which are hosted on a List X accredited site. These data centres are equipped to deliver Tier 3 

services to meet requirements from the hosting of Service Consumer owned equipment to the 

provisioning of servers and virtual data centres. 

The online storage service (Secure Managed Storage Service) provides Microsoft Windows based 

network file shares based on the Common Internet File System (CIFS) standard, providing secure remote 

file and directory access for client machines independent of the client machines operating system. This 

service is provisioned for use at PROTECT and RESTRICTED. 

The service is hosted from the SDSC UK premises and accessed via the PSN from Service Consumer 

location/s.

The Secure Managed Storage Service allows the Service Consumer to: 

481 

Control which of their users has access to the service 

Allow the Service Consumer (clients) to access files and directories located on the file store as if 

they were local. 

The service is hosted on a virtual file server from the Cassidian SDSC and accessed via the PSN 

connection from Service Consumer location/s. The service allows the Service Consumer to administrate 

the virtual file server thus allowing the Service Consumer (clients) to control access to files and 

directories located on the file store. 

The service can be readily integrated with the Service Consumer’s Microsoft Active Directory Service 

(MSAD) enabling role based access control with minimal administration overhead. 

Key functions: 

An access controlled network file share 

Client and server file storage 

Service Consumer centralised administration for configuration access to files and folders 

The Secure Managed Storage Service shall: 

Provide a network file share (or shares) supporting a specific Impact Level of the defined volume 

and monitor this file share to the agreed thresholds. 

Deliver the Secure Managed Storage Service from the Cassidian Service Operations Centre 

(CSOC) in the UK and propose the secure connection be via the PSN.

Security Models 

The On-line Storage service is available at PROTECT and RESTRICTED. Each domain will be physically 

separated from the other domains to avoid any accidental or deliberate attempt to transfer information 

to a file share on a lower domain. Each domain will also have its own service management infrastructure 

platform for the maintenance and monitoring of the equipment providing the services to support the 

separation. 

The Service Consumer shall comply with the relevant security measures detailed in the code of 

connection for the SDSC. 

Specific Capability 

The Secure Managed Storage Service is based on virtual Microsoft Windows bases servers 

presenting storage as one or more Common Internet File System (CIFS) file shares. 

482 

The online storage service is constructed using one or more virtualised Microsoft Windows file 

servers provisioned by Cassidian with the file services role enabled. These servers are 

provisioned in the SDSC CAPS approved virtualisation platform. The Service Consumer is then 

able to customise and administer the server at the operating system level. 

The require storage capacity is presented as one or more virtual disks as agreed with the Service 

Consumer. This is provisioned from the SDSC highly available storage facility. The virtual disks 

are physically discreet and provisioned in line with the requirements of the security domain. 

The service resilience is achieved according to the SLA agreed with the Service Consumer. 

The following options can be facilitated: 

o A backup and recovery service. This is a virtual machine backup but includes file level 

recovery capability. 

o A High Availability configuration where a failed virtual server is re-instantiated on a 

different physical server. 

o A Fault Tolerance configuration where a failed virtual server is rapidly replaced by a hotstandby 

server transparently to the Service Consumer. 

o An inter-site failover based upon synchronous or asynchronous storage replication 

between SDSC data centres.

483 

Access to the servers is enabled through a secure network connection giving administrative 

access through Remote Desktop Services. 

The servers are handed over to the Service Consumer technical support nominees who take 

administrative control of the server. This enables the Service Consumer to integrate the server 

with their environment for the intended purpose and implement access control and protection 

according to their Security Policies. 

Deployment and Migration Services 

Cassidian provides comprehensive planning, design and deployment services tailored to Service 

Consumer needs. 

Cassidian supplies physical and virtual compute resources along with the required connectivity 

through standard service management processes managed by the CSOC. 

Cassidian can assist Service Consumers in deploying their workloads to the IaaS compute resources 

Two domain security model 

To achieve this multi-domain model, a separate data connection for each domain will be required 

and achieved using the PSN connectivity. 

The On-line Storage offering will have to be procured by the Service Consumer. This service will be 

facilitated using the connection required to the relevant domain, routing the information appropriately 

from the consumer to the file share within the SDSC. 


The Cassidian SDSC is approved to operate up to RESTRICTED and will implement the 

relevant security process and procedures required for ISO27001 Certification or Accreditation 

under HMG IS 1 and 2 as required for the impact level. We can also provide the Service 

Consumer with security guidance and support for any internal accreditation updates or 

modifications to satisfy their requirements.

The CSOC will provide discreet physically separate management infrastructures to support each of 

the proposed security domains being offered at PROTECT and RESTRICTED. 

Security Service Code of Connection compliance 

Service Consumers wishing to connect into the services must adhere to the Code of Connection 

(CoCo) for the impact level being supplied. Cassidian will require them to show compliance against the 

CoCo, which places suitable controls on the Service Consumer’s infrastructure to minimise the risk of 

attacks through the interface provided. 

Prior to the CoCo, the first step is to clarify the Service Consumer’s requirement for the protection of 

confidentiality and integrity of their information or data placed on the file share. This will be provided 

through a Security Aspect Letter and a Privacy Impact Assessment by the Service Consumer to Cassidian 

alongside any technical, schedule or commercial service terms. 

These documents identify the business and privacy impact levels associated with the service 

provision agreement and initiate the appropriate actions, preparations and awareness within the 

Cassidian Security Management structure, amongst the service provision personnel and if necessary 

flowed down to any contracted external suppliers. 

Physical Security Aspects of the Service 

Within the approved site, dedicated rooms with electronic access controls are provided to prevent 

unauthorised access by Cassidian or contractor personnel with no requirement for entry into these 

areas. Separate racking and locking of infrastructure for the different IL levels is required to prevent 

484

unauthorised access to the other system areas by any other individuals that are allowed into these 

areas. 

Security sensitive areas such as the CSOC are kept physically separate from the data centre to 

reduce the insider threat by removing the ability to attack the infrastructure from within the data centre 

itself. 

Resilience and disaster recovery of the services are provided through use of two data centres at 

different sites. 

Enhanced Security Enforcing Functions 

These are the electronic and hardware controls that protect the data centre and the service 

provision to the Service Consumer. These controls are grouped into the eight areas of concern identified 

below that have to be addressed within the security design, through the implementation of control 

measures. 

Within the service provision Cassidian shall employ a strategy for protecting the Service Consumers 

information or data that falls into the eight possible categories depending upon the service required. 

These categories are: 

485 

Physical Protection to site, buildings and rooms

486 

Access Control to Infrastructure 

Separation of Individual Service Consumer Services 

Separation of the Different IL Security Domains 

Confidentiality and Integrity Protection of the Data 

Monitoring of the Infrastructure (including Audit collection) 

Configuration Control of the Infrastructure 

Maintenance of the Infrastructure 

Security Service Element 

When the Service Consumer procures this service, they require Cassidian to host file shares on their 

platforms in the data centre. Therefore the security service element is the standard implementation of 

the enhanced security controls required to protect the data centre, but with the exception that the 

Service Consumer’s technical support team have administrative control over the configuration and use 

of the file share. 

The Service Consumer will be allocated virtual machines on the existing infrastructure or a separate 

instance of virtualised platform depending on the impact level of the Service Consumer’s data being 

stored. 

Cassidian is totally responsible for installation of operating system and system updates, including all 

licensing and support costs. The file share infrastructure in this case is an extension of the Service 

Consumer’s own security environment where the instances happen to be located at the Cassidian data 

centre. Therefore the Service Consumer must be responsible for some security measures, such as 

controlling user access to the data.

All other security measures such as lock down of equipment, PKI certificate management time 

synchronisation, overall monitoring of their equipment come under the Cassidian security service 

provision. Cassidian are also responsible for segregation of environments, preventing Service Consumer 

activity from interfering with or disabling other Service Consumer’s file shares. 


This service is hosted upon a high resilience infrastructure with in-built component and process 

redundancy. This critical capability design is supplemented by the following additional back-up, data 

recovery and disaster recovery plans as identified below. 

Cassidian perform daily platform warm standby backups for all critical service elements including 

real-time replication across multiple distributed platforms. This ensures Cassidian meet the service 

requirements for the critical service delivery elements. 

Virtual machine High Availability or Fault Tolerance options are provided as required mitigating 

virtualisation host failures. 

Cassidian can offer support to the Service Consumer for: 

487 

Online data storage for disaster recovery data copies 

Synchronous and asynchronous storage replication for storage allocated on Cassidian SAN based 

storage between sites.

488 

Inter-site failover 

Connectivity and support for Service Consumer BC and DR technical solutions 


The online storage service is hosted and managed via the CSOC. The Service Consumer Portal 

provides access to tools to view current capacity and storage usage and to manage additional storage 

requests, provision additional hosts and monitor service status. 



For the purposes of describing the scope of the Security Service, Cassidian shall segment the service 

into the following two topic areas of offering: 

Security Management Capabilities; 

Technical Security Capability. 

Security Management Capabilities 

Cassidian’s CLAS Consultants and Security Engineers are proficient in providing advice and guidance 

across the full spectrum of HMG Cyber Security related management activities in support of the Service 

Consumers requirements. 

Security Program 

ISO27000 series compliance assessment and gap identification 

ISO 27001 ISMS scoping, statement of applicability (SoA), implementation and improvement 

CESG IA Maturity Model (IAMM) assessment and audit 

Service/product/capability out-sourcing / procurement lifecycle support 

Security Policy 

Policy and procedure development (Security Operating Procedures, Acceptable Use Policies etc) 

Information exchange agreement or Code of Connection preparation 

Preparation of Privacy Impact Assessments 

Business Continuity Planning and Disaster Recovery strategies, plans and testing in accordance 

with BS 25999, Joint Services Publication (JSP) 503, etc

Compliance Audits 

Security policy compliance auditing and reporting 

Regulatory compliance auditing and reporting e.g.: Data Protection Act (DPA) and Freedom of 

Information (FoI) Act 

Information exchange and/or Code of Connection (CoCo) compliance auditing and reporting 

such as AIRWAVE CoCo compliance 

Risk Management 

Asset identification and valuation 

Threat identification and assessment 

Risk Assessment and Treatment - HMG IS 1, CRAMM, CITICUS 1 

Security Architecture 

Security requirements analysis and derivation 

Advice on infrastructure defence and protective monitoring solution design, deployment and 

operational management 

Advice on cryptographic standards, products, deployment and operational management 

Advice on component configuration, hardening and secure lockdown 

Advice on identity management solution design, deployment and operational management 

Advice on current industry best practice and trends e.g.: the Open Security Architecture (OSA) 

framework 

IT Security Health Checks 

Advice, support, assistance and planning of IT Security Health Checks under the CHECK scheme 

Advice, support, assistance and planning of compliance auditing, inspection and testing in 

accordance with Joint Services Publication (JSP) 480 System Coordinating Installation Design 

Authority (SCIDA) 

Security Certification and Accreditation Guidance 

Support of programmes through Accreditation lifecycles including RMADS development, in 

accordance with UK HMG IS 2 

Guidance of programmes in achieving compliance with governmental security polices such as UK 

HMG Security Policy Framework (SPF), Joint Services Publication (JSP) 440 and the Association of 

Chief Police Officers (ACPO) Community Security Policy (CSP) 

Guidance of programmes in achieving compliance with industry regulatory bodies such as the 

Payment Card Industry (PCI) Security Standards Council and their Data Security Standard (DSS) 

Technical Security Capabilities 

This sub-service encompasses the architecting, design, integration, roll-out, monitoring, reporting 

and on-going management of selected technical countermeasures within the framework of a Service 

Consumer’s overall security architecture. These technical countermeasures include: 

489

490 

Managed Encryption 

Secure Remote Access (SRA) 

Managed Digital Identities 

Other technical countermeasures that would typically be bundled as a technical security capability 

such as Intrusion Detection Service – Cassidian Computer Network Defence and Malware Detection and 

Prevention Service – Anti-Virus, Patch Update and Prevention, have been described within their own 

individual service descriptions within this framework. 

Managed Encryption Service 

All Cassidian Encryption Services are fully PSN compliant as defined within the PSN Technical 

Domain Description v2 and the PSN Cryptographic Framework v1.0. 

RESTRICTED Encryption Service 

Deployment Models 

This service is delivered using a suite of PEPAS, Common Criteria, FIPS and CAPS approved 

products. To support the flexibility for the Service Consumer this service provides a number of 

scaled Secure Service Delivery Points (SSDPs). The following types of SSDPs are available for 

implementation: 

10Gb High Availability(HA) SSDP 

10Gb Non Critical(NC) SSDP 

1Gb HA-SSDP 

1Gb NC-SSDP 

100Mb HA-SSDP 

100Mb NC-SSDP 

10Mb HA-SSDP 

10Mb NC-SSDP 

The SSDP delivers the following technical functionality:

491 

Support to the Service Consumers LAN side routing 

Provision of boundary security enforcing functions (on both the encrypted and unencrypted 

SSDPs interface points 

Provision of a boundary monitored IDS function (optional) 

Centralised VPN community and VPN association management 

Centralised key management including key generation and automated key distribution services 

All Quality of Service (QoS) markings will be reflected in the IP header presented to the 

underpinning GCN network. 

Provision of a WAN side routing service 

Provision of a tunnel encryption service as required from a security gateway device. 

The availability and status of the SSDPs can be visualised on the Technical Customer Web Portal via a 

secure Service Consumers Interface. 

In addition to the SSDPs functionality the service also supports the configuration of a Service 

Consumer encryption and routing hub(s) thus optimising bandwidth utilisation within the DNSP zone 

and (an optional) onward connectivity gateway to other external RESTRICTED domain secure 

communities via the DNSP HA Gateway service. 

The following SSDP Extensions are available if required by the Service Consumer: 

When the Service Consumer’s Network does not currently support the PSN QoS markings the 

SSDP shall apply QoS marking where applicable or requested. 

For high capacity SSDPs (e.g. at the Service Consumer’s Hub Sites) a bandwidth optimised IDS 

correlation appliance can be included - thus reducing the TCO for this service whilst maintaining 

the required level of monitoring.

492 

The SSDP’s IDS capability can be enhanced to provide application level monitoring. 

Capacity and Performance Metrics 

The SSDPs are designed to provide the required capacity and performance required for the 

delivery of this service to the Service Consumer. This capacity is further enhanced by the high 

availability nature of this service. 

Resilience 

The core services have been designed and implemented in accordance with the relevant 

availability and resilience capabilities where delivered. This resilience has been extended to the 

SSDP’s with the HA and NC Service Consumer options. 

CONFIDENTIAL Encryption Service 

Technical Functionality 

The Cassidian CONFIDENTIAL Encryption Service builds on the functionality of the Cassidian 

RESTRICTED Encryption service, by using CAPS approved encryptors to provide a service which includes 

the ability to support remote access. The encryption is transparent; QoS bits as set by the services are 

passed and therefore all services are supported at CONFIDENTIAL. QoS prioritisation is also supported by 

means of the DiffServ Code Point (DSCP) classification. 

The CONFIDENTIAL encryption service is based on high grade encryption products from the CAPS 

approved encryptor list. This service will provide an encrypted IPv4 service, with the capability to permit 

tunnelling of IPv6, to CONFIDENTIAL for bandwidths to a maximum of 100Mbps. 

Encryption will be transparent, QoS will be fully supported. A management and key distribution 

VLAN network will be established in the Cassidian Service Operations Centre CSOC for the management 

of the encryptors and the distribution of keys to the encryptors, along with software/firmware

upgrades. The encryptors that are used to provide the service will be RED side connected to this 

management VLAN network by a separate management port, so that the encryptors can be keyed and 

configured remotely, whilst maintaining separation of management traffic from service traffic. 

The encryptors to be used are CESG certified to High Grade through the CAPS process, meeting the 

requirements for authentication and revocation using CESG approved IPSec profiles. Therefore these 

encryptors will comfortably meet the confidentiality and Integrity requirements for an CONFIDENTIAL 

service. The encryption service also runs across Common Criteria certified equipment’s as part of the 

connectivity service. 


To support the flexibility for the Service Consumer this service provides a number of scaled secure 

service delivery points (SSDPs). The following types of SSDPs are available for implementation. 

493 

100Mb HA-SSDP 

100Mb Non Critical (NC)-SSDP 

10Mb HA-SSDP 

10Mb NC-SSDP 

Each SSDP has the following technical functionality: 

Support to the Service Consumers LAN side routing 

Provision of boundary security enforcing functions (on both the encrypted and unencrypted 

SSDPs interface points 

Provision of a boundary monitored IDS function (optional)

494 

Centralised VPN community and VPN association management 

Centralised key generation and automated key distribution service 

QoS can be applied to the data-streams in line with the PSN Classes on behalf of the service 

consumer. 

All Quality of Service (QoS) markings will be fully supported and reflected in the IP header 

presented to the underpinning GCN network. 

Provision of a WAN side routing service 

Provision of a tunnel encryption service as required from a security gateway device. 

The availability of the SSDPs can be visualised on the Technical Customer Web Portal via a secure 

Service Consumers Interface. 

In addition to the SSDPs functionality the service also supports the configuration of a Service 

Consumer encryption and routing hub(s) thus optimising bandwidth utilisation within the DNSP zone 

and (an optional) onward connectivity gateway to other external CONFIDENTIAL secure communities 

via the DNSP HA Gateway service. 

The following SSDP Extensions are available if required by the Service Consumer: 

The SSDP’s IDS capability can be enhanced to provide application level monitoring. 

Capacity and Performance Metrics 

Examples of the encryptors that are used to provide CONFIDENTIAL services are given as follows to 

illustrate the ability of the solution to meet the capacity requirements:

495 

ECTOCRYP ® Blue comes with 1000 Base SX/LX Optical Traffic Interface, LC Connectors and 

supports up to 900Mbps for 4kpackets and 500Mbps for an IMIX mixed traffic profile. Up to 

15,000 simultaneous security associations are supported. 

ECTOCRYP ® Small Form Factor (SFF) supports up to 80 Mbps for 4k packets and 10Mbps for an 

IMIX mixed traffic profile. Up to 256 simultaneous security associations are supported. 

As these encryptor appliances are based on multi-processor and multi-FPGA hardware, the latency 

introduced by the encryptors is of the order of 100µs. They introduce an encryption tunnel overhead of 

approximately 53 bytes regardless of packet size. 

Resilience 

To meet the availability requirement for the HA service at CONFIDENTIAL, HA routing nodes will be 

provided and the encryptor appliances will be configured in parallel pairs to offer in excess of 99.99% 

availability. The MTBF for ECTOCRYP ® Blue is 50,000 hours. The MTBF for ECTOCRYP ® SFF is 120,000 

hours. ECTOCRYP ® SFF will be available in April 2012, however in the interim; ECTOCRYP ® Blues will be 

used. 

Secure Remote Access (SRA) 

Technical Functionality 

The Cassidian SRA Service allows the Service Consumers to connect back to their host infrastructure 

via the Cassidian Service Operations Centre’s Gateway and their SSDP. The remote users establish 

validated and protected VPN tunnels back to the CSOCs which is then securely forwarded to the relevant 

Service Consumers SSDP. 


SRA has the following deployment models available for adoption by the Service Consumer:

496 

Access to PROTECT Networks – This Service is provided to connect to PROTECT level networks 

via remote clients and (pending the security target) mobile devices. 

Access to RESTRICTED Networks – This service is provide to connect to RESTRICTED level 

networks via remote clients 

RESTRICTED Gateway – This service is provided to connect from an PROTECT network access 

point to an RESTRICTED network via a remote client. 

The variation of the implementation in respect of each service level shall reflect the sensitivities and 

business criticality of the Service Consumer’s Information Service being protected. 

Security Model 

To achieve this connectivity the following technical and security aspects are provided: 

Two factor authentication following applicable CESG Good Practice Guides and UK HMG 

Information Assurance Standards 

TLS based secured connectivity within the session 

Role based access website 

Dedicated low impact client agents 

Integration into the Service Consumers existing LDAP or AD User directory 

On-line Client update service 

Certificate and Digital Identity Management Service 

Cassidian currently provides a PSN compliant Certificate Service to support a number of different 

capabilities and functions for the Service Consumer: 

Organisational Services 

o Issuing Organisational level Certificates to Sub-CA’s 

o Trust Anchors 

o Cross-signing 

o Trust Paths

497 

Consumer Services 

Machine Based Certificate Authentication 

User 

o Authentication 

o Encryption 

o Signing 



o Encryption 

o Signing 

Messaging 

o Encryption 

o Signing 

This service is provides from the Cassidian Service Operations Centre’s (CSOC) and is made available 

to the relevant Service Consumer organisations via the PSN. This Service delivers the required Certificate 

Issuing Servers and Revocation Points at PROTECT, RESTRICTED and CONFIDENTIAL. 


Due to the nature of this service it will always be provided as a CSOC high availability hosted service 

for the Cassidian Trust Anchor(s). Where practicable, secure and efficient Cassidian may deploy Issuing 

CA’s to the Service Consumers site. 

Certificate Trust Path 

Cassidian will register all intermediate and subordinate CA’s with the relevant CESG Root CA (where 

available) and thereafter maintain this trust path to all Service Consumer and Service Offering CA’s 

within the Cassidian Service offering. 

Certificate Subscription Models 

Dependent upon the quality and security impact of the certificates being issued Cassidian support 

the following subscription methods:

498 

Manual request 

Electronic request with verification 

Auto-enrolment 

Each of these methods has a detail management and control policy associated with them. 

Certificate Storage 

Cassidian provides a secure key store for certificate recovery and a public x.500/LDAP based 

Directory Service for Certificate validation and revocation. 

Server Roles 

Cassidian supports the following server roles and functions: 

Policy CA 

Issuing CA (Basic, Medium and High Security instances) 

Intermediate CA 

Revocation 


The Cassidian certificate and identity management service has been designed and is implemented in 

accordance with the relevant PSN and CESG guidance and polices for these capabilities. Cassidian also 

provide the required level of proxy certificate capabilities to the cross-domain firewalls as required. This 

is achieved using the directory application firewall. 


Security Service - Encryption 

The specialist Security Operations Centre (SOC), located within the CSOC provides remote key 

management and distribution services and remote supervision and management of all security endpoint 

and encryption devices. All Security Incident Management processes are delivered from the CSOC-SOC 

and accessed via the Service Consumer Web portal or via email.

Security Service – Secure Remote Access 

The Secure Remote Access service is delivered and hosted from the CSOC. Service Consumer Client 

software support is also available from the CSOC via the Consumer Portal or via email. The Client 

software will be distributed locally via CD or from the Consumer Portal. The service is initiated by the 

client software connecting to a dedicated web portal that will provide further authentication from the 

Service Consumer. 

Anti-Virus and Patch Update Service 


The Cassidian Anti-virus (AV) and Patch update and review (PUR) Services provides the Service 

Consumer with a complete end-point protection and review capability. 


The AV and PUR services are available in the following modes 

AV Service 

499 

Fully Managed central service 

Fully Managed distributed service 

Distributed Service Consumer co-managed Service 

Cassidian provides the Service Consumer either directly to the end-point or via an on-site 

distribution point, provided to improve network efficiencies, a fully managed AV client capability 

including and automatic signature and agent update service. 

The AV client capability is available for the following clients: 

Windows

500 

Linux 

MAC (OS-X) 

MS Exchange 

Cassidian provides near-real time signature and client agent updates from the CSOC either directly 

to the client or to a managed distribution point within the Service Consumers environment. 

Client Extensions 

Dependent upon the Service Grade selected the following additional features and capabilities are 

also available from this AV service: 

Additional AV Platforms 

o UNIX 

o Windows Mobile 

o MS SharePoint 

o Network Storage 

o Virtual Machine Environments 

Client Web Protection – This is the client-side capability delivering the same controls as defined 

within the Secure Web Gateway Service within the Internet Services Section. This capability 

integrates will all main client web browsers 

Device Network Access Control 

o Detect and fix managed endpoint vulnerabilities. 

o Make sure guest computers match your security requirements before they access your 

network. 

o Prevent unauthorised computers from accessing the network 

o Interoperates with the main 802.1x NAC implementations to provide a complete service 

offering. 

Policy based Client firewall 

Application Control – This provides client side white and black listing capabilities. 

Data Loss Prevention Agent 

Device Control – Find and block the unauthorised use of removable storage devices, optical 

media drives and wireless networking protocols (e.g., Wi-Fi, Bluetooth and infrared) 

Control and Management 

All of the above capabilities are managed via policies thus providing highly granular configurability, 

monitoring and reporting capabilities. These policy based capabilities are fully controlled by Cassidian

for the Service Consumer or in partnership with the Service Consumer via a shared Central Console 

capability. 

Reporting and Alerting 

All aspects of this AV service provide the Service Consumer with a real-time status via the Cassidian 

Customer Web Portal and can generate routine and exception reports as required for internal 

compliancy and incident management activities. 


This service is also full compatible with the Cassidian Computer and Network Defence (CCND) 

PUR Service 

The Cassidian PUR Service contains two discrete but interconnected capabilities: 

501 

Patch Update and Distribution 

Patch Review Service 

Patch Update and Distribution Capability 

This service capability provides the Service Consumer with an ‘in domain’ near-real time 

authoritative update and distribution service for all patches within the Windows OS, Server and Client 

Application suites. The master service is located within the CSOC and provides the following distribution 

and subscription models: 

Selective replication to a local authorising distribution server 

Selective replication to a Service Consumers distribution Server 

Direct update of subscribing clients

Cassidian works with the Service Consumer to identify the required patching profile and either 

distribute these to their distribution server or maintains and authorising distribution and reporting 

server on the Service Consumer’s behalf. In the latter instance this server will be located based upon the 

most efficient and effective bandwidth and administration model. 

Patch Review Capability 

The Patch review is a provided as an extension to the AV Service (it is dependent upon the client) 

and monitors the current status of the Service Consumers patching status based upon the current and 

active threats detected on the Internet. It will identify the current Service Consumer’s vulnerabilities due 

to the clients current patch status. This is achieved via the following functions: 

502 

Scan finds unpatched computers vulnerable to threats 

Scans for Windows and other common application patches 

Prioritise patches based on threats and likelihood of exploit 

Identify computers missing critical patches 

Sort by patch vendor, threat and priority 

This status is reported either via the Cassidian Customer Web Portal or via the distributed console 

dependent upon the service model adopted within the AV Service. 


The Anti-Virus update and Patching Services are provided from the CSOC and accessed via a 

dedicated link from the Service Consumer Portal. The service is available fully managed or co-managed 

and delivery of the service is direct to the client from a central point or to a locally placed server for 

further distribution to the client.

A patching deployment review will be undertaken to determine which patches will be deployed and 

deployment groups will be defined according to user role or platform type/version to enable targeted 

deployments. 

Reports detailing latest virus definition availability and critical patch recommendations form part of 

the service and are available from the Service Consumer Portal. 

Firewall 


Cassidian provides a suite of firewall capabilities within this Service offering. These service 

capabilities are described in two capability families: 

503 

Network Level Firewall Service (NLFS) – Within the NLFS Cassidian use either CEGS or Common 

Criteria (CC) approved appliances to augment this fully managed service capability 

Application Level Firewall Services (ALFS) – Within the ALFS Cassidian use application, 

releasability and payload inspection modules within an NLFS cradle to deliver this service. 

All NLFS capabilities support the following level of inspection: 

Purpose-built, high performance platforms deliver WAN connectivity and security, plus the 

muscle to protect the high-speed LAN against internal network and application-level attacks 

while simultaneously stopping content-based attacks. 

Shared Management through role based graphical Web UI central management system which is 

accessed via the Cassidian Customer Web Portal. 

Policy-based management to allow centralised, end-to-end life-cycle management.

The selection and combinations of both the NLFS and ALFS will be mainly dictated by the security 

domain and interworking requirements of the Service Consumers organisation. Using the combination 

of these two capabilities Cassidian can provide the following fully managed firewall services: 

504 

Port and Protocol Firewalls 

Messaging Firewalls – IPM and IOM 

Web and File Transfer (HTTP(S) and FTP) Firewalls 

Fixed Format Firewalls 

XML Firewall 

Directory Application Firewall 

Chat Application Firewall 


Cassidian supports the following implementation and deployment models for these service 

capabilities: 

Hosted Service within the Cassidian CSOC environment 

Remotely Managed Service deployed within the Service Consumers environment. 

Cassidian has designed the firewall service to be deployed either at the Service Consumers 

organisational edge with the PSN (e.g. at the point of ingress and egress with the DNSP) or at the Service 

Consumers security boundary (e.g. between different security domains within the Service Consumers 

organisation.). All NLFS capabilities have an high availability mode 


For this particular Service, especially in an inter-domain configuration, Cassidian will work closely 

with the Service Consumer, Pan Government Accreditor and CESG to finalise the security design at 

RESTRICTED and CONFIDENTIAL. At PROTECT Cassidian has a standardised deployment model that

ensures the firewall elements are integrated in a secured environment with secure management, 

quarantined and administration interfaces. For the Service Consumer in a shared administration 

implementation the administration interface will be access via either a dedicated management terminal 

or the Cassidian secure Customer Web Portal. 

Exemplar Functionality 

As Cassidian has a number of different appliances available within this service from multiple vendors 

the following section describes representative examples of the available capability. 

Network Level Firewall Service 

The Cassidian Network Level Firewall Service provides a number of enhanced level capabilities which 

can augment the conventional firewall approach. These include such capability enhancements as: 

505 

Comprehensive set of Unified Threat Management (UTM) security features including stateful 

firewall, 

PEPAS approved IPSec VPN, 

Intrusion Prevention Sensor (IPS), 

Network level antivirus (anti-spyware, anti-phishing, anti-adware), anti-spam, and Web filtering. 

Proven firewall security with integrated routing and a variety of LAN/WAN interface options 

provide the ability to consolidate devices and reduce IT expenditures. 

Application Level Firewall Service 

The following provides two examples of the available Cassidian ALFS which can be deployed to 

support the Service Consumer. 

Web Application Firewall 

The Web Application Firewall scans all HTTP and HTTPS traffic and analyses it for both malware and 

inappropriate content. This includes inspection and alerting for all certificates that appear suspicious. 

Organisational Acceptable Use Policies

This capability allows the Service Consumer Organisation to set a comprehensive usage policy based 

upon a number of defining criteria: 

506 

A list of users, computers and/or groups to whom the policy applies 

A list of URL category and application filtering rules 

Destination site reputation risk analysis 

Malware scanning including real-time Javas emulation and analysis 

Enhances zero-day attack detection rates 

File type definitions and analysis 

Data loss mitigation 

Additional options that affect the user’s browsing experience. 


The Web Service Gateway provides the Service Consumer with a number of enhanced technologies 

and techniques that have been designed to help reduce and mitigate the threats from: 

Anonomyzing Proxies detection – attack vectors launched from behind a proxy service 

Anonymous Call Home detection – Detects and identifies machine making unexpected or 

authorised web connections 





domain.




Secure e-Mail Application Level Firewall 



507 




Reduces the risk of data loss with pre-packaged Data Loss Prevention (DLP) definitions 







Anti-Spam real-time updates 




This service can be deployed as either a physical or virtual appliance at a Service Consumer’s 

location or accessed from the CSOC. Irrespective of the deployment configuration this service will 

receive near real-time signature updates and ‘bad site lists’ from the CSOC over the PSN within the 

relevant security domain.





These firewall services are fully interoperable and can be fully integrated with the Cassidian 

Computer Network Defence Service, further enhancing the security detection for the Service Consumer. 





The specialist Security Operations Centre (SOC), located within the CSOC provides this service 

including remote supervision and management of all infrastructure elements that underpin the service. 

All Security Incident Management processes are delivered from the CSOC-SOC and accessed via the 

Service Consumer Web portal or via email. 

Intrusion and Spyware Detection Services 


Cassidian provides the Service Consumer with an Intrusion and Spyware Detection Service in the 

form of the Cassidian Computer and Network Defence Service (CCND). This service provides threat 

detection, incident response and compliance services across the managed Service Consumer estate and 

includes additional optional defence enhancements as required by the Service Consumer. 

508

The CCND Service automates the collection, analysis, assessment, response and archiving of security 

related events in the customer’s ICT estate. It provides the Service Consumer with a reliable, central 

monitoring and escalation/response service, comprising a mixture of automated processing and expert 

analyst support, based at the Cassidian Security Operations Centres. It provides the foundation on which 

to build a coherent and responsive security compliance regime for all Service Consumers. 

The CCND core service provides the following capabilities to the Service Consumer: 

509 

Collection, filtering, normalisation and reporting of security events generated by network, 

server, workstation and security devices in a complex heterogeneous environment. 

Integration of event collection from a multitude of existing 3 rd party and legacy infrastructure 

devices through a combination of custom collection agents and standard interfaces such as 

Syslog or Microsoft WMI interface. 

Incident analysis and management by the Cassidian Secure Operation Centres through near realtime 

event correlation to group seemingly different individual events into valuable threat 

intelligence. This enables focused use of resources to respond to serious issues in a timely 

fashion. 

Reports based on key incident metrics to facilitate the visualisation and tuning of security 

policies and procedures. 

An archive of data for subsequent post incident re-analysis. 

The CCND optional enhancement services provide the following optional integrated security 

measures with integrated policy compliance reporting: 

Custom Log Retention

510 

Network Intrusion Detection Services (NIDS) 

Host Intrusion Detection Services (HIDS) 

Endpoint Device Control 

Endpoint Data Control 

Endpoint Web Filtering 

Endpoint Application White-Listing 

Endpoint Application Black-Listing 

Endpoint Firewall Services 

Endpoint Patch Assessment 


The Cassidian CND service is based on a modular, scalable and flexible architecture. Both the core 

components and the optional enhancements can be deployed as a dedicated instance at the Service 

Consumer premises, as part of a Managed Security Service Provider (MSSP) shared infrastructure service 

or as a hybrid deployment which enables Service Consumers to leverage key benefits of both 

approaches. 

At the centre, the CCND framework and the supporting optional services are based around four core 

technology components: 

Collectors 

Aggregators 

Correlators 

Threat Analysis Engine 

Each of these core technologies are available to the Service Consumer with the following 

deployment models:

511 



function 





Core Service Capabilities 

Collectors 

The collectors act as the point of entry for events into the CCND framework. Collectors can either be 

agent-based or agent-less in the form of a remote appliance. The collectors are capable of supporting a 

wide range of third party products and additionally support a number of industry standard reporting 

formats as well as a configurable universal log collector. 

Aggregators 

The aggregators take feeds of information from multiple collectors, normalise the events into a 

standard schema, perform de-duplication and rule based filtering before forwarding to the correlation 

engines. 

Correlator 

The correlation engines used in the CCND framework group seemingly different individual events 

into potential incidents based on a combination of rules and priority based correlation. 

Threat Analysis Engine

Once a potential incident has been identified it is passed to the CCND threat analysis engine where 

the incident is examined, categorised and authenticated by a CCND analyst and the incident 

management chain is invoked. 

By combining these four technology components as either role based nodes, dedicated nodes or as 

a combination of multi-functional nodes, the CCND service shall be able to be deployed intelligently and 

subsequently grow and scale in line with the requirements of the Service Consumers network. 

Service Functionality and Scope 

The CCND Service provides the Service Consumer with a fully managed solution that will 

continuously and proactively monitor and detect anomalous behaviour across all monitored devices. 

This service provides the Service Consumer with the following capabilities: 

512 

Collection, normalisation and aggregation of security event data from a wide range of data 

feeds; 

System tuning to minimise false positive alerts thus providing most accurate threat picture; 

Identification, analysis and alerting of key security events; 

Incident management and handling inline with Service Consumer policies and industry best 

practises; 

Correlation against known asset profiles, vulnerabilities and other specialist threat intelligence 

such as the Cassidian operated Warning Advice and Reporting Portal (WARP); 

Near real-time alerting on the status and usage of any monitored IT component against a 

defined security policy; 

Provide data in support of the Compliancy and Security Audit process; 

Identify unauthorised change of any monitored device; 

Provide analysis reports over specific time periods to identify trend based threats; 

Reporting of key security metrics, capacity and performance tuning in-line with Service 

Consumer requirements; 

Provide Anomalous behaviour detection;

513 

Provide the Service Consumer with security visibility across the estate via a managed customer 

portal; 

The CCND service is also capable of interfacing with a number of external systems. Alerting and 

notifications services in the form of SNMP, SMTP, Syslog or pager notifications allow for rule based and 

schedule based automated incident notification and escalation chains and a published API enables 

bidirectional communication with supported service desk products. 

This functionality enables the CCND service to be integrated with either a 3 rd party service supplier 

or 3 rd party system and allows for flexible interoperability. 

Optional Additional Security Services 

Optional enhancement services are also available as part of the CCND service. These additional 

services enable additional levels of protection, detection and compliance reporting to provide a full 

defence in depth offering. 

Custom Log Retention 

Event data can also be archived in a searchable format for forensic purposes or regulatory 

compliance and subsequently stored either within a secured managed storage service deployed onsite 

or located on a SAN/NAS as identified within 0. 

The data can also be filtered for specific types of record prior to storage which may also be retained 

separately dependant on the Service Consumer requirements.

Network Intrusion Detection Service 

The Network Intrusion Detection Service (NIDS) shall provide the Service Consumer with the 

functionality to detect threats and alert at key deployment points around the estate such as at network 

boundaries or on critical network segments. 

The NIDS shall be capable of supporting Span, Tap, In-line fail-open and In-line fail-closed 

deployment modes. Sensors are available with a variety of port densities and throughput capabilities 

from 10Mb Ethernet through to 10Gb Fibre connections and are fully capable of supporting high 

availability configurations. 

This service provides the Service Consumer with the following additional capabilities: 

514 

Detection, analysis and reporting of actual security events at key network entry points or critical 

network segments; 

Detection, analysis and reporting of attempted malicious activity occurring on the Service 

Consumer network; 

Detected events shall then be fed into the CCND core framework and will contribute further to 

the overall security picture of the Service Consumer estate; 

Provide the Service Consumer with the optional functionality to prevent specific attacks and 

alter their security stance to a pro-active blocking mode (This is dependant on sensors being 

deployed in-line NIDS devices are deployed inline and based on Service Consumer 

requirements); 

Option for Cassidian to provide and deploy custom written signatures to detect targeted threats 

specific to the Service Consumer; 

The NIDS is also available as a stand alone service and is not dependant on the CCND framework in 

order to operate as a Network Intrusion Detection System. In the case of a stand alone service, the NIDS

system can be configured to provide a feed of events into a 3 rd party SIEM system or network 

monitoring tool. 

Host Intrusion Detection Service 

The CCND Host Intrusion Detection Service (HIDS) is available on the Microsoft Windows platform 

and shall provide the Service Consumer with an additional layer of defence against known and unknown 

malware threats. 

This service shall provide the Service Consumer with the following additional capabilities: 

515 

Detection, analysis and reporting of host based security events across the Service Consumer 

Microsoft Windows estate; 

Pre-execution, behavioural and buffer overflow analysis to identify suspicious behaviour and 

minimise threats from new unidentified malware variants; 



Provide the Service Consumer with the optional functionality to prevent specific attacks and 

alter their security stance to a pro-active blocking mode; 

Option for Cassidian to define, provide and deploy custom policies specific to the Service 

Consumers requirements; 

This service is supplied as an optional feature enhancement of our standard Antivirus service 

offering, however, this service is not reliant on the CCND service and can be offered as a separate layer 

of defence to the Cassidian antivirus service. 

Endpoint Device Control 

The CCND Endpoint Device Control enhancement shall provide the Service Consumer with the ability 

to enforce policies governing the use of specific hardware devices on Microsoft Windows endpoints.


516 

Detection and reporting of the use of controlled devices across the Service Consumer Microsoft 

Windows estate; 

Controlled access to removable storage devices, optical media drives and wireless networking 

protocols; 

Meet key requirements of data protection policies; 

Minimise the impact of malware spreading via the use of unauthorised removable devices 








Endpoint Data Control 

CCND Endpoint Data Control shall enable the Service Consumer to control the flow of sensitive data 

through a combination of pre-defined definitions and custom built policies. 


Monitor and report of the movement of sensitive data across commonly used office formats as 

well as a wide range of other standard file formats; 

Monitor for predefined data types such as financial or personally identifiable data;

517 

Meet key requirements of data protection policies; 

Prevent the intentional or unintentional copying of data with a combination of blocking or 

alerting policies; 








Endpoint Web Filtering 

CCND Endpoint Web Filtering is not intended to replace a gateway deployed web filtering solution 

but rather provides a ‘defence-in-depth’ approach to the problem. 


Monitor, report and filter access to URL’s based on a feed of known malicious websites; 

Minimise the impact of new malware threats and reduce the effectiveness of unknown and new 

exploits specifically targeting common internet browser packages; 

Enforce essential policy compliance by controlling access to a selection of predefined categories 

of website such as adult sites or gambling; 




Consumers requirements;




Endpoint Application White-Listing or Black-Listing 

With this service Cassidian shall be able to prevent or allow the use of specific applications as 

required by the Service Consumer. 


518 

Define and enforce the use of standardised applications such as web browsers across the estate; 

Control use across the entire user community or simply enforce to specific groups as defined by 

the Service Consumer requirements; 

The Service Consumer shall additionally receive reports identifying the use of unwanted or 

unauthorised applications as part of this service; 








Endpoint Firewall Services 

The CCND Endpoint Firewall service offers the Service Consumer a fully managed client firewall 

service.


519 

A fully managed endpoint firewall solution; 

Cassidian shall work with the Service Consumer to define an appropriate set of client firewall 

rules which shall reduce the available attack points for Internet Worms, hackers and other types 

of intrusion; 

Additional protection capability to reduce the threat of application hijacking and impersonation 

attacks. 

Block transmission of certain protocols which may be undesirable or in direction contravention 

of the security policy; 

The service shall be location aware and shall provide suitable functionality to keep remote 

computers or ‘Road Warriors’ protected either in the office or out of the office. 






Endpoint Patch Assessment 

Cassidian shall supply the Service Consumer with a service to identify and locate assets which are 

unpatched to specific security threats, as identified through the CCND service. 


Reporting on the patch status of assets as identified during incident investigations;

520 

Patches reported shall include Microsoft Windows, common application patches (Such as web 

browser or common office productivity patches) and other 3 rd party vendor patches; 

Reports shall prioritise missing patches based on real-world intelligence and the likelihood of 

exploit to ensure remediation efforts can be suitably targeted; 





The service incorporates the following security aspects; 

All core functional components of the CCND service include authentication, role-based access 

control and multi-domain organisation capabilities. These are implemented in a directory 

structure to allow easy federation of multiple systems with multi-level granular access controls; 

All events are time-stamped on entry into the CCND service based on a Cassidian supplied PSN 

compliant time source which allows for accurate correlation and forensic analysis; 

Product selection has been based on a combination of factors. These include the suitability for 

deployment, current/past/future accreditation/certification awards (Such as CAPS or Common 

Criteria) and their existing use on UK government and UK military networks at equivalent 

classifications; 

All management communications shall utilise encrypted protocols between components; 

All Service Consumer event data will be encrypted once the event data has been received into 

the CCND framework. 

Event data that is archived and stored by the CCND core system for forensic purposes or 

regulatory compliance shall be encrypted and digitally signed to provide confidentiality and 

integrity of the event archives. 

All products which make up the CCND service framework shall be installed, configured and 

operated based on the vendor advised security best practices. 

All updates for the components of the CCND service framework issued from the CSOC shall be 

deployed from a secure repository hosted in the CSOC. These will only be issued following 

completion of an approved test and release procedure and will include signature files, software 

patches, and major upgrades;


The specialist Security Operations Centre (SOC), located within the CSOC at Newport and the ASOC 

(Alternative Security Operations Centre) at Cheltenham provide this service including remote 

supervision and management of all infrastructure elements and security endpoints that underpin the 

service. All Security Incident Management processes are delivered from the CSOC-SOC and accessed via 

the Service Consumer Web portal or via email. 

Authentication and Access Control 


The Cassidian authentication and access management service has a number of discreet but 

complimentary capabilities. These capabilities support the following Authentication and Access 

Management requirements: 

521 

Authentication Capabilities 

o Machine Based 

� Certificate Based Authentication 

o User Based 

� Smartcard Authentication 

� Secondary Authentication – Certificate 

� Authenticating Directory Service (DS) 

DAP 

LDAP 

SLDAP 

Kerberos 

o Service Based 

� Certificate Service 

� Authenticating DS 

Access Management Capabilities 

o Machine Based 

� Network Access Control (NAC) 

� Host Network Access Control (H-NAC) 

o User and Service Based 

o Role Management 

o Profile Management


For these service capabilities Cassidian provides a High Availability option for all Authentication 

Services and User/Service Access Control Services with auto fail-over option for all other Access Control 

capabilities. 

Due to the nature of these service capabilities distributed models are available to ensure integrity 

and availability with the Service Consumer having limited delegated rights as required by the PSN 

derived Security Architecture. 


Due to the nature of this service offering all aspects of this service are under the most stringent 

configuration and change control with a target security architecture internally defined as that required 

for IL5. Thus any access and delegation will be fully logged to provide an audit trail. 

Certificate Authentication Service Capabilities 

Cassidian currently provides a PSN compliant Certificate Service to support a number of different 

capabilities and functions for the Service Consumer: 

522 

Organisational Services 

o Issuing Organisational level Certificates to Sub-CA’s 

o Trust Anchors 

o Cross-signing 

o Trust Paths 

Consumer Services 

Machine Based Certificate Authentication 

User 


o Encryption 

o Signing

523 



o Encryption 

o Signing 

Messaging 

o Encryption 

o Signing 

This service is provided from the Cassidian Service Operations Centres (CSOC) and is made available 

to the relevant Service Consumer organisations via the PSN. This Service delivers the required Certificate 

Issuing Servers and Revocation Points at PROTECT, RESTRICTED and CONFIDENTIAL. 


Due to the nature of this service it will always be provided as a CSOC high availability hosted service 

for the Cassidian Trust Anchor(s). Where practicable, secure and efficient Cassidian may deploy Issuing 

CA’s to the Service Consumers site. 

Certificate Trust Path 

Cassidian will register all intermediate and subordinate CA’s with the relevant CESG Root CA (where 

available) and thereafter maintain this trust path to all Service Consumer and Service Offering CA’s 

within the Cassidian Service offering. 

Certificate Subscription Models 

Dependent upon the quality and security impact of the certificates being issued Cassidian support 

the following subscription methods: 

Manual request 

Electronic request with verification 

Auto-enrolment

Each of these methods has a detail management and control policy associated with them. 

Certificate Storage 

Cassidian provides a secure key store for certificate recovery and a public x.500/LDAP based 

Federated Directory Service for Certificate validation and revocation. 

Server Roles 

Cassidian supports the following server roles and functions: 

524 

Policy CA 

Issuing CA (Basic, Medium and High Security instances) 

Intermediate CA 

Revocation 


The Cassidian certificate and identity management service has been designed and is implemented in 

accordance with the relevant PSN and CESG guidance and polices for these capabilities. The relevant 

guidance includes the PSN Cryptographic Framework, PSN Technical Domain Description, CESG Manual T 

and HMG IS7. 

Cassidian also provide the required level of proxy certificate capabilities to the cross-domain 

firewalls as required. This is achieved using the directory application firewall. 

Network Access Control 

For a mobile workforce, alternative security mechanisms are possible and recommended, although 

they do have reliance on other applications areas including having a suitable Authentication, 

Authorisation and Accounting (AAA) systems in place. The security capabilities in the Cassidian solution 

enables checking of user identification within their own host information infrastructure (through the 

Cassidian Directory Service) and device compliancy before allowing further access onto the network.

This holds user devices away at the first point of entry to provide maximum security from rogue 

devices, or devices that may contain malware. Additionally users can be constrained to the parts of the 

network that they are intended to access providing a network level barrier to unauthorised actions. 

The Cassidian NAC solution shall enable such advanced security services, and is compliant with 

802.1x protocol for port based network security. This approach to securing the network also enables 

role based access, with all users from guests through to system administrators being provided with the 

appropriate levels of access 

Host Network Access Control 

This can be delivered either as a discreet service capability or be used to extend the NAC above to 

provide a more complete service. The H-NAC provides the following additional capabilities: 

525 

Detect and fix managed endpoint vulnerabilities. 

Make sure guest computers match your security requirements before they access your network. 

Prevent unauthorised computers from accessing the network 

Interoperates with the main 802.1x NAC implementations to provide a complete service 

offering. 

Authenticating Directory Services 

The Cassidian Directory Service provides the Service Consumer with the ability via a single repository 

to store all of the relevant User and Service credentials required to support authentication, and rights 

management for any given application or data repository. Dependent upon the Service Consumers 

existing infrastructure capabilities Cassidian has the following capabilities available:

526 

Organisational Single Instance DS 

Organisational Distributed DS 

Federating DS 

This service has a two Tier model thus allowing the Service Consumer to maintain their security 

boundaries whilst still maintaining interoperability and interworking with other PSN DS’s or service 

provided via other means. 

Tier 1 – Federating DS 

The Federating DS Tier is provided to ensure that all PSN subscribers within the Cassidian Sphere 

and via other providers have a reciprocal service that is capable of sharing their ‘contact’ information in 

a secure and meaningful way. 

This DS is based upon a x.500 architecture and has been designed for scalability, resilience and 

security. Within this DS Cassidian can publish the Users public attributes such as: 

Contact Name 

Phone Number 

E-Mail Address(s) 

x.509 Certificates 

As this directory contains the x.509 certificates for the Users (and services) any requesting service 

can now obtain a strong authentication channel for a requestor with published credentials in this 

directory.

Tier 2 – Organisational DS 

The Organisational DS Tier is provided as the primary Service Consumers Authentication DS. All 

instances of this DS will be federated for resilience and externally authenticated with the Tier 1 

Federating DS. 

The Organisational DS will provide the following capabilities: 

527 

Registration of Users 

Registration of Computers 

Group Management 

Access Control Lists 

Role and Personal Management 

Kerberos Integration with external services 

Definition of Password Policies 

Certificate Repository 

Cross Instance trusts 

Domain Security Policies 

Enterprise Security Policies 

Delegated Administration Roles 


Cassidian provides the following deployment models for these capabilities: 

Master Federation Directory will be located with the CSOC in HA mode. 


Local Instance – deployment of a local instance of the service with a centralised management 

function 


with centralised and shared service management model.



Delegated Administration Models 

Cassidian support the following Delegated Administration Models: 

528 

Full Delegation with 3 rd and 4 th line support and back-ups – Available for any Service Consumer 

instance 

Limited Delegation – Provision of limited administrative accounts to the Service Consumer for 

such activities as: 

o Add or remove Users Objects 

o Add or remove Computers Objects 

o Add objects to a Group 

o Assign permissions to a group or User 

o Change Attributes 

o Reset Account 

o Reset Password 

o Disable Users 

Fully Managed – The complete directory environment is managed and controlled by Cassidian 

with all change requests being initiated via the Customer Web Portal. 

Integration Options 

The instance of the Organisational DS allows the Service Consumer to provide an unified 

management directory by integration at the authentication and directory level for the provisioning and 

control of such additional services as the: 

Messaging Service 


Collaboration Services 

Anti-Virus Service 

Video Conferencing Service


The service is managed from the CSOC where a Directory Service is provided to enable Service 

Consumer account management. Service provision is initiated via the Service Consumer Portal which 

also provides tools for service Consumer account management requests by authorised administrator. 

Real-time Information Services 


Cassidian provides a real-time information service via our security aware instant messaging service. 

This service has been designed and is provided for use within all PSN security domains. This IM service 

and its associated client supports the following capabilities and functionality: 

529 

On-to-One Chat 

Multi-User Chat (XEP-0045) 

Publish and Subscribe and Personal Eventing 

Archiving and Audit 

Directory Based Authentication 

User Migration (XEP-0227) 

Ad-hoc Commands (XEP-0114) 

Integration with non-XMPP IM Service (XEP-0114) 

Presence Aware (XEP0060) 

BOSH (XEP-0124) 

Peering Control 

Clustering 

Security labelling 

Search (XEP-0055) 

Message Filtering (XEP-0191) 

Client for Windows, MAC, LINUX 


This service can be deployed in the following configurations: 

Fully Managed Centralised Service (inc HA)

530 

Fully Managed Distributed Service (inc HA option) 

Distributed Service Consumer co-managed Service (inc HA option) 

Core Service Components 

XMPP Server 

The high-performance XMPP server supports 1:1 chat, multi-user chat (MUC), Personal Eventing 

(PEP) and other XMPP services. These servers are deployed to support Wide and Local Area clustering. 

Archiving, Security Labels and other security features. 

Directory for Configuration and Authentication 

This Service integrates with the Cassidian Directory Service to hold authentication and configuration 

information. It can also be configured to use an independent directory for these functions if the Service 

Consumers configuration requires this option. The configuration directory holds information on 

configuration and permanent MUC rooms. The authentication directory holds information on users, 

which will often use an existing enterprise directory, such as Active Directory. 

Gateways to non-XMPP IM Services 

Connections to non-XMPP instant messaging services (such as AIM, ICQ, and Windows Lynx) via 

support for XEP-0114 (Jabber Component Protocol) is an capability option and is enabled by use of an 

XMPP Gateway. 


These features include support for security labels according to XEP-0258 (Security Labels in XMPP), 

data confidentiality using TLS and support for SASL authentication, Kerberos authentication and Strong 

Authentication (based on X.509 Public Key Infrastructure), for client/server and for server/server 

connections. 

Resilience and Clustering

The XMPP Service is scalability and support for both Wide and Local Area Clustering make it the 

natural choice for deployments supporting large and growing user numbers and concerned about 

service interruptions due to server or network failure, support for Disaster Recovery and for military 

organisations needing a survivable deployment 

Cross Domain Connectivity 

This is a capability option delivered using the XMPP Boundary Proxy. Whilst peering decisions are 

the simplest way to apply boundary controls, use of an XMPP Boundary Proxy enables controls to be 

applied and checks made separate to the XMPP server(s). This proxy is then integrated with the Chat 

Application Firewall to provide a High Assurance Boundary. 

Management Tools 

This service provides both GUI and web-based management tools the Service Consumer can 

securely access these tools via the Cassidian Customer Web Portal. 

Client Interface and Application 

Cassidian provides an IM client that supports all of the standard feature required but also provides 

the following specific capabilities required for operations within a secure environment: 

531 

Easy room joining and bookmarking. 

XEP-0258 Labelling for secure environments. 

Stream compression for bandwidth-saving. 

Support for the new SCRAM authentication mechanism. 


The real-time information service is delivered and hosted from the CSOC. The service is initiated by 

client software which allows one to one connectivity for private communication or options to log in to a 

secure hosted area for group conversation. Service Consumer Client software support is available from

the CSOC via the Consumer Portal or via email. The Client software will be distributed locally via CD or 

using ftp direct from the Consumer Web Portal. 

532

Daisy Communications Ltd 

Daisy Communications Service Descriptions - Communications Services 

Daisy shall provide the following Communications Services: 

- Traditional and IP Based Voice Services 

- DDI Services 

- Premium Rate Services 

- Inbound Services 

- Audio and Web Conferencing Services 

- PBX Supply and Maintenance 

- Hosted IP Telephony 

- Email Scanning and Filtering 

- Web-access Management Service 

- Internet Intrusion Detection Service (IDS) 

- Managed DDOS Prevention Service 

- Co-Location Services 

- Enterprise and Application Hosting 

- Storage and Operational Recovery 

- Messaging 

TRADITIONAL AND IP BASED VOICE SERVICES 

Daisy shall supply a range of Traditional and IP based voice services. 

These shall include outbound call routing via CPS or IDA. These calls shall be routed over BT 

Openreach WLR lines. 

Daisy shall supply a Fixed Line Telephony service utilising the BT Openreach infrastructure. 

Daisy shall install, repair and maintain lines for the Public Sector and transfer lines from other 

Service Providers. A range of calling and network features shall be supported for each of the line types 

provided. 

Analogue Lines: Two options shall be provided for analogue lines - single lines (for fax, ADSL, 

individual handsets) and multi-lines (for multiple lines sharing the same telephone number). 

Lines shall also be provided to support the Redcare service. 

Basic and Primary Rate ISDN exchange lines: Basic Rate ISDN or ISDN2 shall provide Customers with 

two 64Kbps channels via a single line and ISDN2 Standard and System access types shall all be 

supported. 

533

Primary Rate ISDN or ISDN30 shall deliver a minimum of 8 and up to 30 x 64kbit/s channels to the 

Customer’s premise equipment. Two termination types shall be supported; ISDN30e (ETSI) and ISDN30 

(DASS). 

Daisy shall provide outbound local, regional, national, non-geographic, international calls, calls to 

mobile networks and all other standard call types. 

Daisy shall supply a range of Voice & Fixed Line Telephony products that shall allow access to a 

variety of tailored call plans - Metered Call Plans charging only for calls used by the second; Bundled 

Minutes Packages that shall provide a fixed rate of charges, Call Capping and a Fixed Mobile Rate across 

the four main mobile networks. 

Daisy shall on Customer request supply its Call Capping Package offering capped call charges to UK 

local & national and mobile calls for up to one hour duration. Bundled calls shall also be provided for 

chosen destinations if requested by the Customer. There shall be no minimum customer spend 

commitment for Customers to qualify for the packages. Daisy shall apply an increased discount for 

volume spend thresholds. 

Daisy shall work with the Customer to provide the best call plan dependent on the Customer’s call 

profile. 

Daisy shall provide a comprehensive range of call features and network services to complement its 

Fixed Line and Voice Telephony Services. 

Daisy shall transfer existing services from other providers on a like for like basis ensuring continuity 

of service at all times. 

Porting, new provision and reconfiguration of DDIs shall be provided. DDI shall be supplied and be 

available on ISDN2e, ISDN30e and ISDN30 DASS line installations. DDI ranges and SNDDI (Single Number 

DDI) shall be supplied up to a maximum of 5 numbers/ranges per installation. 

Daisy shall provide a voicemail product as a feature of their Intelligent Network Platform for 

translated numbers called Voice Mail to Email (VME). This shall be similar to standard voicemail facilities 

and the Customer can record a greeting that is played when a call cannot be taken. The service shall 

record a message from the caller and be sent as a wav or mp3 file to a pre-determined email account. 

VME is associated with a translated number. 

External prefix dialling is provided for all line types and shall allow the Customer to charge homeworkers 

for business related calls 

Call back shall be provided over single PSTN lines. 

Caller Identification shall be made available through subscription to the CLIP (Caller Line Identity 

Presentation) service. CLIP shall be available on all ISDN line types. 

Daisy shall supply a network based messaging product. Call Minder shall be a product available on 

single PSTN lines. 

Daisy shall provide a Call Diversion facility to allow calls to be diverted to another number anywhere 

in the UK, overseas or to a mobile phone. Call Diversion shall be available on single and multi line 

auxiliary PSTN lines. Daisy shall also provide Administration Provided Diversion for ISDN30 DASS lines. 

Daisy shall provide Administration and Customer Controlled Call Forwarding options for ISDN2E and 

ISDN30E line types. 

534

Daisy shall supply a call waiting facility that shall allow the Customer the option to end their original 

call and take the new call, swap between both calls or continue with their current call. Call Waiting shall 

be available on Single PSTN and ISDN2E line types. 

Daisy shall offer a range of Call Barring options to provide flexible options for call cost control. Call 

Barring shall be available across all fixed line types PSTN, ISDN2E and ISDN30 and can be applied to 

incoming and outgoing calls. Options available shall include National / International calls and Premium 

Rate Services. Call Barring shall be provided as Customer controlled or Admin controlled options if 

requested. 

Daisy shall supply a chargeable fully automated interactive and integrated Audio and Web 

Conferencing Service. The Service shall be available in the UK and cover overseas calls. 

Daisy shall provide inbound numbers network services and all non- geographic number types to the 

Customer. 

Daisy shall supply free call (e.g. 0800 ), local call (e.g. 0845 and 0844), national call (e.g. 0870) and 03 

number facilities for inbound calls and provide inbound call plans offering flat rate competitive ppm 

tariffs without volume commitments. 

Daisy shall provide platform independent, network based IVR solutions which shall allow the 

Customer to manage these services. 

The IVR solutions provided by Daisy shall use scripting interfaces which shall allow Customers to 

design, test and deploy new IVR services integrating them into the application environment. 

Daisy shall provide a range of traditional TDM, IP and Hybrid, telephony solutions to the Public 

Sector. 

Daisy shall provide impartial advice on the individual merits of leading PSN compliant telephony 

platforms in the UK and ensure provision of the optimal solution for the Customer. 

Daisy shall provide these solutions under a nationwide support network which includes proactive 

monitoring, managed services and flexible on site support services. 

Daisy shall offer constituent parts of a Customer business continuity plan and consultancy as to how 

these parts may be combined to produce an effective plan for the Customer’s particular circumstance. 

Daisy shall provide, maintain and update a Business Continuity Plan which ensures availability of 

PSTN lines, calls and the contracted Service at all times with minimal disruption to the Customer’s 

operation. 

This shall include: Basic diversion for Voice & Data calls - Change of network for outbound calls using 

IDA - Fault on Line - Customer Controlled Divert - Site Assurance Option 1 / Site Assurance Option 2 / 

Alternative routing / Diverse routing / DDI Dual parenting / Diversion to Non Geo with Simple IVR 

Implementation of Voice Services 

Daisy shall provide the Customer with a single number to contact the Managed Service Helpdesk 

(MSH) which shall operate to meet the Customers contracted Service Levels. 

The MSH shall operate as the first level interface between Daisy and the Customer. 

The Service Desk shall operate as an overflow for the MSH desk if required. 

The MSH team shall perform the following key functions: 

535

- call receipt 

- call ownership 

- incident management updates 

- request transfer to internal departments for moves and changes 

- escalation control and interaction to internal departments 

- Customer satisfaction of task completion 

- reporting of performance statistics versus SLA targets 

The Customer shall be able to contact the Service Desk (telephone or email) at any time 24/7/365 

for any type of fault or other activity requests. 

Daisy shall provide detailed project planning and management to ensure minimal interruption to the 

Customer’s services during any migration activities or if physical interruption of the lines and services is 

required. 

Daisy shall ensure that any PSTN line transfers and/or new line installation are conducted in 

accordance with a program which reflects the requirements of the Customer. 

Daisy shall project manage the management of any Service transition. Daisy shall create an 

inventory of all telecom lines and equipment and identify each fixed line in terms of line rental and call 

costs and any other associated charges. Daisy shall also identify all contracts involved in the provision of 

the above and any maintenance and support costs involved. 

All lines, services and charges shall be identified by budget manager/cost centre/site and 

department and the Customer shall be provided with a spreadsheet and schedule of lines and charges 

that includes the account number, line number, postcode where the line is situated, line type and any 

relevant cost centre information. 

Daisy’s Project Planning shall include: 

First Stage 

Implementation meeting with the Customer 

Identification of all telecom lines and equipment, 

Contractual status 

Porting limitations 

Identify correct business continuity options for requirements 

Identify billing reports to be enabled 

Desired billing format 

Second stage 

Meeting of Transition Group 

Check for line plant issues on all addresses 

536

Place orders for new circuits 

Submit porting applications 

Third stage 

Meeting of Transition Group 

Identify numbers for bulk upload WLR3 transfers 

Place orders 

Fourth stage 

Ensure all relevant information is placed on Daisy billing system 

Enable Customer access to e-secure and carry out training as necessary 

Test new installations 

Bring new installations into service 

Fifth stage 

Provision cps on all transferred and newly installed lines 

Daisy shall carry out maintenance acceptance tests on all telephony equipment. 

Daisy shall take full responsibility for the management of the migration and implementation of 

services. 

Billing and reporting of Voice Services 

Daisy shall provide raw call data and bespoke billing and reporting options to reflect the 

requirements of the Customer. 

Project Management of Voice Services 

Daisy shall provide a team of pre-sales personnel to provide consultancy to the Customer regarding 

technical architecture, network,system and solution design. 

Daisy shall assign a dedicated project team for the Customer. 

A Project Plan shall be prepared encompassing timescales, resources and hardware. Microsoft 

Project shall be used as the planning tool. 

The Plan shall be provided to the Customer for sign off as part of the overall project delivery. 

The Project Management process shall be divided into four phases: 

Project Initiation Phase – project deliverables shall be agreed between Daisy and the Customer. 

Planning Phase –resources shall be allocated and the project schedule approved by the Customer. 

537

Transition/Implementation Phase – the project shall be implemented according to the schedule 

defined in agreement with the Customer at the planning phase. 

Service Transition Phase – the project shall be signed off by the Customer and Daisy Service Delivery 

teams prepared for the successful transition to maintenance. 

During the Project Initiation Phase, Daisy shall appoint a Project Manager shall work with the 

Customer and the Daisy Project Team to define and agree the scope of work and technically validate the 

proposed solution. Upon completion of the Initiation Phase, the Daisy Project Manager shall take 

ownership of the project and manage the Planning, Transition/Transformation, and Service Transition 

phases. 

The Daisy Project Manager shall: 

Assist in the sales process 

Arrange Initial Project Meeting 

Secure understanding of project roles and responsibilities 

Ensure the proper flow of communications between the various project members 

Manage project scope, cost and time elements 

Escalate issues 

Manage Change Control 

Manage transition to service 

Customer Project Manager 

The Customer shall appoint a single point of contact for all project issues. These nominees shall be 

identified during the Initial Project Meeting. The Daisy Project Manager shall work with the Customer 

nominated project team to assure project success. 

The Project Initiation Phase shall consist of all tasks related to securing an understanding of the 

proposed solution and the commitment to proceed. The proposed solution shall be articulated in an ITQ 

Response or Statement of Requirements (SOR). 

The Planning Phase shall establish a clear process for the identification and management of project 

scope changes with the Customer. 

Roles shall be defined and assigned 

Project control and reporting processes shall be established 

Project risk and dependencies shall be reviewed 

Change management processes shall be identified and approved by the Customer 

Project schedule shall be approved by the Customer 

The key milestones for the Planning Phase shall include the completion of the roles and 

responsibilities, review of the contract terms, review of change management process, approval of 

changes and the project schedule. Upon approval of the project schedule the Planning Phase shall be 

deemed complete. 

538

The Transition/Implementation Phase shall consist of all tasks related to the delivery, design and 

installation and shall be carried out in accordance with the outcomes of the planning phase. 

The Project Manager shall advise the Customer of the transition to service. A transition / Project 

Review meeting shall be scheduled with the Customer. The service process and escalation procedures 

shall be reviewed and responsibilities outlined. 

The Post Transition/Implementation Review shall provide the Customer with the opportunity to give 

feedback to the Daisy Team on the overall project experience. 

Daisy shall adopt PRINCE2 methodology throughout the Implementation and Transition Process. 

When a project risk is identified the Project Manager shall record the risk in the RAID Log and assign a 

risk owner. The risk shall then be evaluated by the project manager and its probability and impact 

identified. Daisy categorises risk probability as High, Medium or Low and impact is defined as above. 

The Project Manager shall then propose suitable options to the Customer for reducing the likelihood of 

the risk occurring. 

Engineering 

Daisy shall maintain an independent engineering workforce in the UK, including rural and remote 

parts of Scotland, with over 165 field based engineers, national coverage and 24/7/365 availability. 

Incident / Fault Management of Voice Services 

Daisy shall provide a fault reporting service that is available to take fault reports on a 24 / 7 basis 

including Bank Holidays. 

Daisy shall respond to all network and switch faults affecting service to the customer as per the 

agreed SLA. 

Daisy shall require certain information from the Customer when a fault is reported. This shall 

include: 

539 

the telephone number(s)/circuit(s)/serial number(s) affected. 

symptoms of the fault. 

details of any on-site tests carried out in attempting to rectify the fault. 

availability of access to the site for engineering staff 

whether services affected can be suspended, if necessary, for testing. 

sample calls and details of faulty calls 

Faults shall be reported to Daisy by email or on a dedicated 0330 telephone number. 

Each incident shall receive a unique tracking number which shall be quoted by the Customer when 

seeking an update from the Service Desk or Account Manager. The fault shall be automatically tracked 

from start to end. 

When the Customer reports a fault to Customer Services Daisy’s target shall be to answer 98% of all 

calls within 20 seconds.

When the Customer reports a fault to Customer Services a unique Fault Reference number shall be 

provided. This number must be quoted by the Customer at all times when requesting progress updates 

or confirming fault clearance. 

The time taken to respond to any fault shall be governed by the Service Level assigned to each line. 

Daisy shall always respond to faults as quickly as possible irrespective of the Service Level. 

Fault progress and response times shall be automatically measured against the service levels of 

individual lines. 

Daisy shall ensure regular updates are passed to the Customer via email or telephone. 

Once a fault is resolved Daisy shall validate the fix with the customer and only close the fault ticket 

in agreement with the Customer. 

Daisy shall always notify Customers of actual, predicted or potential faults and problems at the 

earliest available opportunity. 

Daisy shall contact the Customer directly either by email or telephone a minimum of five days in 

advance of any planned maintenance that affects service delivery. Notification shall be given to the 

Customer as soon as the information is received by Daisy. 

Escalation Procedures 

Daisy shall maintain a formal escalation procedure using a matrix of fault severity and the time a 

fault has been open. 

Daisy shall operate three tiers of automatic escalation: 

Priority 1: Complete loss of service at a site. Stage One escalation shall commence after 30 minutes; 

Stage Two after four hours and Stage Three after eight hours. 

Priority 2: Partial Loss of Service. Faults that cause the Customer to lose some but not all of their 

telephony services at a site. Stage One escalation shall commence after two hours: Stage Two after eight 

hours and Stage Three after twenty-four hours. 

Priority 3: Quality Impairments. Poor speech quality to a specific site. Stage One escalation shall 

commence after twelve hours; Stage Two after twenty-four hours and Stage Three after seventy two 

hours. 

Daisy shall reconfirm the applicable service level and the standard priority level for the fault to the 

Customer when the fault is logged. 

Daisy shall agree the frequency and communication method of updates with the Customer until the 

fault is resolved. 

Daisy shall update the Customer immediately with any change in the fault status or progress, during 

which the Customer shall be free to request interim updates. 

Daisy shall log for investigation any discrepancy between update information and Customer 

information. 

Customers may request escalation at any time during the life of the fault outside of the automatic 

escalation process. 

Daisy shall provide reports into the customer of all escalations. 

540

Daisy shall not close a fault without the agreement of the Customer. 

Escalation Timetable 

Repair 

Service Levels 

541 

Initial 

Telephone 

or Email 

Response 

15 

minutes 

1 hour 

1 Hour 

1 Hour 

Fix SLA 

Update 

Intervals* 

See Note 2 

6hrs 2 Hours 

24hrs if 

raised by 

13:00 

End of 

next 

working day 

End of 

next 

working day 

+ 1 day 

4 Hours 

8 Hours 

8 Hours 

Escalation 

Level 1 - Support 

Technician, Level 2 - Support 

Team leader, Level 3 - Customer 

Operations Manager, Level 4 - 

Service Delivery Manager, Level 

5 - Customer Experience 

director 




operations Manager, Level 4 - 



director 







director 







director 

Level 1- The working hours for this service shall be 0800-1800 hours Monday-Friday excluding Public 

and Bank Holidays. Daisy (through Openreach) shall respond to a fault report received before 1800 hrs

on one working day by the end of the next working day. Where a fault is reported outside of the working 

hours for this service the fault shall be treated as if it has been reported at the beginning of the next 

working day. 

Level 2 – The working hours for this service are 0800-1800 hours Monday–Saturday excluding Public 

and Bank Holidays. Where a fault is reported outside of the working hours for this service the fault shall 

be treated as if it has been reported at the beginning of the next working day. Daisy (through BT 

Openreach) shall respond within 4 working hours of receipt of a fault report. If the fault is not cleared 

during this period BT Openreach shall advise Daisy’s nominated contact of the progress being made to 

clear the fault. 

Level 3 – The working hours for this service are 0700 – 2100 Monday to Friday and 0800 – 1800 

Saturday and Sunday including Bank Holidays.Where a fault is reported outside of the working hours for 

this service the fault shall be treated as if it has been reported at the beginning of the next working day. 

Daisy (through BT Openreach) shall respond within 4 working hours of receipt of a fault report. If the 

fault is not cleared during this period BT Openreach shall advise Daisy’s nominated contact of the 

progress being made to clear the fault. 

Level 4- This service operates 24 hours a day, 7 days per week including Bank and Public Holidays. 

Daisy (through BT Openreach) shall respond within 4 hours of receipt of a fault report. If the fault is not 

cleared during this period BT Openreach shall advise Daisy’s nominated contact of the progress being 

made to clear the fault. 

Service Desk – Daisy shall operate a manned 24 hour UK based Service Desk 365 days a year. 

Level Description/SLAs Engineering Working Times 

1 – WLR 

Basic Analogue 

Lines 

542 

End of next working day + 1 working 

day 

Monday – Friday (excluding 

Bank Holidays*) 

08:00-18:00 

2 End of next working day(EoNWD) Monday – Saturday 

3 In by 13:00 fix same day, in after 

13:00 fix by 13:00 next working 

day(EoNWD) 

08:00-18:00 (excluding Bank 

Holidays*) 

Monday – Sunday (including 

Bank Holidays) 

07:00-21:00 Mon-Fri (via FA in 

tariff) 

08:00-18:00 Sat-Sun 

4 6-Hour repair Monday – Sunday (including 

Bank Holidays)

Daisy shall provide the capability to expedite the fault resolution process by raising the service level 

of lines if required. 

Account Management 

The Customer shall have a dedicated service team within Daisy. 

The Account Manager and Team shall be responsible for running all aspects of the Customers 

account 24/7, 365 days of the year and shall be the primary interface for all matters between Daisy and 

the Customer. 

Direct dial telephone numbers, mobile numbers and email addresses shall be provided for each 

member of the account management team. Daisy shall provide a single contact number for all services 

and direct dial numbers for the Account Manager (and team) shall be provided so that any urgent issues 

the Customer may have can be acted on immediately. 

This single point of contact shall be for all issues including fault resolution, ordering/cancelling lines, 

quotations, moves and changes, billing and any general account queries. 

Security Accreditation 

Daisy shall ensure that the management of the ISDN services shall be linked to the ISO27001 

requirements and, where practicable, the enhanced CESG requirements for telecommunications shall be 

applied both within Daisy and its third parties (BT). As part of the Customer/Consumer engagement 

process the security requirements shall be the subject of formal risk assessment with 

Customer/Consumer organisations to ensure that the integrity of the Customer’s/Consumer’s security 

model is not compromised and that compliance with the PSN codes can be maintained. 

VOICE CALLS – packages and minutes 

Daisy shall provide outbound local, regional, national, non-geographic, international calls, calls to 

mobile networks and all other standard call types. 

Customer lines shall be connected via concentrators onto digital local exchange switches. The reach 

and distribution of the concentrators shall be governed by the technical limitations and economics of 

the access network. The local exchanges provide the intelligence to route calls according to Customer 

profiles and destination numbers. 

Access shall be via carrier preselect (CPS) or indirect access (IDA) where the routing code is 

programmed locally. 

Where a call is routed by CPS, the originating operator shall prefix the Customer’s dialled digits with 

the ‘CPS access code’ before passing the call across the Point of Interconnection. The CPS access code 

ensures routing through the originating operator’s network to the Point of Interconnection. Where a 

pre-selected call is dialled using the local dialling format, the originating operator shall insert the leading 

zero and area code between the CPS access code and the dialled number. 

CPS facilities shall not apply to operator controlled calls, including transfer charge calls. Operator 

and other special services of CPS Operators shall be accessed using the appropriate indirect access code. 

A CPS access code shall be a 4 digit non-diallable prefix. 

543 

24/7

The Customer shall be able to override the CPS facility by dialling the indirect access code of another 

operator in the event of the failure of the chosen network by using a diallable prefix. 

Options 

Daisy shall provide a range of Voice Telephony products that shall allow access to a variety of 

tailored call plans. 

Features shall include: Metered Call Plans charging only for calls used by the second; Bundled 

Minutes Packages that shall provide a fixed rate of charges, Call Capping and a Fixed Mobile Rate across 

the four main mobile networks. 

On Customer request Daisy shall supply Call Capping Packages offering capped call charges to UK 

local & national and mobile calls for up to one hour duration. Bundled calls shall also be provided for 

chosen destinations if requested by the Customer. 

There shall be no minimum customer spend commitment for Customers to qualify for the packages. 

Lead times 

Where the line is in contract with Daisy the lead time for CPS provisioning shall be 24 hours from 

acceptance of the completed order. 

Where the line is new or not in contract with Daisy the lead time for provision of CPS shall be 10 

working days from acceptance of completed order. This procedure is concurrent with the provision of 

the new line. 

Service Level, Support and Maintenance 

Daisy’s services shall be operational 365 days per year, 24 hours a day and shall be available 99.97% 

of the time within these service hours (with the exception of scheduled service downtime). 

99.99% of calls shall be successfully connected on the first attempt. 

Service availability is affected by both line and core network availability. Daisy shall measure and 

report on performance against targets for both. Daisy shall aim to provide a mean service performance 

across all services to all Customers equivalent to ‘five nines’ availability (99.999%). 

SLA shall be agreed with the Customer 

Supply Options 

Daisy shall supply options for supply including: 

- Select Services which are a function of the access network used to provide the telephony service. 

- Operator Connected Calls 

- Fixed Line Text Service: this service shall enable Customers with landlines to send and receive text 

messages to mobile phone users and other landline users. 

- Call barring products which include PRS (Premium Rated Services), MOB (Mobile only) and INT 

(International). 

DDI SERVICES 

DDI services,support and maintenance shall be provided as part of a Wholesale Line Rental package. 

544

Supply Options: 

Daisy’s DDI service shall provide 10 or more directory numbers on ISDN30. A maximum of five Direct 

Dialling In (DDI) ranges are provided on the ISDN30 access. All numbers in all ranges shall have the same 

service profile for ISDN30e. ISDN 30 DASS channels shall have individual service profiles. 

The Network sends digits to the Integrated Services Private Branch Exchange (ISPBX) to identify the 

terminal/extension that the call is for. The ISPBX then uses this number as routing information to 

connect the call to the correct terminal. 

It shall be possible for the ISPBX to be configured so that multiple calls can be delivered via one 

number to one device. This shall mean that a main switchboard number and operator function can 

answer calls. 

The ISPBX (if it supports the capability) shall provide digits to the network on each outgoing call for 

identification purposes. If the ISPBX does not send identification digits, the network shall use the default 

billing number of the ISDN30 access as its source of identification information. 

A single number direct dialling in (SNDDI) shall be provided as an individual number DDI range. For 

incoming calls the network shall send, as default, six routing digits to the Customer equipment so that it 

shall be possible for calls to be directed to the correct channel. SNDDI is not applicable to ISDN30 DASS 

installations. 

The numbering options shall allow a mixture of SNDDI and DDI ranges on the same ISDN30e access 

with all numbers using any of the available channels. 

It is possible for a maximum of five SNDDIs – including the main number – to be provided on 

ISDN30e access. 

The Customer’s terminal equipment shall be required to support DDI to recognise the single 

numbers. 

DDI on ISDN30e - Direct Dialling In (DDI) shall allow incoming calls to an ISPBX to be routed directly 

to an extension without going via the ISPBX operator. The service provided on digital exchanges shall 

allow up to six digits to be forwarded from the exchanges to the ISPBX. Outgoing calls for DDI lines shall 

be provided on separate outgoing trunks connected to the ISPBX. The ISPBX shall be configured to route 

outgoing calls to these trunks. 

It is not possible for DDI number ranges on ceased installations to have call forwarding services. It 

shall be possible to have Caller Redirect. 

It is necessary for the first number of the DDI range to be the first number on Caller Redirect. 

It shall be possible for up to five DDI ranges or a mixture of DDI and single number direct dialling in 

(SNDDI) to be configured on a European Telecommunications Standards Institute (ETSI) access. 

ISDN30e shall support the following DDI numbering options. 

1 Number 

2 Single Numbers 



Up to 5 DDI Ranges 

545

1 Single Number and max of 4 DDI ranges 

2 Single Numbers and max of 3 DDI ranges 

3 Single Numbers and max of 2 DDI ranges 

4 Single Number and max of 1 DDI range 

An SNDDI shall be provided as an individual number DDI range. For incoming calls the network shall 

send, as a default, 6 routing digits to the Customer equipment so that calls can be directed to the 

correct channel. 

The numbering options shall allow a mixture of SNDDI and DDI ranges on the same ISDN30 access 

with all numbers using any of the available channels. 

It shall be possible for a maximum of four SNDDI to be provided on an ISDN30e access. 

DDI Services on ISDN 30 DASS - DASS supports the following numbering options. 

It shall be possible for one number with up to five DDI ranges to be applied across the same 

channels. If the Customer requires more than one DDI range across the same channels it shall be 

necessary for the last six digits of all the numbers to differ but the digits in front of the last six shall have 

to stay the same. 

DDI Services on ISDN2 - These shall be available on an ISDN2e System installation, in a point to point 

configuration, and shall operate on a single main billing number. 

This product variant shall support the following DDI options using BT numbers and ranges: 

BT numbers (5 max): 

1 number 

2 single numbers 



5 single numbers. 

BT ranges (5 max): 

1 SNDDI + 4 DDI ranges max 

2 SNDDIs + 3 DDI ranges max 


4 SNDDIs + 1 DDI range max. 

Where import number is required to provide ISDN2e, this product variant shall support the 

following DDI options using non-BT numbers and ranges: 

Non-BT numbers (10 max): 

1 number 



546







10 single numbers. 

Non-BT ranges (10 max): 

1 SNDDI + 9 DDI ranges max 








9 SNDDIs + 1 DDI range max. 

PREMIUM RATE SERVICES 

Daisy shall provide Premium Rate Services on application depending on availability and Ofcom and 

PhonePayPlus restrictions and guidelines on number selection. All number types can be routed on all 

products subject to Ofcom and PhonePayPlus restrictions and guidelines. Undue delaying in answering 

Premium Rate numbers is not acceptable. 

Daisy shall provide a number translation service that routes premium rate numbers in a variety of 

configurations and reports on the delivery of the calls. 

Daisy shall provide a web portal which shall be available for use 24 hours per day 7 days per week. 

This portal shall allow configuration changes to be made, numbers to be brought into service and 

reports to be generated. 

The portal is accessed via Internet Explorer or Mozilla Firefox and shall require simple login and 

passwords. Different levels of access shall be provided to cater for different roles within the Customer 

organisation. 

The following Routing Options shall be made available: 

One to One routing - This service allows the Customer to translate the non-geographic number to 

any fixed geographic, international or mobile number of their choice. The destination number can be 

changed in real-time on the web based portal. 

547

One to One routing plus voice to email - This product provides the same call routing functionality as 

Inbound Connect, but with the option to forward calls as a wav file to an email address. 

One to One routing - This service shall allow the Customer to translate the non-geographic number 

to any fixed geographic, international or mobile number of their choice. It shall be possible for the 

destination number to be changed in real-time on the web based portal. 

One to One routing plus voice to email - The Customer shall be able to forward calls as a wav file to 

an email address. 

One to One with Divert on Busy - Routed calls that ring with no reply shall be diverted to voicemail 

or an alternative destination number. 

Time of Day Routing with Voicemail - This service shall route calls according to the time of day and 

day of the week. It shall be possible to programme special days/dates into the routing configuration. Out 

of active hours calls shall be diverted to an alternative number or voicemail. 

Time of Day Routing with Intro Audio and Voicemail - This service shall route calls according to the 

time of day and day of the week with a message delivered on connection. 

Call Hunt Group – It shall be possible for calls to be distributed across multiple destination numbers 

with divert available if no member of the hunt group picks up the call. Ring duration, sequencing and 

destinations shall all be configurable. 

Inbound Hunt Group Manager - It shall be possible for calls to be distributed across multiple 

destination numbers with divert available if no member of the hunt group picks up the call. Calls shall be 

distributed according to time of day. 3 time zones shall be available and up to 6 destination numbers per 

time zone. Each time zone shall have a configurable greeting message. 

Time of Day, Call Hunt Group and Whisper - The call whisper product shall allow the called party to 

hear an announcement specific to the dialled number before answering the call. 

Simple IVR (Interactive Voice Response), Time of Day and Voicemail - 12 DTMF options shall be 

made available to the caller and it shall be possible for the service to be configured for Time of Day. Out 

of hours calls shall be diverted to an alternative number, voicemail or a greeting and then disconnected. 

Multi-Level IVR - This service shall allow multiple options to be configured on three levels. It shall be 

possible for the service to be configured for Time of Day. Out of hours calls shall be diverted to an 

alternative number, voicemail or a greeting and then disconnected. 

Fax to Email - Faxes are received via an NTS number shall be delivered to the Customer’s email 

inbox. A choice of file formats shall include .pdf or .tif. 

Reporting options available via the web portal shall include - 

548 

· Call Summary (shows total calls and duration). 

· Call Records (shows individual call records) 

· Call Summary By Outcome (shows total calls split by call outcome (answered, 

unanswered, engaged, etc) along with total duration.

549 

· Call Summary By Period (shows total calls split by call period (day, evening, weekend, 

etc.) along with total duration. 

On the Web portal Home screen a number of reports shall be shown in a dashboard format. 

This shall include: - Total calls - Total minutes - Total by outcome - Total by period - Longest Call - 

Busiest location - Call Origin (pie chart) - Daily calls/current month or hourly- Calls/current day (bar 

chart) 

Lead times and Implementation Process 

Daisy shall provide service within 48 hours of the accepted order provided Ofcom and PhonePayPlus 

registration is complete. 


SLA shall be agreed with the Customer. 

Daisy shall provide access to the Network IVR platform 24 hours a day throughout the year. 

INBOUND SERVICES 

Daisy shall provide a number translation service that shall route NTS numbers in a variety of 

configurations and report on the delivery of the calls. 

Daisy shall provide 0800, 0844, 0845, 0871, 03, and geographic NTS numbers depending on 

availability. It shall be possible for all number types to be routed on all products. Daisy shall provide 

inbound call plans offering flat rate competitive tariffs without volume commitments. 

Daisy shall provide a web portal which will be available for use 24 hours per day 7 days per week. 

This portal shall allow configuration changes to be made, numbers to be brought into service and 

reports to be generated. 

The portal shall be accessed via Internet Explorer or Mozilla Firefox and requires simple login and 

passwords. Different levels of access shall be provided to cater for different roles within the Customer 

organisation. 

The following Routing Options shall be available: 

One to One routing - This service shall allow the Customer to translate the non-geographic number 

to any fixed geographic, international or mobile number of their choice. It shall be possible for the 

destination number to be changed in real-time on the web based portal. 

One to One routing plus voice to email - The Customer shall be able to forward calls as a wav file to 

an email address. 

One to One with Divert on Busy - Routed calls that ring with no reply shall be diverted to voicemail 

or an alternative destination number. 

Time of Day Routing with Voicemail - This service shall route calls according to the time of day and 

day of the week. It shall be possible to programme special days/dates into the routing configuration. Out 

of active hours calls shall be diverted to an alternative number or voicemail.

Time of Day Routing with Intro Audio and Voicemail - This service shall route calls according to the 

time of day and day of the week with a message delivered on connection. 

Call Hunt Group – It shall be possible for calls to be distributed across multiple destination numbers 

with divert available if no member of the hunt group picks up the call. Ring duration, sequencing and 

destinations shall all be configurable. 

Inbound Hunt Group Manager - It shall be possible for calls to be distributed across multiple 

destination numbers with divert available if no member of the hunt group picks up the call. Calls shall be 

distributed according to time of day. 3 time zones shall be available and up to 6 destination numbers per 

time zone. Each time zone shall have a configurable greeting message. 

Time of Day, Call Hunt Group and Whisper - The call whisper product shall allow the called party to 

hear an announcement specific to the dialled number before answering the call. 

Simple IVR (Interactive Voice Response), Time of Day and Voicemail - 12 DTMF options shall be 

made available to the caller and it shall be possible for the service to be configured for Time of Day. Out 

of hours calls shall be diverted to an alternative number, voicemail or a greeting and then disconnected. 

Multi-Level IVR - This service shall allow multiple options to be configured on three levels. It shall be 

possible for the service to be configured for Time of Day. Out of hours calls shall be diverted to an 

alternative number, voicemail or a greeting and then disconnected. 

Fax to Email - Faxes are received via an NTS number shall be delivered to the Customer’s email 

inbox. A choice of file formats shall include .pdf or .tif. 

Queue, One to One, time of Day with Voicemail - This service shall be configurable to allow up to 99 

calls to queue at network level, based on destination, engaged status and destination call count. The 

maximum number of call connections can be set up to 200. These calls shall be routed according to time 

of day with three options for out of hours call handling. Queue reporting shall include configurable ‘time 

in queue’ alarms. There shall be a choice of six settings for music on hold plus 5 apology modes including 

cycle, repeat and queue position notification. It shall be possible for a number of messages to be 

uploaded via the portal including a welcome message, up to 3 apology messages, next to connect 

message and a voicemail greeting for the out of hours voicemail option. 

% distribution - This service shall allow calls to be distributed across up to 6 destination numbers by 

percentage. 

Multi Out Dial - This service shall allow up to 7 destination numbers to ring simultaneously on 

receipt of a call via the NTS number. The first destination to answer ceases the call on all other numbers. 

Multi-Plan for single service numbers – The Customer shall be able to switch between four 

configurable plans for individual service numbers. The Customer shall be able to select which of the four 

plans is active using the portal or Multi-Plan service IVR. 

• It shall be possible to configure up to four plans per service number. 

• It shall be possible for each plan to be associated with any available product pages except Fax-to- 

Email. 

• It shall be possible for the pre-defined plans to be switched either via the Portal or the Multi-Plan 

Service IVR 

550

Multi-Plan service number groups - The Customer shall be able to form a group of service numbers 

that can be switched individually or as a group to one of four specific, configurable plans. 

• This shall allow the Customer to group service numbers with individual pre-defined plans. 

• It shall be possible for all the numbers within this group to be switched as a group to a specific 

plan number. 

• It shall be possible for the pre-defined plans to be switched either via the Portal or the Multi-Plan 

Service IVR. 

Service number assignment group – It shall be possible for the Customer to associate multiple 

service numbers to a set of up to four plans. Once assigned, all the service numbers within this group 

shall have the same call flow as defined by each of the four plans. 

• This facility shall allow the Customer to associate multiple service numbers to a maximum of four 

plans. 

• It shall be possible for each of the plans to be a different product page – with the exception of Faxto-Email 

or Audio Conferencing. 

• It shall be possible for the Customer to assign numbers to the plans via the number assignment 

section. 

• It shall be possible for the Customer to switch the plans via the Portal or the Service IVR using one 

of the service numbers within the number assignment group. 

Reporting - Reports shall be made available via the web portal. 

Report Options available shall include: 

551 

· Call Summary (shows total calls and duration). 

· Call Records (shows individual call records) 

· Call Summary by Outcome (shows total calls split by call outcome (answered, 

unanswered, engaged, etc) along with total duration. 

· Call Summary by Period (shows total calls split by call period (day, evening, weekend, 

etc.) along with total duration. 

On the Web portal Home screen a number of reports shall be shown in a dashboard format 

including : Total calls / Total minutes / Total by outcome / Total by period / Longest Call / Busiest 

location / Call Origin (pie chart) / Daily calls/current month or hourly calls/current day (bar chart) 


Daisy shall provide these Services within 48 hours of the accepted order dependent upon number 

availability. 



Daisy shall provide the Services 24 hours a day throughout the year.

Dependencies 

Porting of existing NTS numbers onto the Daisy NTS service is subject to porting agreements being in 

place with the range-holder (s). 

AUDIO AND WEB CONFERENCING SERVICES 

AUDIO CONFERENCING Product Features 

· Auto Continuation - participants shall be able to stay on the conference call without the 

Customers attendance. The conference ends once the last participant disconnects. 

· Auto Record - Automatically records all calls without prompting to start a recording via a 

telephone keypad and eliminates the ability for anyone within the conference to stop the recording. 

· Conference Breakdown – shall prevent conference calls that have not been disconnected 

properly from continuing indefinitely by automatically ending the conference once it has reached the 

duration and/or number of participants that have been specified by the Customer. 

· Conference Code-Level Custom Greeting – the Customer shall be able to set up a custom 

greeting to play after participants enter the conference code. 

· Conference Entry Mode - prior to participants joining the call, it shall be possible for the 

Customer to select one of the following entry mode options: un-muted , group mute or lecture mode. 

· Consecutive Interpretation – the Customer shall be able to utilise a dial-out option to instantly 

connect an interpreter to the conference allowing participants to listen in two languages. It shall be 

possible through the use of a pausing to allow the interpreter time to render any remarks into whatever 

language is required. 

· Custom/Branded Greetings – The Customer shall be able record a custom welcome message to 

be played to the participants who join the conference using a chosen toll-free or toll dial-in numbers. 

· Custom Entry – A facility shall allow the Customer to quickly enter a conference and turn 

specified prompts off that are played after entering the conference code or leader PIN. 

· Dial-Out – The Customer shall be able to dial out directly from the conference to domestic 

participants and bring them into the call. It shall also be possible to contact the operator to dial-out to 

international participants. 

552

· Disconnect Grace Period - A grace period shall allow the Customer to rejoin the conference in 

the event that Auto Continuation is disabled and the Customer has been disconnected. 

· Entry Announcement Limit – The Customer shall be able to reduce the number of entry tones 

played when the call has started. 

· Entry/Exit Options – The Customer shall have the facility to decide how participants are 

announced when they join or leave the audio conference call - tone, name announce, name and tone or 

silence. 

· Force Disconnect – The Customer shall have the facility to clear the conference by 

disconnecting all participants from the call while remaining connected. 

· Group Mute/Unmute – The Customer shall have the ability to silence all participants’ lines by 

pressing a keypad command on the telephone. 

· Leader Express Entry – The Customer shall be able to start the conference by consecutively 

entering the conference code followed by * and the leader PIN followed by #. 

· Leader Smart Entry – The Customer shall be able to store a phone number so that when that 

number is used to dial into the call, the system shall recognise that number and join the Customer to the 

conference without the need for inputting the conference code and leader PIN. 

· Leave and Join a Conference - Participants shall have the ability to leave the conference they 

are attending and join a new conference without hanging up and redialing the same dial-in number. 

· Lecture Mode – The Customer shall have the facility to mute all participants during the 

conference to reduce background noise. Participants shall not have the capability to unmute their lines, 

allowing the Customer to deliver the message uninterrupted. 

· Lock/Unlock – The Customer shall be able to lock the conference call to prevent additional 

participants from joining the call, with the exception of dialling out. 

· Mobile Assistant – The Customer shall be able to control and access the conference call from a 

large selection of mobile phones. 

553

· Multiple Leaders – The Customer shall have the ability to have multiple leaders on the 

conference call that allows them to have access to all leader controls. 

· Online Management – The Customer shall be able to manage the call online by scheduling, 

starting, presenting and archiving the conference. 

· Operator Assistance – The Customer shall be able, at any time during the call, to request an 

operator simply by pressing *0 to join the conference or 00 to speak to the operator privately. 

· Outlook Plug-In – The Customer shall be able to create, edit and schedule meetings with predetermined 

conferencing information from an Outlook toolbar. 

· Personal Greeting – The Customer shall have the facility to record a personal message for 

participants to hear when joining your conference. 

· Phone Commands – The Customer shall have the ability to mute lines, lock the conference, 

and request operator assistance through the use of touch button on the telephone keypad. 

· Post-conference Emails – The Customer shall be able to keep an attendance roster of the 

participants with an email record of which participants were on the phone and/or web. The Customer 

shall also be able to keep track of the total conferencing minutes. 

· Private Participant Count – The Customer shall have the ability to privately announce the 

number of participants on the conference call at any participant's request. 

· Quick Start - The Customer shall have the ability to select Quick Start to immediately begin 

the conference call by allowing participants to enter the conference and start speaking before the call 

officially begins. 

· Record & Playback - The Customer shall have the ability to digitally record the Reservationless 

- Plus call for participants who were unable to attend or for participants who would like to listen to the 

conference call again. The recording is available 24/7/365 and can be accessed on the Internet or by 

dialling a toll-free number. The Customer shall be able to purchase a CD, downloadable link and/or a 

transcription of the recording. 

· Record Pause/Resume - The Customer shall have the ability to pause the recording in progress 

and resume the recording when ready to continue. 

554

· Roll Call - The Customer shall have the ability to prompt participants to record their names as 

they join the audio conference call. It shall be possible at any time during the conference for the names 

to be replayed privately to any conference participant. 

· Security Passcode - The Customer shall have the facility to provide an added level of security 

for the Reservationless - Plus conference by having control over who joins the conference. It shall be 

possible to select and distribute the security pass code for every conference that is hosted by the 

Customer. The Customer shall also have the ability to add a security pass code to an active conference 

by returning to the leader account menu. 

· Self-Mute/Unmute - The Customer shall have the ability to allow participants to silence their 

own lines by pressing a keypad command on their telephones. 

· Sub-conference - The Customer shall have the ability to allow pre-selected guests to join a 

private discussion during the conference call. Sub-conferencing shall allow the Customer to discuss side 

issues and other non-public information. 

· Third-Party Conference Start – It shall be possible for a participant to bypass the hold music 

and start the conference as the leader if the Customer’s leader is late or unable to host the call. 

· Waiting Room - The Customer shall have the ability to place participants on music hold until 

such time as the Customer is ready for them to join the conference call. 

WEB CONFERENCING Product Features 

· Microsoft Outlook and Lotus Notes Integration – It shall be possible for the Customer to send 

invites from Outlook or Lotus Notes Calendar for one-click access to the meeting. 

· Reservation-less Meeting Room - It shall be possible for the Customer to host remote meetings 

without the need to make reservations. All moderators shall have their own, secure meeting room. 

· Easy Participant Access - Participants shall be able to join the meeting without the need of 

plug-ins or downloads. It shall be possible to join from all major browsers and Operating Systems. 

· Integration with Reservation-less Plus Conferencing – An audio feature shall automatically dial 

out to the Customer and all participants when the conference begins if required. 

555

· Audio Broadcasting – This shall allow participants to listen to the audio conference using their 

computer speakers, headsets or telephone. 

· Customisable Meeting Interface – The Customer shall have the ability to control their user 

interface. It shall be possible for the “panels” that are displayed in the meeting interface, to be 

expanded, collapsed and resized. 

· Full Screen – The Customer shall the facility to set participants to Full Screen to maximise 

viewing space for sharing applications. 

· Recording – The Customer shall be able to create a synchronised archive that replicates the 

live meeting including all visuals, annotation, polling, audio and video. 

· Show Power Point Presentations - The Customer shall be able to show uploaded PowerPoint 

presentations to their audience via a presentation mode. 

· Application Sharing - The Customer shall be able to share any application from a computer and 

grant control to authorized participants to edit shared documents while in the meeting. 

· Web Tour - The Customer shall be able to conduct a web tour in the meeting, which shall allow 

participants to navigate and click on the live web site that is being shared. 

· Desktop Video - Customers and participants shall be able to view and broadcast live video in a 

meeting using a standard desktop video webcam. 

· Participant Interaction and Management - The Customer shall be able to chat/send instant 

messages to an individual or a group without interrupting the meeting. 

· Survey, Quiz, Poll - The Customer shall be able to gain feedback from participants using polling 

questions or creating surveys and quizzes that can be displayed in the meeting. The Customer shall be 

able to publish the results so that the results are visible to all participants. 

· Instant Messenger Quick Invite - The Customer shall be able to invite participants to the 

meeting, after it has started, using MSN Live Messenger, Lotus SameTime Instant Messenger or 

Microsoft Office Communicator Instant Messenger. 

556

· Participant List - The Customer shall be able to view the voice and web connectivity status of 

the participants using the Participant list in the online web meeting interface. 

· Emoticons – It shall be possible for the participants to provide instant feedback to the 

Customer using a variety of emoticons included in the participant meeting interface. 

· SSL Encryption - Enhanced meeting security shall be provided via 128-bit SSL encryption. 

· Security Passcodes – The Customer shall have the ability to add an additional layer of security 

with moderator-created security codes unique to each meeting. 

· Close Meeting Room Door - The Customer shall have the ability to prevent unauthorised 

access to the conference and limit disruptions by “closing the door” to the meeting. 

· Stored Documents - The Customer shall have the ability to upload and access PowerPoint 

Presentations, Surveys, Quizzes, Polls, Images, Web Tours and Files that can be used during the 

meetings. 

· Online Reporting - The Customer shall have the ability to view detailed reports from the 

meetings with information on duration of the meeting, number of participants, participant names and 

survey or quiz results. 

· Archived Recordings - After the meeting the Customer shall have the ability to access and 

playback hosted or zip archives. The Customer shall be able to send participants archive email links and 

choose to password protect them. Detailed reports shall show who has accessed the recorded 

conference and how long it was viewed. 


Daisy shall provide an initial account and login set up within 5 working days. An email shall be sent 

to the Customer with account details, portal login, PIN and a software link. The Customer shall be able 

to download the host software and launch a conference immediately. Conference users do not have to 

download software. The Customer shall be able to request extra hosts once the account is active and 

these will be set up within 48 hours. Where the request is for 100 or more extra hosts the lead time shall 

be extended to 5 working days. 


557


In the event of a fault, Customers shall call the Daisy conferencing support line. 

This Customer support function in the event of a fault shall be available 24 hours a day, 365 days a 

year through the Daisy Conferencing Support Line. 

Customers shall be able to access the Daisy Conference Manager to view information and make the 

following changes: 

558 

Schedule audio & visual calls 

Send email invitations and reminders 

Review, edit or delete scheduled meetings 

View, edit, delete and set up host details 

Access reporting tools 

User guides for Customers shall be made available. 

The Daisy Conference Services shall have the following SLAs 


Platform 

Audio 

Platform 

Operator 

Assisted 

Platform 

Serv 

ice Level Definition 

% 

% 

99.9 

99.9 

Availability of the 

Reservationless platform 

through the dial-up 

network. 


Operator Assisted 

platform through the 

dial-up network. 

Measurement 

Automated continuous 

periodic access attempts to 

audio conference bridge. 


periodic access attempts to 

audio conference bridge.

Web 

Conferencing 

SLAs include: 

559 

% 

99.9 


document conferencing 

platform through the 

Internet. 

Resolve fault/issue – shall be within 24 hours 


server health and status 

monitoring. 

Email Response Times – 98% of all emails shall be responded to within 2 hours 

New user set up – 98% of all new users shall be set up within 24 hours 

Operator Calls – 98% shall be answered within 20 seconds. 


The Daisy Conferencing Service shall consist of the following services: 

Reservation-less Plus –Customers shall have an always available audio conferencing service. The 

Customer shall not need a reservation or an Operator. The service shall provide for a maximum 

of 125 participants. 

Operator Assisted – Daisy shall provide a reservation based service that shall offer Customers an 

audio conferencing service with an operator and support personnel who manage high-touch 

features. 

Unified Meeting – Daisy shall provide a Web Conferencing service that shall allow audio 

integration and audio conferencing users to manage their audio calls. No download shall be 

required for participants. 

PBX SUPPLY AND MAINTENANCE 

Daisy shall provide a wide range of systems with full functionality able to be incorporated into a 

single traditional voice, IP based or hybrid network. 

This functionality shall include: 

Integrated voice mail 

A range of digital and analogue handsets from POTs to Operator Consoles

560 

Automatic Call Distribution 

Teleworking 

Conferencing and Collaboration 

Paging and Door Opening facilities 

Phonebook access 

Message Waiting indicators 

Music on Hold 

Dynamic Extension 

Auto Attendant 

Daisy shall supply systems with ‘five 9s’ availability. 

Daisy shall supply resilient systems with the options of hardware redundancy, automatic failover 

and geographic redundancy across the network. 


Daisy shall supply traditional TDM and IP based telephony systems. 

Daisy shall offer the Customer the choice of outright purchase or lease subject to acceptance. 

Daisy shall supply a full installation, design and project management service using fully qualified 

engineers, pre-sales personnel and PRINCE2 project managers. 

Daisy shall supply a range of standard maintenance services with bespoke options for critical sites 

and applications. 

Daisy shall undertake to provide a fully managed service through integral management tools, alarms 

and pro-active health monitoring of the pbx network. This service shall be provided through the 24/7 

systems management centre at the Daisy Centre of Systems Excellence. 

All systems upgrades, back-ups, time synchronisation, adds , moves and changes shall be carried out 

on a daily basis as requested from the Customer. All access to Customer pbx networks shall be via 

approved, encrypted connections as agreed with the Customer. 

Options for the service shall include but are not limited to: 

System choice from manufacturers such as Mitel, Avaya, Siemens, LG etc. 

Choice of analogue or digital handsets 

Full installation including cabling 

System only, Handsets etc. 

Telephony applications specific to the chosen supplier 

As part of its PBX supply service Daisy shall provide access to technologies such as mobility solutions, 

unified technologies, collaboration, virtualisation, basic contact centre technology and advanced 

management and reporting.

Daisy shall provide a full range of additional equipment to complement the pbx service including but 

not limited to 

Call logging 

Call recording 

End user management applications 



Daisy shall offer a range of standard service levels agreements on the telephony service. 

Daisy shall provide customised SLA packages on application. 

Daisy’s standard Service Levels shall be: 

Bronze Cover – Complete hardware cover available Monday to Friday (excluding bank Holidays) 

between the hours of 08:30 and 18:00. Faults that results in 50% system crash will receive a response 

within 8 working hours, all other system faults will receive a response within 16 working hours. 

Silver Cover - Complete hardware cover available Monday to Friday (excluding bank Holidays) 



Gold Cover - Complete hardware cover available Monday to Friday (excluding bank Holidays) 

between the hours of 08:30 and 18:00. Faults that results in 50% system crash will receive a response of 

a man to site within 4 working hours, all other system faults will receive a response within 8 working 

hours. 

Platinum Cover - Complete hardware cover available Monday to Sunday (including bank Holidays) 

24 hours per day. Faults that results in 50% system crash will receive a response within 4 hours, all other 

system faults will receive a response within 8 hours 

Platinum Plus Cover - Complete hardware cover available Monday to Sunday (including bank 

Holidays) 24 hours per day. Faults that results in 50% system crash will receive a response of a man to 

site within 4 hours, all other system faults will receive a response within 8 hours 

Handsets - All of the above services exclude support of handsets which will be covered on a Next 

Business Day post out service 

Service Levels: 

Cove 

r Level 

Cove 

r Type 

561 

Bro 

nze 

Sil 

ver 

ld 

Go 

Plati 

num 

Plati 

num 

Plus 

Complete (parts & labour inclusive) Hardware 

Cover

Avail 

able 

Syste 

m Crash 

Tech 

nical 

Response 

Resp 

onse to 

Site 

Othe 

r Faults 

Tech 

nical 

Response 

Hand 

set Faults 

System Faults 

562 

Monday to Friday 

(excluding bank Holidays) 

08:30 - 18:00 

Service Levels (working hours) 

Monday to 

Sunday (including 

bank Holidays) 24 

hours per day 

8 4 --- 4 --- 

--- --- 4 --- 4 


16 8 8 8 8 

Next Business Day post out service* 

It shall be possible for system faults to be logged 24 hours a day, 7 days a week. 

These shall be subject to the appropriate SLA response to site by a Daisy engineer as agreed in the 

service description to be agreed with the Customer. “Other system faults” are determined to be any 

other maintenance call which falls outside of the clearly stated system crash parameters. 

Daisy shall operate a 24x7 ITIL certified Technical Service Desk (TSD) operation within the Customer 

Services department. The TSD shall be responsible for logging calls and automatically escalating them 

against pre-defined Operational Level Agreements to the correct area within Daisy or third party. 

HOSTED IP TELEPHONY 

Daisy shall provide a fully hosted and managed telephony solution. 

The Telephony platform shall be hosted in an enhanced ISO27001 certified, secure and resilient data 

centre. The onsite premise equipment required shall be a managed router, suitable cabling and a choice 

of handsets. The platform shall be monitored 24/7 by qualified UK based engineers.

The system shall be modular and it shall be possible for the number of seats or users to be increased 

and decreased with additional handsets and licences on the assumption that sufficient bandwidth is 

available. 

System features shall be controlled via a dedicated web portal on an individual user or administrator 

basis. It shall be possible for the Customer to invoke disaster recovery plans via a web portal accessed 

from any web enabled device. 

The service shall be delivered over Ethernet or DSL services directly into the Daisy core network. The 

service shall not use the public internet. 

When the service is provided over Ethernet then Quality of Service shall be configured with the 

option of a separate vLAN. 

The Customer shall be able to integrate the Daisy Hosted Telephony Solution into MS Outlook, 

Explorer and Firefox. 

Bandwidth and Codec 

The following Codecs shall be available: 

563 

G.711a 

G.729 

IP Configuration 

The voice vLAN will need to be built with sufficient bandwidth to support the required number of 

calls using the desired voice codec. 

The components of the platform shall be: 

BroadSoft BroadWorks Soft Switch 

Acme Packet Session Border Controllers 

Access Network (Daisy Data / Daisy Wholesale)

564 

Daisy managed CPE Router 

Customer Switches 

Customer IP phones 


Daisy shall provide the Customer with three levels of functionality - Lite, Business and Premier. 

A Mobility Package shall also be available to add to any other functionality level. 

Lite Service Pack - Call Forwarding Busy / Authentication / Basic Call Logs / Call Forward Always / 

Call Forward No Answer / Call Forward Not Reachable / Calling Line ID Delivery Blocking / Calling Line ID 

Blocking Override / Calling Name Retrieval / Call Return / Call Transfer / Call Waiting / Connected Line 

Identity Presentation / External Calling Line ID Delivery / Flash Call Hold / Internal Calling Line ID Deliver 

/ Last Number Redial / Three Way Calling / Hunt Groups / Call Capacity Management / Intercept Group 

Business Service Pack shall include all features in the Lite Service Pack plus the following features: 

Anonymous Call Rejection / Automatic Call-back / Diversion inhibitor /Do Not Disturb /Speed Dial 100 

/Call Park / Call Pickup 

Premier Service Pack shall include all features in the Lite and Business Service Pack plus the 

following features: 

Alternate Numbers / Barge-In Exempt / Call Forwarding Selective / Call Notify / Custom Ring back 

User / Directed Call Pickup / Directed Call Pickup With Barge-In (DPUBI) / N-Way Call / Priority Alert / 

Privacy / Push to Talk / Selective Call Acceptance / Selective Call Rejection / Shared Call Appearance 

(Multiple Appearance Directory Numbers) / Account Authorisation Codes / Custom Ring back Group / 

Instant Group Call / Music On Hold / Personal Mobility Package 

Personal Mobility Package features shall include: Remote Office / Daisy Anywhere / Simultaneous 

Ring Personal / Sequential Ring / Multiple Call Arrangement Description (MCA) 

Handsets - A choice of either Cisco or Polycom handsets is available to the Customer for use with 

the Daisy Hosted Telephony Solution. 

Daisy Softphone - The Daisy Softphone application shall allow the Customer to make and receive 

calls from their PC/Laptop when connected to the internet. Daisy shall supply a Sennheiser USB headset 

with each softphone ordered. The softphone shall have a Premier license. As an alternative the 

Customer shall be able to install the softphone on an iPhone/Pad or Android device. This shall allow the

Customer to make and receive calls on their main number or DDI when they are connected to Wifi. The 

Customer will appear to be calling from their business phone number not the mobile phone number. It 

shall be possible for this service to be used anywhere in the world where the Customer has access to 

Wifi.All calls from the softphone to any other user in the Customer organisation are classed as “on net”. 

Headsets, analogue devices and digital DECT devices 

Daisy shall provide a range of headsets and analogue devices: Sennheiser DW Office Wireless HD 

Headset / Cordless Analogue DECT phone / SLT (Single line analogue telephone). Wireless digital DECT 

phones with full feature access shall also be available for areas where analogue signals are limited. 

Options 

Daisy shall provide the following optional features: 

Auto Attendant – This feature shall field inbound calls and deliver them to the intended destination 

through interactions with the caller. Auto Attendant is reached by dialling an associated phone number 

or an extension. Once connected to the Auto Attendant, the caller shall be played a greeting that 

provides a menu of options to complete call routing. The maximum recording length for Auto Attendant 

shall be five minutes. The menu is configured by the Customer and shall provide up to nine options to 

the caller. These include: 

565 

One-Key Dialling 

Operator Dialling 

Name Dialling 

Extension Dialling 

Immediate Extension Dialling 

Holiday Schedule 

Enhanced Business Hour Support 

Daisy Toolbar: The Customer shall have access to this desktop communications management 

product. The Customer shall be able to make and accept telephone calls, and change telephone settings, 

from within Microsoft Outlook, Internet Explorer and Firefox. 

The Customer shall be able to manage incoming and outgoing messages, maintain up-to date 

connection information, and configure controls on calls and voice mail. The Customer shall be able to 

view basic history and contact directories. The service shall provide click to dial capabilities and screen 

popping of incoming calls.

Daisy Receptionist Console: The Customer shall have access to a web tool that screens inbound 

calls. 

Call Centre: The Customer shall be able receive incoming calls from a central phone number. This 

facility allows the Customer to establish technical assistance lines, customer support numbers and 

order-taking centres. Multiple call centres are also supported. 

Voice Messaging –This service shall enable the Customer to record messages from callers for calls 

that are not answered within a specified number of rings or for calls that receive a busy condition. The 

maximum number of rings for the no-answer timer is 20 (inclusive). 

Fax to Email – This service shall enable the Customer to retrieve and manage fax messages from 

voice mailboxes and/or e-mail accounts. 

Call Recording – This hosted service allows Customers to retrieve call recordings via a dedicated web 

page. The Customer shall be able to store calls for a 6 month period and export recordings to a remote 

machine or drive. The service is FSA compliant. 

Daisy Web Portal – The Customer shall be able to control their services through any internet 

enabled device. The user shall have access to four tabs: 

· Profile 

· Calling Features 

· My Calls 

· Utilities 

The Administrator Web Portal shall allow Customer administrators to control personal and group 

services through any internet enabled device. The Customer administrator shall have access to eight 

tabs: 

· Group Profile 

· Departments 

· Manage Users 

· Group Services – Management of hunt groups and users that allows unscheduled changes. 

· Policies & Utilities 

566

· Directory – The corporate directory is shared across all phones and users regardless of location. 

· Disaster Redirect -Automatically diverts calls to an alternate number should the data connection 

experience a fault. 

· Call Details – Full real time details of all calls made, received and missed per extension of the 

Customers main phone numbers. 


The Customer shall be provided with a full Proof of Concept based on interoperability tests carried 

out on test numbers using the proposed architecture. A dedicated SIP engineer shall format a test plan 

to be carried out in conjunction with the Customer. 

Lead time for the provision of new Ethernet service shall be 60 working days. 

Lead time for a new DSL service shall be 10 working days. 


SLA shall be agreed with the Customer. Remote maintenance is included as a standard service. 

Daisy shall offer a range of enhanced service levels agreements on the hosted telephony service. 

The Customer shall also be able to request customised SLA packages if required. 

Enhanced Service Levels: 

Bronze Cover – Complete hardware cover available Monday to Friday (excluding bank Holidays) 



Silver Cover - Complete hardware cover available Monday to Friday (excluding bank Holidays) 



567

Gold Cover - Complete hardware cover available Monday to Friday (excluding bank Holidays) 

between the hours of 08:30 and 18:00. Faults that results in 50% system crash will receive a response of 

a man to site within 4 working hours, all other system faults will receive a response within 8 working 

hours. 

Platinum Cover - Complete hardware cover available Monday to Sunday (including bank Holidays) 

24 hours per day. Faults that results in 50% system crash will receive a response within 4 hours, all other 

system faults will receive a response within 8 hours 

Platinum Plus Cover - Complete hardware cover available Monday to Sunday (including bank 

Holidays) 24 hours per day. Faults that results in 50% system crash will receive a response of a man to 

site within 4 hours, all other system faults will receive a response within 8 hours 

Handsets - All of the above services exclude support of handsets which will be covered on a Next 

Business Day post out service. 

Cove 

r Level 

Cove 

r Type 

Avail 

able 

Syste 

m Crash 

Tech 

nical 

Response 

Resp 

onse to 

Site 

Othe 

r Faults 

568 

Bro 

nze 

Sil 

ver 

ld 

Go 

Plati 

num 

Plati 

num 

Plus 

Complete (parts & labour inclusive) Hardware 

Cover 

Monday to Friday 

(excluding bank Holidays) 

08:30 - 18:00 


Monday to 

Sunday (including 

bank Holidays) 24 

hours per day 

8 4 --- 4 --- 

--- --- 4 --- 4 

Service Levels (working hours)

Tech 

nical 

Response 

Hand 

set Faults 

569 

16 8 8 8 8 

Next Business Day post out service* 

The Customer shall be able to log system faults 24 hours a day, 7 days a week subject to the 

appropriate SLA response to site by a Daisy engineer as agreed with the Customer. Daisy operates a 

24x7 ITIL certified Technical Service Desk. 

EMAIL SCANNING AND FILTERING 

Daisy shall provide a Software as a Service (SaaS) application - MailDefender This provides email 

protection which includes anti-spam and anti-virus. The service shall update every five minutes with new 

anti-virus information. The Mail Defender product shall be hosted in a PSN compliant data centre. 

The MailDefender product shall scan for trojans, worms, viruses and phishing emails and other 

malware. 

MailDefender shall use multiple methods to identify virus emails. 

Heuristic scanning shall analyse email payloads for suspicious signs that might indicate that an email 

is carrying a new form of virus. 

The email shall then be passed across to the Sophos Anti-Virus engine to be analysed for the 

presence of known viruses. 

The Sophos Anti-Virus engine shall check for the latest updates from Sophos every 5 minutes. 

The email shall then be passed to the Clam and Cloudmark Anti-Virus engines for further scanning. 

Zero-hour anti-virus protection includes: 

Polymorphic viruses whose fingerprints have been identified as a virus shall be blocked. 

Zero-hour anti-virus shall provide support for content disposition. Viruses shall be identified and not 

classed as spam. This classification and reporting shall be available to the Customer.

The following methods shall be used to identify spam email. The Customer shall have the ability to 

modify these methods. 

Allow and deny lists – The Customer shall have the ability to override the system to ensure that 

specific email addresses are always blocked or always allowed through the system. 

A Web content scanner shall check URL links database. 

Graphometric scanner - a filter is used to scan qualified databases for unique spam characteristics 

and URLs. 

A language scanner shall check the character-set used. 

Spam Assassin – This shall allow the Customer to make use of a plug-in service for Mail Defender. 

Block lists - This facility shall check sources of email against databases of known spammers and 

openrelay checks. 

Suspected spam shall be placed in a quarantined area separate to the local network. 

Web based management reporting shall also be available to the Customer. 


A Project Implementation Meeting shall be held with the Customer to establish and agree the 

timescales for the project roll out to include: 

· Implementation of MailDefender 

· Available management reports 

· Required training 

· Deployment plan 

· Review of the project implementation and agreed further actions. 

570


571 

ty 

n 

Severi 

Severity 

Description 

Definition 

1 Critical The service is totally 

unusable and having a 

major impact on the 

Customer 

2 Very 

Important 

3 Importa 

nt 

4 Non- 

Urgent 

Admi 


WEB ACCESS MANAGEMENT SERVICE 

The whole service is 

severely degraded and is 

having a significant impact 

on the Customer. 

The service is degraded 

and is having an impact on 

the Customer. 

A problem is 

inconvenient, but Time Out 

business not severely 

impacted 

Ad hoc E.g. A routine 

parameter type change is 

requested, or an additional 

security data backup is 

required. Does not affect 

normal service operation. 

Target 

Response 

Time 

15 

minutes 

15 

minutes 

15 

minutes 

15 

minutes 

Not 

applicable 

Target 

Fix Time 

22 

Hours 

1 hour 

2 hours 

4 Hours 

1 

working day 

Daisy shall supply a managed Internet security and protection Web Management Service, known as 

WebDefender.

Daisy’s Web Defender shall have the following components: 

- Anti spyware detection 

- Desktop firewall 

- Intrusion prevention and detection 

- Application controls 

Daisy’s Internet Access policy shall allow the Customer to set, control, view and allow/prevent which 

websites users can access. Administrator access shall be given through a GUI interface to allow the 

Customer to administer and control their user group’s settings. 

It shall be possible for this policy to be adjusted according to the time of day. 

54 URL categories shall be provided. 

Websites containing malicious software shall be blocked. 

The Customer shall have the ability to block instant messaging and peer to peer applications. 

WebDefender filtering is approved by Becta and meets BSI PAS:74 2008 Internet Safety Standard. 

Daisy shall provide Global, Group and Per-User Filtering with full Active Directory synchronisation. 

Daisy shall provide Dynamic Web categorisation. 

Daisy shall provide hosted deployment– WebDefender shall operate within a PSN compliant data 

centre. 

A historical reporting function shall be made available. 

An exception reporting function shall be made available. 

A mobile option shall be available for Customers accessing the web via 3G. 

572


573 

ty 

n 

Severi 

Severity 

Description 

Definition 

1 Critical The service is totally 

unusable and having a 

major impact on the 

Customer 

2 Very 

Important 

3 Importa 

nt 

4 Non- 

Urgent 

Admi 

The whole service is 

severely degraded and is 

having a significant impact 

on the Customer. 

The service is degraded 

and is having an impact on 

the Customer. 

A problem is 

inconvenient, but Time Out 

business not severely 

impacted 

Ad hoc E.g. A routine 

parameter type change is 

requested, or an additional 

security data backup is 

required. Does not affect 

normal service operation. 

INTERNET INTRUSION DETECTION SERVICE (IDS) 

Target 

Response 

Time 

15 

minutes 

15 

minutes 

15 

minutes 

15 

minutes 

Not 

applicable 

Target 

Fix Time 

22 

Hours 

1 hour 

2 hours 

4 Hours 

1 

working day 

Daisy shall provide a pro-actively managed 24x7x365 IDS security monitoring service provided by 

Daisy’s Network Operations Centre - NOC. This Security Monitoring shall be available for all hosted 

services within the Daisy data centres and for MPLS delivered network services. IDS shall be delivered in 

the areas of Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). IDS-based security 

surveillance utilises a sensor that monitors a mirrored copy of the Customer’s Internet traffic. The IDS 

sensor has extended functionality that includes storing of traffic data and analysis of program files. This

shall make it possible for the Customer to detect unknown malicious/compromising software – including 

targeted attacks. 

Daisy’s IDS service shall have the following functionality: 

· Traffic Storage: 

o All the “sniffed” traffic shall be stored in a buffer on the sensor. This shall allow an analyst to go 

back in time (hours/days) to see how an attack started, how it was performed, and what happened after 

it was finished. 

o Data that is not downloaded for further analysis shall be overwritten by new data when the 

buffer is full. 

o The storage capacity shall be 300 GB or 1,4 TB and shall be dependent on the type of sensor. The 

time the data is stored shall depend on the amount of network-traffic at the point the IDS monitors. 

o IDS sensor capacity: 250 Mbit/s. At bandwidths over 250 Mbit/s, load balancing and multiple 

sensors shall be applied. 

· Dynamic malware analysis 

o All potentially dangerous files that are downloaded by the Customer shall be analysed by Daisy 

NOC. Daisy NOC shall use two different methods on each file: 

o Daisy NOC shall run a copy of all program files that are downloaded to the Customer through a 

total of 11 different antivirus products. If one of these products mark the program file as a threat, an 

analyst shall continue with further analysis of the data traffic (as previously described) to determine if 

the threat is real. 

Daisy NOC shall use the following antivirus products: 

574 

antivir 

avg 

avast

575 

clamwin 

f-prot 

f-secure 

kav 

nod32 

norman 

symantec 

trend 

o The same program file shall also be run through CW sandbox by Sunbelt. This shall be a 

full Windows implementation. The analyst shall receive a report that shows all changes 

that are made by the program file if it gets installed on the users’ PC. 

o The report shall include information on the following: - Automatic execution of new 

programs at startup - Changes made to the Windows Registry - Files that are 

created/deleted - Drivers that are installed - Processes that are created/deleted - 

Connections to servers on the Internet. 

On the basis of this information, compiled with the traffic from both before, during and after the 

download, an analyst shall determine if the downloaded file is malware or a legitimate program. Daisy 

SOC shall detect malicious software that is specially designed for attacks against the Customer. 

UTM & IPS 

Daisy shall use Fortinet IPS for automated security monitoring. Fortinet IPS (Intrusion Prevention 

System) shall be installed at the network edge or at the network core to protect critical business 

applications from both external and internal attacks. 

Backed by the automatic, real-time updates delivered by the FortiGuard, FortiGate IPS technology 

combines a customisable database of thousands of known threats to stop attacks that evade 

conventional firewall defences. The system contains anomaly-based detection that enables the system 

to recognise threats for which no signature has yet been developed. 

- Combined signature and protocol anomaly detection shall protect against known and unknown 

threats, with support for more than 1000 protocols and applications.

- Automatic updates of attack signatures from FortiGuard Intrusion Prevention Service 

- Per-device/unlimited-user licensing 

- Detailed logging and reporting aid in auditing and forensic analysis. 

- Centralised management and reporting. 

Fortinet UTM 

Daisy shall provide Unified Threat Management (UTM) which provides a combination of all security 

functionality, including IPS. 

There is no user licensing and no requirement for external servers or third party products. 

Fortinet shall be used as firewall with full security control of the content or in transparent mode 

with an existing firewall. 

Fortinet’s models shall include firewalls with up to 112 interfaces and 182 Gbps performance. In 

addition, there shall be a central management, log and reporting system. 

The service shall cover the following 

· Antivirus scan of SMTP, FTP, HTTP, POP3 and IMAP 

· Antivirus scan of IPSEC/SSL VPN traffic 

· Intrusion Detection & Prevention (IPS) 

· Data Loss Prevention (DLP) 

· Application Control 

· WAN Optimization 

· SSL Inspection (content control of encrypted connections) 

· AntiSpam for SMTP and POP3 

· URL filter with more than 30 million sites and over 48 categories 

576

· SpyWare filter 

· Instant Messaging (IM) filter, logging and monitoring 

· Peer-to-Peer (P2P) filter, logging and monitoring 

· SSL VPN enables clientless VPN for external users 

· Full support for VLAN/LDAP/AD RADIUS/BGP/OSPF directly in rulesets 

· Dual WAN ports for redundant Internet connections (2xISP) 

· QoS for all rules including VPN and SSL 

· Virtuall firewalls with up to 500 unique firewalls in one unit 

· Parallel firewalls for high availability (Redundant, active/active) 

· Supports Intel AdvanceTCA (ATCA) Chassis for blade models 

· Bandwidth up to 182 Gbps, 28 million simultaneous sessions and 112 physical zones 

The service is comprised of monitoring elements in a switched network with IDS systems connected 

on both sides of the firewall. 

The sensors shall be connected to their listening points by a network adapter operating in stealth 

mode. 

All traffic monitored by the sensor shall be stored in the sensor using a cyclical buffer. 

Older data shall be overwritten when the hard drive is filling up. 

Data categorised as illegal shall set off alarms on the sensor which shall then be transferred to Daisy 

Network Operations Centre for analysis. Analysts shall carry out a more in-depth analysis by transmitting 

raw data, related to the event, to Daisy NOC giving them a more complete overview before contacting 

the Customer. Data shall also be checked by consulting the firewall, router or application logs. 

Daisy’s network based sensor (NIDS) shall be capable of doing a real-time based traffic analysis and 

packet logging on IP-networks. It shall carry out protocol analysis, content search and detect several 

attack patterns including: 

· Probing 

· Buffer Overflows 

· Stealth Scanning 

· CGI Attacks 

· SMB Probes 

577

· OS Fingerprinting 

The Daisy signature database contains over 3000 known attack patterns. The database shall be kept 

updated by Daisy’s signature group, Sourcefire and other groups. The sensor shall also detect policy 

violations like P2P usage, IRC/MSN and Unauthorised fileservers 

The IDS-service shall contain the following on delivery: 

· Equipment 

o Sensor – 19” 1 or 2 U server installed on a sniffing point 

· Documentation 

o The Customer shall , before installation , fill out the necessary installation parameters in an 

installation document. This document shall also provide a description of the Service 

· Software (included in the IDS sensor) 

o The sensor shall contain a complete system for gathering and raw sorting of data that shall be 

used by an analyst for further study. 

o Web server for use by authorised users within the Customer’s organisation. The web interface 

shall be used for distribution of reports and messages to the Customer. 

o A gateway for secure communication between Daisy NOC and SOC and authorised users. 

o Forensic tools 

Data collection and analysis 

Collected data shall be stored on the sensor. Alarm data is transferred automatically through an 

encrypted Open VPN tunnel from all sensors and agents to Daisy’s central database for study and 

analysis at DAISY NOC 24 hours a day. 

Daisy’s security analysts shall perform analysis and checks of both the alarm data and local data 

gathered over the same Open VPN connection. 

Reporting 

Characterisation of events: 

578

- Red events shall be defined as attacks or attempted attacks presenting an immediate danger 

to the Customer’s network or network services: systems that are already compromised or are in 

immediate danger of being compromised. Red events shall be reported according to table 1. 

- Orange events shall be defined as attacks or attempted attacks which may result 

in systems being compromised if no action is taken within a reasonable period of time. 

- Yellow events are less targeted surveys, scans, sweeps and probes. These events provide 

important early warnings, as well as the basis for continually enhancing security and preventive 

activities. 

The target groups for these reports shall be a) Operations and security personnel, and b) staff with 

responsibility for business services. The Customer shall define this target group and Daisy shall report 

only to the specified persons / functions. 

Two procedures for reporting shall be agreed upon; one for normal reports and one for serious 

incidents. 

Reporting of events shall be carried out as per the below table: 

Reporting per incident category 

Inci 

dent 

type 

Ora 

nge 

Yell 

ow 

579 

Type of contact 

Max. time from 

incident to report 

Red Phone, secure e-mail or SMS 0.5 hours 10 

Malware analysis 

Phone, secure e-mail or SMS 1 hour 5 

Web-based reporting 12 hours 0 

Max. number of 

repetitions 

Daisy has an advanced lab for the analysis of viruses and trojans on the machine code level. This lab 

shall allow the Customer to uncover hidden functionality in malicious code, such as mechanisms for selfreplication 

or destructive behaviour. The lab shall be combined with Daisy's IDS service, where data

packets are stored on the sensor for a limited time so that the trojans / viruses are available for 

immediate analysis in the event of an emergency. 

From the sensors web-interface, the Customer shall have the ability to access reports that are 

generated every hour. Historical, weekly reports shall also be made available. 



Daisy shall provide a 99.97% SLA on network and power availability 

Daisy data centres shall be monitored by qualified engineering staff 24 hours per day, 7 days per 

week. Calls between 8am - 10pm, Monday to Friday (9am – 9pm Saturday and Sunday) shall be handled 

by the technical support team. Calls outside those hours shall be routed to the Network Operations 

Centre. 

Security Accreditation Considerations 

Where this service is provided to PSN customers at 2-2-X or greater levels of C, I and A, the service 

shall be logically separated from non-PSN clients and undertaken in accordance with the requirements 

of CESG’s GPG 13. The Protective Monitoring Controls shall therefore follow the respective 

Segmentation Model requirements for “Aware” and “Deter” and will form part of the PSN Accredited 

service. 

The management of the capability shall also be addressed within the ISO27001 ISMS and PSN 

RMADS. 

Output from the service provided for legal/law enforcement purposes shall be compliant with the 

guidance in BIP 0008. 

MANAGED DDOS PREVENTION SERVICE 

580

Daisy shall provide a Managed DDoS Prevention Service which shall be a network based traffic filter 

that shall detect Distributed Denial of Service (DDoS) attacks and clean attack traffic before it reaches 

the destination address in sufficient volumes to cause disruption to the Customer’s network. 

The Customer shall be configured with their own unique profile/zone on the Detector. 

- The zone traffic threshold levels shall be specific to the Customer and shall be learnt over a seven 

day period 

- The zone shall be automatically protected 

- The zone shall be monitored 24x7x365 

- The Customer shall receive a courtesy call when an attack is detected 

- The Customer shall receive an attack report by email within 24 hours. 

- There shall be no rate-limiting on cleaned traffic toward the zone 

Proactive Customers shall be configured on the Guards immediately following installation for a 

period of 7 days. The Customer’s traffic profile shall be analysed and thresholds shall be set following 

this period. 

Attack traffic shall be defined as but not limited to 

• Spoofed and non-spoofed attacks 

• TCP (syns, syn-acks, acks, fins, fragments) attacks 

• User Datagram Protocol (UDP) attacks (random port floods, fragments) 

• Internet Control Message Protocol (ICMP) attacks (unreachable, echo, fragments) 

• Domain Name System (DNS) attacks 

• Client attacks 

• Inactive and total connections attacks 

• HTTP Get Flood attacks 

• Border Gateway Protocol (BGP) attacks 

• Session Initiation Protocol (SIP) voice over IP (VoIP) attacks 

This shall be monitored by the Detector by the use of a Multi Verification Protocol which shall look 

for anomalies in relation to traffic flows, connections and protocols against the thresholds learned. 

Increase in volume shall not be a trigger by itself. 

581

Once the Detector determines the presence of a potential malicious flow or anomaly, it shall alert 

the Guard via SSH. 

The Guard shall then make a routing announcement to its own up-stream routers, which shall divert 

all traffic destined for the victim’s IP address to be re-routed through the Guard as its next-hop. The 

Guard shall then begin its analysis phase, if the traffic is determined by the Guard to be malicious it shall 

begin to filter out the attack traffic based on the rules learned.. 

Legitimate traffic shall continue to be delivered to the Customer’s protected zone unhindered. 

When the Guard determines that the attack has ceased, a further announcement shall instruct the 

Core Routers to resume normal routing. 

A report shall then be generated and collated, and then be made available to the Customer. 


Proactive Customers shall be configured on the Guards immediately following installation for a 

period of 7 days. The Customer’s traffic profile shall be analysed and thresholds shall be set following 

this period. 

The enrolment process shall co-ordinate the activities of bringing a Customer into the Security 

Managed Service whilst meeting all Pre-Requisites. Enrolment activities shall be performed by Daisy. 

Security Policy Definition and Review 

Daisy shall gather information and requirements from the Customer to create and complete F1034- 

MDDP Proactive Questionnaire.doc, which shall define the Traffic Management rules that the MDDP 

Proactive service shall implement. Once agreed with the Customer, this policy document shall be used 

as the basis of the Customers’ traffic profile. 



582

Designated Security Contacts: 

The Customer shall provide two or more staff members to be the security contacts (CSC). 

Full contact and authentication details for each security contact shall be provided by the Customer. 

A Customer Security Contact (CSC) shall be accountable for: 

a) Making security decisions on behalf of the Customer 

b) Requesting and authorising changes to the MDDP Proactive security configuration. 

Monitoring 

Daisy shall monitor the Customer Zone 24 hours a day, seven days a week, 365 days a year. Alerts 

shall be generated automatically in real time at the Customer Site and shall be captured at the Daisy 

Network Operations Centre (NOC) and Operational Management Centre (OMC). 

Alert Escalation and Response 

Alerts sent from Detectors and arriving at the Daisy NOC/OMC shall be logged, acknowledged, 

analysed and then escalated as appropriate. Alerts that may impact Security and/or Service delivery 

shall be escalated to the Customer Security Contact. 

Attacks shall be handled according to specific Customer requirements. 

Security Accreditation Considerations 

Where this service is provided to PSN customers at 2-2-X or greater levels of C, I and A, the service 

shall be logically separated from non-PSN clients and undertaken in accordance with the requirements 

of CESG’s GPG 13. The Protective Monitoring Controls shall therefore follow the respective 

Segmentation Model requirements for “Aware” and “Deter” and will form part of the PSN Accredited 

service. 

The management of the capability will also be addressed within the ISO27001 ISMS. 

Output from the service provided for legal/law enforcement purposes shall be compliant with the 

guidance in BIP 0008 

CO-LOCATION SERVICES 

583

Daisy shall deliver a Co-Location Service through one of its ISO27001 accredited Data Centres. 

Daisy shall deliver Co-location facilities on a whole (40U) or half (20U) rack basis. 

Power shall be made available in units of 8 Amps or 16 Amps with redundant “commando” sockets. 

Daisy shall provide the following facilities to the Co-location Customer. 

- Metered power sockets 

- Single or multiple 100/1000 Mbps Ethernet switch ports 

- 16 Amps (40 Units) of electricity equalling 3.84kW of power draw and cooling (rates at 16 Amps) 

- 8 Amps (20 Units) of electricity equalling 1.92kW of power draw and cooling (rates at 16 Amps) 

Up to 5 shelves upon which the Customer Equipment must be placed - it shall be possible for the 

profile of the Rack mounting posts to be adjusted by the Customer to meet their requirements. Daisy 

shall perform checks to ensure that servers are not packed too tightly causing heat generation above the 

requirements for 3.84kW power draw. 

Options 

The following modules are available as additional “redundant” services 

· Additional Ethernet ports for resiliency. 

584 

Additional power strips or commando sockets of 16 amps of electricity (Rated at 16 Amps). 

Additional Shelves 

Daisy shall provide additional services in the form of “Service Modules”. 

Remote Hands Service Module 

The Remote Hands Service shall include; 

24x7x365 Power Cycling of equipment

585 

Re-starting a windows or Linux operating system service, process, application or daemon 

Cable organisation , ties or labelling 

Pushing a button 

Observing, describing or reporting on indicator lights or display information on machines or 

Consoles; 

Observing and reporting on return air temperature measurement within the Data Centre; 

Media insertion; 

Modification of cable layout between Customer Equipment; 

Managed reboot and file system check (fsck); 

Swapping hot swap disks in the event of a RAID array failure; 

Escorting third parties to and from customer racks 

Co-Location Tape Rotation Service Module. 

Daisy shall provide the service on a weekly, monthly or daily basis. 

The service shall be limited to a single tape swap per device per day. Multiple tape swaps shall be 

performed on the purchase of multiple modules. 

The tape swaps shall be carried out between the hours of 15.00 and 17.00 daily. 

Co-Location Operational Recovery Service Module for Harbour Exchange and Server Bank Data 

Centres. 

The Operational Recovery service shall back up specified content of a Customer’s server(s) onto a 

disc based storage platform. Daisy shall restore the data when requested by the Customer. 

The following data options shall apply to this service: 

File system 

Database

The Customer shall define the Server(s), the Directories or Databases to be backed up along with the 

backup schedule. 

Back-ups shall take place at regular intervals during regular daily windows, typically, but not always, 

this shall be out of office hours between 12:00am and 08:00am. The Customer shall be able to specify a 

preferred day for a full back up. 

Backup Solution 

File System Backup 

586 

Daily Full 

Backup 

Weekly Full 

Backup 

MS File System 

Agent P P P 

UNIX File System P P P 

LINUX File System P P P 

MS System State P x x 

Flatfile Backup of Databases 

MSSQL P P x 

Oracle P P x 

MySQL/DB2/Other P P x 

Retention - Backed up data shall be held on disc by Daisy for a period of 14 days. 

Weekly Full & Daily 

Incremental Backup 

Installation - Daisy shall install a File System backup client on the Service Equipment. 

Back-up File System - The data being backed up shall be in the format of closed, flat files. The 

Customer shall specify which directories should be backed up. 

The managed back-up routine shall only copy flat files. Open files or running databases shall not be 

backed-up.

For Windows users, any open files and running databases shall need to be dumped to a specified 

location. For Unix/Linux users if the file is being written to, then the back up shall be an arbitrary 

snapshot. 

The managed back-up service shall not copy data from ‘network shares’ outside the Daisy data 

centre. 

The amount of disc space required shall be estimated per server based on the amount of data to be 

backed up and the backup method. 

Encryption - Encryption shall be facilitated using the data agent installed as standard on the Service 

Equipment. The data encryption algorithm used shall be AES with a 256 bit symmetrical key. 

Encryption and decryption shall be performed on the Customer server. All data in flight to the media 

and at rest on the media shall be encrypted. 

The encryption and decryption process shall use CPU cycles on the Customer server. 

The CPU overhead of encryption shall be between 20% to 40%. For Customers using a 100 

megabit/second connection to the admin LAN, there shall be no affect to the backup window. 

Encrypted data shall consume the same footprint on the storage platform as non-encrypted data. 

Growth - Backup volumes shall not be limited but shall be monitored monthly. 

Restore and Change - The Customer shall be able to request a restore of their data or change to 

their service by placing a call to the Daisy Service Desk and raising a ticket. 

The Customer may make requests for Data Restores for disk based storage. 

Operational Recovery service shall include 2 change requests by the Customer per calendar month. 

Data restores shall only be initiated when requested by the Customer. 

587

Service Level Agreements - Restore 2 hours to initiate in business hours (08:00 to 18:00, Monday to 

Friday, excluding public holiday), 4 hours to initiate outside of business hours. 


Daisy shall deliver Co-location Space within 5 working days. 

Daisy shall allocate as many IP addresses as the Customer requires, subject to justification and any 

maximum limits imposed by Réseaux IP Européens (RIPE). 



Daisy shall provide a 99.97% SLA on network and power availability 

Daisy Data Centres shall be monitored by qualified engineering staff 24 hours per day, 7 days per 



Centre (NOC) who will then engage appropriate support escalation paths within the Data Centres. 

ENTERPRISE AND APPLICATION HOSTING 

Daisy shall deliver an Application Hosting Service in one of its ISO27001 accredited Data Centres. 

Daisy shall provide the following facilities to the hosting Customer. 

- Pro-actively managed and supported Cisco ASA 5505 firewall 

- Remote administration facility 

Options 

Within Enterprise Hosting 

588

Daisy shall provide a choice of database MS SQL Sever 2003, 2008 Standard or Enterprise or MySQL 

2005 Workgroup Edition 

Daisy shall provide a choice of 2 or 4 GB DDR2 RAM 

Daisy shall provide an E5420 Quad Core chassis or HP DL360 Quad Core Chassis 

Daisy shall provide a choice of : 

2x160GB SATA RAID 1 HDDs 

3x147GB SAS RAID 5 

4x147GB SAS RAID 5/10 

Daisy shall provide MS Windows Server 2003 Standard Edition, MS Windows Server 2008 Web 

Edition or Data Centre Edition with IIS 6 or Redhat v5 with Apache. 

Within Application Hosting 

Daisy shall provide a choice of Monitoring and Management. 

Daisy shall provide a choice of three different HP server specifications – Web, Application, Database. 

Daisy shall provide a 99.97% Service Level Agreement (SLA). 

Daisy shall provide 4 hour Hardware replacement. 

Daisy shall provide 24/7x365 Support. 

Daisy shall provide a choice of Supported or Managed REDHAT Linux V4 or v5 with Apache, Lighty 

and PHP. 

Daisy shall provide a choice of Supported or Managed MS Windows Server 2003 or 2008 with 

Internet Information Services (IIS). 

589

Customer additional options shall include: 

• Operational Recovery (per server). 

• Enhanced Server Monitoring & Patching (per server). 

• Redundant Power Supply. 

• Managed Intrusion Detection System (IDS). 

• Software or Hardware Dedicated Load Balancing. 

• Managed Cisco or Juniper Firewall. 

• Offsite Tape Backup. 

• MS SQL 2005 or MySQL or Oracle 10g database. 

• Managed Layer 2 Switch. 

Daisy shall supply the following additional modules on request provided other qualifying modules 

are in place. 

For Enterprise Hosting - Enhanced Server Monitoring and Patching Module 

The service shall include Basic Server Monitoring. 

Daisy shall install, configure and test the system probe on the Service Equipment that shall monitor 

the following activities: 

Windows 2008 / Windows 2003: CPU - percentage used over a short and long cycle; File System 

Capabilities - warning and critical capacity thresholds; Memory Usage - percentage of physical memory 

in use; Service Monitor - reports on the status of a service as agreed with the Customer. 

Solaris / Linux Red Hat: CPU - 5 and 15 minute load average of the number of processes active / 

waiting for the CPU; File system Capabilities - warning and critical capacity thresholds; Swap Activity - 

Percentage of swap space used; Process Monitor - various processes as agreed with the Customer. 

The Customer shall be able to set up threshold management alerts through the SCAMP interface: 

590

The Daisy SCAMP system shall inform Customers when their server reaches pre-defined utilisation 

thresholds. Pre-defined thresholds are set within the SCAMP service. The thresholds cover the following 

criteria: CPU Utilisation; Hard Disk Capacity; RAM utilisation. 

Upon Customer request Daisy shall provide automated graphical reports on CPU, memory and disk 

usage. 

Daisy shall patch the Customer’s Operating System software: Daisy subscribes to vendor update 

mailing lists detailing patching requirements. These lists shall be the primary source of any security 

breach information. Daisy shall evaluate available patches and test the updates; Daisy shall then decide 

whether any advisory is a service affecting vulnerability. 

The vulnerabilities shall be broken down into 2 levels: Critical: Flaw that needs updating 

immediately; Non-Critical: Patch that shall enhance or optimise an application or service performance. 

Supported Customers shall be notified proactively, but patched reactively. Specifically Supported 

Customers shall be e-mailed for permission to patch the servers. 

Managed Customers shall be notified proactively, and patched proactively. Daisy shall seek 

confirmation before patching. 

Software Network Load Balancing Module 

The Customer must have a minimum of 2 nodes within the Network Load Balanced (NLB) Cluster. 

The maximum nodes in an NLB Cluster is 32. 

Network Load Balancing shall only be carried out on Web and Application Servers. 

Any Databases must use the specific technologies for that platform. 

Daisy shall configure the Network Load Balanced Cluster within the Operating System boundaries: 

- Runs on the server(s) to be load balanced 

- Presents a Virtual Internet Protocol (VIP) TCP/IP Address for the servers in the NLB Cluster. 

591

- Distributes incoming TCP connections and User Datagram Protocol (UDP) datagrams among the 

servers in the NLB Cluster. 

NLB session persistence (affinity) options shall be limited to ‘none’, ‘single host’ or IP address (s) 

only. 

Hardware Provision Module 

On installation Daisy shall: Install the Service Equipment in the Data Centre; Install the Customer’s 

Operating System; Physically configure Service Equipment; Connect the Service Equipment to the Daisy 

Data Centre & Network; Carry out end to end Connectivity testing. 

As required on an ongoing basis by the Customer, Daisy shall replace faulty parts or Service 

Equipment. 

Managed Operating System Module 

Root Access shall be owned exclusively by Daisy and Daisy shall perform Operating System 

Management Tasks proactively. Daisy shall keep an audit trail of the patch status for each server; 

- Operating System Management Tasks: Common Operating System Management Tasks on both 

Linux / Solaris and Windows: 

- Base Operating System installation and configuration. 

- Customer Security policy implementation. 

- Disk, Logical Volume and File system configuration. 

- Adding Users and Groups to the system configuration. 

Server Network Services configuration shall include: 

Process and system resource configuration; Secure access configuration; Customer provided 

SSL Certificate installation; Disk fault-tolerance test and disk partition creation; Windows Service Pack 

592

and Hot-Fix Patch installation; Dump file creation; Log file creation; Removal or disabling of any 

unnecessary Operating System components; Operating System Security Hardening; Operating System 

vendor liaison; Response to Enhanced Monitoring System alerts; Tuning of Operating System. 

Linux / Solaris specific Operating System Management Tasks shall include Kernel configuration. 

Daisy shall manage faults proactively. 

Supported Database Module 

MySQL/Oracle specific: Database Administrator (DBA) Access shall be shared between Daisy and the 

Customer. 

MS SQL: Database Administrator (DBA) Access shall be given to the Customer. 

Common Database Support Tasks on SQL, MySQL and Oracle: 

Database installation and configuration; ‘Database’ creation (Oracle Specific); ‘Server’ creation (MS 

SQL/ MySQL specific) ; Creation of data files and disk structures; Customer Security policy 

Implementation. 

Daisy shall evaluate available patches and test the updates. Daisy shall advise the 

Customer if any advisory is a service affecting vulnerability. The vulnerabilities shall be broken down 

into 2 levels: 

Critical: Flaw that needs updating immediately; 

Non-Critical: Patch that shall enhance or optimise an application or service performance. 

Daisy shall install Non-Critical Database within 5 Working Days of the Customer confirming their 

consent to do so; 

Additional Database Support Tasks for Oracle Customers: Installation & 

configuration of Oracle*Net. 

Fault Management shall be triggered by Daisy under the ‘Standard Monitoring’ module. 

593

Supported Firewall Service Module 

Daisy shall install and configure the firewall in the data centre. The default firewall shall be without 

DMZ capability. 

The Firewall configuration: 

Supported Firewall Service standard configuration: Configuring the public IP range; Configuring the 

private IP range; By default, all inbound traffic shall be denied except http and https; By default, 

outbound traffic only over the following ports http, https, ftp, smtp and DNS. 

Firewall Maintenance: 

It shall be possible for the Customer to request the creation of 1 VPN tunnel. 

Routine Management shall include: Routine changes due to software update release. Changes shall 

be noted centrally by Daisy. Update software releases, updates and advisory notices as issued by the 

Service Equipment Supplier. Updated software releases of the firewall operating system shall be 

downloaded and installed to the firewall by the Daisy SOC if deemed necessary. Operating system 

updates shall not be installed until a maintenance window of at least 1 hour has been agreed with a 

Customer. 

Standard Backup and Recovery Service Module 

The Managed Backup Service shall back up the specified content of a Customer’s server(s) onto a 

disk based storage platform. Daisy shall restore the data when requested by the Customer. 

All back-ups shall be made to disk only. 

Backups shall take place between 00:01 and 07:59. 

Daisy shall install a File System backup client on the Service Equipment. 

Back-up File System 

Restore and Changes: 

594

The Customer shall be able to restore data to their server’s directories. 

Daisy shall initiate a restore within 4 hours. 

For Application Hosting 

Operational Recovery Service Module 

The Operational Recovery Service shall back up specified content of a Customer’s server(s) onto a 

disc based storage platform. Daisy shall restore the data when requested by the Customer. 

Off Site Tape Applicability: 

An off-site tape solution shall be provided by purchasing the optional module F12112 Off-Site. 

Tape Backup Service Module.doc. 

Data options Operational Recovery 

File System 

Database 

Scheduling 

Daisy Managed Traffic Manager or “Load Balancer” 

Daisy shall provide an optional “load balancing “service for the management of website traffic. 

The F5 Traffic Manager is a dedicated appliance using algorithms that allocate http and https traffic 

to multiple web servers within a Customer’s solution. Two BigIP 3400 Traffic Managers terminate and 

initiate SSL connections between the World Wide Web and the Traffic Manager appliance. 

595

The two primary functions of the service shall be: 

- The load balancing function which shall be allocated on a throughput basis. The base offering shall 

be 10Mbp where the throughput is upgradeable in 5Mbps increments up to a maximum limit of 

20Mbps. 

- The SSL acceleration which shall be measured in transactions per second (TPS) where the opening 

allocation is 25 TPS. The TPS shall be upgradeable in 25 TPS up to a limit of 100 TPS. 

Off Site Tape Backup Service Module 

It shall be possible for Customers to have their data stored on digital tape media at a secure location 

off-site if requested. 

Daisy shall be responsible for the scheduling and the write of the data to digital tape media, the 

swap of the tape from the tape drive, the hand off of the tape to go off-site to PSN Compliant Storage 

Partner, the initiation of restore from tape once the tape is returned by PSN Compliant Storage Partner. 

The data shall be written from the existing data set backed up onto disk on the operational recovery 

managed backup solution. This shall reflect the scheduling and retention period contracted to the 

Customer in the operational recovery module. 

Off-Site Tape Backup shall be scheduled as follows: 

596 

Daily 

Weekly 

Monthly 

A PSN Compliant Storage Partner shall provide Off-Site Tape Backup pickup drop off and storage. 

Back-ups shall take place at regular intervals during regular daily windows It shall be possible for the 

Customer to select a preferred day for a full back up. 

Retention: Backed up data shall be held on disk by Daisy for a period of 14 days.

Installation: Daisy shall install a File System backup client on the Service Equipment. 

Service Level Agreements 


Restore: 2 hours to initiate in business hours (08:00 to 18:00), 4 hours to initiate outside of business 

hours (18:01 to 07:59). 

With storage platform failure, time taken to rebuild storage platform plus restore time, 2 hours to 

initiate in business hours (08:00 to 18:00), 4 hours to initiate outside of business hours (18:01 to 07:59). 

Restore for off-site tape backup shall be detailed in the Offsite Tape Backup Module. 


Daisy shall deliver Enterprise Hosting Space within 10 working days. 

Daisy shall allocate IP addresses per server and an additional IP address for the firewall. 

• 2 IP addresses for the first server. 

• 2 IP addresses for the second server. 

• 2 IP addresses for the third server. 

• 1 IP address for firewall. 

• 1 IP address for Managed Backup service (when applicable). 

Each server needs 2 IP addresses, one for the uplink and one for the back-up LAN. 

Daisy shall take responsibility for the following aspects of the Application Hosting Implementation; 

- Technical design of the solution as appropriate 

- Configuration of all hardware 

- Provisioning of the solution with immediate 24/7 support 

597



Daisy shall provide a 99.97% SLA on network and power availability. 

Daisy data centres shall be monitored by qualified engineering staff 24 hours per day, 7 days per 



Centre (NOC) who shall then engage appropriate support escalation paths within the data centres. 

Daisy shall provide 4 hr hardware replacement. 

Daisy shall guarantee 100% uptime. 

Daisy shall provide up to 100Mbs bandwidth. 

Daisy shall maintain the following components:- 

Server Hardware 

Firewall 

Firewall management 

The Customer shall remain responsible for the maintenance of the Operating system and the 

Database. 

SNMP, ICMP and TCP/IP polls shall validate the availability of the following elements of each Service 

as listed below. 


598 

SNMP Poll 

and Trap of 

Switch Port on 

Data Centre LAN 

ICMP Poll of 

Server's Internet 

Facing IP Address 

TCP/IP Poll 

of Active* 

Ports on the 

Server 

Poll of a 

Running Instance 

of a Named 

Service**

Supported O/S 

Standard Monitoring 

Supported O/S 

Enhanced Monitoring 

and Patching 

599 

Yes No No No 

Yes Yes Yes No 

*Active Ports are defined as those that are configured to deliver the Service by Daisy Data Centre 

technical staff. 

**A Named Service is an Application or Database 

Daisy shall monitor the Service Elements via ICMP, SNMP or dedicated agent polls. The polling 

device polls every 5 minutes and if failure occurs shall attempt 2 further polls at 1 minute intervals. If all 

3 polls are unsuccessful, the Service Element shall be declared unavailable. The polling devices shall 

continue to poll the Service and shall declare the Service to be available when it responds to this polling. 

STORAGE AND OPERATIONAL RECOVERY 

Daisy shall offer four different back-up types for Storage and Operational Recovery: 

Daily Full - The entire defined data-set shall be fully backed up every day. 

Weekly Full and Daily Incremental File System* - The entire file system data-set shall be backed up 

weekly, followed by daily back-ups of data that has changed since the last full or daily incremental backup. 

* This shall not include the back up of flat file databases. 

Weekly Full and Daily Incremental of Databases** - The entire database data-set shall be 

dynamically backed up weekly, followed by daily backups of data that has changed since the last full or 

daily incremental back-up. ** Data agent shall be required for this option, incremental back-ups using 

data agents shall be performed using transaction logs. 

Weekly Full 

The entire data-set shall be backed up weekly.

Backup Solution 

File System Backup 

600 

Daily 

Full 

Backup 

Weekly 

Full Backup 

MS File System Agent P P P 

UNIX File System P P P 

LINUX File System P P P 

MS System State P × × 

Dynamic Backup of 

Databases 

MSSQL Agent P P P 

Oracle Agent P P P 

Flatfile Backup of 

Databases 

MSSQL No Agent P P × 

Oracle No Agent P P × 

MySQL/DB2/Other - No 

Agent P P × 

Weekly Full & 

Daily Incremental 

Backup 

Backed up data shall be held on disc by Daisy for a period of 14 days 

This service shall be available to Daisy hosted Customers 


Daisy shall install a File System backup client on the Service Equipment 


SLA shall be agreed with the Customer.

Restore 2 hours to initiate in business hours (08:00 to 18:00, Monday to Friday, excluding public 

holidays), 4 hours to initiate outside of business hours. 

MESSAGING SERVICES 

Daisy shall offer a bulk SMS service - Daisy Messaging. This service shall include access to a set of 

SMS tools delivered through the messaging platform. 

Short Codes / Keywords 

� An inbound number 5 digits long 

� A short code shall be used in combination with a keyword. It shall be possible to check keyword 

availability on shared short code (60006) 

� Daisy shall provide keywords as requested on the Customer’s Dedicated Short Code 

� Keywords shall be a minimum of 3 characters long (alphanumeric) 

� Use for data collection 

� Inbound messages shall respond on keywords of the Customer’s choice 

� The Customer shall be able to use the short code as the originator to initiate 2 way 

communications 

� Individual keywords shall allow reporting and onward tracking 

Long Numbers 

� Daisy shall provide dedicated long numbers 

� The Customer shall be able to set up as many keywords as required 

� A dedicated long number shall provide an additional two-way communication channel 

� Messages shall always arrive from the same number 

� Daisy dedicated long numbers shall enable both incoming and outgoing messages to be 

responded to instantly. 

601

� Incoming mobile numbers shall be automatically captured 

Number Validation 

Daisy’s Number Validation software shall enable the Customer to “clean” mobile data. The software 

shall test each number and return with a result of “On”, “Off” or “Dead” and what mobile network the 

number is using. This shall allow the Customer to send messages to only “On” numbers. 


Client Portal - This is where Daisy Messaging products and offerings can be accessed. There are 4 

groups of products; Applications, APIs and Web Services, Widgets and Utility Services. 

The single interface shall allow the Customer to manage: 

§ The dashboard 

§ Applications 

§ Utility services 

§ Widgets (choose, configure, grab code) 

§ API’s/Web services/ Datafeeds (menu to configure) 

§ Reporting & Statistics 

§ Shop 

§ Support 

§ Account Settings 

§ News/Events 

Message Manager 

Message Manager shall allow Customers to send and receive messages from one interface. 

Functions: 

§ Ability to send out large scale broadcasts 

§ Ability to target specific users within the contact groups 

§ Create personalised messages through merged fields 

§ Create rules to manage inbound messages 

602

§ Create and manage messaging templates 

§ Detailed delivery reports 

§ Ability to target specific users, with personalised fields 

§ Intuitive ingestion technology for contact uploads 

§ Full contact management capability 

Campaign Manager 

Campaign Manager shall allow users to create customised mobile campaigns. The SaaS application 

shall enable multi-user, multi-business unit, and multi-department configuration, which includes 

multiple campaign deployment options, controls, rules and filters with full reporting. 

Customers shall have access to the following functions: 

§ Multiple users can log into one account 

§ Options for managing opt out lists and inbound messages 

§ Hierarchical access right options for administrators and users 

§ Allocation of message credits and multiple user options 

§ Import and Export of contacts 

§ Rules library for complex 2 way campaigns 

§ Ability to seed mobile numbers and schedule tests 

Txt Chat 

Txt Chat is a SaaS call centre solution that shall enable complete conversations to be held by 

Customers over text in a call centre management interface. 

Conversations are started by an inbound message which shall be queued for an operator to “pick 

up” and action. Txt Chat shall support an unlimited number of operators. It shall be possible to copy the 

conversation into any CRM. Txt Chat shall include full viewing rights for managers to evaluate messages 

queued, responded, opened and completed. 

The Customer shall have access to the following functions: 

603

§ Multiple user environments 

§ One-to-one communication between operator and Customer 

§ Chat history by contact so previous communications can be viewed even if they are with another 

operator 

§ Multiple simultaneous text conversations 

§ Web delivery 

§ Different permission levels so supervisors can monitor all conversations 

§ Instant messaging between PC and mobile via SMS 

Outlook Plug-in 

Daisy shall supply the Outlook 2007 Plug-in which shall allow Customers to send and receive SMS 

messages from within Microsoft Outlook. Customers shall be able to send text messages, receive text 

messages, review them in the message history and check the delivery status. It shall be possible for the 

Customer to send messages from contact records to individuals, groups or current look-ups. Customers 

shall be able to initiate immediate and direct communication to contacts. The SMSs shall be tracked and 

stored within Outlook with each delivery receipt available in the history record. 

Customers shall be able to 

� Send text messages to individuals and groups. 

� Receive responses or inbound texts directly to the Message Manager Inbox. 

� Synchronise contacts with Message Manager. 

� Store and track sent messages alongside sent emails. 

� Choose a unique individual sender ID for each SMS text message 

� Personalise messages by including merged fields 

� Create SMS text message templates for frequently used messages 

� Schedule communications by setting delivery times up to 12 months in advance 

� Deliver messages through dedicated UK mobile carriers. 

APIs / Web Services 

Daisy shall provide all the functional process required to deliver all the other applications, widgets 

and utility services through a range of APIs. This shall allow any function to be integrated into third 

party technology. 

604

An application programming interface (API) is a source code based specification used as an interface 

by software components to communicate with each other. An API includes specifications for routines, 

data structures, object classes, and variables. 

Features: 

§ Capabilities delivered through APIs 

§ APIs include data feeds to directly access real-time information 

§ APIs delivered over all Standard codes (JSON, HTTP,SOAP, PHP, SMPP etc.) 

§ Integration into existing applications 

§ Integration options including web services, HTTP Services and SMP 3.4 

§ Technical Support -integration requirements and support documentation shall be provided 

§ Project managed by API specialist team 

Utility Services 

Daisy shall provide Utility Services to carry out large scale specific tasks. They are accessed through 

the Customer portal. Daisy shall deliver its number validation, scoring and behavioural information 

service via the Utility Service. The Customer shall be able to request the Utility Service as a large widget 

object in order to place into an iframe within applications. 

The Customer shall be able to 

§ Upload files into the Utility 

§ Push/Pull via backend API connection. 

§ Access full report and export options export from the dashboard 

§ See results of number validation available for download for up to 3days. 

§ Demand historical reports.. 

§ Integrate messaging into existing applications 

Widgets 

Daisy’s widgets are stand-alone pre coded functional applications that can be embedded into third 

party sites/ software. Widgets shall allow Customers to turn messaging functions into web applications 

that can be used internally or provide services to end users. 

605

Customers shall be able to: 

§ Grab code and drop widgets into their own website or internal web based portal 

§ Access Cloud services immediately 

§ Access a customisable GUI 


All SMS Messaging Solutions are accessed through the Daisy Messaging Portal. Access to the Portal 

is through a public facing web interface. 

There shall be 4 groups of products: 

§ Applications 

§ APIs and Web Services 

§ Utility Services 

§ Widgets 

The SMS Text Messages shall be delivered according to the service level described below 

606 

Description Availability Target 

The delivery of mobile 

messages from Daisy Services 

to third party suppliers 

Available 24 hours 

per day, 7 days per week 

99.5% availability 

and transfer rate of at 

least 50 messages per 

second.

Daisy shall publish performance statistics, including message processing times on a monthly basis. 

Scheduled Maintenance 

Daisy shall carry out maintenance work between Midnight and 4am GMT as set out below: 

607 

Description Target 

Minimum Notice Period prior to 


Maximum Number of Scheduled 

Maintenance action per month 

exceeding 15 minutes 

Maximum Duration of any 

Scheduled Maintenance action in any 

month 



3 Days 

2 

1 Hour 

The service shall be available 99.5% of 24 / 7 / 365.

Freedom Communications (UK) Ltd 

Freedom Communications (UK) Ltd shall provide Communications Services, which shall include, but 

not be limited to: 

· Consultancy 

· Technical architecture and system design 

· Project Management 

· Supply 

· Installation 

· Training 

· Maintenance including transitional services 

· Support for equipment, commodity and managed service. 

· Help Desk and incident management service services 

· Upgrade services 

We shall provide services that are capable of meeting, as a minimum, the ‘Protect’ data Business 

Impact Level 2-2-x and deliver the services to ‘best practice’ guidelines. We shall meet the Security 

policies and procedures that are agreed at the time of procurement and in accordance with our 

Information Security practices, accredited to ISOS27001. 

We shall continue to design and provide new products and services that are relevant to this Lot 1 on 

an ongoing basis. 

Within this Lot 1, we shall offer products from multiple vendors, including but not limited to Alcatel- 

Lucent, Cisco, Mitel, HP, Avaya, 3Com, Shoretel, Siemens, BT and Gamma Telecom 

We shall have the role of prime contractor and shall use subcontractors to provide some services. 

Our Operations Director and Services Managers shall closely manage our subcontractors and shall be 

the central points of contact with our subcontractors and suppliers. 

We shall have full Service Agreements in place with our premium business partners with defined 

SLAs for all aspects of the delivery they are responsible for. 

Our Account Managers and Service Managers shall be the central points of contact between 

ourselves and our customers. 

Contract management and helpdesk services shall be provided by our own dedicated in-house 

experts who are based in our dual resilient contact centre in Watford and Leeds. 

Provision of all elements of a complete solution 

Freedom Communications (UK) Ltd shall provide, as a minimum, all elements of Lot 1 – 

Communications Services within a complete service. 

608

Traditional and IP based voice services, audio conferencing 

We shall supply, as a minimum, Traditional and IP based voice services/ equipment suitable for all 

sizes of customer. System solutions shall combine traditional voice technology with an IP platform, 

providing an effective and complete communications solution. 

We shall offer solutions that improve productivity and enhance customer care, whilst reducing 

capital expenses and operational costs. The high-availability platform shall deliver communication tools, 

including business applications that simplify daily administrative tasks. 

The telephony equipment shall offer scaling up to a total of 15,000 endpoints from a single server 

and to 100,000 when transparently networked. There shall be the option to expand beyond this by 

combining multiple systems. 

Handsets shall be intuitive with a common look/feel with an option for an integrated QWERTY 

keypad for access to directories and other information deliverable in HTML/XML format. 

Solutions and services provided shall support industry standard protocols such as QSIG, DPNSS, 

H.323 and SIP. 

Control and management of the systems shall be via an LDAP compliant management application. 

Resilient solutions shall provide: 

1. Central Server redundancy – non-disruptive takeover 

2. Distributed servers with full transparency 

3. Passive survivable servers – remote takeover on central server(s) failure 

4. Remote signalling support over dial-up channel for WAN failure support 

5. Handset alternative gatekeeper support 

The solutions shall support: 

1. Softphones - both client and clientless (web accessible) 

2. Messaging – traditional messaging and Unified Messaging. Unified Messaging shall integrate 

with any IMAP4 compliant email system and shall offer both voicemail and email retrieval from 

the PC interface and the telephone, including text to speech. The Unified Messaging solution 

shall be Web accessible. 

3. Conference and Collaboration – the solution shall offer a highly scalable conference platform – 

including Instant Messaging and audio, data and video conferencing. It shall also offer 

multiparty Powerpoint sharing and recording for playback, application and desktop sharing, with 

clientless web access. 

4. Contact Centre – the solution shall offer all elements of contact centre operation from basic 

voice ACD to multi-channel multi-direction, with distributed deployment scalable from 5 to 

many thousands of agents. 

Voice call packages, Voice minutes, DDI, premium rate numbers, Non-geographic numbers, 118 

enquiries, Call preference services 

We shall supply, as a minimum, the following services: 

609

· PSTN/ISDN line rental 

· Carrier Pre Select (CPS) for Voice minutes 

· Call Billing 

· Non-geographic Numbers 

· SIP Services 

· DDI 

· Premium rate numbers 

· 118 enquiries 

· Call preference services 

· VOIP Services – Hosted, Managed & Maintained 

· IP Virtual Private Networks (IPVPN) 

· Mobile, Mobile Data (PDA’s) & Blackberry 

· Inbound Numbering Services – 0800, 0844, 0845, 0870 

· Network IVR Services 

· Internet Connections 

· Remote / Lone / Home Worker Solutions 

· CCTV over IP 

· Disaster Recovery Services (DR) 

Our solutions shall provide DDI functionality. DDI numbers shall be allocated at the time of ordering 

and where we can retain existing numbers, we shall do so. Resiliency shall be supported by: 

· Diverse Routing 

· DDI Dual Parenting 

The full range of Non-geographic Numbers(NGN) available from OFCOM for UK organisations shall 

be offered. We shall provide single numbers to complete ranges, with the different types outlined 

below: 

· 03XX 

· 0800/0808 

· 0844 (5 types) 

· 0845 

· 0870 

· Geographical 01/02 

610

Should OFCOM vary the NGN range, we shall offer the revised range. These numbers shall be 

delivered on a straightforward translation into a single telephone number, up to more complicated 

solutions, including IVR if required. 

All NGN numbers supplied by Freedom shall be supplied with web based access for management 

and the setting up of DR plans. 

Freedom shall supply SIP solutions which support full PSTN connectivity, available via DSL or 

Ethernet connection. 

Freedom’s billing platform shall provide over 300 summary reports providing information on usage 

of the service. A web based portal shall be available to access the information. 

Freedom shall provide a comprehensive on-line corporate reporting and provisioning tool called 

Voice Manager. The online system shall be available to those responsible for telephony and who wish to 

have more control over their telephony requirements. The system shall provide the ability to provision 

and allocate Number Translation Services, amend call barring options and provide traffic monitoring 

reports. Billing reports shall be detailed by site, cost centre and/or call type. 

Freedom shall provide 118 enquiry services already set up by others, via our Business Partnership 

and Whole sale Agreements with them. 

Desktop video conferencing and collaboration tools 

We shall provide, as a minimum, User Desktop services, supporting access to Telephony Services, 

One Number Services and Teamwork Services which include Instant Messaging, Presence Management, 

Audio and Video conferencing and collaboration. 

The features of the Telephony Service shall include: 

611 

Telephony 

Phone set management 

Call logging 

Phone book 

Nomadic 

Desktop integration 

Web conferencing 

We shall provide, as a minimum, Teamwork Services which enable knowledge sharing and 

collaboration through presence-aware, integrated voice and web conferencing. Audio conferencing shall 

be managed from a desktop client or web (HTML) interface. Web conferencing with Application Sharing 

shall allow users to share documents and presentations with other participants of the audio conference, 

through the desktop client. 

Internet services, Antivirus, Email scanning and filtering

We shall provide, as a minimum, Internet Access directly connected to the Internet, delivering a fast, 

reliable, scalable and cost effective connection. Freedom’s un-contended Direct Internet Access (DIA) 

shall deliver speeds of 1Mbps to 1Gbps, providing business-grade Internet Access. The solution shall: 

612 

Provide consistent, high speed access with unlimited upload & download 

Unblock performance bottlenecks for remote VPN sites & users 

Improve network security 

Provide Off-site Anti-Virus and spam filtering. 

Enable virtualisation & cloud migration 

Support simplification of adding on sites to evolve the network topology 

Firewall solutions shall support the following standards, as a minimum: 

EAL-4 Certification on Hardware 

EAL-4 Certification on Software 

FIPS 140-2 

ICSA V4.1 Certification for Firewall 

ICSA V1.oD Certification for IP Sec 

Email and website services 

We shall provide, as a minimum, Integration of voice mail into an e-mail environment 

(Integrated/Unified Messaging), achieved as follows: 

Unified Messaging by storing voice mails, providing full integration into the e-mail environment, 

resulting in a single ‘Inbox’. 

Integrated Messaging by storing voice mails and accessing the voice mail from IBM Lotus Notes, 

through IMAP (Internet Message Access Protocol). 

We cshall provide solutions that support: 

Connecting users with voice, email and web services wherever they are located. 

Email, text messaging and online collaboration such as web chat. 

Co-location and hosting 

We shall provide, as a minimum, Co-location and hosting services, secure housing and connectivity 

for businesses that wish to keep control of their web services and require space, bandwidth and security 

within the hosting services. Our managed hosting environments shall provide energy-efficient climate 

control, security access with CCTV, motion sensors and Intruder Detection Systems and eco-friendly fire 

detection and suppression systems 

On-line storage, Security services

We shall provide, as a minimum, Fibre channel or iSCSI SAN implementations. iSCSI technology shall 

offer enhanced file serving using an existing TCP/IP network without the high cost of fibre technology. 

Provisioning techniques shall be varied depending on requirements such as storage capacity, availability 

and budget. 

The solutions shall include entry level simple deployment processing, Application-Centric processing 

and management. RAID shall provide disk tolerance. Standard software shall allow disk-based snapshots 

to support rollback, offsite backup and archiving of all data. 

Mid-range systems based on Enterprise Virtual Arrays (EVA) shall provide redundant storage. The 

EVAs shall cater for faster fibre channel drives if required. In excess of 99.999% uptime shall be provided 

with redundant fibre-fabric SAN topology design. Being modular, EVAs shall provide exceptional upgrade 

capabilities and shall allow the upgrade of firmware without any disruption and secure interoperability 

within a multitude of operating systems and hardware platforms. 

High-end systems shall be based on Disk Arrays. This SAN level shall provide data technology that 

resolves exposure to downtime, disaster, error and exponential/unexpected data growth. Disk Arrays 

shall allow advanced business continuity protection and include the tailoring of the arrays to provide 

exceptional service, operational lifecycle management and a resilience program to ensure response to 

change, threat and opportunity. 

We shall offer a secure Telecoms environment through the deployment of both product and 

processes that meet industry recognised standards. 

The telephony solution shall be supported on a Linux-based platform which maintains only 

necessary programs. Security shall be multi-level across the system using the following policies: 

· Systems shall be encrypted using SSHv2 

· sftp (secure ftp) shall be used for file transfer 

· Http security shall be by SSH. 

· Passwords shall not be sent “in clear” nor stored in the password file, but shall be in coded format 

to prevent transfer and deciphering. 

· Client access shall be able to be authenticated using Radius and IEEE802.1x, including IP handsets. 

· Only defined trusted hosts shall have access to the system. 

· VLANs shall incorporate filtering in the underlying network. 

· Binary files downloaded from the Server to the Gateways shall have digital signatures based on the 

Elliptic Curve Cryptography (ECC) public key algorithm. 

· IP phone spoofing protection shall be incorporated. 

· Audio stream encryption shall use on-board software or security appliances and SRTP with AES 

(counter mode) algorithms. 

· Fax relay shall be supported on IPSec. 

· Call Control signalling shall be protected using IPSec ESP (transport mode) with AES encryption 

algorithm and integrity checked using HMAC SHA1 signature. 

613

Firewall Services 

We shall provide, as a minimum, Managed Firewall services which shall secure against external 

cyber threats and unauthorised network access, at all times. Deployed in conjunction with Freedom’s 

Direct Internet Access (DIA), our Managed Firewall service shall provide a strong and secure ‘fence’ to 

protect sensitive data. Our Managed Firewall service shall provide a secure service, protecting any 

number of sites and combining data, voice and video into one, multi-service, private service. Pro-active 

support and monitoring with modular Service Level Agreements shall span from the desktop to datacentre. 

Firewall solutions shall support the following standards, as a minimum: 

614 

EAL-4 Certification on Hardware 

EAL-4 Certification on Software 

FIPS 140-2 

ICSA V4.1 Certification for Firewall 

ICSA V1.oD Certification for IP Sec 

Intrusion and spyware detection, Authentication and access management, Web and application 

sign on services 

We shall provide, as a minimum, a corporate wide compliance infrastructure for secure automated 

business processes. 

We shall provide solutions for AAA (Authentication, Authorization and Accounting), to include but 

not limited to RADIUS servers, Microsoft Active Directory, digital certificates and secure tokens. 

We shall provide solutions for controlled and secured access to web services, through a Web 

Services Gateway, which builds on an XML stateful firewall offering single sign-on and partner access, 

and supporting a multitude of web services standards such as W3C, SOAP and UDDI. 

We shall provide a scalable and reliable service oriented infrastructure for information systems in 

areas such as human resources, enterprise resource planning (ERP), customer relationship management 

(CRM), and finance with security and regulatory compliance (policy enforcement and audit trail) that is 

required for secure business process automation. The service shall be deployable within data centres to 

secure business processes within an organisation and in the DMZ for automating business processes 

with partners. 

The service shall provide: 

· Stateful (multi-transaction), run-time policy enforcement and consolidated audit trails to ensure 

and demonstrate compliance with government regulations. The service shall mitigate risk through 

consistent policy enforcement across information systems with a user contextual knowledge of 

system events. 

· Information access and change control as well as data encryption with digital signatures, enabling 

a single digital identity within an organization that accepts authentication from trusted partners.

· Security features such as the application firewall and auditing, tracking and control functions that 

can be used to monitor all partner activity, including access to information by partner employees 

when on-site. 

Messaging Services, Real time information services, Desktop messaging, Messaging via email, 

SMS, pager and mobile or fixed line telephone 

We shall provide, as a minimum, Messaging Services which shall allow users to manage their email, 

fax and voice mail at/or away from the office, via a PC, a PDA, Microsoft Outlook/IBM Lotus Notes e-mail 

client or a telephone handset The Messaging service shall also be available through XML Web Services. 

We shall provide infrastructure to support Real time information services, Desktop messaging and 

Messaging via email, SMS, pager and mobile or fixed line telephone 

We shall provide Voice mail and Unified Messaging facilities which shall be accessible through the 

telephone user interface from any telephone device, internal or external to the business. Users shall be 

able to manage their personal options by using the web-based graphical management interface. A visual 

voicemail interface shall provide a clear overview of all messages with the capability to listen to them in 

any order. 

615

Fujitsu 

Traditional Voice Services 

The Contractor shall offer a range of standard TDM-based voice services, including: 

· Public Switched Telephony Network (PSTN) circuits: 

616 

· Direct Exchange Lines (analogue telephone line) 

· ISDN2 lines (2 x 64 kbit/s digital telephone line) 

· ISDN30 lines (30 x 64 kbit/s digital telephone line) 

· PSTN minutes and call packages 

· Non-Geographic Numbers: 

· 080x free calling 

· 087x revenue share 

· 084x revenue share 

· 03xx local rate 

· Access to 118 directory services 

· Call preference services 

IP Voice Services 

The Contractor shall provide and manage an IP Telephony and Unified Communications service 

utilising Cisco or Mitel products and services. The service shall provide fully integrated capabilities for 

Customer users to communicate via a hosted platform delivered from a pair of Tier III UK data centres, 

with options for Customer-premises equipment or hybrid solutions. 

The Contractor’s standard Voice Service shall be a managed feature set per user, delivered from a 

hosted, multi customer environment or a Customer-dedicated environment including Private 

Cloud. The hosted solution offers physical data centre hardware components that shall be shared 

between Customers at the same Impact Level, but each Customer shall receive a dedicated virtual 

solution. 

Voice Service Features 

The Contractors Voice Service shall support the following features: 

· Direct Dial-In (DDI) 

· Short Code Dialling (between Customer sites) 

· Call Transfer 

· Centralised Operator Service 

· Call Hold 

· Call Logging and reporting 

· Manual Diversion 

· Hot Desking 

· Memory Functions 

· Voicemail

· Call Pickup 

· Self Service Portal 

· Audio Conferencing Calls 

· Fax and Legacy Analogue Handsets 

· Group Working 

· Call recording 

· Listen and Monitor 

· Non-Geographic Numbers. 

The following shall also be available as optional extras: 

· Automatic Call Distribution (ACD) 

· Dynamic Extension. 

Service Features Summary 

The Contractor’s Voice Service feature sets shall be provided in four distinct tiers, each adding 

further capability, which are mapped to the service pricing scheme. 

· The “Essentials” feature set shall provide basic telephony features to the Customer, for either 

analogue devices such as fax and hallway phones, or basic Internet Protocol Telephony 

(“IPT”). The Contractor shall make available to the Customer appropriate handsets options 

where no additional functionality is required beyond dial tone and the ability to make calls 

· The “Foundation” feature set shall add enhancement of extension mobility, enabling users to 

log in to any physical endpoint within the service and use their own extension number. This 

capability shall fulfil the requirements for basic IPT in shared or communal areas, such as 

meeting rooms, warehouses or retail environments 

· The “Standard” feature set shall add Unified Communications capability, including presence, 

instant messaging, single-number reach and integrated voicemail services 

· The “Premium” feature set shall provide an end-to-end Unified Communications Service 

consisting of telephony, Messaging, Native Video, Presence and mobile integration. This shall 

offer enhanced mobility integration for mobile and field-based employees. 

These Feature Sets are tabled below: 

Functionality Essentials Foundatio 

n 

617 

Standard Premi 

um 

IP Telephony Yes * Yes Yes Yes 

Full Voice Control No Yes Yes Yes 

Single Number Reach No Yes Yes Yes 

Native Video No Yes Yes Yes 

Messaging Opt Opt Yes Yes

Presence No Opt Yes Yes 

Soft Client No Opt Yes Yes 

Session Management No Opt Opt Yes 

Mobile client license No Opt Opt Yes 

Endpoint Limit 1 1 2 10 

Operator Opt Opt Opt Opt 

Audio Conferencing Opt Opt Opt Opt 

Premium Event Service Opt Opt Opt Opt 

Web Conferencing Opt Opt Opt Opt 

Mobility Opt Opt Yes Yes 

Yes: This item of functionality is included in this Feature Set. 

No: This item of functionality is not available in this Feature Set. 

Opt: This item of functionality is not included in this Feature Set as standard, but shall be available at 

an additional charge. 

* There are a limited number of compatible endpoints for this Feature Set. 

Voice Service Core Availability 

The Contractor recognises the importance of high availability for the service and shall offer each 

Customer solution-specific Service Level Targets that are measured and reported on monthly. The Voice 

Service shall have resilient connections to the Contractor’s PSN-connected core network at the primary 

data centre, with a single connection at the secondary data centre. The connections shall be configured 

such that each link at the primary data centre shall carry approximately 50% of the total voice 

traffic. Load balancing the traffic across two active connections shall provide resilience for external 

voice calls by: 

· Reducing the impact of a link failure to approximately 50% of the total calls in progress at the 

time of the failure 

· Reducing the network convergence time following a link failure 

· Allowing the Contractor flexibility to perform software and hardware upgrades on the core 

network routers and the Voice Service routers without complete loss of service. 

Voice Service Edge Availability 

The Contractor shall offer solutions to increase the availability of voice services at the Customer’s 

sites. These options shall include: 

· Provision of UPS for local power sources and LAN equipment. 

618

· Use of existing or new Direct Exchange Lines (DELs) into the Customer’s site. These DELs can be 

used to provide fallback capability for the site in the event of a failure of the Voice Service or a 

component supporting the service (e.g. the LAN/WAN) 

· The use of mobile phones at site; various option packages based on user type/profile are 

available. 

End to End Performance 

The Contractor shall design and maintain its Voice Service to achieve a minimum R-Factor 

(measurement of the subjective quality of voice) of 80 for 99% of calls. 

Handset Options 

The Contractor’s Voice Service shall support a range of Cisco and Mitel handsets as well as third 

party SIP-compliant handsets. Supplying users with a common phone handset provides consistency 

when using features such as hot desking, and therefore the Contractor shall offer the Customer 

standard handset options based on the features required. The Contractor shall also offer softphone 

options. 

Call Plans 

The Provider shall make available to the Customer a range of call-plan options, such as inclusive calls 

to mobile phone provider networks, UK PSTN, and overseas PSTN. 

Voicemail/Messaging 

Where the Voicemail Service is included in the feature set selected by the Customer, the Contractor 

shall provide a dedicated voicemail box that is secured with a PIN number and shall be accessible via an 

IP phone or by dialling in remotely. Once in the voicemail box, the user shall be able to listen, save, 

replay or delete their messages as well as change their configured personal greetings. The Voicemail 

Service shall also allow a user to record an active call, providing an ad-hoc call recording function. The 

Voicemail Service shall be configurable to send a voicemail to the users email address as an attachment 

if required or send a simple notification (this capability is sometimes referred to as ‘integrated 

messaging’). 

Operator Service 

The Contractor shall offer the Customer a UK-located Operator Service to provide reception services 

whereby all external calls to nominated numbers are routed to central operators for answering, number 

look up and call forwarding. The operators shall answer the call with a pre-defined greeting. The 

operator shall also provide assistance to internal callers; for example, where an end user does not know 

an extension number. The Operator Service shall be manned by trained personnel 24x7. 


The Contractor shall offer the Customer an Audio Conferencing Service with access to a touch-tone 

dialling (DTMF) telephone, on-demand connectivity to an audio conference. No advanced booking shall 

be required and the service shall be available 24 x 7 to participants to join using a local dial-in number. 

Audio Conference users shall be allocated a bridge number and associated PIN. Call minutes for 

usage are chargeable. 

· Dial-Out Access – dial-out access to the Audio Conferencing Service shall be available as an 

optional feature. This feature is available to the chairperson only 

619

· Recording a call – the chairperson has the ability to start and stop a recording of a conference 

call, recordings are encrypted & stored securely. 

Premium Event Service 

The Contractor shall offer the Customer a Premium Event Service, a booked conference-call service 

suitable for any conference with over 20 participants. Premium Event Services must be booked in 

advance and shall have the following feature options: 

· Event Management at no extra charge to help plan and manage conferences 

· Pre-registration, allows organisers to track conference registration and attendance 

· Security ensured by a unique Passcode for each conference 

· Pre-booking to guarantee availability of lines 

· Choice of dial-in phone numbers to select how participants are to be entered into a conference 

· Co-ordinator assistance, as required. 


The Contractor shall offer the Customer a Web Conferencing Service, which shall provide a webbased 

meeting to share visual media. It shall have the following features; 

· Web Conferencing client software 

· Integrated audio conferencing 

· Dial-out function to invite participants to an established conference 

· Scheduling from Microsoft Outlook and Lotus Notes or directly from the Web Conferencing 

client 

· Instant feedback with real-time voting 

· Live Q&A sessions. 

Mobility 

The Contractor shall offer a Mobility Service that fully supports hot desking throughout the 

Customer estate, allowing a user to log onto any phone configured as a hot-desk phone. The following 

features shall be provided as part of the Service: 

· Callback for External Hot-Desk User - Disconnects the user's inbound call, and then calls the 

user back within a few seconds. On answering, the user is presented with a dial tone and can 

then dial the required number. The call is therefore charged at the rate for outbound calls from 

the Service, rather than the prevailing rate where the user is located (e.g. in a hotel) 

· Direct Inward Dial System Access (DISA) - Allows external callers to access the system by using a 

dedicated trunk. The system sees the DISA trunk as an extension with its own Class of Service 

and Class of Restriction. Calls that enter the system on DISA trunks have access to a variety of 

system features. The DISA trunk can be assigned account codes to provide security or additional 

options. 

The Contractor shall also support a full external mobile desk solution as an additional Service. This 

Service shall allow hot-desk users to configure any external telephone number (e.g. mobile phone, home 

phone) as a hot-desk phone. When the hot-desk user is not logged into one of the system’s hot-desk 

handsets, the system automatically routes the call to the external telephone number. As a ‘virtual’ 

extension, the external device user shall have access to extension dialing along with other system 

620

esources such as voicemail. The Service shall enable the ‘presence’ state of the external number to be 

treated the same as an internal number. 

Specialist Telephony 

The Contractor recognises that there is a wide range of specialist telephony devices required within 

a Customer telephony deployment, ranging from lift phones and phone lines used for alarms, fax 

machines, and accessibility phones. During site surveys, the Contractor shall gather the requirements 

for each of these specialist devices and propose an appropriate solution. 

There are a number of options available to: 

· Retain existing analogue Direct Exchange Lines, for lift phones, fax machines etc; 

· Retain existing digital ISDN lines, for BRENT phones; 

· Deploy analogue to IP gateways, to allow an analogue device to be connected to and managed 

by the hosted voice platform. Compatible devices include analogue phones (including specialist 

phones to support Assistive Technology requirements). 

Assistive Technology 

The Contractor shall make available to the Customer a range of solutions for users with particular 

telephony needs, including “big-button” phones and text-based telephones. The Contractor shall review 

specific requirements for these users at the time of the site survey and determine the most appropriate 

solutions. 

Ministerial “Listen and Speak” 

The Contractor’s Voice Services shall provide a Ministerial “Listen and Speak” capability. The 

features of this service shall include: 

· Join-in Parties (i.e. the aides to the minister) can join, in either “conference” or “listen” mode, 

through the use of a key 

· If the Principal Party (i.e. the minister) hangs up, then the conference is cleared 

· Single press of the “privacy release” key by the Principal Party is required to make the call nonprivate, 

so that all Join-in parties can easily participate in the conference. 

Reporting 

The Contractor shall provide the following to the Customer for each Service Level Period: 

· A consumption-based bill in a standard format 

· Service uptime report (availability of PSTN interconnect, Voice Service platform and 

applications) 

· Summary of Incidents (including root-cause analysis for Severity 1 Incidents upon request) 

· Summary of service requests for the period and associated charges 

· Schedule of planned work. 

Collaboration and Tools 

The Contractor’s Collaboration and Electronic Document and Record Records Management (EDRM) 

Service, based on Microsoft SharePoint, shall offer the following high-level features: 

621

· Secure Collaboration - Allows teams to collaborate on and publish documents, maintain task 

lists, implement workflows, and share information through the use of wiki and blogs 

· Records Management - Provides the ability for users to declare content as formal 

records. Once objects are declared as records, retention policies and audit trails shall be enabled 

to meet compliance requirements 

· Information Protection – Applies hierarchical control of who can access read and share 

documents and information. This shall permit a structured approach to document security by 

controlling access by groups rather than individual users 

· Metadata Management - Applies key business data terms and structures to content through 

the use of centralised services to all components of the SharePoint solution 

· Metadata and Content Search – search for people, expertise, and content within the EDRM 

environment. 

The Services shall be hosted in geographically separated Contractor data centres with redundant 

network architecture. Data centres shall act as mirror backups for each other: if one fails, the affected 

users shall be transferred to another data centre with limited interruption of service. The Service shall 

proactively monitor for faults in the environment, moving running instances to another location, 

transparently to the user. 

The Contractor shall also offer Collaboration and EDRM Professional Services which shall include: 

· SharePoint Exploitation. Advice and assistance in using an enterprise-scale Collaboration and 

EDRM Service to meet the Customer’s organisational needs, and building a roadmap for future 

exploitations. This Service shall also assist in making use of the Compliance Extender from 

Automated Intelligence included with the Collaboration and EDRM service to customise a set of 

templates, and in implementing a tailored Information Governance structure and process that 

complies with industry and government standards 

· Training Service. Customised and tailored SharePoint and EDRM training sessions for 

administrators, in-house developers and users, to suit the needs of each Customer 

· Data Migration Service. Specialist consultancy and technology to manage the migration of 

existing content both onto the Collaboration and EDRM system, and off it in the event of a 

migration to another service. This shall involve managing metadata transfer as well as raw 

content, handling of de-duplication, and management of additional elements such as retention 

policies and permissions 

· Service Integration Service. A validation and integration service for ‘add-ons’ such as third 

party Webparts. These may have been utilised on a Customer’s previous implementation of 

SharePoint, or to implement specific additional features not present in the Collaboration and 

EDRM Service. This Service shall include a security assessment to ensure that add-ons comply 

with appropriate guidance and to maintain the integrity of both the Customer’s and the overall 


Internet Service 

The Contractor is a Tier-2 Internet Service Provider, with peering to other UK ISPs via the London 

Internet Exchange (LINX) and transit connections to two global Tier-1 Internet providers. It shall offer 

Customers a range of Internet connections from 2 Mbit/s upwards, terminating in Customer sites or in 

Contractor hosting environments supplied under the Collocation and Hosting Services. It shall also offer 

622

Customers the option of protective measures such as firewalls, intrusion prevention and email content 

scanning, through the application of the Security Services described below. 

Email Services 

Messaging as a Service 

The Contractor shall offer Messaging as a Service, a Microsoft-based cloud email service, on a payper-use 

basis. 

The Contractor shall assess the impact and value of deploying the Messaging as a Service solution 

within the Customer’s business. During the planning phase, the Contractor’s consultants shall conduct a 

workshop to determine the Customer’s business objectives and existing infrastructure, licensing 

ownership and agreements. During the reporting phase, they will use the information gathered from 

the workshop and shall create an assessment report that describes the impact of deploying the 

Messaging as a Service solution. 

There shall be two platform options for Messaging as a Service: Enterprise and Dedicated: 

· Under the Enterprise option, Customers shall share email infrastructure with other Customers, 

benefiting from the lower costs of a shared platform 

· For Customers with specific requirements, the Dedicated option shall allow email to be 

customised and integrated within existing IT services. The dedicated email platform may be 

located in the Contractor’s data centres, or implemented as a private cloud service on Customer 

premises. 

Messaging as a Service shall offer a range of flexible mailbox options. Customers may select Gold 

and Silver options that include anti-virus protection, mailbox backup and also a range of optional addons 

such as archiving, compliance enforcement, BlackBerry and fax support. If required, data shall be 

stored and replicated across multiple data centres to ensure availability. 

Mailbox Service 

The Contractor shall offer a Mailbox Service, providing Post Office Protocol and Internet Mail Access 

Protocol (POP3 and IMAP) mailboxes. These shall be accessible using standard email clients, a dedicated 

client and mobile devices, or via a Webmail interface with features including address book, calendar, 

task list and document sharing. The Service shall be available on both shared and dedicated 

infrastructure. 

Website Services 

Simple Website Service 

The Contractor shall offer a Service to allow Customers to create simple webpages that shall be 

available to other PSN users at the appropriate Impact Level. 

The web-authoring interface will help Customers to create web content; its features shall include: 

· Pre-written templates. A range of pre-built site designs to allow sites to be created more 

quickly 

· On-screen editor. A built-in WYSIWYG editor that works like a word processor, so users do not 

have to learn new skills. It includes drag-and-drop capabilities for adding images, text boxes, 

menu items, etc 

623

· Colour selector. With the colour selector, the user can change the template’s entire colour 

scheme to better match Customer corporate colours or style guidelines. 

Self-service control panels shall allow Customers to perform many operations (such as managing 

users, roles, passwords, and permissions) without Contractor intervention. 

Complex Website Service 

The Contractor shall create web interfaces and infrastructure to meet complex Customer 

requirements. These bespoke Services may include elements such as: 

· Active content 

· Complex scripting and data validation 

· User authentication 

· Back-end databases 

· User personalisation 

· Integration with Messaging Services 

· Integration with external Customer systems (see below). 

The Contractor shall provide Customers with any or all of the following Services for complex 

websites: 

· Design, build, implementation and test of software solution 

· Design, build, implementation and test of hardware infrastructure 

· Hosting of the infrastructure 

· Update and modification of existing software and/or infrastructure 

· Basic monitoring and health-checks 

· Full infrastructure and service management. 

Integration and Connectivity Server Service 

The Contractor shall offer an Integration and Connectivity Server Service based on BizTalk Server, an 

integration and connectivity server solution. The Service can be hosted within the Contractor’s 

environment or the Customer’s. BizTalk Server-related Services shall include: 

· Technical Consultancy Services: Review of the overall estate of a Customer to produce a 

recommended roadmap for joining up Customer systems. This review shall assess the scale and 

scope of required integration and shall make recommendations on whether Point-to-Point 

integration is appropriate or whether a full Enterprise Service Bus is required 

· Architecture Design And Implementation Services: 

624 

· BizTalk Architecture – the Contractor shall design the overall structure of the system 

required to support the Customer’s strategic or tactical needs 

· BizTalk Design – the Contractor shall produce the detailed schema, mapping, 

transformation, pipeline and orchestration designs 

· BizTalk Implementation – the Contractor shall implement the solution based on the 

designs that have been produced. The finished solution shall be taken through an agreed 

test regime prior to roll out on the live environment

· Support and Monitoring Services: the Contractor’s BizTalk specialists shall provide first through 

to fourth-line support to Customers as well as monitoring of live systems. 

Collocation and Hosting Services 

The Contractor shall offer a range of data centre Services from a basic managed Collocation Service 

up to and including a fully managed Hosting Service depending upon the Customer’s 

requirement. These Services shall allow the Customer to host their servers and workloads in a secure, 

reliable and managed environment. The Contractor’s Services shall be compliant with ISO/IEC 20000 

standards and conformant with ITIL, and, where required by the Customer, conform to Uptime Institute 

Tier III level. 

The Contractor shall provide basic managed service plus a managed wrap (‘dark site service’), in the 

form of an SLA-governed managed service, which shall include some on-site proximity deliverables. This 

removes the need for the Customer to procure non-technical floor space for build, tape storage and 

general storage as the Contractor shall provide or manage all of this. 

The managed Collocation Service racks shall have a standard power and cooling provision of 4 kW 

per rack, which can be upgraded to 10 kW at an additional cost. There shall also be a module design of 

20 racks at a capability of 20 kW per rack for high-density solutions in one of the Contractor’s London 

data centres. 

Smart Hands Service 

The basic managed service shall include Smart Hands Service supported by the 24x7 on-site 

operations teams in the Contractor’s data centres. The onsite staff shall be available to assist the 

Customer in performing the common day-to-day activities that require hands-on access to the systems. 

The Smart Hands Support shall include the following basic operations: 

· Power cycling of the Customer IT equipment 

· Pressing of reset or other readily accessible buttons or switches 

· Reconfiguration of non-restricted cables with push-on connectors 

· Visual verification of Customer IT Equipment status 

· Delivery of Third Party Escort Services in the Contractor’s Data Centres for emergency 

situations only 

· Delivery of Tape Handling Services in the Contractor’s Data Centres 

· Space and cooling assessments in the event of a request for change 

· Escort and expert supervision of authorised Customer, Contractor and third party staff as part 

of secure access control measures. 

Backup and Media Management Service 

This Service shall include: 

· Tape/media handling in support of the backup timetable agreed with the Customer, comprising 

insertion and removal of tapes from the Customer’s hardware backup devices to an agreed 

offsite storage location. 

· Tape/media handling in support of data recovery comprising removal of relevant tapes from 

the offsite storage location and insertion into the Customer’s hardware backup devices 

· On and offsite media labelling, storage and fire-safe management 

625

· Archiving and recycling tape/media management to agreed timetable as described in the 

Service Schedule. 

Data Centre Administration – Space and Capacity Planning 

The Services shall include: 

· Asset/inventory and configuration management of the Customer’s hardware located on the 

Contractors premises 

· Data centre capacity and space planning, to ensure optimum use of space for the Customer’s 

requirements whilst meeting Uptime Institute good-practice guidelines with respect to weight, 

power and heat distribution 

· Use of the Aperture tool to maintain the configuration management database of collocation 

hosted servers. 

Managed Hosting Service 

The Contractor’s Managed Hosting Service shall offer a range of capabilities, including design 

guidance, improvement programmes, individual managed services and full outsourcing of data centre 

infrastructure, operations and premises. The Service shall include, where required: 

· Management of the data centre environment 

· Incident and Problem handling for the data centre 

· Acceptance and service establishment of the Customer’s specified hardware configuration 

within the Contractor data centre 

· Operational support activities including operating system and application monitoring 

· Incident and Problem management for Customer systems through an appropriate Contractor 


· Support of change, configuration, Problem and Incident management activities in relation to 

managed services 

· Media handling and storage management including tape loading, offsite storage and recycling 

of media. 

Data Centre Facilities 

The Contractor shall provide data centre facilities built to comply with HMG standards covering 

physical and personnel security measures such as: 

· Segregated data halls designed, built and designated for Government business 

· Physical security measures including cages 

· Access and control measures 

· Operational processes and audit 

· Staff security clearance. 

The systems that control these measures shall contain strong user authentication and access 

controls so that they cannot be easily compromised. The administration functions of the systems 

contained within the Contractor’s premises shall also have similar strong user authentication and access 

controls to provide further defence for the systems if the physical controls have been compromised. 

Security and resilience features at each data centre site shall include a minimum of: 

626

· 24 x365 security monitoring by specialist staff 

· Perimeter barriers, turnstile access and CCTV 

· Infra-red movement detectors 

· Internal access controls via swipe card or fingerprint controls 

· Standby power generators 

· Water leakage detection and control systems 

· Smoke detection and response systems. 

All sites shall have built-in resilience of key environmental features such as power and 

cooling. Service continuity within the data centres shall be managed through the planned preventative 

maintenance schedules for each data centre. 

On-line Storage Services 

The Contractor shall offer its Storage Managed Service (SMS) to provide Customers with a flexible 

data storage system on a pay-as-you-go basis. There shall be four versions, designed for specific data 

storage types: 

· SMS Capacity - tiered storage in a Storage Area Network environment including SCSI and SATA 

drives in a standard RAID storage model accessed by Fibre Channel. The storage types can be 

blended to optimise storage tiering and cost performance. It is normally co-located in the same 

data centre as the servers to provide performance, availability and fault-tolerant configurations 

· SMS File Services - a standard solution for file-based storage requirements. File shares can be 

made accessible to users as networked drives 

· SMS Archive – a data archive service with records management, storage management, security, 

audit and search, tiered from bulk archive repository up to the top tier for high-speed records 

searching. Platform integrations for applications include; Microsoft Exchange, Lotus Notes, SAP, 

MOSS and imaging systems 

· SMS Data Protection - a disk-based backup and recovery service providing faster operation than 

tape-based systems and enabling data de-duplication to reduce the amount of stored 

data. Daily and weekly backups shall be retained for 28 days as standard, with options for longer 

periods. 

SMS shall offer the following standard features: 

· Data transfer shall be free of charge (uploads & downloads) 

· Includes one increase or decrease in storage capacity per host per month 

· Capacity changes shall be applied in 1 working day 

· Capacity may be increased by up to 10% per month. Unlimited increases shall be available with 

3 months’ notice. 

· Unlimited capacity decreases for shared storage 

· Customer data shall be processed and stored only at the agreed data centre locations, 

auditable by the Customer and their official regulator 

· Usage reports shall be provided monthly. 

SMS shall offer the following options: 

627

· Replicated storage in another nominated Contractor data centre, including real-time or delayed 

data mirroring 

· Network optimisation and application acceleration 

· Capacity planning assistance 

· Customised service reports and compliance reports 

· Information management consultancy and assistance 

· Assistance to set-up SMS, including data migration 

· System management of Customer production workloads. 

SMS shall be available as: 

· A shared service, hosted in the Contractor’s data centres 

· A dedicated service, hosted in the Contractor’s data centres 

· A dedicated service, hosted in the Customer’s data centres. 


The Contractor shall provide a portfolio of Security Services based on security products from a range 

of vendors. It shall utilise its own professional services to support the assessment of risk, define 

requirements, provide technical and service design and architecture as well as ensuring the effective 

deployment and operation of the Security Services. 

The Security Services shall be monitored and supported 24x7 and shall be delivered as either on-site 

capabilities or network-based services. The Services shall include reporting, incident response, 

remediation, advice and guidance from the Contractor’s Security Operations Centre. 

The following table shows the Services that shall be available: 


Firewalls This Service shall offer a range of managed firewall capabilities to 

provide protection against unauthorised access to information assets. 

Intrusion 

Detection Systems 

(IDS) and Intrusion 

Prevention Systems 

(IPS) 

Security 

Information and 

Event Management 

(SIEM) 

628 

This Service shall offer appliances and software to monitor network 

traffic for malicious activity, provide security alerts for analysis and 

remediation, and block threats in accordance with the defined security 

policy. 

This Service shall underpin security compliance (CESG Good Practice 

Guide 13) through the collection, storage, correlation and analysis of log 

information from a range of security and other devices. It shall provide 

the core components for the prevention, detection and remediation of 

security incidents as well as enabling retrospective analysis to support 

security investigations. 

Web Security This Service shall protect the Customer against inbound and outbound 

web-based threats (anti-malware, spam, worms, botnets etc.) and enable

Endpoint 

Security 

629 

enforcement of web usage in line with the defined security policies and 

acceptable-use policies. It shall also block inbound web content that is 

not within the security policy. 

This Service shall ensure consistent endpoint protection across the 

Customer’s estate to meet malware threats, provide a consolidated view 

of the application of endpoint security and report any security alerts. The 

Service may include antivirus and anti-spyware, application and device 

control, desktop firewalls, host intrusion prevention and network access 

control. 

Email Security This Service shall protect the Customer from inbound and outbound 

email threats (including spam, malware, phishing etc.) and may also 

enforce security policies (including data leakage and acceptable use 

policies). 

Vulnerability 

Assessment 

Data Loss 

Prevention 

This Service shall scan the Customer’s infrastructure to identify and 

prioritise any known vulnerabilities. The scope of the vulnerability 

assessment shall be customised and the Service shall provide a detailed 

report containing advice on remediation options to enhance the 

protection of information assets. 

This Service shall protect against loss of sensitive information and 

subsequent reputational damage through the enforcement of defined 

policies, to mitigate the risk of sensitive data loss and also to report on 

compliance requirements. 

Authentication This Service shall provide the primary method for users to claim and 

verify their identity to systems. It shall be capable of supporting multiple 

factors as required by the Customer to provide additional assurance, 

which may include: one-time passwords; physical tokens; soft tokens; 

biometrics; out-of-band components. 

Access 

Management 

Web & 

Application Sign-on 


This Service shall provide a range of means and mechanisms to enable 

the Customer to define and control who has access to what 

information. Access rights and permissions may be applied by rules or 

roles or a combination of both, and the Service shall provide 

administration services to allow them to be controlled securely. 

These Services shall provide the means whereby Customer users can 

access both internal and external applications and services (such as cloudbased 

software-as a-service platforms) securely without being challenged 

for additional user credentials. The Service may extend to enable access 

to those applications and services from a range of devices including 

laptops, shared devices (e.g. Internet café access) and mobile devices such 

as smartphones and tablets.

CLAS 

Professional Security 


Identity and 

Access Management 

consultancy 

Business and 

Service Continuity 

630 

CLAS is the CESG Listed Adviser Scheme - a partnership linking the 

Information Assurance (IA) knowledge of CESG with the expertise and 

resources of the private sector. The Contractor shall provide CLAS 

Professional Security Services fulfilled by CLAS-accredited individuals with 

experience of designing and operating protectively marked systems. The 

CLAS Professional Security Services shall include the following service 

types which can be tailored to meet the Customer’s specific requirements: 

· Information Security Reviews. Assessment of alignment of 

existing policy with the requirements of the Security Policy 

Framework or a review of the Customer’s current security 

arrangements. This Service defines any shortfalls coupled with a 

detailed improvement plan. 

· Development and review of Risk Management and Accreditation 

Document Sets (RMADS) 

· Risk Assessment & Treatment Planning 

· IT Health Check planning and guidance 

· Advice on ‘off-shoring’ data 

· Strategies, solutions and services for realising protective 

monitoring within an organisation 

· System Decommissioning Services 

· Codes of Connection reviews 

· IA Maturity reviews and IA strategy development 

· Provision of experienced staff to take on senior security coordination 

roles or accreditation roles 

· Understanding and specifying security requirements within 

contracts 

The Contractor has staff experienced in the use and deployment of 

identity lifecycle management, and shall provide focussed consultancy to 

help Customers overcome their identity and access challenges, reduce the 

risk and impact of unauthorised access, enable secure mobility, realise 

business efficiencies and ensure regulatory compliance 

The Contractor shall provide consultancy Services to assist Customers 

to develop continuity strategies, then build, deploy and validate them to 

meet Customer requirements. The Contractor shall also provide 

continuity testing Services to ensure that the implementation meets the 

agreed continuity requirements ready for live operation. 

The Contractor shall provide an assurance programme, including 

audits, reviews and on-going testing, to help ensure that an effective 

response continues to be available to meet the continuity 

requirements. The approach shall align to industry compliance standards 

such as BS25999, BS25777 and ISO/IEC20000.

Security Review The Contractor shall provide Services that deliver an independent 

review of the current security status coupled with a clearly defined plan of 

action, tailored to the Customer environment. It shall identify the 

effectiveness of the security controls in place to protect critical assets, 

sensitive data stores and business critical interconnections. Reviews shall 

also include audits against regulatory requirements (e.g. PCI DSS), 

standards (e.g. ISO 27001), best practices, HMG policies and any relevant 

external parties’ codes of connection. Additionally, the review can focus 

on areas such as Data Loss Prevention (DLP) and Governance Risk and 

Compliance (GRC). 

Cloud Security 

Review 

Governance Risk 

Management and 

Compliance 

631 

The Cloud Security review shall provide an in-depth security 

assessment of a Customer’s current security situation regarding the 

delivery of cloud services, or the potential to move IT services and data 

into a cloud-services platform. Guidance shall be given in the selection 

and application of appropriate safeguards to meet Customer-defined 

security fundamentals, to helps the Customer meet its business objectives 

or mission by protecting its physical and financial resources, data, 

processes, reputation, legal position, employees, and other tangible and 

intangible assets in a cloud environment. 

The Contractor has staff experienced in the operation of, and working 

within, risk and compliance governance frameworks. The Contractor shall 

provide professional consultancy services to support Customers in 

establishing or maintaining their Governance and Risk Management 

systems (technical, commercial and security), and understanding their 

compliance obligations and determining remediation activities needed to 

reach or maintain compliance 

VPN Services VPN services ensure secure transit of information and enables secure 

remote and flexible working. The Contractor shall provide secure VPN 

services for remote access. Types of VPN solutions may vary according to 

Customer requirements, but include solutions suitable for corporate 

environments and suitable and accreditable in government environments 

up to Impact Level 4. 

Encryption 


Security Services Management 

The Contractor shall provide encryption products and services to 

protect Customer data in transit (on networks) and at rest (on endpoints) 

using appropriately certified and approved products suitable for corporate 

environments and suitable and accreditable in government environments 

up to Impact Level 4. 

The Security Services shall be integrated with resolver groups within an ITIL framework and be able 

to provide a consolidated view of security. Operation of the Services shall include:

· Maintenance of the Security Service including proactive and reactive support including: 

632 

· Patching and version upgrades 

· Monitoring for system health and utilisation 

· Remediation of faults 

· Malware protection updates 

· Tuning 

· Policy change management 

· Monitoring of security devices for threats, anomalous traffic or activity to enable a centralised 

view of security alerts and incidents to provide situational awareness across multiple accounts 

and services. This incorporates: 

· Event Analysis – Upon detection, security events shall be analysed to ascertain if they 

need to be upgraded to a security Incident for further action 

· Security Incident Categorisation – If the event is defined as a security Incident, it shall be 

categorised considering the cause, priority, potential impact and the urgency of response 

· Security Incident Response – The security analysts, resolver groups and service 

management team, plus identified Customer stakeholders as defined within the 

overarching Service Design and communications plan, will agree on the most appropriate 

course of action. When a course of action has been implemented, its effectiveness in 

resolving the Incident shall be assessed so that if the chosen course of action is not 

effective, further course/s of action can be taken. The security Incident shall be tracked to 

resolution 

· Post Incident Analysis - After each security Incident, post-Incident analysis shall be 

undertaken to: 

· Ensure that the conduct of the investigation was appropriate 

· Consider lessons identified, where conduct of the investigation could be improved 

· Ensure that all mitigating actions have been taken 

· Determine if any preventative measures are required to prevent repetition of 

security Incidents or events of a similar nature 

· Reporting on the Security Service performance, incidents and trends. 

Real-Time Information Systems 

The Contractor shall offer its Digital Media Network (DMN) service to allow Customers to provide 

information to their users and clients. 

Digital Media Network (also popularly known as Digital Signage, in-house TV and Digital Out Of 

Home) is a business solution enabling an organisation to manage and schedule the playback of 

multimedia content, combined with other sources of information and feedback, from a central location 

to a wide estate of remotely connected playback devices and associated display technologies. 

The DMN Service shall provide a centrally hosted storage and management facility, softwarecontrolled 

to allow individual multimedia files to be assigned to specific locations and screens within a 

playback schedule. Authorised users from remote locations shall be able to undertake administration of 

the system. The system shall provide a monitoring and reporting environment to manage the operation 

and to respond in the event of disruption, however caused.

Once scheduled, the system shall manage the distribution of relevant information across the 

networking environment, delivering content and operating instructions to playback devices associated 

with a wide variety of display technologies. The Contractor shall offer assistance to allow the Customer 

to select the most appropriate technologies to communicate in an effective and efficient manner to its 

target audience. 

In addition to distributing pre-prepared multimedia content to screens in remote locations, the 

DMN Services shall integrate with other systems and sources of information, allowing the display of 

dynamic and relevant content: 

· Integration with web-based RSS data 

· Third party databases, POS and information systems 

· Bluetooth, SMS, Q-Code and NFC/RFID integration 

· Integration of User Generated Content and social media 

· Localised information from local IT systems 

· Queue, appointment and call management optimisation systems 

· Live streamed video. 

As well as to communication-to-many via large display technologies, the DMN Service shall also 

offer interactive solutions: 

· Kiosks: interactive kiosks are an electronic communications tool that enables clients to serve 

themselves – accessing information, making purchases, etc. The Contractor shall offer 

customised, end-to-end interactive kiosk solutions to meet the needs of Customers and their 

clients by handling enquiries and transactions. 

· Multi-concurrent multi-touch surfaces: A hybrid between talk-to-many interactive digital 

signage screens and personal-space transactional kiosks, multi-touch surfaces provide a tabletstyle 

touch interaction to multiple users simultaneously. The Contractor shall offer applications, 

developed to take advantage of the interface, that engage clients and streamline transactional 

interactions. 

Messaging Services 

Desktop Messaging 

Desktop Instant messaging shall be offered under the Voice Services described above. While these 

are normally deployed as part of a unified communications solution, the desktop messaging and 

presence features shall be available separately. 

Messaging Gateway 

The Contractor shall offer a Messaging Gateway Service that supports the following message types: 

· SMS (UK and International) 

· Email 

· Pager – both UK networks 

· 2-way pager 

· Landline 

· Text-to-speech 

633

· Location requests - using mobile network location or GPS 

· Smartphone instant messaging app 

· Voice broadcast 

The desktop element of the Service shall include a master account, and child/user accounts that 

include the following features: 

· Send to individual or group 

· Send to any combination of SMS, pager, smartphone, email, landline 

· Address book – including user-defined custom fields 

· Create/edit message templates 

· Create and edit broadcast lists 

· Create multi-rule search filters 

· Pre-scheduled messages 

· Outbox message log, including delivery status 

· Inbox for SMS, 2-way pager and email replies, with auto-forward option to SMS/email 

· Reporting with export options 

Optional Service elements shall include: 

· Outbound voice broadcast 

· Location-based service including mapping 

· Campaign manager with shortcode/keyword campaigns 

The Service shall also offer a range of documented Application Programming Interfaces (APIs) to 

allow third party software and systems to integrate with the messaging gateway. APIs supported shall 

include: 

· SOAP/XML 

· REST 

· SMTP 

· SNPP 

· SMPP 

· TAP (dial-up). 

Definitions Of Terms 

Term Definition 

ACD Automatic Call Distribution – the automated handling of inbound calls based on 

a set of business rules 

API Application Programming Interface – a specification of the data structures and 

routines that an application supports to allow other applications to communicate 

with it. 

634

BRENT A range of encrypted telephones used for secure calls over ISDN lines. 

CCTV Close Circuit TeleVision; generic term applied to surveillance monitoring 

solutions applying generally to all IP based surveillance systems as well as legacy 

coaxial through to NDVR solutions 

CESG Communications-Electronics Security Group – the Information Assurance group 

within the Government Communications Headquarters. 

CLAS CESG Listed Advisor Scheme – a CESG-maintained list of security advisors who 

have been accredited to give advice on aspects of UK government security. 

DDI Direct Dial-In – a telephone extension that has an associated PSTN number, so 

external callers can dial directly to it without going via an operator 

DEL Direct Exchange Line – an analogue connection to the PSTN, i.e. a traditional 

phone line. 

DISA Direct Inward System Access – a system used to make external callers appear to 

be local extension users. 

DLP Data Loss Prevention – techniques to avoid the accidental or deliberate leakage 

of sensitive information outside its security domain. 

DMN Digital Media Network – a service offering digital signage, information displays, 

kiosks and other forms of public information and interaction. 

DTMF Dual-tone multi-frequency; used for telecommunication in-band signaling over 

analogue telephone lines between telephone handsets and other communications 

devices and the switching center. 

EDRM Electronic Document and Records Management – a system for the control, 

protection and retrieval of electronically held information. 

Fibre 

Channel 

635 

A networking technology for storage systems. 

GPS Global Positioning System – satellite-based geographic location service. 

GRC Governance, Risk management and Compliance – the approach an organisation 

takes in managing these areas, and how it integrates them. 

IA Information Assurance – the study and management of risk in an informationhandling 

environment. 

ID Identification

IL Impact Level 

IL2 Impact Level 2-2-x for Integrity, Confidentiality and availability (PROTECT) 

IL3 Impact Level 3-3-x for Integrity, Confidentiality and availability (RESTRICTED) 

IL4 Impact Level 4-4-x for Integrity, Confidentiality and availability (CONFIDENTIAL) 

IMAP Internet Mail Access Protocol – a protocol used to synchronise email between a 

mail client and server, so that both hold the same data. 

IP Internet Protocol; primary protocol for the transmission of data packets across 

computer-based networks 

IPT Internet Protocol Telephony – the processing and transmission of voice calls as 

IP data streams. 

ISDN Integrated Services Digital Network; a set of communications standards for 

simultaneous digital transmission of voice, video, data, and other network services 

over the traditional circuits of the public switched telephone network. 

ISO International Organization for Standardization – the international body 

responsible for setting global standards. 

IT Information Technology 

ITIL Information Technology Infrastructure Library (ITIL); a suite of practices for IT 

service management aligning IT services with the needs of business 

LAN Local Area Network – a local network within a building or a campus, normally 

based on Ethernet. 

LINX London INternet eXchange – a pair of national peering points between all major 

UK ISPs, used for the exchange of Internet traffic between their customers. 

PBX Private Branch Exchange 

PCI-DSS Payment Card Industry Data Security Standard – a standard for the secure 

handling of cardholder information when processing card payments. 

PIN Personal Identification Number – a multi-digit number (usually a minimum of 4 

digits) used to verify the identity of a user. 

POP3 Post Office Protocol version 3 – a protocol used by email clients to retrieve email 

from a server 

636

Presence An indication of the current state of a user, whether they are online, offline, 

active or away from their device (computer, phone, etc.) 

PSTN Public Switched Telephony Network – the public phone system 

Q&A Question and Answer. 

RAID Redundant Array of Inexpensive Disks – a set of disk drives that appear like a 

single larger or faster drive by spreading data across all drives, often with duplication 

or other data-integrity protection measures. 

REST REStructured Text – a simple markup language, related to the Python 

programming language 

R-Factor Measure of voice call quality, based on the percentage of users satisfied with the 

quality of a test signal sent over the network. 

RMADS Risk Management and Accreditation Document Set – the formal documentation 

associated with risk assessment and security accreditation. 

SATA Serial Advanced Technology Attachment– a standard for connecting disk drives 

to a computer. 

SCSI Small Computer Systems Interface – a standard for connecting disk drives to a 

computer. 

SIP Session Initiation Protocol – an open-standard protocol used to set up calls in IP 

Telephony. 

SLA Service Level Agreement – an agreed set of performance metrics that a service 

should deliver. 

SMS Either: Short Message Service – 160-character text messages over mobile 

networks, or Storage Managed Service – the Contractor’s cloud-based storage 

service 

SMTP Simple Mail Transfer Protocol – a protocol used to send and relay email between 

mail servers. 

SNPP Simple Network Paging Protocol – a protocol for sending messages to pager 

devices over the Internet. 

SOAP Simple Object Access Protocol – a protocol for exchanging information between 

Web-based applications 

637

Softphone 

, Soft Client 

638 

A software application for use in IP Telephony that emulates a phone on a user’s 

desktop or laptop computer 

TAP Telocator Alphanumeric Protocol – a protocol for sending alphanumeric 

messages to pagers or mobile phones 

TDM Time-Division Multiplexing – a technique to allow multiple signals to share one 

communications channel, allowing them equal time on the channel by taking turns. 

UPS Uninterruptable Power Supply; electrical device providing temporary emergency 

mains power to a system should mains power fail 

VPN Virtual Private Network – a private network created over a shared infrastructure 

using encryption or other data-separation techniques. 

WAN Wide Area Network – a network that runs between different locations (buildings 

or campuses). 

WYSIWYG What You See Is What You Get – a term used for content editing software that 

continuously shows the user how the document will appear. 

XML eXtensible Markup Language – a language used to create data structures that 

allows the creator to define their own extensions to the basic elements.

Global Crossing 

Level 3 has been providing a comprehensive range of traditional and IP based voice service to 

Government for over 15 years via the MTS and MTCF frameworks. As a MTCF provider Level 3 

currently has over 50,000 voice end-points in service with various Government departments 

with over 200,000 voice desktops in place across the public sector. 

Level 3 continues to invest in communications services and has the core capability to deliver a 

wide range of voice and communications services to support evolving customer requirements. 

Level 3 has key technical and commercial resources at various levels ensuring that we are at 

the forefront of technological and pricing benefits. Utilising Level 3’s knowledge and experience 

within the Government sector and our legacy customer base we have developed a service 

offering to meet Government department needs in this area. 

Level 3 understands that communications services must be flexible, tailored to meet 

communication needs, compliant with regulation and corporate governance and also aligned 

with PSN and industry standards. Most importantly, we know that services should simply work – 

seamlessly facilitating our customers’ changing communication needs. We will use our 

expertise in communications services to ensure that the customers get the service they require 

whilst also driving long term value for money. 

In summary the Level 3 communications service covers:- 

639 

Supply, installation, delivery, design, maintenance and support services 

Traditional and IP based services using our own infrastructure 

Voice call packages and call preference services 

Conferencing services including desktop video conferencing 

Internet service 

Email, website services, co-location and hosting 

On-line storage 

Security services and anti-virus 

Email scanning and detection 

Firewalls 

Intrusion and spyware detection 

Authentication and access management 


These services can be provided as commodity or managed services. 

Delivery Services 

It is recognised that one of the key tenets of PSN is guaranteed interoperability and to ‘make it 

work’. Level 3 has a broad range of delivery services designed to minimize risk and guarantee end to end 

SLAs.

In the UK we have more than a thousand Security Cleared (SC) staff and we sponsor over one 

thousand eight hundred SC clearances across contractors and suppliers. The majority of this operation is 

dedicated to supporting Government managed service customers giving us a strong base from which to 

deliver PSN services. This capability is complemented by several List X sites and a resilient data and 

command infrastructure cleared to operate IL3 and IL4 services. 

As an organisation comprising of more than ten thousand staff we are able to draw upon 

experienced resources where necessary to assist with the design, development, supply, installation, 

delivery and support of products and services for PSN. 

Level 3 offers a range of delivery, service and professional services capabilities relating to security 

for networks and accredited applications, and is already a leading trusted supplier to the UK public 

sector. Our organisation is staffed with fully qualified and experienced communications professionals 

covering all elements of the government security requirements from IL2-2-4 through to IL4-4-4. Staff are 

evaluated and chosen using the strict Level 3 vetting process ensuring full government security 

clearance at whatever level is applicable. 

Level 3 implements and adheres to the principles, standards and guidelines for the delivery of 

services as described in the ITIL framework. 

Level 3’s support model operates with a dual centre 24x7x365 service desk and network operation 

centre for incident management. Both support centres are UK based and have full capabilities to take 

on management in a disaster recovery/business continuity situation. The network operations centres 

proactively manage incidents identified through network monitoring tools and alarms. 

640


The Level 3 project management process is based on the PRINCE2 methodology but is modified to 

meet customer needs, a practice that is encouraged by PRINCE2. 

Level 3 has a strong track record of delivering large scale projects into the Government sector and is 

currently engaged with large consolidate and build projects in HMRC and MOJ. We can call on excellent 

resources and skill sets which can be demonstrated with the following breakdown: 

641 

40 in-house project management professionals and a pool of external professionals on whom 

we can draw 

Project leader/stage manager to programme director 

95% PRINCE2 accredited to practitioner level 

OGC Change Management, MSP (Managing Successful Programmes), MoR (Management of 

Risk) and PMO specialists 

80% of our professionals are security cleared 

20% of our professionals are multi-lingual 

Experienced, seasoned professionals with track records of implementing projects to time, 

budget and quality 

The disciplines of formal project start-up, initiation, transition, monitoring and closure are key 

stages of the project life cycle and are managed by a project manager qualified to a PRINCE2 practitioner 

level. Each project is controlled during its life cycle by adherence to the five generic project stages from 

which specific deliverables will be forthcoming. 

These five project stages are depicted in the following figure:

642 

Project Lifecycle Diagram 

Level 3 recognises that a successful PSN Services provider will understand 

and be committed to the overall programme and vision, including the 

delivery of services. Our on-going experience in delivering PSN 

compliant programmes and our commitment to best practice service 

delivery mean that Level 3 is fully aligned with the PSN vision. 


One of the key elements of the PSN programme is guaranteed interoperability and service level 

agreements. Level 3 takes this seriously and has an ITIL based service management methodology. 

The purpose of Level 3’s service management function is to provide a positive service management 

experience that develops and maintains positive long-term customer relationships. It provides on-

demand and proactive service support to customers whose unique set of service requirements drive the 

need for a close working relationship. 

Large PSN projects will be allocated a service manager, whose role is to be the client facing contact 

for the on-going service level and service performance reviews. With over 30 ITIL qualified service 

managers in the UK, the majority of whom have experience working with Government departments, we 

have a considerable resource pool and knowledge base upon which to provide flexible levels of service 

management for PSN. 

The Level 3 service management model is further explained in the diagram below: 

643 

Enhanced & Premium Service Management overlay - 

Tailored to customer need, bespoke, flexible, proactive, experienced, 

dedicated, ITIL qualified Service Managers 

OR 

Standard Service Management overlay – 

UK based team providing single point of contact for assistance & queries 

Incident Mgt Problem Mgt Change Mgt Finance Mgt 

Configuration 

Mgt 

Service Management Model 

Customer’s 


Team 

Customer’s 

Incident, 

Problem, 

Change, 

Finance, 

etc... Teams

When an incident is identified via proactive monitoring on a customer’s network a ticket is opened 

on the Level 3 incident management system to record the event. Automated notification emails can also 

be set up to provide immediate notification of the creation of a fault ticket to agreed parties, as well as 

being entered on to Level 3 customer portal “uCommand”. 

644 

View Tickets in uCommand 

In addition to the proactive monitoring Level 3’s support model also allows for incidents to be 

reported in by the customer’s service desk. Any incident reported into Level 3 will be handled by a 

technical front line team who will attempt first line diagnosis and fix. Where this is not possible, or the

incident is diagnosed as requiring more detailed technical investigation or third party support, the 

incident is transferred to the relevant resolution team. Level 3 has a number of specialist technical 

teams plus a dedicated team to manage third party suppliers. Throughout the incident lifetime updates 

are provided to the customer’s service desk either by email or telephone as well as in uCommand. 

Incident resolution times are calculated from the first report to the Level 3’s service desk until the 

action has been completed by or on behalf of Level 3 to repair the root cause of the incident or a 

workaround has been implemented by the contractor. 

There is an inbuilt escalation procedure in the Level 3 incident management system. This ensures 

tickets nearing their SLA are escalated for closer attention to ensure incidents are resolved within SLA. 

Additionally customers may request an escalation at any time, calling the same dedicated telephone 

number. 

The interaction and reporting provided by Level 3 will be tailored to meet the customer’s needs but 

will focus on the following areas: 

Service Introduction; The process of introducing the service management function, the systems 

available to the client and the process used to agree the detailed service interaction required on a 

regular basis. 

Service Review Meetings; Meetings to review service performance. Service manager to attend 

/chair and minute formal service review meeting and to own actions resulting from meeting. 

Reporting; Production of tailored customer reporting on SLA performance / availability / change etc. 

The output is captured for discussion as an agenda item at the service review meetings. 

645

Service Level Management; Proactive reporting of service level performance and calculation of 

service penalties (where applicable) 

Escalation Management; Single point of contact for customer assistance during escalation 

Operational Reviews; Arrange and chair operational reviews with the customer as required 

Continual Service Improvement; An on-going review of the operational processes to drive 

improvements in customer service experience. 

Service Improvement Plan; Proactive service improvement documented and captured in CSI Plan - 

owned and managed by the service manager in consultation with customer. The output is captured for 

discussion as agenda item at the service review meetings. 

Customer Information Guide; The production and on-going management of customised service 

lifecycle management handbook. 

Major Incident Management and Root Cause Analysis (RCA); To provide major incident 

management contact and production of major incident reports for P1 incidents. Co-ordination of 

associated follow up and closure with problem management 

Problem Management; Working in conjunction with the Level 3 problem management function in 

proactive trending of statistics and information. The output is captured for discussion as agenda item at 

the service review meetings. 

Operational Processes 

646

For effective management of the service a number of key activities will be carried out during the 

entire life of the service and will form part of the review process with the client. 

Change Control: proposed changes are thoroughly reviewed before any action is taken to 

implement the change. 

647 

Level 3 enforces a robust change management process. Its purpose is to ensure that ALL 

changes made to any network owned by Level 3, or for which it has responsibility, are managed in a 

proper, consistent manner, through a single point of contact. ALL changes to the networks 

irrespective of their simplicity or complexity will be managed through the change control process. 

SLAs. 

Level 3 will provide a product catalogue detailing all standard order codes and their associated 

Availability Management: Service level targets are a key service metric. 

Network management and monitoring tools are utilised within the network operations centre 

to ensure immediate response to a network incident and minimising service unavailability. Capacity 

management reports are reviewed by the operations team and provide an important input to 

availability management. 

Capacity Management: Ensuring that customers and multi-tenanted sites have no capacity issues 

Level 3’s design and technical consultants will work with customers to scope the size of the 

circuits and ports required for the varying site types based on current and projected usage and 

requirements and requirements for all tenants in a building. 

Capacity reports will be produced to show on a per site basis the utilisation for the previous 

months to enable the Level 3 operation and service management teams to identify potential 

capacity issues on or before issues potentially impact service. Capacity management reports will be

included in the monthly management report to show site by site utilisation and exception 

reporting. 

648 

On line monitoring tools also provide the Network Operations Centre (NOC) with the ability to 

view capacity issues during a service event. 

Release and deployment process: release management processes are in place for the introduction 

of new hardware and software upgrades to an existing service and for policy revisions for changes 

to services such as security and firewall management. 

Level 3 will ensure the scope of the service delivered has the full functionality to support the 

design of the service and as such the equipment is specified with the latest and most appropriate 

configuration. For example, if an incident is identified by our technical specialist teams or by our 

third party equipment providers where the root cause is attributed to a software issue: 

The integrity of existing customer service is number one priority to Level 3, and therefore the 

strict adherence to release and change management processes are mandatory. 

Maintenance: Level 3 provide a comprehensive range of maintenance options. 

All ports on our routers are monitored 24x7 by our network operating centre facilities to ensure 

our guidelines are being met. It is also worth noting that the majority of the IP network is carried 

over Level 3s own transmission network which is monitored, managed and maintained on a 24x7 

basis by Level 3 engineers. 

Level 3 offers a variety of different maintenance options to individual customers, dependent on 

their individual maintenance requirements. This is dependent on site priorities.

Level 3 has provided a range of both standard and enhanced service management facilities to a 

number of government departments including Skills Funding Agency, HMRC and Crown Prosecution 


Traditional and IP based voice services 

The Level 3 voice service will include the option of providing new TDM infrastructure or a next 

generation IP solution based on an IL2 or IL3 hosted IP telephony service or IP enabled PBX solutions 

located at the customer premise. Both solutions are offered as a fully managed service which includes 

provisioning and on-going support. 

Where traditional PBXs are required customers will be provided with a PBX having on-site switching 

capabilities using both TDM and IP. Connectivity will be required to connect the PBX to a public 

telecoms operator which could be to the Level 3 core switches using access circuits utilising PSTN 

signalling standards of DPNSS and ISDN/Q931 or SIP trunking as appropriate. 

Level 3 also provides an option of deploying a next generation voice service based on IL2 or IL3 

hosted IP telephony services. It is a high availability hosted IP voice platform using Cisco unified 

communication platform which shall be deployed across two Level 3 data centres with no single points 

of failure. The solution is based on industry standard SIP based architecture. The next generation voice 

service is a fully managed IP based voice service utilising a core, multi-tenanted soft-switch capability. It 

has been engineered to integrate with other technology platforms such as unified communications 

(Microsoft Lync) and call handling (Aspect Hosted Contact Centre) services. 

649

Level 3 ensures customers are provided with a low-risk, cost effective managed telephony service 

which will allow users to be transitioned from their existing service to a next generation voice service in 

a seamless approach. 

Level 3 has selected an industry leading partner to implement the next generation voice service in 

Cisco and together we provide a risk free migration to IP telephony. The proposed next generation 

services will be built around best of breed industry leading products and services that provide a resilient 

architecture which allows the flexibility and scalability necessary for a changing environment. The 

solution is based on IL2 or IL3 compliant telephony platforms based on open standard SIP architecture. 

Level 3 is a leading member of the PSN community and the proposed solution is fully compatible 

with all current PSN requirements and the company is fully committed to PSN standards. Level 3 and 

Cisco are major contributors to the various PSN work streams and therefore Government departments 

can be assured that the solution deployed will be taken through the PSN assurance process. 

The service will be connected to the customer infrastructure using PSN compliant/approved 

services. This connectivity will provide access to the main hosted IP telephony platform, session border 

controllers and media gateways in the core network which will provide access to all features and 

functionality including connections to any traditional voice customers. 

650

Next Generation service shown at high level including connectivity to Hosted services and PSN 

The following features and benefits are available for both traditional and next generation IP service: 

651 

Voice calls from desktop to desktop phone 

Voice calls to and from PSTN via DNSP or GCN connectivity using lease cost routing on-net calls 

will not traverse the PSTN 

Support for DDI numbers and number portal/migration as appropriate 

Support for emergency calls, does not require the user to be logged onto the endpoint 

Support for a numbering plan as defined by the framework authority 

Support for legal interception 

Provides access to directory enquires 118 services. Level 3 will also provide a facility to list DDI 

numbers in external directories. 

Unified voicemail 

Directory federation connecting the customer’s directory to our central directory

652 

Tones (beeps) will be inserted when calls are made to IL2 users 

Instant messages to IL2 users from IL3 will have warning banners inserted to warn users of lower 

impact level conversations 

This service will allow conversions: email to fax, fax to email, SMS to email, email to SMS, text to 

voice, voice to text. 

TDM and next generation voice services include basic functionality such as call-forwarding, call 

pick-up, add-on conferencing, short-code dialling, etc as commonly used within enterprises 

Users to retain current internal numbers as well as their existing PSTN number ranges 

Level 3 will work with the Framework Authority to administer the common numbering plan for 

the next generation voice services 

Gateway devices to support fax and analogue phones/devices will be made available 

Level 3 can build dedicated interconnects to other PSN Services framework contractors to 

ensure that calls between customers of different contractors pass directly between these 

contractors without traversing the PSTN 

Level 3 will ensure that voice inter-connects between other framework contractors shall support 

the PSN standards for signalling protocols for the set-up and tear down of voice calls – subject to 

further detailed discussion around the protocols to be used 

Calls between customers of Level 3 and customers of other PSN framework contractors will be 

carried without charge to the interconnect with the other PSN framework contractor 

IM and presence 

Web, audio and video conferencing 

Unified messaging (through Microsoft Exchange). 

Voice Endpoint Devices 

The functional specification of the handset proposed to meet the economy and administrative 

handset requirements are as follows: - 

Feature Benefit 

Lighted Hold key The key lights when pressed to put a 

call on hold and stays lit until the held 

call has been resumed, or flashes if one 

call is held while another is engaged; the 

key is dark when no calls are on hold.

Lighted Menu key The key lights when pressed to 

653 

access voicemail messages, call logs, 

network settings, user preferences, 

corporate directories, and XML services; 

it stays lit while menu items are active. 

Lighted message waiting indicator The key lights when there is new 

voicemail, and the light is visible on both 

the phone chassis and the handset; it 

stays lit until you process your new 

voicemail. 

Graphical display A 396 x 81 pixel-based, anti-glare, 

monochrome display with white 

backlight provides scrollable access to 

calling features and text-based XML 

applications. 

Deep-Sleep option Power savings can be recognized by 

cycling power by time of day and day of 

week. 

Co-branding Co-Branding button allows 

customers to include their logo on the IP 

Phone.

Multiple-language support The following languages are 

654 

supported: 

only) 

• Arabic (Arabic area) 

• Bulgarian (Bulgaria) 

• Catalan (Spain) 

• Chinese (China) 

• Chinese (Hong Kong) 

• Chinese (Taiwan) 

• Croatian (Croatia) 

• Czech (Czech Republic) 

• Danish (Denmark) 

• Dutch (Netherlands) 

• English (United Kingdom) (Prompts 

• Estonian (Estonia) 

• French (France)

655 

• Finnish (Finland) 

• German (Germany) 

• Greek (Greece) 

• Hebrew (Israel) 

• Hungarian (Hungary) 

• Italian (Italy) 

• Japanese (Japan) 

• Latvian (Latvia) 

• Lithuanian (Lithuania) 

• Korean (Korea Republic) 

• Norwegian (Norway) 

• Polish (Poland) 

• Portuguese (Portugal) 

• Portuguese (Brazil) 

• Romanian (Romania) 

• Russian (Russian Federation)

656 

• Spanish (Spain) 

• Slovak (Slovakia) 

• Swedish (Sweden) 

• Serbian (Republic of Serbia) 

• Serbian (Republic of Montenegro) 

• Slovenian (Slovenia) 

• Thai (Thailand) 

• Turkish (Turkey) 

Speakerphone Full-duplex speakerphone allows for 

flexibility in placing and receiving calls. 

Headset support RJ9 interface to optional headset 

Four soft key buttons and a scroll 

toggle bar 

allows customers to enjoy additional 

options for place and receiving calls. 

Your calling options are dynamically 

present; the scroll toggle bar allows easy 

movement through the displayed 

information. 

Network features Network features include IEEE 802.1

657 

p/q tagging and switching. 

Ethernet switch The phone has a 10/100BASE-T 

Ethernet connection through two RJ-45 

ports, one for the LAN connection and 

the other for connecting a downstream 

Ethernet device such as a PC. 

Volume control A volume-control toggle provides 

easy decibel-level adjustments of the 

handset, monitor speaker, and ringer. 

Dual-position foot stand The display is easy to view and the 

buttons and keys are easy to use; you 

can remove the foot stand for wall 

mounting, with mounting holes located 

on the base of the phone. 

Multiple ring tones The phone offers seven user- 

adjustable ring tones. 

Hearing-aid-compatible features The hearing-aid-compatible (HAC) 

handset meets the requirements set by 

the ADA; it also meets ADA HAC 

requirements for a magnetic coupling to 

approved hearing aids. The phone

658 

dialling pad also complies with ADA 

standards. 

Codec support G.711a, G.711, G.729a, 

G.729b,G.729ab and iLBC audio- 

compression codec’s are supported. 

Voice quality Comfort-noise generation and voice- 

activity-detection (VAD) programming is 

provided on a system basis. 

Security features • Certificates 

• Image authentication 

• Device authentication 

• File authentication 

• Signalling authentication 

• Media encryption using Secure 

Real-Time Transfer Protocol (SRTP) 

• Signalling encryption using 

Transport Layer Security (TLS) Protocol 

• Encrypted configuration files

659 

Cryptography is not enabled by 

default and may only be enabled 

through a cryptographically enabled 

CUCM. 

The functional specification of the handset proposed to meet the professional handset 

requirements are as follows: - 


Lighted Hold key The key lights when pressed to put a 

call on hold and stays lit until the held 

call has been resumed, or flashes if one 

call is held while another is engaged; the 

key is dark when no calls are on hold. 

Lighted Menu key The key lights when pressed to 

access voicemail messages, call logs, 

network settings, user preferences, 

corporate directories, and XML services; 

it stays lit while menu items are active. 

Lighted message waiting indicator The key lights when there is new 

voicemail, and the light is visible on both 

the phone chassis and the handset; it 

stays lit until you process your new

660 

voicemail. 

Graphical display A 396 x 81 pixel-based, anti-glare, 

monochrome display with white 

backlight provides scrollable access to 

calling features and text-based XML 

applications. 

Deep-Sleep option Power savings can be recognized by 

cycling power by time of day and day of 

week. 

Co-branding Co-Branding button allows 

customers to include their logo on the IP 

Phone. 


supported: 




• Chinese (China)

661 

only) 


• Chinese (Taiwan) 







• French (France) 






• Italian (Italy)

662 


• Latvian (Latvia) 








• Russian (Russian Federation) 






• Slovenian (Slovenia)

663 


• Turkish (Turkey) 

Speakerphone Full-duplex speakerphone allows for 

flexibility in placing and receiving calls. 

Headset support RJ9 interface to optional headset 

Four soft key buttons and a scroll 

toggle bar 

allows customers to enjoy additional 

options for place and receiving calls. 

Your calling options are dynamically 

present; the scroll toggle bar allows easy 

movement through the displayed 

information. 

Network features Network features include IEEE 802.1 


Ethernet switch The phone has a 10/100BASE-T 

Ethernet connection through two RJ-45 

ports, one for the LAN connection and 

the other for connecting a downstream 

Ethernet device such as a PC. 

Volume control A volume-control toggle provides 

easy decibel-level adjustments of the

664 

handset, monitor speaker, and ringer. 






Multiple ring tones The phone offers seven user- 

adjustable ring tones. 





approved hearing aids. The phone 


standards. 



compression codec’s are supported. 

Video Communications Video Application Integration 

Support


665 




• Image authentication 








• Encrypted configuration files 




CUCM.

The functional specification of the handset proposed to meet the professional handset 

requirements are as follows: - 


Graphical display 5-inch (12.5 cm), high-resolution 

666 

(320 x 222), graphical monochrome 4-bit 

grayscale display. Allows for greater 

flexibility of features and applications, 

and significantly expands the 

information viewed when using features 

such as Services, Information, Messages, 

and Directory. Display also supports 

localization requiring double-byte 

Unicode encoding for fonts. 

Wideband Audio Support for wideband (G.722 codec, 

adherence to TIA 920), including 

handset, headset, and speakerphone 

(see Q&A for details). 

Directories Key Ready access to missed, received or 

placed calls (plus intercom history and 

directories). Incoming messages are 

identified and categorized on the 

display, allowing users to quickly and

667 

effectively return calls using direct dial- 

back capability. Corporate directory 

integrates with the Lightweight 

Directory Access Protocol Version 3 

(LDAP3) standard directory. 

Settings Key Allows user to adjust display 

contrast, select background images (if 

available), and select ringer sounds 

through the User Preference menu. 

Network Configuration preferences also 

can be set up (usually by the system 

administrator). Configuration can be set 

up either automatically or manually for 

Dynamic Host Control Protocol (DHCP), 

Trivial File Transfer Protocol (TFTP), 

Cisco Unified Communications Manager, 

and backup Cisco Unified 

Communications Manager instances. 

Other available Settings submenus 

include Device Configuration, Security 

Configuration, and Model Information. 

Messages Key Provide direct access to voicemail

Buttons 

Help Button Online Help gives users information 

Speakerphone, Mute, and Headset 

668 

about the phone keys, buttons, and 

features 

Speakerphone includes Speaker 

On/Off, Microphone Mute, and Headset 

buttons that are lit when active. For 

added security, the audible dual tone 

multifrequency (DTMF) tones are 

masked when the speakerphone mode 

is used. 


supported: 




• Chinese (China) 


• Chinese (Taiwan)

669 

only) 







• French (France) 






• Italian (Italy) 


• Latvian (Latvia)

670 








• Russian (Russian Federation) 






• Slovenian (Slovenia) 


• Turkish (Turkey)

Speakerphone Full-duplex speakerphone with 

671 

acoustic echo cancellation. 

Headset Port Dedicated headset port eliminates 

the need for a separate headset 

amplifier and allows the handset to 

remain in its cradle, making headset use 

simpler. Both wideband (G.722) and 

narrowband headsets are supported. 

Volume Control Provides easy decibel-level 

adjustments for the speakerphone, 

handset, headset, and ringer. The 

handset is hearing aid-compatible. 

Additional volume control gain can be 

achieved using an inline handset 

amplifier. 

Network features Network features include IEEE 802.1 


Ethernet switch Internal 2-port Ethernet switch 

allows for a direct connection to a 

10/100BASE-T Ethernet network 

through an RJ-45 interface with single

672 

LAN connectivity for both the phone and 

a colocated PC. System administrator 

can designate separate VLANs (802.1Q) 

for the PC and phone, providing 

improved security and reliability of voice 

and data traffic. 

Expansion Module Support An optional add-on module provides 

14 additional buttons for programming 

directory numbers or speed dials. Up to 

two expansion modules can be used. 






Multiple ring tones More than 24 defined user- 

selectable ring tones are available. Ring 

tones may also be personalized through 

use of the Unified Phone Application 

Suite.


673 




approved hearing aids. The phone 


standards. 



compression codecs are supported. 

Video Communications Video Application Integration 

Support 

Quality of Service (QoS) Options Supports differentiated services 

code point (DSCP) and 802.1Q/p 

standards. 





• Image authentication

674 








• Encrypted configuration files 




CUCM. 

Configuration Options IP address assignment can be 

statically configured or configured 

through the DHCP client. 

A variety of handset options will be available from Level 3 and the proposed solution also has 

capabilities for hearing impaired users, using amplified headsets or in-line amplifiers. Also, as 

the solution supports SIP phones from third party vendors, specific phones such as large button 

phones can be supported.

Large button and impaired hearing phone example 

Level 3 has a number of partners that can provide specialist equipment for users with particular 

needs and these can be addressed on a case by case basis. Analogue devices are connected 

to the proposed solution using analogue adaptors. 

Level 3 can also provide a range of headsets to meet the individual needs of users. Testing has 

been undertaken with Plantronics, Jabra and Sennheiser. Level 3 uses a number of distributors 

for headsets and can source both DECT and bluetooth based wireless devices 

Level 3 is aware that customers have a requirement to support ISDN services to the desktop, 

primarily to support BRENT devices. The proposed solution supports the provision of ISDN 

services using two-port voice interface cards - BRI (NT and TE). 

For maintenance of handsets it is recommended that each site retains a number of spare phones to 

enable a swift replacement for the users. Level 3 will then accept the return of the faulty device from 

the customer and place an order for a replacement device to replenish local spare devices. 

Voice call packages and voice minutes 

Level 3 can offer customers the option to have an all-inclusive fixed charging approach to call usage. 

Customers may require this option to manage and control call costs and an all-inclusive bundled call 

package shall include all calls made between customers, local, national, mobile and international 

locations to achieve this objective. 

Alternatively, customers can pay for usage separately. All our call rates are regularly benchmarked 

to ensure best value. With an approach where usage is billed per second and payable in addition to core 

costs, customers can review usage and call profiles and can implement a good housekeeping approach 

675

to call usage. This approach would include the barring of premium rate numbers and close audit to 

identify inappropriate use. 

DDI 

Level 3 will provide all users of the TDM or next generation voice service with individual DDI 

numbers. These numbers can be geographic numbers relative to the location of the customer or a non- 

geographic number range. 

Premium rate numbers 

Level 3 will provide customers with the ability to make calls to premium rate numbers. Due to the 

high cost of premium rate calls, Level 3 would recommend that user access is controlled using system 

restrictions on a per extension basis. 


Level 3’s non-geographic number service (NGNS) enables customers to manage incoming calls 

allowing the flexibility to choose between revenue share, calling party pays, called party pays or free of 

charge. 

Calls can be delivered to a site or end user of Level 3’s traditional voice service, next generation 

voice service or a user of another service provider’s voice service. 

Calls can be routed to suit the location and time of day of the customer’s operation. 

Level 3 can provide a range of non-geographic numbers including 0800, 03xx, 0845 as well as 0871 

and 0844. 

676

The following diagram illustrates how the non-geographic number service works 

677 

Non Geographic Number Service – network diagram 

Technology used is Ericsson SCCPs running number translation. 

Callers from any PSTN telephone in the UK, including BT payphones, can dial these numbers. Non- 

geographic numbers are reachable from overseas locations. Calls can be delivered to a site via standard 

telephone lines, ISDN lines, directly connected telephone lines or integrated with Level 3’s software 

defined network access lines, whichever meets the customer’s business needs. There is no need for any 

special equipment by the caller of receiver of calls.

Administrators can use the Level 3 UCommand portal to configure how the call is routed depending 

on a variety of parameters such as time of day, business hours, day of the week, public holidays and 

area code of incoming caller. 

Use of NGNs promotes communication through an easily remembered number and its availability 

anywhere within a serviced region. It also enables end-users to have their calls re-routed based on the 

time or origin of the calls. 

118 enquiries 

Level 3 will provide access to directory enquires 118 services. Customers 

shall be provided with the facility to list DDI numbers in external 

directories. 

Call Preference Service 

Level 3 will work with the customer’s network provider to ensure all external calls made will utilise 

the most cost effective route using least cost routing. 

Level 3 can offer customers the ability to deliver all geographic or non-geographic numbers through 

intelligent dial plans within the Level 3 core network. The intelligent dial plan provides an increased 

level of control on where the calls route to. An example is that customers may need to move the 

delivery of calls to a specific number if there is a technical fault or an incident at the office. Other 

configurable options with the intelligent dial plan service are: 

678 

Time of day - business/out of hours 

Day of the week - weekdays/weekends 

Day of the year - working days/public holidays

Area code of incoming caller - routing of calls to particular sites based on the location of the 

calling party 

Emergencies - routing calls to emergency number in the event of a disaster or a declared 

emergency 

In addition to the above, Level 3 can also offer all customers the option to present an agreed 

telephone number to the person called. This number when called by inbound callers will be capable of 

delivery to a dedicated answer point or a recorded message. There are three options available for the 

presentation of outgoing calling line identity (CLI) presentation: 

679 

Corporate-wide CLI 

o Every call that is made from any telephone across the customer estate will present a 

single corporate telephone number to the called party. 

Individual CLI 

o Each call that is made will present the individual’s personal DDI number to the called 

party. 

No CLI 

o Each call that is made will have the CLI withheld. 

If customers decide upon a single corporate number, Level 3 can route any calls made to that 

number to a destination as advised by the customer. This can be a voicemail announcement or a 

dedicated answer point. 


The Cisco UC solution for next generation service and all PBX systems fully supports multi-way calls. 

The scale is dependent on the requirements of the customer. This capability uses the ad-hoc 

conferencing capabilities within the solution. This is a software audio bridge that can bridge up to 48 

calls into a conference. By default, the system is set to bridge a maximum of 8 calls. 

With Microsoft Lync, audio, video and web conferences are easy for users to set up (either from 

Lync or from the Outlook online meeting plugin), and easy to join – users who have already been

authenticated by Active Directory don’t need to enter any additional PINs or codes. Meanwhile, users 

who aren’t signed in can join from a conventional phone using dial-in information, or by following a URL 

in a browser and having Lync call them back. The Lync web-app provides a rich conferencing experience 

through a browser, and Lync Attendee enables users with Communicator 2007 or Communicator 2007 

R2 to join Lync online meetings. Within conferences, presenters can share desktop applications, 

PowerPoint presentations or create interactive whiteboards and polls. With a PowerPoint deck 

uploaded, meeting attendees can skip back or forward through the slides if they need to, and then jump 

back in line with the presenter. For users with Lync, Lync web app or Lync Attendee, a meeting roster 

shows everyone who is in the conference and allows the chairperson to mute, unmute, eject or grant 

presenter access to participants. 

For larger numbers of participants (up to 150 as standard), Level 3’s ready access reservationless 

audio conferencing service is available instantly, enabling an end user to initiate calls by informing 

participants of the conference dial in number and access pin number. An Outlook integration tool 

allows the end user to auto populate their meeting invitations with the call details, and provides a link 

that individuals can click on to initiate an automated dial out to their phone from the ready access 

bridges. Alternatively, each participant can manually dial the conference telephone number, enter the 

conference pin number and join the call. No pre-booking with Level 3 is required to initiate these instant 

access type audio conference calls. 

The Level 3 audio conferencing service is also available as an operator controlled (concierge) 

conference which can be used for major events where the number of participants can be very large (up 

to 3,000). In this type of conference the chairperson(s) usually presents with Level 3 conference 

operator assistance and then participants can ask questions under the control of the conference 

operator. 

680

IL3 (Impact Level 3) 

681 

Overview of the Level 3 Audio Conferencing Network Architecture 

Audio conferencing will be provided by the currently accredited hosted IP telephony service 

platform with additional services being offered by the unified communications platform which supports 

Microsoft Lync 2010 communicator services. 

The IL3 conferencing service will not have PSTN access. The impact level 2 conferencing service will 

be made available to IL3 users. When an impact level 3 user dials into the IL2 service a pre-call 

announcement (nominally “beeps” or a pre-recorded message – subject to customer approval) will be

played to warn the user that they are using an IL2 environment. The “beeps” are introduced by the 

session border controller or the conferencing bridge. 

IL2 (Impact Level 2) 

Ready Access (Level 3’s brand name for its instant access conferencing service) is a unique audio 

conferencing solution that leverages Level 3’s solely owned MPLS core and over 84,000 on-net audio 

conferencing ports (located in EMEA, North America and Pac Rim). Level 3 employs a standard bridge 

configuration, using Polycom ReadiVoice technology to deliver reservation-less audio conferencing to 

our customers. 

Through our Global Origination Service (GOS) Level 3 directly negotiates with local PTT’s and carriers 

to acquire local toll and toll free access numbers (over 100 currently available). These are routed from 

the LEC (Local Exchange Carrier or PSTN provider) to a local Level 3 POP (Point of Presence on network). 

This traffic is then backhauled across our VoIP core to the Conference Call Routing Server which 

intelligently routes conferencing traffic to the appropriate bridge resource across our DWDM backbone. 

Level 3 has also deployed Ditech VQA (Voice Quality Assurance) devices within these POPs. These 

devices, primarily deployed by mobile operators, have a significant impact in reducing both acoustic and 

hybrid audio echo. Since their deployment, Level 3 has seen a reduction in the number of trouble tickets 

(incidents) generated for echo by 80% 

For those countries where Level 3 cannot provide a GOS (Global Origination Service) number (due to 

local restrictions) calls are routed through the PSTN to centralised Level 3 hub locations that then 

682

provide the same call routing pattern as GOS numbers. Participants can now also join a Ready Access 

(instant access conference call) meeting through Level 3s Connect service. This blackberry or android 

device plug in and desktop client will provide ‘click to call’ access directly to the conferencing bridge. 

By removing costly international PSTN and 3rd party charges Level 3 can pass these costs savings 

onto our customers. Using a centralised system provides a standardised user experience regardless of 

where the chairperson is located. All users have access to the same features and online tools including 

web conferencing services. This will have a significant impact on the cost of change as consistent 

training can be provided on a global basis. As the owner of both the bridge and the network it is 

delivered over Level 3 have visibility and control over the traffic flow meaning we can react quicker in 

the event of issues and provide meaningful troubleshooting and repair for the majority of the transport. 

Level 3’s virtual port configuration also offers resiliency and redundancy in the event of disaster 

recovery. Level 3’s unique distributed provisioning application, offers optimum disaster recovery 

through the automatic and frequent distribution of subscription details to all bridging systems. In the 

event of a DR situation our engineers can quickly evaluate the situation and if traffic should be moved to 

a disaster bridge, then we have a redundant tool; Pulsar that moves all the customers’ numbers and 

their web conference control interface to an alternative bridge in less than a minute. Customers can 

continue to use their existing number sets, there is no requirement to change to a set of ‘DR’ numbers. 

Although, if required, Level 3 can create specific DR accounts which use a separate primary bridge then 

the normal number set. 

Another clear advantage is that these ports are on-net, creating a clear migration path from 

traditional PSTN / TDM access to VoIP. VoIP Ready-Access provides our customers with the same 

features and benefits of the Ready Access service but delivered through a dedicated IP connection to 

the Level 3 MPLS core. This gives customers an efficient and convenient way to combine the value of an 

683

on-demand audio conferencing service with the cost savings of VoIP. This achievement was highlighted 

in the award of the 2007 Internet Telephony Award for our VoIP Ready Access services. Level 3 accepts 

enterprise outbound IP voice traffic for national and international calling to more than 240 countries 

worldwide. This is supported by over 140 Sonus GSX switches (VoIP Switches and gateways to the PSTN) 

deployed within our network. Calls are routed through Acme and Sonus Session Border Controllers 

located globally for resilience. These send voice conferencing traffic (identified by unique DRIC 

routing/subscription numbers) to the CCRS (Conference Call Routing Server) for processing. 

Level 3’s IP VPN service is the ideal transport for real time conferencing applications. Built directly 

upon the world’s most extensive DWDM optical backbone there are no legacy services (like Frame Relay 

or ATM) within the Level 3 core. All traffic is routed within the same autonomous system (identified by 

Level 3’s AS number) and traffic routing and management intelligence are maintained within the core of 

Level 3’s network instead of the customer’s premises. This optimises network operational efficiency and 

reliability, increasing performance. These factors mean we can offer customer end-to-end service level 

agreements for availability, packet delivery, and latency appropriate for voice conferencing. VoIP 

packets on Level 3s IP network receive the highest priority, translating into consistent and predictable 

carrier grade call quality. 

Desktop video conferencing 

Level 3 can provide desktop video using Lync Server 2010 which enables real-time video between 

Lync 2010 endpoints and endpoints from third-party hardware vendors. This interoperability enables 

customers to leverage their existing video conferencing hardware investments while extending video 

conferencing features to other users with minimal incremental investment and user training. Users can 

use third-party video conferencing hardware while scheduling meetings and determining attendee 

684

availability using familiar tools, such as Outlook or Lync 2010. The Lync solution can be integrated with a 

customer’s existing IT and communications estate with the following options: 

685 

A customer’s existing on premise or hosted exchange server solution may be used to provide 

unified messaging for Lync 

A customer’s existing voice solution can be connected to Lync via SIP trunks into our session 

border controllers 

Alongside the core Lync applications, Level 3 is able to offer enhanced complementary 

products including integration of room-based video conferencing and mobile presence 

integration. 

Level 3 can also provide desktop video endpoints from other providers if required. We can also 

provide a range of professional services to support desktop video services including: - 

Video audit 

User migration/deployment 

Integration with Level 3/PSN service provider services 

Advice on Microsoft and other vendor licencing requirements 

Unified Communications and Collaboration tools 

Microsoft Lync offers a suite of collaboration tools out of the box and via a single user interface, and 

is already widely in use commercially today. The Level 3 Service is flexible in that users currently holding 

licences for Microsoft Lync (estimated at approximately 100,000 across Government today) can be 

integrated and reused as part of the solution, making use of existing assets, and reducing the software 

deployment costs. To ensure best on-going value Level 3 wish to make use of Government existing

Microsoft GSPLAR agreements and continue to use Government licences rather than resell new ones 

unnecessarily. 

The Level 3 hosted Lync service integrates with the Microsoft Office suite of applications including 

Microsoft Outlook / Exchange and SharePoint, as well as it’s, Office Communications Server and Active 

Directory products; and Directory products aiding ease of delivery. The Microsoft service also integrates 

into IBM's range of products including Lotus Sametime, Lotus Quick and Lotus Web conferencing. 

686 

Typical Customer Deployment and supporting core infrastructure

The Unified Communications Service will be hosted in Level 3’s resilient data centres in locations 

around the UK. These data centres will be IL3 accredited and co-located with next generation voice 

services and the existing HIPT service. 

The service will provide unified communications and collaborative services utilising the full 

Microsoft Lync under the scope of the specified framework. Using industry standards helps ensure a 

feature rich and wide communications ability across all departments wishing and agreeing to 

communicate. Minimal further investment is needed in products or services to translate and adapt 

services for interconnectivity or in additional training for the users or support staff. 

Where there is a need to share data and communicate information using a variety of tools, 

communication between Government departments served by Level 3 will be possible using the unified 

communications service. Level 3’s default position is that all unified communications calls between IL3 

customers operate at IL3 with a warning banner reminding the users of this fact. Where any live instant 

messaging session is passed between impact levels, Level 3 will introduce a warning. 

Level 3 would wish to facilitate ease of interworking and to help create the effect of a unified 

communications environment across the whole of the PSN environment. To help achieve this as an 

additional service Level 3 would:- 

Level 3 Unified Communication Customers would be required to federate to the Level 3 

directory, thus allowing intercommunication between Level 3 unified communication customer 

Level 3 will work with other Contractors delivering PSN unified communications services to 

ensure pan PSN transparent interworking and federation across Government. 

Such an approach is dependent on the adoption by all contractors of open industry standards and 

clarity from the Framework Authority and CESG on accreditation requirements and security standards. 

Lync features 

687

Microsoft Lync 2010 is Microsoft’s comprehensive enterprise communications platform. Powered by 

Lync Server 2010, Lync builds on the capabilities of its predecessor, Office Communications Server, 

providing instant-messaging and presence, desktop collaboration, voice, video and web conferencing, 

federation with other organisations, and a full-featured enterprise-voice feature set that can remove the 

need for many businesses to operate multiple on-premise PBX platforms for their users’ telephony 

needs. In this section, we give an overview of Lync 2010 as provided by Level 3, and how its features and 

capabilities fulfil the customer’s needs for a unified communications platform. 

Enterprise Voice for telephony 

As with previous versions of Office Communications Server (OCS), Lync provides click-to-call, 

presence-enabled enterprise voice. Lync 2010 adds a range of familiar telephony features, and the 

enhancements of presence and directory integration, which can make it suitable as the primary or sole 

telephony device for many users. 

688

Voicemail and Unified Messaging 

689 

Transfer a call to mobile from a Lync client 

The solution will employ the Exchange Unified Messaging role for Voicemail functionality. Exchange 

UM is the standard Voicemail solution for Lync 2010 and caters for direct dial-in to voicemail via PSTN 

for message retrieval, as well as delivery of voice messages into Outlook. In addition voicemail Messages 

can also be played and retrieved using the Lync client. 

Voicemail example with Lync

The phone tab of the Lync client shows users when they have a voicemail and lets them access the 

messages directly. The Lync client also allows users to view the corresponding Outlook item and an 

automatic transcription of the selected voice mail. 

Instant messaging and presence 

690 

Voicemail with transcription 

In the proposed solution, Instant Messaging and Presence are provided as standard features in the 

Lync Desktop Client. The Lync client employs Presence driven Communication which will be enabled to 

assist both incoming and internal contact requests to reach the best party, based on information in the 

corporate directory and availability as shown by Presence status. The Presence of a group of resources, 

such as a buddy list or all available skills in a particular category, will be shown as a list for the start of

any communication, including IM, voice calling, desktop sharing, or conferencing. Presence-driven 

communications can help to remove waste and delay from your business processes, as the appropriate 

resource can be found exactly when needed. Presence-driven communications can also help you better 

use your talent and resource base because the software can access all known resources at the same 

time. 

691 

Lync presence example

Mobility 

More and more information workers are using the mobile phone as their only phone. Mobile Clients 

for Microsoft® Lync 2010 take the power of unified communications mobile—including rich presence, 

audio conferencing, and access to multiple communication modes from a single, easy-to-use interface. 

Stay connected with mobile clients - Using mobile clients for Lync, information workers can view 

colleagues' availability and select the best way to communicate - initiating instant messaging (IM), e- 

mail, or a phone call. In addition, workers using their mobile device provide accurate availability status 

back to other users when using mobile clients for Lync. 

Connect to conferences with a single click - Mobile clients for Lync can enable information workers 

to join a Lync conference with a single click of a button, without requiring users to dial conference 

numbers and enter long numeric passcodes. 

Connect with others using a single, consistent identity - A single telephone number can be used 

across desk phone, PC, and mobile phone. Outbound calls from a mobile device with a Lync client can 

enable the use of a single identity and phone number, making it easier to recognize calls from the Lync 

mobile client by colleagues, partners, customers, and personal contacts. 

Connect more securely - With communication channel encryption, transport layer security (TLS) 

support, and perimeter/internal network protection, your communications experience is safer no 

matter where you are or what network you use. 

Video calling 

692

In the proposed solution, the Lync desktop client has native support for video calling (reference RFP 

section 6.1.5). Devices can be selected either as default or on a per call basis. Devices can be 

interchanged mid-call without disconnecting the call. The client supports a range of USB Webcams as 

well as the Polycom CX 5000 video collaboration device with 360-degree panoramic video. A 

comprehensive list of supported devices can be made available. 

Conferencing 

With Lync 2010 audio, video and web conferences are easy for users to set up (either from Lync or 

from the Outlook online meeting plugin), and easy to join –users who have already been authenticated 

by Active Directory don’t need to enter any additional PINs or codes. Meanwhile, users who aren’t 

signed in can join from a conventional phone using dial-in information, or by following a URL in a 

browser and having Lync call them back. The Lync web-app provides a rich conferencing experience 

through a browser, and Lync Attendee enables users with Communicator 2007 or Communicator 2007 

R2 to join Lync online meetings. Within conferences, presenters can share desktop applications, 

PowerPoint presentations or create interactive whiteboards and polls. With a PowerPoint deck 

uploaded, meeting attendees can skip back or forward through the slides if they need to, and then jump 

back in line with the presenter. For users with Lync, Lync web app or Lync Attendee, a meeting roster 

shows everyone who is in the conference and allows the chairperson to mute, unmute, eject or grant 

presenter access to participants. 

Internet services 

The Level 3 internet connectivity service provides a shared platform providing customer filtered 

internet access to users at IL2, IL3 and optionally at IL4. Level 3 offers a unique multi layered Impact 

Level approach where browsing traffic is filtered using a multi layered security approach. This 

693

architecture is illustrated in the below figure. This will utilise different vendors to give depth in defence 

and comply with good practice guides. In this way all users at IL4 have also used the IL3 and IL2 

infrastructure. This allows us to deploy common filters, virus signatures, attack signatures etc at the 

lowest levels hence give a high overall level of protection to all users. IL3 and IL4 users’ traffic will 

therefore have passed through the IL2 infrastructure. This gives volume and economy of scale. 

DLP (data leakage prevention) provides content based searching and allows mails or content to be 

released according to key words which may determine its classification (restricted, confidential etc) and 

also look for key words which may imply a classification. Each layer is firewalled using differing firewall 

vendors to comply with GPG8 recommendations. The system will utilise heuristics and offer bespoke 

pattern matching. The system will also use well known virus signatures. Combined this will give “zero 

hour” virus protection against new viruses. 

The IL3 service will draw traffic from the IL2 assured service. In this way the IL3 service creates 

depth in defence by drawing “clean” traffic from a separately assured IL2 platform. The IL3 filtering 

platform is in essence a customer of the Il2 filtering service. 

The IL2 service will draw internet traffic from the Level 3 internet backbone. This has inbuilt DDOS 

which due to the nature of DDOS is a globally distributed architecture. 

Level 3 currently has a global internet filtering service which can be assured to IL2. By utilising 

multiple global internet gateways we provide a higher awareness of live attack scenarios and a greater 

protection against common mode failures and DDOS attacks. 

694

Where customers take the proxy bypass service it is expected that this traffic will be delivered by a 

separate VPN to the customer’s site. This is such that traffic does not mix with traffic which has been 

fully cleaned by the full filtering service(s). 

695 

Multi-layered impact level approach to Internet browsing 

The following features and benefits are provided with the Internet Connectivity Service: -

Virus scanning (available at all impact levels) to scan email traffic only 

Content control (available at all impact levels) to filter and control html access 

implementing white and black lists per customer 

Proxy bypass (available at all impact levels) this will replicate a managed firewall 

service and is designed for users who have virus scanning and content control at 

their own sites. We see this as a migration path to move to the virus scanning 

and content control services. 

DLP data leakage protection , this is an optional service available at Il4 which we 

recommend to ensure the customers meet GPG guidance for Il4 to Il3 browse 

down access. DLP provides scanning for words such as “restricted” and can 

enforce release policies 

HTML virus scanning, this provided protection against HMTL borne viruses 

Anti spam email protection 

Anti porn email protection by content analysis (instead of white and black list 

protection) 

IDS & IPS can be provided as an option extra for the proxy bypass service 

DIA direct unfiltered internet access provided to the customer’s site 

Email, website services, co-location and hosting 

Managed hosting services are provided under the Level 3 on-demand and continuity solutions 

banner. Typically, IT services are architected using a set of building blocks, which are then tailored to 

meet a specific set of requirements, to meet the needs in line with the customer’s business. 

696

697 

Managed Hosting Service Model 

The above shows the Level 3 managed hosting service model with 3 underpinning capabilities; 

Infrastructure and Technology, Processes and Procedures, Human Resources and Skills. Level 3 has a 

programme of continuous development and improvement to ensure Level 3 can support the latest 

technologies and meet demanding IT delivery requirements. 

The services delivered cover a range from simple infrastructure services such as co-location and 

remote hands, through managed network & servers (platform service), through applications delivered 

by Level 3 or working with specialist 3rd parties and completed with a range of professional services. 

This complete range of services is delivered with a consistent customer engagement model which 

ensures our customers receive a single consistent approach for all of the products we provide to them 

whether data network, voice network or managed hosting. This engagement has a customer service 

manager leading it with agreed SLAs and regular reporting.

698 

Managed Hosting service technical building blocks 

The above figure provides an abstract high level view of the managed hosting services incorporating 

the following services: - 

Local Area Network Architecture 

Managed Firewall service 

Managed Storage 

Managed Backup 

Local Load Balancing 

Managed Server Hosting 

Managed Hosting Monitoring Service 


The service consists of a managed data storage and storage area network (“SAN”) service, which 

provides data storage capacity to server equipment as part of a managed service, or to equipment

owned or provided by the customer which is installed at the data centre. The Service will provide 

management and monitoring of SAN services in the Level 3 Data Centre. 

Level 3 will manage the customer equipment, and/or any software or ancillary hardware provided 

by the customer. 

Where the SAN architecture and SAN switching platform permits, the Service is capable of 

supporting solely the following operating systems: 

Microsoft Windows 32 Bit 

Microsoft Windows 64 Bit 

VMware 

Linux 

Unix (AIX, Solaris, HP-UX) 

The service has the features shown in the below table: 

699 


Design & Deploy 

Initial storage and SAN design Level 3 will agree the design for storage and SAN with the 

customer and produce the detailed design document. 

Installation Level 3 will install, configure and connect all server, SAN 

and storage hardware as specified in the detailed design 

including installation and configuration of resiliency of the 

server hardware. 

SAN fabric configuration Level 3 will configure the network components of the 

Logical Unit Number (“LUN 1 ”) creation 

SAN. The demarcation point will be the SAN switching fabric. 

design. 

Level 3 will create LUNs as required in the detailed 

1 “LUN” means a logical unit on the storage array that the Host Bus Adaptor hardware and software is configured to communicate 

with.

Controller initialisation Level 3 will initialise the storage controllers. 

Disk initialisation Level 3 will initialise the disk including drive firmware 

700 

loading and configuration of default disk group. 

Zone configuration Level 3 will configure the storage infrastructure into 

security zones as specified in the detailed design. 

Virtual disk creation Level 3 will create virtual disks as specified in the 

detailed design and present them to the server. 

Implementation of inter-site copy and failover Level 3 will, where specified in the detailed design, 

configure and test copy sets, disaster recovery and managed 

disk sets between SAN installations, recommending sufficient 

inter-site connectivity to support the proposed service. 

Monitoring and reporting Level 3 will configure SAN monitoring and reporting in 

Manage and Support 

Manage LUN volumes 

accordance with the detailed design to ensure that detective, 

preventative and corrective controls are in place. 

Level 3 will create, maintain and delete storage resources 

as approved through the service request process. 

Manage Hosts Level 3 will create, maintain, delete server relationships 

within the Service as approved though the service request 

process. 

Storage Monitoring Level 3 will identify and troubleshoot alerts associated 

with the Service. 

Manage disk groups Level 3 will create/maintain/delete disk groups as per 

service request submitted and approved as a

701 

change request. 

Manage SAN zones Level 3 will create/maintain/delete disk groups as per 

service request submitted and approved as a change request. 

Manage virtual disks Level 3 will create/maintain/delete disk groups as per 


Manage copy sets, replication groups and managed sets Level 3 will create/maintain/delete disk groups as per 


Firmware/Software maintenance Level 3 will be responsible for maintaining controller, 

Service Management & Reporting 

drive, appliance and software revision levels in line with its own 

service infrastructure under its normal operating procedures 

Monitoring The service is monitored using data centre 

monitoring tools 24 x 7. Monitoring capabilities 

are to be agreed with the customer in line with 

the technology capabilities but will include 

monitoring the following parameters: 

Data storage (what is assigned, where its 

assigned to) – ADHOC (when requested 

and when changes are made) 

Capacity management (current and 

historical utilisation of allocated storage) 

Cabling to the hardware 

Storage related hardware components 

Reporting A monthly service report is provided to the 

customer of the metrics monitored above. 

Security services and Antivirus 

Service Features Table

Level 3 has built a security operations centre in our network operations centre (NOC) facility. This 

has been built in partnership with one of our sub-contractors for PSN services - Integralis. The facility is 

based in our List X environment and staffed by Security Cleared (SC) staff. It has a full disaster recovery 

facility in the north of England with dual resilient server estates based at separate off site locations. 

We have a pilot customer; a Police force where we manage IL3 and IL4 security services for them. 

First and second line duties are performed by Level 3 staff with third line support available from 

Integralis. Integralis provides their ISIS platform which is a proprietary log correlation and security event 

management tool. To maintain IL3 and above compliance we run a separate version of ISIS within the 

estate. The service manages firewalls, IDS and IPS security devices and has the capability to manage 

virus scanners and other gateway devices. Integralis also operate a main commercial SOC located in 

Berkshire. The two SOCs collaborate and hence have the latest data on global security events. This 

Commercial SOC has access to 1000’s of security devices and sensors based worldwide. 

The SOC service has been submitted for PSN certification and this is expected in H1 2012. We 

anticipate this will be the first PSN certified security service of its type in the UK. PSN certification aligns 

to ISO27001 and is independently audited by KPMG. The audit process is currently underway. The 

service provides the relevant capability at GPG13 as required for IL3 and IL4 services. 

Level 3 can support anti-virus services using industry leading packages including McAfee and 

Kaspersky 

Email scanning and filtering 

702

Email and web-filtering services are provided together with our sub-contractor, Integralis, using a 

jointly built Security Operations Centres (SOCs) and underpinning security management architecture. 

There are essentially three levels of service available, from telephone-based technical support and 

problem solving, through to 24x7 monitoring and analysis services and full alert management and 

reporting. Key components of the managed gateway services include: 

- The ISIS Engine: The Integralis Security Information Service (ISIS) is the data correlation engine that 

underpins the managed security services. This includes a series of business rules developed by 

security analysts over time to help streamline the process of threat identification. 

- 24 x 365 monitoring and alerting: Level 3 monitors security appliance vital health signs, system 

operating-conditions and analyses available log data continuously. Problem conditions are either 

dealt with directly by Level 3, or escalated to designated customer security contacts. The service 

centres operate in a 24x7x365 manner with staff monitoring and managing thousands of devices in 

more than 40 countries worldwide. 

- System availability checks and health monitoring: System availability checks are built into the 

service. A system down condition can be escalated to the customer security contact. Availability 

graphs and statistics are provided via the Security Information Service (ISIS) Secure Web Portal. 

- Security event alerting and escalation: Alerts sent from the managed system will be logged, 

acknowledged, analysed and then escalated by the SOC. Alerts that would impact the Service 

delivery, the availability or functionality of the security device or other monitored devices, will be 

raised as an ‘Incident’, and dealt with in accordance with the incident management service. 

- Reporting service: A wide range of reporting options are provided via the ISIS portal. These reports 

provide information about network activity, traffic types and volumes, details of alerts, system 

availability statistics and graphs, system resources usage and of course security events. 

- Change control: rigorous change control is included within the service. Level 3 works only with 

designated security contacts within the customer organisation that are authorised to place change 

requests via the secure web portal. All requests are subject to two-factor authentication and a 

complete audit trail. Configuration changes are backed up regularly making it possible to quickly roll 

back the security policy if required. Change control requests are initiated and tracked via the ISIS 

secure web portal, with e-mail notification of updates to prompt the customer to access the portal. 

Integralis deploys its extensive network security expertise to validate, design and implement 

changes to the IDS policy. Requests for insecure changes are identified and avoided ensuring that a 

robust security policy is maintained. 

- Enrolment support: the Level 3 enrolment process allows the client to call on the experience of 

Integralis’ operations staff to assist and advise on enrolment activities. 

- Monitoring. The main interface between Integralis operational staff and our customers is the ISIS 

secure customer web portal. This is a web interface which customers can access providing they 

have secure access. The portal integrates a variety of underlying technologies to provide a secure 

single sign-on architecture for maximum availability and scalability. Once logged in the user is 

703

presented with a summary screen detailing their account status, any relevant security alerts and 

issues and open calls. 

- Whenever a customer-visible update occurs, an e-mail or other call is made to the customer asking 

them to visit the Integralis secure web portal for updated information – this e-mail includes a fully 

authenticated URL which the customer can just click-through to access the relevant information. 

Because of the strong authentication features used only the intended recipient of the information is 

able to receive it. Features of the portal vary depending on what services the customer has selected 

from Integralis. They include some or all of the following: 

- Trouble ticket and change control system access. Customers can raise, view and close calls in the 

Remedy system. 

- Messaging. In addition to being able to send secure e-mail to the Level 3 SOC, customers may use 

the web interface to send ad-hoc messages. These can be associated with calls in the customer 

support system, or may be standalone. Messages sent in this manner are received in the customer 

support system and acted on alongside other calls. 

- The secure web portal augments direct interaction with Integralis staff by allowing customers to: 

request changes; review alerts and related actions; review status of change requests; communicate 

with the SOCs; generate reports; download report data. 

An illustration of the SOC service is shown below. 

704 

Level 3 SOC Managed Security Architecture

Firewalls 

Level 3 have a number of customer firewall solutions to meet a variety of customer specifications 

and security impact Levels (IL2 and IL3). Across both impact levels Level 3 can offer the following 

topologies:- 

Shared Firewall Service – Gateways to common Government extranets e.g. MINT 

Customer dedicated integrated Router/Firewall e.g. Juniper SRX 

Customer dedicated firewall e.g. Cisco 5510 

Level 3 offers a secure watch and a secure manage service, providing differing level of service 

depending on the customer knowledge and skillet. The secure manage provides a fully managed service 

including threat analysis and configuration management. The secure watch service is a monitoring only 

service where the end customer provides initial and on-going device configuration. 

Level 3 will offer Impact Level 3 managed security services using our dedicated IPVPN or our access 

to the Government Secure Intranet (GSi) to Government customers wanting to pass data within a 

RESTRICTED environment. Level 3 will provide Managed Security Solutions for UK Government 

customers who require their data to run at RESTRICTED – Impact Level 3. These services are run from 

our List-X facilities which are situated on Level 3 Premises in the U.K. only. The managed security service 

will run alongside our restricted UK Gov IPVPN under the current cardinal accreditation rules set which 

Level 3 UK operate today. 

Additionally there is an IL2 managed firewall offering that is based on our commercial managed 

security service architecture. This service is designed for UK Government customers who require their 

data to run at PROTECT– Impact Level 2. These services are run from our commercial facilities. 

705

706 

Firewall options from Level 3 

Level 3’s customer firewall services include the following elements:- 

Customer requirements capture and due diligence - Level 3 offers UK Government customers a 

fully managed security service which means that we are responsible for the final design solution as part 

of our professional services offering to compliment this service. 

Detailed design - Level 3 will work with the customer to develop a design of managed devices to 

support the customer's Level 3 firewall solution. Level 3 engineers define all managed firewall and/or 

security devices, software, interfaces, and memory required to support the customer's requirements as 

communicated during the sales cycle.

Implementation/Project Management. - Level 3 will also work with the customer to develop a 

comprehensive work plan to implement and install the security network including transport and 

managed devices. 

Proactive 24x7 Operational monitoring/management - The firewall infrastructure and associated 

hardware will be maintained and proactively managed 24 x 7 from the Level 3 NOCs. Level 3 has 

multiple NOCs for resilience purposes. Level 3 will be immediately notified through our network 

management tooling if a device was to become unavailable. The Level 3 MSS team will actively 

investigate faults that occur on the network and will also be available 24x7 to address any specific 

operational issues that customer may wish to investigate. 

On-going service management - As part of the on-going service management Level 3 will provide 

regular service review meeting to discuss service issues. This may include performance against SLA, 

security breaches, service improvement initiatives. 

All services are intended to be PSN compliant were appropriate. 


Level 3 works with its sub-contractor Integralis to provide intrusion detection solutions that identify 

threats from both inside and outside of your network, both wired and wireless. Integralis pioneered IDP 

product acceptance in Europe and has deployed and maintains some of the largest and most technically 

advanced deployments in the UK. Level 3 is highly experienced in designing and delivering seamless IDP 

707

solutions into government departments and commercial organisations. Our IDP product range includes 

all the leading technologies including Sourcefire, Check Point, Juniper, IBM ISS, McAfee and more. 

Level 3 uses the latest tools and technology to manage and monitor industry-leading intrusion 

detection and prevention (IDS/IDP) platforms. We help you prevent costly downtime and potential 

revenue losses by delivering comprehensive real-time identification and analysis of security events by 

our security experts from our global Security Operations Centres (SOCs), helping to ensure you are 

protected against intrusion threats and attacks. Because we monitor thousands of devices worldwide, 

we can quickly detect and analyse anomalies, and link firewall and IDS/IDP data to ensure more effective 

incident context, and reduce false positives. 

Our intrusion detection capabilities offer a range of solutions covering: 

708 

Security strategy and policy services to assess and tune intrusion detection and prevention 

solutions 

Design, installation and configuration of all major IDP technologies 

24/7/365 monitoring and analysis to ensure rapid response and alerting based on threat 

potential and pre-determined response levels 

Consistent reporting and alerts based on data intelligence across a broad range of vendors, 

platforms and devices 

IDS/IPS rule set and signature management 

Detailed, easy-to-use reporting via our web-based ISIS portal, covering IDS/IDP device 

configuration, security intelligence, and security and health events 

Expert threat identification, correlation and comprehensive threat intelligence 


Level 3 will provide a managed remote access solution service to deliver a secure remote access 

point to the Level 3 network. The hardware encryption and secondary authentication devices used to 

deliver the service will include CAPS (Enhanced) approved equipment for the protection of data 

transmission up to IL3 across a public internet connection.

The proposed solution will provide users with access to corporate internal networks and available 

resources they would have when located at their workstation. This solution will provide dual factor 

authentication via an easy to use standard web browser. 

This remote access solution (RAS) is delivered by Prolinx as our sub-contractor. This RAS Solution 

provides a simple, flexible, secure and efficient remote access point to resources from a variety of 

internet-facing connectivity. This can include, but is not limited to, home-broadband including via 

wireless, 3/3.5G mobile access through a dongle or tethered mobile phone or even through a client- 

site’s internet access (client’s gateway restrictions permitting). Its simplicity is derived from an interface 

that uses any industry standard web browser, very familiar to business users. 

Level 3 is able to provide a fully managed, remote access gateway service, allowing access to the IL2 

and IL3 networks from accredited Level 3 user access devices. Level 3 will manage the provision of RAS 

user accounts and access tokens in line with Level 3 Systems requirements, currently based on a 

possible 10,000 IL3 users adopting this service within the first 2 years. The solution will also 

accommodate Level 3’s maximum user database up to 300,000 +. 

The solution is able to deal with large amount of concurrent connections utilizing hardware 

clustering concepts. The solution can be “scaled-out” to meet possible future growth requirements. 

When clustered, cluster pairs multiply aggregate throughput to handle unexpected burst traffic as well 

as resource-intensive application use. Clusters can be deployed in either active/passive or active/active 

modes across the LAN or across the WAN. 

709

The gateway solution proposed provides dual-resilient, load-balanced routes into Level 3’s 

substantial communications infrastructure. Scalable access bandwidth provides all remote users with a 

speed of access to networked resources comparable to their office workstation. 

The dual-factor authentication process is performed entirely through a standard web browser, 

requiring minimal training to master. The construct and operation of the RAS Service is at the request of 

Level 3, using “Realms” to customise the connections. Once a connection is established to the desired 

internal network, all of the internal system’s services will be reachable from the remote location, 

assuming the appropriate software exists on the user device. 

Additionally, the service does not require the user to update any connection software and all key 

generation and rotation is accomplished by the gateway device. Once a device is authenticated and a 

secure session established the host system provider will be able to distribute operating system and 

antivirus patches seamlessly to the endpoint. 

The service does not require the device to be periodically connected to the host system directly and 

enable seamless transition between the fixed and mobile operating environments. 

In addition to remote access solutions, Level 3 can provide additional authentication services. Given 

increasing compliance demands, tight management of the identities of consumers, customers, and 

employees is now a requirement. Multi-factor authentication to reduce or remove dependence on 

passwords is increasingly taking hold. Single sign-on solutions, the rise of networked applications, and 

partner and consumer based federated identity management solutions are all driving the complexity of 

identity management solutions to new levels. 

710

Level 3 authentication solutions are designed to help organisations strengthen and streamline their 

identity management, achieving higher levels of security while ensuring compliance. 

Efficiently operating and managing an effective identity management system can be a significant 

challenge. It places additional demands on internal resources, such as network administrators, which 

can distract them from critical operational activities. And when a user can’t authenticate because no 

one is available to help, productivity stops. 

Level 3 authentication solutions offer a cost-effective flexible approach that simplifies the challenges 

that come with identity management. Level 3 can design, deploy, configure, monitor and manage your 

authentication systems in a manner that is customised to your needs. 

Level 3 offers flexible identity management options that cover: 

711 

Assessment services to ensure business requirements and security policies are met 

Design of identity and access management architecture and solutions 

Provision of market-leading technologies including RSA SecurID, ActivIdentity and Cryptocard 

24/7/365 monitoring and alerting from our global Security Operation Centres (SOCs) 

System availability checks 

Platform and policy management with change control 

Remote system management and rebuild 

Detailed reporting via the ISIS web-based portal 

Comprehensive remote management 

Varying service level agreements (SLAs) for guaranteed uptimes, customised to your needs 


Level 3 can offer two web conferencing solutions. Cisco WebEx web conferencing and Cisco WebEx 

Connect.

Cisco WebEx web conferencing is a data collaboration service, intended for primary use in 

conjunction with the Level 3 Ready-Access audio conferencing. Users must have a web-enabled Ready- 

Access subscription in order to access Cisco WebEx solutions as a Host. Hosts use the same Ready- 

Access Number and 7-Digit Access Code to access Cisco WebEx solutions as they do to access their 

Ready-Access audio conferencing service. Ready-Access audio conference controls are available within a 

Cisco WebEx web conference and synchronized audio and web recording is available. 

Cisco WebEx web conferences can be used in any situation that requires collaboration or data 

sharing between two or more participants who are not able, for whatever reason, to meet in person. 

In addition to the Cisco WebEx web conferencing product, Level 3 also offers Cisco WebEx Connect, 

a presence and Enterprise Instant Messaging tool customers can use to collaborate securely with 

remote colleagues – inside or outside their organization. WebEx Connect IM brings together the most 

effective communication and collaboration solutions from Cisco including: Presence, Enterprise Instant 

Messaging, Voice, Video, UC Capabilities and 1:1 Conferencing. Additionally, customers that use 

Connect will be able to launch Meeting Centre meetings from the WebEx ball within the client. 

Cisco WebEx Web Conferencing Product Comparison 

712 

Cisco WebEx 

Meeting Centre 

Description Meet online 

to present 

information, 

Cisco WebEx 

Training Centre 

Deliver 

engaging, 

effective, and 

Cisco WebEx 

Event Centre 

Stage large- 

scale online 

events and web 

Cisco 

WebEx Support 

instant, 

Centre 

Provide 

personalized

713 

share 

applications, 

and collaborate 

on projects with 

customers and 

co-workers 

worldwide. 

Usage Scenarios Collaborative 

Recommended 

number of attendees 

sessions 

Internal and 

external 

meetings 

Product 

demos 

Sales 

presentations 

Up to 100; 

additional 

capacity 

available 

interactive 

instructor-led 

training to 

employees, 

customers, and 

partners in 

virtual online 

classrooms. 

Employee 

training 

Partner 

training 

Customer 

training 

Up to 1000; 

additional 

capacity 

available 

seminars to 

generate leads 

and train 

employees, 

customers, and 

partners. 

Web seminars 

Marketing 

events and 

conferences 

Product 

launches 

Employee 

communicatio 

ns 

Up to 3,000; 

additional 

capacity 

available 

customer or IT 

support 

worldwide. 

Enable your 

support staff to 

diagnose and 

fix problems in 

real-time, 

remotely, from 

their PCs. 

IT support 

using the 

Internet 

Customer 

support 

through the 

Internet 

10 or fewer 

per remote 

support session

Sharing 

Information 

Share desktop, 

application, web 

browser/content 

Whiteboard, 

presentation and 

document sharing 

Play Flash, 

streaming audio/video, 

WebEx recordings 

(Windows and Mac) 

Annotation 

tools/annotation in 

sharing mode 

Text Chat and Q&A 

(managed and 

moderated) 

714 

Cisco WebEx 


Cisco WebEx 


Cisco WebEx 

Event Centre 

Cisco 

WebEx Support 

Centre 

Yes Yes Yes Desktop 

and application 

sharing only 

Yes Yes Yes N/A 

Yes Yes Yes N/A 

Yes Yes Yes Yes 

Text Chat Yes Yes Text Chat

Transfer files Yes Yes Available on 

Publish event and 

course materials 

Audio and Video Cisco WebEx 

715 


Audio Ready- 

Access 

Video Single-point 

and multi-point 

(6); integration 

with Cisco 

Unified Video 

Conferencing 

available 

request 

Yes Yes 

Cisco WebEx 


Access 

Ready- 

Single-point 

and multi-point 

(6) 

Cisco WebEx 

Event Centre 

Ready- 

Access; Audio 

Broadcast 

Single-point 

available on 

request 

Basic and 

advanced file 

transfer 

Cisco 

WebEx Support 

Access 

only 

Centre 

Ready- 

Single-point 

Meeting Features Cisco WebEx Cisco WebEx Cisco WebEx Cisco

716 

Meeting Centre Training Centre Event Centre WebEx Support 

Attention indicator Yes Yes 

Polling: instant and 

planned 

Program/campaign 

management, post 

event surveys 

Lead source 

tracking and enrolment 

scoring 

Email management 

(automated invitations, 

reminders and tracking) 

Registration 

management 

Instant only Yes Yes 

Testing and instant Yes 

Yes 

Yes 

Text only Full- 

featured 

Yes Advanced Advanced 

Centre

grading, and instructor 

scoring 

Breakout sessions 

and hands-on labs 

Permissions-based 

remote control 

One-click remote 

system hardware and 

software information 

Options 

717 

only 

Yes – Web 

Yes Yes 

Reports Yes Yes Yes Yes 

Connection 

Operating system 

support (Windows, 

Mac, Linux, Solaris) 

Cisco WebEx 


Unix 

Yes, plus 

Cisco WebEx 


Cisco WebEx 

Event Centre 

Yes 

Yes Yes Yes 

Start meeting from Yes Yes Yes Yes 

Cisco 

WebEx Support 

Centre

within any Windows 

application, desktop or 

Internet browser 

Join and attend 

from 3G mobile device 

Click to join using 

SMS or email (audio 

only) 

Integrated 

ecommerce (pay to 

attend) 

request 

connect 

Inbound support 

Remote reboot and 

718 

Yes 

Yes Yes Yes 

Yes Requires 



Requires 



Click-to- 

Connect, 

WebEx 

WebACD 

Logon as Yes 

Yes

administrator and 

remote printing 

Options 

Other Tools and 

Recording, editing, 

playback 

Microsoft® 

Outlook® and Lotus® 

Notes Integration 

Flash-based 

attendee interface 

Localization 

(French, German, 

Italian, Japanese, 

Portuguese, Simple and 

Traditional Chinese, 

719 

Cisco WebEx 


Network- 

based and 

client-side 

Cisco WebEx 


Network- 

based and 

client-side 

Cisco WebEx 

Event Centre 

Network- 

based and 

client-side 

Cisco 

WebEx Support 

Centre 

Network- 

based,client- side, and client- 

side automatic 

Yes Yes Yes Yes 

Yes, plus 

Korean and 

Swedish 

Korean 

Yes, plus 

Yes 

Yes Yes, plus 

Korean

Spanish) 

720

KCOM Group Plc 

KCOM shall provide supply, installation, maintenance, technical architecture and system design, 

project management, and support for equipment, commodity and managed service for the services 

described below: 

Traditionally-delivered voice services 

KCOM provides traditionally-delivered voice services anywhere in the UK. 

Services are provided either via direct connection to KCOM’s own national network or as an indirect 

connection via the BT network, depending on location. Direct connections use Primary Rate ISDN30 with 

a choice of signalling (Q931e, DASS, DPNSS) dependent on Customer equipment, using KCOM fibre, or 

OLO (Other Licensed Operator) “tail” circuits. Indirect connections utilise the existing BT network 

infrastructure (Wholesale Line Rental ISDN30e/Dass, ISDN2 and analogue lines). KCOM uses ISDN digital 

technology for reliability, call clarity and seamless connection for voice/fax and video communication. 

To complement indirect connections, KCOM carries traffic via Carrier Pre-Select (pre-determined 

code programmed at the local BT exchange to automatically route calls via the KCOM network). This can 

be offered on its own where existing lines need to remain with BT, or both lines and calls can be 

transferred. 

KCOM also provides an indirect access code service (138) to extend to home-workers, so that 

business calls can be made using the access code, which will be billed to the business Customer, allowing 

private calls and line rental to remain with the incumbent. 

Business continuity options are available for direct and indirect connections for additional resilience. 

Existing numbers can be ported to KCOM to maintain marketing continuity. 

KCOM supports additional supplementary services such as Call Barring, Caller Display, Call 

Forwarding and Calling Line Identity presentation, to complement and enhance line functionality. KCOM 

also supports Type 5 number presentation when directly connected to the KCOM network, which 

presents a nominated number such as a freephone or local call number to the end user rather than the 

721

underlying network number to encourage return calls, or to implement traffic management on return 

calls. 

IP-based voice services 

KCOM SIP Trunking provides PSTN connectivity over an IP connection from the Customers telephone 

system. This can replace or co-exist with existing traditional voice connections such as ISDN. 

Unlike traditional ISDN or analogue line connections, SIP trunks are not tied to geographical 

locations and are scalable on a per line basis. Calls within and between connected locations are free of 

charge, whilst all other calls are on standard KCOM voice tariffs. Customers can retain existing numbers 

and get access to new number ranges from different area codes across the UK. SIP Trunking allows the 

integration and routing of calls between separate locations in a more flexible and efficient manner. 

Dynamic failover provides additional security by automatically re-routing calls if the 

normal telephone destination cannot be reached. 

KCOM offers a transition service to migrate Customers from existing voice lines to KCOM SIP 

Trunking ensuring that there will be no disruption to service. 

KCOM has undertaken interconnect and interoperability testing between its SIP Trunking product 

and the following PBX vendors: 

· Cisco 

· Avaya 

· Mitel 

· Siemens 

· Panasonic 

· Samsung 

· Toshiba 

· Microsoft 

722

· Splicecom. 

KCOM offers SIP Trunking over the following site access methods: 

· Broadband: ADSL(20CN) and ADSL2+(21CN), 

· Ethernet: Copper (EFM) and Fibre point-to-point and multi-point 

· IP VPN MPLS. 

Call packages 

KCOM offers standard call tariffs, or bespoke pricing based on a Customer existing traffic profile. 

KCOM does not operate minimum call charges or set up fees. Calls are priced on a pence per minute 

rate only and are BABT certified for accurate billing. 

Voice minutes 

KCOM operates several PSTN interconnect agreements with a number of Tier 1 UK, International 

and Mobile carriers to assure quality business grade call transit and termination and carries over 900 

million minutes per annum across the KCOM network. 

KCOM has a pro-active Fraud Management Team monitoring network usage and anomalies. 

DDI 

DDI is used to provide different telephone numbers for each telephone extension, and to route the 

call to the correct extension. The extension number forms the last part of the actual directory number 

and can be set from 2 to 6 digits. 

For ISDN2e, DDI installation shall be a minimum of 2 and a maximum of 60 channels. Groups of 

ISDN2e access channels can be allocated up to a maximum of 5 separate DDI ranges, where each 

number range will have a minimum of 10 consecutive numbers. All numbers in all ranges will have the 

same service profile (i.e. if one number is forwarded they all will be). The numbering options allow a 

mixture of SNDDI (Single Number Direct Dialling In) and DDI ranges on the same installation with all 

numbers using any of the available channels. A maximum of 5 SNDDI, including the main number, can be 

provided on ISDN2e. 

723

For ISDN30e – DDI provides number blocks in multiples of 10 numbers and can support a maximum 

of 10 DDI / SNDDI ranges. For ISDN30 DASS, only DDI ranges are applicable and SNDDI numbers are not 

supported. Up to 5 DDI ranges can be applied across the same channels. 

Premium rate numbers 

KCOM offers Premium Rate Numbers of 090 (content) and 091 (non content) of all price point 

ranges, with access via a secure online portal to manage Number Translation Service routing plans in 

real time. Calls can be routed by time of day, day of week, ratio (%) distribution, DTMF (emergency 

routing), divert on busy/no reply, and by geographic distribution. 

For business continuity (DTMF emergency routing), KCOM provides the ability to create multiple 

routing plans which can be held dormant until required. The activation of an alternative routing plan can 

be invoked instantly by remote activation at any time from either a phone using DTMF control, the 

online portal, or by the KCOM 24 hour Customer Services Helpline. 

KCOM builds all Premium Rate Numbers onto the KCOM Intelligent Network (IN) platform to enable 

intelligent routing of inbound calls. The KCOM IN platform delivers calls to any destination in the UK via 

on-net or off-net connectivity. All Premium Rate Numbers can be viewed for billing and reporting 

through the KCOM Online Billing & Reporting tool, and network usage is monitored 24/7 via the KCOM 

fraud management team. 


KCOM offers non-geographic numbers including 0800 freephone, 0845 local rate, 0870 national 

rate, 0844 & 0871 flexible tariffs & 03 national alternative numbers. All geographic number ranges can 

be managed via a secure online portal to update Number Translation Service routing plans in real time. 

Calls can be routed by time of day, day of week, ratio (%) distribution, DTMF (emergency routing), divert 

on busy/no reply, and by geographic distribution. 

For business continuity (DTMF emergency routing), KCOM service offers the ability to create 

multiple routing plans which can be held dormant until required. The activation of an alternative routing 

plan can be invoked instantly by remote activation at any time from either a phone using DTMF control, 

the online portal, or by our 24 hour Customer Services Helpline. 

724

KCOM builds all Non-geographic numbers onto the KCOM IN platform to enable intelligent routing 

of inbound calls and deliver calls to any destination in the UK via on-net or off-net connectivity. Existing 

Non-geographic numbers can be ported so existing numbers can be retained. All Non-geographic 

numbers can be viewed for billing and reporting through the KCOM Online Billing & Reporting tool, and 

network usage is monitored 24/7 via the KCOM fraud management team. 

KCOM also supports Local Presence Numbers, which are numbers that portray a local presence in 

areas where there may be no physical site location. They are managed in exactly the same way as other 

non-geographic numbers. 

118 enquiries 

KCOM is the UK’s largest wholesale provider for directory enquiry services, with over 20 customers 

and over 40 different 118 numbers. KCOM offers a 118xxx Directory Enquiry (DQ) service on behalf of 

customers for revenue generating business. This is a flexible service and provides a range of call handling 

features which can be tailored to specific requirements and desired target markets including, operator 

or automated greeting, basic service or call connect, single or multiple searches, national or 

international DQ, SMS number delivery and automated or operator number announcements. 

Alternatively, KCOM offers a national and international 118xxx DQ service with a flat fee rate for 

either 1 or up to 3 searches, and the option to onward connect or restrict. The service includes an option 

to re-route all outbound calls to DQ services to a specified 118xxx service. KCOM also provides a Multi- 

DQ service whereby multiple requests (over 10) can be faxed/emailed to the KCOM Operator Call 

Handling Centre. 

Call Preference Services 

KCOM offers registration to the Telephone Preference Scheme and Fax Preference Scheme which is 

administered by the Direct Marketing Association for both Indirect and Directly Connected circuits. 

For Directly Connected circuits, KCOM has set processes for managing “Nuisance” calls, where 

“Nuisance” is determined as any call which is unwanted. The reporting of Nuisance Calls is managed by 

the KCOM Network Management Centre (NMC) and appropriate action is taken dependent on the type 

of “Nuisance” call being reported. KCOM works in liaison with the police for line trace requests, and has 

a Malicious Call Indicator capability on the KCOM Network where the end user can dial “1” at the time of 

receipt of the call to trigger an immediate notification to the NMC team. The end user can also reject 

Anonymous Calls to the CLI that has been reported as receiving “Nuisance” calls. 

725

For Indirectly Connected circuits, all “Nuisance” calls are managed through the Openreach Nuisance 

Calls Bureau or directly through the Law Enforcement Agency. 

Audio conferencing 

KCOM Conferencing Pay as you Go is a reservation-less audio conference service available 24 hours 

a day, 7 days a week. The service allows three or more people to participate on a single call with 

unlimited number of participants. This is charged on a pence per minute, per user rate for the duration 

of the call. The account is managed via a secure customer portal allowing customers to view invoices, 

add new users, adjust security options and manage recorded conferences. Audio conferencing is either 

hosted internally, or as a managed call by a conference moderator, with the option to have interactive 

mode for all participants, or muted for host-only speak. 

KCOM also provides on-premise IP telephony audio conferencing products allowing multiple callers 

to dial into a multi party voice conference call. The voice conference servers provide VOIP access to 

voice conferences using headsets, short-code dialling within the company, and external bridges for PSTN 

access for company staff and other users such as partners, suppliers and Customers. 

On-premise audio conferencing is set up using a web page or is built into standard email tools such 

as Microsoft Outlook and Lotus Notes so that the dial-in details and PIN numbers can be attached to the 

voice conference invite. 

Voice conference services from KCOM scale to hundreds of ports allowing a number of simultaneous 

conferences to be happening at any one time. 

KCOM provides the following on-premise voice conference products: 

· Cisco – Cisco Meeting Place 

· Avaya – Avaya Aura Conferencing 

· Microsoft – Lync 2010. 

Desktop video conferencing and collaboration tools 

726

KCOM provides the following desktop video conferencing and collaboration tools: 

· Unified Communication clients that enable users to see the presence of colleagues, escalate to 

an Instant messaging chat and then to a voice conference call and video conference on a point 

to point, or point to multipoint basis. Users also have the option to share documents, web sites 

and other applications 

· A reservation conferencing tool based on Cisco Webex or Avaya Aura Conferencing that 

integrates web conferencing, video conferencing with multi parties, note only the speaking 

party is seen at any one time. This can also be fully integrated into voice conferencing 

applications. The scheduling of these meetings can be made via a web browser or plug-ins 

available for applications such as Microsoft Outlook. 

KCOM provides the following manufacturer products: 

· Cisco – Jabber, Cisco Webex connect, Cisco Webex meeting centre 

· Avaya – Avaya Aura One X, Avaya Aura Conferencing. 



KCOM provides both cloud based and on premise web conferencing products that are accessed 

either through a web site or integrated via an API into applications such as Microsoft Outlook, Lotus 

Notes and other email applications. The KCOM web conferencing services gives users the following 

capabilities: 

· Run live or streamed video for training or company briefings 

· Run VoIP or Real time audio communication through the computer allowing people to access 

via the network or internet 

· Run web tours - where URLs, data from forms, cookies, scripts and session data can be pushed 

to other participants 

· Record meetings for later viewing and/or distribution. 

· Use whiteboards with annotation to edit a variety of applications such as Microsoft Excel, 

Word, and Powerpoint presentations 

· Text chat, either public (echoed to all participants) or private (between 2 participants). 

· Run polls and surveys to obtain feedback 

727

· Share screens, desktop and applications. 

KCOM provides these services using the following products: 

· Cisco – Cisco Webex, Cisco Meeting Place with Webex node for MCS 

· Avaya – Avaya Aura Conferencing 



KCOM is a VMware Premier Service Provider, provides Internet services including email and web 

services, antivirus, email scanning/filtering, firewalls, intrusion/spyware detection, authentication, 

access management. KCOM is a member of LINX (London Internet Exchange) and peers with other major 

providers. All primary hosting is performed in Tier III or higher data centres and KCOM has 

geographically-resilient facilities. 

KCOM provides fully uncontended internet access services using fibre or copper bearer circuits. 

Bandwidths from 2Mbps to 10Gbps will be delivered over fibre circuits, whilst lower-cost copper circuits 

support bandwidths of up to 10Mbps, subject to availability. 

KCOM provides resilient fibre circuits in either failover or load-balanced configurations. A failover 

service provides two active circuits, each providing back-up for other. A load-balanced service provides a 

second, inactive circuit which shall be automatically used should the primary circuit fail. 

KCOM also provides reactive Distributed Denial of Service (DDoS) monitoring of the network as 

standard and shall provide an option to upgrade to a proactive service. 

Bandwidth levels on all services have the option to flex the committed level of bandwidth, upon 

request, within the constraints of the access bearer. KCOM provides a managed Cisco router, configured 

with public IP addresses for use with the service. 

Email and website services 

728

KCOM provides a hosted email service based on Microsoft Exchange 2010. Two main types of 

mailbox are provided: 

· Basic mailboxes, providing personal calendars, task lists and contacts 

· Full MAPI (Messaging Application Program Interface) compliant mailboxes providing shared 

calendars, global address lists, shared contacts, and mobile access including Blackberry 

Enterprise Server. Mailboxes can be up to 25GB in size. 

Management is via a web portal which can optionally be Customer-branded. The Exchange 2010 

platform is fully resilient and the service is provided with a 99.9% availability SLA. Access to email can be 

via Microsoft Outlook, any web browser using Outlook Web App or a mobile device via Activesync. 

Outlook Anywhere ensures the security of emails travelling across the Internet as transmission is via RPC 

over HTTPS. 

KCOM also provides an Email Archiving service with role based administration and options for full 

search and discovery tools to monitor and report adherence to internal email policy, and user or 

administrator recovery of emails. The Email Archiving service will be provided as an option for the 

Hosted solution of can be provided as a standalone solution. 

KCOM provides website services from KCOM data centres via the KCOM managed hosting platform. 

Websites can be delivered and managed on Microsoft Windows and Red Hat Linux platforms with 

availability SLAs of up to 99.99% 

Co-location and hosting 

KCOM provides unmanaged and managed co-location services in several, redundant data centres 

across the UK, all of which are Tier III or higher. All sites have multiple internet connections as well as 

standard telecommunications connectivity. MPLS, point to point and internet connections can be crossconnected 

in all locations. All data centres have 24x7 monitoring and remote hands available. Fullymanaged 

hosting services are provided at the primary site in Docklands, with a redundant site in 

Reading. Hosting services can be delivered on either virtual (VMWare) or physical servers, fully-licensed 

on either Microsoft Windows or Red Hat Linux platforms. Managed hosting services include equipment 

supply, solution design, uptime monitoring, operating system management, patching, antivirus, DDoS 

monitoring and licensing. 


729

KCOM provides online storage services in the KCOM primary and secondary data centres, which are 

linked via dual, redundant 10Gb/s links. All storage is provided utilising high performance shared 

SAN/NAS infrastructure on redundant NetApp equipment, which is backed up to the redundant site. 

Access solutions to the On-line storage platform will be provided by connection via 1Gibit or 10Gbit 

Ethernet using iscsi, NFS or SMB protocols On line storage can be provide by connection over 1Gibit or 

10Gbit Ethernet using iscsi, NFS or SMB protocols. 

Security services 

KCOM provides security services as a hosted service or an on-premise service on customer owned 

equipment. 

Hosted Security Services 

KCOM provides hosted security services as a physical, dedicated, high availability service or on a 

shared platform depending on Customer requirements. KCOM shall provision, configure and install the 

solution; undertake testing in conjunction with the Customer and participate in any external penetration 

testing where required by the Customer; monitor and support the service 24x7; deploy firmware 

updates and security patches under change control. 

All services are provided out of KCOM enterprise-class Tier 3 data centres. 

On-premise Security Services 

KCOM designs and provides managed services for security devices from key vendors including Cisco, 

Checkpoint, Juniper and Thales. The managed service comprises: 

· Design and Integration 

· License and Subscription services for updating of Anti Virus signatures 

· Maintenance including on-site engineering support, hardware replacement and software and 

security patch updates 

· Hardware and critical software status monitoring 

· Change and configuration management supported by back up and restore processes 

· Device incident management 

· Optional Security Event Correlation and Management 

730

· Optional Security Event Filtering and Log Retention 

· Optional Vulnerability Scanning and Assessment. 

On-premise services can be used in conjunction with hosted services for e-mail and web filtering. 

Antivirus 

Hosted Services 

The KCOM hosted antivirus service provides fully automated updates to ensure protection against 

the latest signatures. It employs advanced virus, spyware, and heuristic detection engines to enable 

KCOM end point security agents to prevent both new and evolving threats from gaining access to 

Customer networks and their content and applications. KCOM provides global updates via the 

FortiGuard Network for comprehensive protection against all content-level threats. Scanning is done in 

real time at near wire speed. 

On-premise 

KCOM provides firewall appliances configured to access vendor provided updates for Anti Virus 

software and management of the associated subscription service. This is normally provided as part of a 

wider security managed Service. 

Email scanning and filtering 

Email scanning and filtering is provided via MailDefender. This is a cloud product, requiring no 

software to be installed on-premise. It uses multiple industry leading AntiSpam and AntiVirus engines 

and also contains Anti-phishing and quarantine elements. The system is updated every five minutes with 

new virus information. It can be setup to operate at the domain level or at an individual user level with 

user defined white/blacklists. User administration can be done via the MailDefender interface or via 

Active Directory synchronisation. The quarantine area can be configured to be end-user or supervisor 

managed. Messages within the quarantine database can be searched by keyword, date, from, to, etc, to 

find specific emails. The MailDefender system includes detailed auditing and reporting and the ability to 

add a disclaimer to outgoing emails. 

Firewalls 

731

KCOM offers Firewall services as a hosted service or an on-premise managed service on customer 

owned equipment. 

Hosted services 

For co-location and managed hosting Customers, KCOM provides fully-managed Fortigate and Cisco 

firewall services on a rental model. All services provide stateful inspection, deep packet inspection, 

packet filtering, real time anti-virus and anti-spam delivered in an application context. 

On-premise services 

KCOM designs and provides Firewall solutions based on vendor platforms including Cisco, 

Checkpoint and Juniper. The service provided includes: 

· Design, implementation and transition into operational management 

· Maintenance 

· Managed service where required 

· Optional Security Event and Information Management (SEIM) 

· Optional subscription services for Anti Virus updates 


KCOM offers Intrusion Prevention Service (IPS) services as a hosted service or an on-premise 

managed service on customer owned equipment. 


The KCOM IPS provides Customers with robust defences against stealthy network-level threats. It 

uses a customizable database of more than 5,100 known threats that enables KCOM to stop attacks that 

evade conventional firewall defences. It also provides behaviour-based heuristics, enabling the system 

to recognise threats for which no signature has yet been developed. The combination of known and 

unknown threat prevention provides a robust defence to attacks. 


732

KCOM design and provide solutions based on vendors platforms including Cisco, and Checkpoint. 

The service is based on IPS modules configured in Firewalls or on standalone IPS appliances and 

includes: 

· Design, implementation and transition into operational management 


· Managed Service where required 

· Optional Security Event and Information Management (SIEM) 

· Optional subscription services for IPS signature updates. 


KCOM offers authentication and access management as a hosted service or an on-premise service. 


KCOM deploys a range of authentication and access management services, from forms-based 

authentication, through Microsoft Active Directory and up to and including two factor authentication 

(Fortinet or RSA-based). All are delivered as a managed service as part of a larger managed hosting 

project. 


KCOM provides Internet based Virtual Private Network (VPN) and Access Control Systems based on 

Cisco equipment for on-premise authentication and access management. 

The VPN service uses Firewalls supporting SSL and IPSEC clients. IPSEC VPN includes client software 

for end user devices including laptops, smart phones and tablet. 

Authentication and access is provided by the deployment of the Cisco Access Control System (ACS), 

Network Access Control (NAC) appliances and the Cisco Identity Services Engine (ISE). These solutions 

are used to control access in wired and wireless environments as well as an additional layer to VPN 

services. 

733

Access control is used for Policy Enforcement, Identity Aware Access, Role Based Access and Guest 

Access. 

The service includes: 

· Design, implementation and transition into operational management including integration 

with Customer’s directory services as required 


· Managed Service where required. 

Web and application sign on services 

KCOM provides web-based sign on services for accessing (e.g.) a fully-managed SharePoint platform 

via Forms-Based Authentication. Application sign on services (e.g. Microsoft Active Directory) are 

deployed as part of a larger managed service and are dependent upon the specifics of the application or 

platform. 

Messaging services 

KCOM provides Voice-mail systems that provide a user interface to select, play, and manage 

messages; a delivery method to either play or otherwise deliver the message; and a notification ability 

to inform the user of a waiting message. 

KCOM provides Unified Messaging systems that allow users to access voice-mail and email messages 

using either the graphical user interface (GUI) on their PC, mobile device or using the telephone user 

interface (TUI). When viewed using a PC, voice-mails and emails are displayed together in the user’s 

email inbox. 

KCOM provides more advanced systems that are integrated with a company’s PABX, with a call 

centre ACD for automatic call distribution. Interactive Voice Response (IVR) systems use digital 

information stored in a corporate database to select pre-recorded words and phrases stored in a voicemail 

vocabulary to form sentences that are delivered to the caller. 

KCOM provides the following manufacturers Voice Mail or Unified messaging products: 

734

· Cisco – Cisco Unity and Unity Connection. 

· Avaya – Call Pilot, Avaya Modular Messaging , Avaya Aura Messaging 

· Microsoft – Exchange 2010 

Real time information services 

KCOM shall provide intelligent building solutions to monitor and deliver real time information on 

hazards such as smoke detection and fire control, building access management and telemetry for 

example temperature thresholds, air flow and smoke detection in environments such as data centres. 

The KCOM intelligent building solutions also enable the automation of processes and tasks in an 

estate environment. The solution KCOM provides uses integrated energy management systems 

supporting power management and energy conservation, for instance, lighting automation solutions can 

be delivered over the converged IP network meaning that lights can be switched off when it senses the 

building or room is not occupied. It also provides the monitoring and control and facilities such as 

switching off, or reduced power to other systems such as air conditioning, heating at either set times or 

when buildings are not occupied for periods. Additionally, servers, PCs, IP Phones and Wireless Access 

Points can be powered down during non operational hours. 

KCOM Intelligent Building solutions include: 

· Cisco Routing , Switching and Security Products 

· Cisco VPN Products 

· Building Automation and Management Systems 

· Energy Management Systems 

· HVAC Systems 

· Lighting sensor systems 

Desktop messaging 

KCOM provides desktop instant messaging and presence for text-based communication between 

two or more participants over the Internet, corporate network or mobile network. Presence and Instant 

Messaging (IM) chat happens in real-time. 

735

The instant messaging service includes a separately installed software client, or a browser-based 

client. IM Chat can be escalated into a voice call and then into a wider conference using voice and web 

conferencing. 

Using IM Federation a company’s IM application can be made visible to other communities allowing 

interaction with other public sector bodies such as Police, Fire and Rescue etc, as well as suppliers and 

internet based IM providers such as Google Talk, Yahoo messenger and MSN Messenger. 

KCOM provides the following manufacturers presence platforms and clients: 

· Cisco – Jabber, Cisco Unified Personal Communicator, Cisco Unified Presence, Cisco CUCILYNC 

(Cisco Unified Communications Integrated with Lync), Cisco Integration to IBM Lotus Notes 

· Avaya – One X and Aura Presence 


Messaging via email, SMS, pager and mobile or fixed line telephone 

KCOM Connect provides options for delivering messages via email, SMS, paging and multimedia 

messages to any combination of mobile and fixed line phones, PDAs, Blackberrys, email, pagers and fax 

destinations. These shall be: 

· - sent directly from user desktop via a web site, 

· - integrated into business applications through plug-ins/APIs into email systems such as 

Microsoft Outlook, Lotus Notes, allowing emails to be sent as text messages, or 

· - integrated into backend systems and software such as Salesforce.com 

Messages can be delivered to mobile phones and fixed line telephones using text to speech. 

KCOM provides integration into other messaging services through its partnership with Pageone 

Paging Services. KCOM Pageone paging service sends pager messages to a group of users, initiated 

simply by landline, SMS, or from any PC with web access allowing messaging to the organisations 

pagers. 

736

KCOM Connect includes audit details of all message delivery and receipt. 

Provision of all elements of a complete solution 

KCOM provides UC services including the following components: 

· Instant Messaging 

· Soft (computer-based) telephony 

· Fixed to mobile integration 

· Physical (handset-based) telephones 

· Collaboration software 

· Desktop video or the integration to a larger room-based system 

· Presence integration into your current activity, calendar or locality 

· Integration into Contact Centre 

· Federation to other organisations. 

The components that allow Unified Communications may include the following, depending upon the 

specific capabilities a particular organisation includes: 

1. Applications Servers from KCOM main vendors Cisco, Avaya, Microsoft 

737 

o Call Processing server 

o Presence server 

o Messaging server (instant messaging, email, voicemail, facsimile) 

o Collaboration server 

o Mobility servers 

o Billing and Compliancy Servers 

2. Gateways from Cisco, Avaya and Microsoft

738 

o TDM-PSTN connectivity 

o SIP trunking and Session Border Controllers 

3. Endpoints, from Cisco, Microsoft, Avaya: 

o Phones, Softphones, Mobiles, Tablets, Smart Phones

Logicalis UK Ltd 

Section 1 Logicalis Communication Services Overview 

Logicalis has designed a range of Services that map onto the Lot 1 provision for Communications 

Services, these include: 

1. Provision of all elements of a Complete Solution. 

2. All traditional and IP based voice services; 

739 

voice call packages; 

voice minutes; 

DDI, 

premium rate numbers; 

non-geographic numbers; 

118 enquiries; 

call preference services, 

SMS, pager and mobile or fixed line telephone; 

messaging services; 

real time information services; 

desktop messaging;

740 

messaging via email, 

3. Conferencing Services 

audio conferencing; 

desktop video conferencing and collaboration tools; 

web conferencing; 

4. Internet Services 

Internet; 

email and website services; 

co-location and hosting; 

on-line storage; 

5. Security Services; 

antivirus; 

email scanning and filtering; 

firewalls; 

intrusion and spyware detection; 

authentication and access management;

741 

web and application sign on services; 

6. Supply of Equipment 

7. Consultancy and Professional Services including: 

technical architecture; 

system design; 

installation. 

8. Project & Service Management 

9. Training 

10. Support Services including: 

maintenance; 

support for equipment, commodity and managed service. 

Section 2 Provision of all elements of a Complete Solution. 


Logicalis’ service approach to Unified Communications is modular, allowing Customers to take the 

services that they require, overlaid onto the foundations that they already have.

For instance, it is likely that many of the Partners that intend to connect to the PSN at this stage 

already have IP or TDM based telephony platforms that are likely to be retained for at least another two 

years. In this case, local call control is handled by these existing systems. This does not preclude these 

organisations from taking other services in the portfolio however such as PSTN access, mobile 

integration or conferencing. In some cases, Partner organisations may have more than one service 

already in place such as call control, instant messaging and e-mail. In this instance, federation, 

integration and interconnection services are provided by Logicalis to interconnect them with other PSN 

Customers as required. 

Where there is no UC infrastructure in place or it is unlikely to be retained, the Customer can choose 

to take the full suite of services from Logicalis, safe in the knowledge that they are able to interwork 

with those organisations or sites that have taken the modular approach. 

Call Control and Interconnection 

742

The core services delivered to PSN Customers in the first instance enable the connection of each 

Partner site, securely over the PSN network. This allows organisations to communicate between their 

sites with zero call charges based on their existing call control platforms (Avaya, Nortel, Alcatel etc). In 

addition, they are able to access the PSTN centrally using two secured and geographically separated SIP 

connections. This allows the Customers to consolidate their ISDN estate, removing line rental costs and 

providing a more flexible connection that can grow to accept peaks in demand. 

Should Customers, or sites, not have a suitable PBX then Logicalis can provide an IP based call 

control service as the foundation of the overall UC solution. This provides the option of both hard (IP) 

and soft (IP) phones, single number reach for mobile integration, click to dial, voice messaging and other 

features such as home working. 

This solution is based on Cisco technology and it integrates seamlessly into the PBX interconnection 

service which is based on the same platform, allowing a single dial plan to exist across the PSN and 

migration possibilities across the two service offerings. 

Carrier Independent PSTN Access and Mobile Integration 

Centralising services in this way allows the Partners to share in infrastructure savings whilst 

maintaining their own individual, highly competitive contracts with BT and other carriers. 

Logicalis intends to take the same approach to mobile provision whilst allowing the Customers to 

maintain their existing direct relationship with their mobile provider. 

743

External IP Communication for “Free” 

The Logicalis voice service takes advantage of new Cisco technology which allows organisations to 

take advantage of the Internet for call routing. This technology is called Intercompany Media Engine 

(IME). 

IME allows federation over the Internet in terms of voice and video communication without 

complex configuration within the network or any intervention by the caller. IME uses a ring topology 

with each IME dynamically learning and then maintaining a database of routes. Companies that have a 

Cisco voice infrastructure use IME to link into the ring, gaining access to any connected IME member 

over the Internet by just dialling their PSTN number. 

Internet calling has not been considered as an Enterprise technology in the past due to worries over 

voice quality and security. Cisco has overcome these two issues by ensuring that the connection is 

continually monitored and should it exceed the specified metrics of delay and jitter, the call is 

automatically re-established over the PSTN, without any user intervention or loss of service. Security is 

handled too, with anti-spam controls, certificates and encryption coupled with packet inspection and 

proxy services. In the future, IME also extends these capabilities to video, simplifying remote face to 

face communications with external parties such as non PSN connected bodies. 

Providing access to the IME ring in this way will reduce the call costs for Customers wishing to make 

calls outside of the PSN network. The scale of the cost reduction is unknown at this stage, however it is 

envisaged that over time, IME technology will be adopted by other vendors into a new standard. 

Instant Messaging, Integrated and Federated 

744

Instant Messaging (IM) and Presence are becoming common place and are well adopted in the 

consumer sector. This adoption has caused many employers to examine IM and presence as a 

productivity tool, decreasing the amount of e-mail and increasing interaction between staff members. 

The ability to see who, out of a team of possible colleagues, can help you with a simple question and 

get an answer straight away is invaluable in increasing productivity and staff satisfaction. Within offices, 

where colleagues sit together, this is less important but as services become shared between sites and 

potentially other Partners, the frequency of face to face communication with teams or virtual team 

members is likely to reduce. Instant Messaging can provide a way to improve interaction, by ensuring 

that the person you need is available before contact is initiated and by allowing the addition of voice, 

video and file sharing. 

Logicalis understands that numerous organisations have already started to see the benefits of 

Instant Messaging and so to ensure that users can continue with the interface that they are familiar 

with, the IM service for PSN supports both federation and integration. 

The IM platform uses XMPP, the protocol that is fast becoming a standard across the industry for 

Instant Messaging interworking. This means that the solution can federate with existing IM installations 

such as OCS within the PSN allowing users to keep the interface they already have, removing the need 

for additional user training. 

As well as federating with existing installations, the service is also federated with external bodies 

such as Google and AOL, allowing users to build contacts outside of the PSN. 

Control is instigated through the Organisational Administration interface, allowing each PSN 

Customer to implement the policy that they require in terms of federation and access to the IM 

745

platform. This control can be used to restrict file sharing, desktop sharing, external federation and other 

elements between users within the same organisation or between separate organisations. 

Contact Centre 

Whilst the term Contact Centre can conjure up negative images, the use of the technology in the 

right way improves customer satisfaction and service levels. Logicalis has worked with a number of local 

authorities on deploying these tools to reduce waiting times and answer simple, repetitive queries 

automatically, 24 hours a day, resulting in a better service to their customers. 

Logicalis’ Contact Centre solutions provide inbound, outbound and e-mail integration. The solution 

uses the call control element of the Logicalis service which could be interconnected to the existing PBX if 

required. 

Seamless Integration 

A modular approach allows PSN Customers to make the most of their existing investments whilst 

capitalising on Logicalis’ strength as an integrator. By taking elements from both Logicalis’ service 

portfolio and the Partners own delivery, Logicalis can provide a solution that is bespoke for the Partner 

but based on a common, proven architecture. 

UC on the Move 

746

The modular units described above are designed to work with mobility in mind, allowing the user to 

choose the best location for them to work, whether at home, in the office or somewhere else. For 

example, mobile integration allows users to be contacted using a single number with the most 

appropriate device (IP phone, POTS phone or mobile) being used to accept the call. Instant Messaging is 

also available from home or the mobile device with this extending to desktop video, e-mail and other 

services. 

Contact Centre Agents can also be based at home to make the most of the local employment base 

and to provide seasonal overflow. This type of flexibility allows PSN Customers to respond to the needs 

of their customers and staff more easily, resulting in service improvements. 

Conferencing - Web, Video and Audio 

Needing to share information across a distributed team of people is becoming commonplace and is 

only set to become more so as services are increasingly shared between a larger group of organisations 

within the PSN. 

To address this need, Logicalis has a range of conferencing solutions powered from our own 

Immersive Conferencing Service through to on site solutions and externally hosted solutions such as 

WebEx. All of these approaches enable PSN Customers to conference internally and externally, sharing 

documents and presentations with voice and video. 

Using these platforms allows integration with the IM service to click to conference capability as well 

as Outlook scheduling to ensure ease of use. 

747

Video can be integrated as desktop feeds from individual users for ad-hoc and scheduled meetings 

and access to the Janet Video Bureau service provided through the PSN network. 


Logicalis offers a wide range of Internet based Services via our dual Tier 3 Data Centres, providing 

direct Internet connectivity and a range of hosted or ‘as a Service’ offerings from low level solutions 

such as co-location and hosting, through to storage, email and website services ‘as a Service’ via our G- 

Cloud solution. 


Logicalis provides a variety of security solutions delivered either as on-site deployments or' ‘as a 

Service’ offerings from Logicalis’ G-Cloud platform. Our solutions cover all aspects of the security 

spectrum from securing end points with antivirus, to detecting malicious threats with email scanning 

and filtering/intrusion and spyware detection, protecting access through authentication/access 

management and application access through web and application sign on services. The final aspect is 

securing the perimeter through firewalling technologies. 

Communication Services 

Logicalis has developed eight main service areas which relate to the Communication Services for our 

PSN Customers: 

748

749 

1. Consultancy and Design Services; 

2. Equipment Provision 

3. Implementation Services; 

4. Managed Services. 

5. Unmanaged Services; 

6. As a Service; 

7. Hosted Services; 

8. Break/Fix Services; 

Logicalis is able to provide: 

pre-sales support to scope the design effort, equipment lists and estimate the installation 

effort – a pro bono piece of work; 

production of the detailed design document, covering the physical and logical 

Communication design; 

a service design to support ongoing service operations; 

provision and implementation of Communication Services equipment 

full monitoring and management of the new or existing systems;

750 

ongoing support for new or existing equipment; 

service management. 

Supply of Equipment 

As part of the service catalogue, Logicalis provides hardware for Communications solutions which 

can be purchased by the Customer via the change control process. Logicalis updates the equipment 

pricing on a regular basis. Any additions or deletions from the Service Catalogue are managed by the 

Service Delivery Manager. 

Logicalis can procure an extensive range of equipment direct from the vendors and achieve 

significant savings, which are passed on to the Customer, based on a fixed margin model. 

A brief summary of the extensive range of equipment and services that can be procured and some 

basic specifications are as follows: 

All traditional and IP based voice services; 



DDI, 








desktop messaging; 

messaging via email,

Conferencing Services 

audio conferencing, 


web conferencing. 


Internet; 



on-line storage. 


751 

antivirus; 


firewalls; 


authentication and access management; 

web and application sign on services. 

Section 4 Consultancy and Design Services 

Technical Architecture and System Design Services 

Logicalis’ approach to Communication design services is that of a Systems Integrator, whereby we 

take a vendor agnostic approach. We have the highest partner accreditations with vendors such as Cisco 

and can work with a Partner to provide integration capabilities with additional manufacturer 

technologies, to utilise existing investments but still work towards a common call handling architecture. 

Logicalis intends to engage with the Customer in a consultative manner in understanding the 

requirements and then engaging with vendors to ensure that the best technical and commercial solution 

is proposed.

Our design consultancy takes into consideration the existing investments to reuse any 

infrastructure/equipment wherever possible. 

This consultancy is packaged and available, via the Service Catalogue, when required by the 

Customer. 

The deliverables from this Communication consultancy exercise can then be used by the Customer, 

or by Logicalis on behalf of the Customer. 

As part of the design service, Logicalis works with the Customer to transform an existing contact 

centre into an innovative, dynamic customer-driven tool, and create a platform to radically redesign 

business processes around the demands of customers. 

Logicalis approaches these projects in a consultative manner to understand the business and 

technical drivers. Once we have a clear understanding of requirements our Solutions Architects team 

works alongside the main manufacturers in the industry to design the solution. 

Our design process includes pre-sales customer workshops, technical solution proposal to ensure 

that the correct solution is specified and post-sales design workshops. 

Logicalis is able to design Communication Solutions that range from a handful of users through to 

many hundreds. 

Installation – Communication Implementation Services 

Logicalis’ Implementation Services’ primary focus is to deliver technical services for projects 

including implementation and support to our customer base. This is achieved primarily by working in 

752

close collaboration with Logicalis’ Pre Sales, Project Management and Managed Service teams. The 

Implementation Service is available on a 24 x 7 basis and comprises: 

Engineering Team 

This is a home based, mobile engineering workforce located all over mainland Britain, providing the 

bulk of the Logicalis SLA responses for all on-site maintenance contracts and managed service support 

issues. These issues range in diversity from the swapping of hardware, to further information gathering 

& diagnostics, problem simulation, command line configuration, firmware & software upgrades and the 

testing of spares prior to use in the field. 

Supporting the home based force, is a team of office based engineers providing the interface 

between our Service Desk and the wider Field Support Team. This Technical Support Group delivers their 

services remotely, direct to our customers. While a high percentage of incidents are resolved by this 

team, their role also encompasses the gathering of additional technical data to allow further 

investigation by their field based colleagues if required. 

The hands-on skills in both teams are available across varied technology solutions, including routing, 

switching, unified communications, Communications, security, wireless and content. This portfolio 

combines hardware and software elements spanning multiple vendors, delivered to a diverse range of 

customer environments. 

A key factor in successful service delivery is the use of engineers local to their customer base. While 

clearly SLA compliance is important, equally so is the longer term relationship between the local 

engineer(s) and their customers. Part of the objective setting with each engineer, includes the 

establishment & maintenance of the customer relationship. This directly caters for improved customer 

753

knowledge and greater SLA management, as well as providing wider benefits which include better 

defined local spares holdings etc. 

While the focus for the Field Support Team is clearly for the benefit of our customers with existing 

maintenance contracts, they are also active in delivering other services. These services include but are 

not limited to, projects & implementations, maintenance take on audits, surveys/audits and any 

associated documentation. 

Solution Implementation Team 

The Solutions Implementation Team is a 24 x 7 service, entirely made up of home based engineers 

throughout mainland Britain. Their roles are focussed around the delivery of customer project & 

implementation based requirements, which incorporates a number of related, specific activities to 

guarantee success. 

This typically starts with a review of the documentation supplied by Pre Sales (SOW or SDD) and 

Project Management (Project Plan), to understand the solution and timeframes. This is carried out by a 

‘Lead Engineer’, who has the responsibility for leading the project from a post sales perspective. Next 

follows the building and configuration of any hardware & software elements in one of the Logicalis Pre 

Staging Labs, where any design constraints or issues can be resolved in a risk free environment. Only 

then is the equipment boxed up and sent out to customer site for installation. 

Once on-site, the kit is installed and a full connectivity, commissioning and acceptance procedure is 

conducted. The Lead Engineer completes any documentation requirements for the customer, as well as 

providing further information for Logicalis’ Contracts Admin and Field Support Team (if the installed 

solution is being supported by Logicalis). 

754

The hands on skills of this team are available across a variety of technology solutions, including 

routing, switching, unified communications, Communication, security, wireless and content. This 

portfolio combines hardware and software elements spanning multiple vendors, delivered to a diverse 

range of customer environments. 

While the focus of this team is delivering project based work, they are also active in delivering many 

other technical services. These services include maintenance contract break/fix, information gathering 

and diagnostics, problem simulation, pilot/proof of concept testing, surveys/audits customer knowledge 

transfer etc. 

Principal Engineering Team 

The Principal Engineering Team is a 24 x 7 service, entirely made up of home based engineers 

throughout mainland Britain. Their roles are entirely focussed around the service delivery of the most 

complex technical solutions required from the Post Sales Engineering Team. 

This role effectively offers direct ‘expert level’ technical support to both the Solutions 

Implementation and Field Support teams. Typically this means the lead of the most challenging 

customer project solutions, as well as the technical escalation ownership for the most complex 

contracted maintenance customer incidents. The various work streams required to deliver the role 

include working with Pre Sales to produce detailed design & configuration data, proof of concept 

testing, providing best practise configuration advice and templates, mentoring across all technology 

areas to all of the other teams etc. 

In addition, the Principal Engineering Team is able to carry out all of the activities described within 

the remit of the Field Support and Solution Implementation Teams. The highest levels of technical 

755

vendor accreditation reside within this team, and as such this technical relationship is a key focus for 

them all. This is particularly evident from managing the bulk of our vendor support escalations, but is 

also visible in the various vendor technology forums and update sessions. 


Project Management - Overview 

Logicalis provides the full range of skills essential to assure effective Programme and Portfolio 

Management. Logicalis’ Programme and Project Managers have many years of experience of working 

within Government programmes across a wide variety of sectors. 

Programmes and Projects range from major infrastructure change programmes to software 

development and systems implementation with budgets ranging from several thousand to multi-million 

pounds. Our portfolio of core programme and project management services includes: 

756 

Benefits Management; 

Programme Management; 

Project Management; 

Project Review & Lessons Learned; 

Risk Management; 

Stakeholder Management.

Benefits Management 

Benefits management aims to ensure that the desired project has been clearly defined, is 

measurable, and provides a case for investment. Furthermore it seeks to make sure that the proposed 

changes or policy outcomes are actually achieved. 

The benefits management team recognises that projects require a constant focus on the intended 

benefits if they are to deliver value and remain aligned with the Customer’s business goals. 

The delivery of value begins with defining the expected high-level outcomes and continues through 

the identification, profiling, tracking and embedding of the identified benefits. It also involves assessing 

risk against the proposed outcome. 

The benefits management team is experienced in the delivery of benefits management in the secure 

information domain. 

Logicalis help to identify, track and realise benefits, throughout the delivery programme and into the 

Operations phase, where we can also assist managers with the responsibility for service delivery to 

ensure that the planned benefits are both monitored and optimised. 

Programme Management 

Logicalis considers its programme managers to be holistic change agents. We believe that the role of 

a programme manager has evolved from that of managing multiple projects, to that of implementing 

business strategy. Whilst the programme manager of today requires a refined set of business and 

leadership skills that are vastly different from that of a project manager, we believe that an effective 

757

programme manager requires a sound understanding of project management and all its varied 

techniques. 

Logicalis’ programme managers are familiar with the culture of large Public Sector organisations and 

the measurement of benefits at a strategic level. We currently service an integrated portfolio of Secure 

Information projects, involving the management of multiple teams of professionals, as well as executive- 

level stakeholders. 


Logicalis’ project managers manage and support all phases of the project lifecycle where 

experienced and effective security cleared PMI and PRINCE 2 qualified practitioners are needed to: 

758 

project manage a major change; 

enhance and strengthen your current team; 

provide an exclusive set of security cleared skills or experience on a transitory basis; 

execute or accelerate a specific standard or bespoke service implementation; 

build up a new business, division or team; 

coach your current project managers and their teams. 

Logicalis’ approach to project management is experience based; we believe that most business 

challenges can be solved effectively with the application of the right management talent, expertise and 

action. 

Project Review and Lessons Learnt

The objective of a project review is to identify how success can be assured. A Logicalis led project 

review ascertains the issues that need to be addressed, both positive and negative. Our project review 

and lessons learned service typically focuses on: 

• Scope 

759 

Whilst major scope changes are relatively easy to identify and manage, scope changes often 

occur in the form of "scope creep". Scope creep is the amalgamation of small changes that, 

individually, appear minor but in aggregate are significant. Logicalis understands that you cannot 

effectively manage the resources, time and cost of a project unless you actively manage every 

element of the project scope. 

• Project Team 

A successful project manager must effectively manage all of the resources assigned to that 

project. This also includes managing all relevant subcontracts. 

• Project Planning & Control 

Logicalis excels at detailed project planning to assure full visibility and control of 

multifaceted, high value projects. Our specialist knowledge assures the review of, and warrants 

the production of accurate, practical and informed schedules and plans whilst ensuring they are 

rigorously executed and monitored. 

• Communication

760 

It is crucial that effective communication exists between the team members and project 

stakeholders. Logicalis assesses if these channels are effective and highlights where and how 

improvements can be made. 

Risk Management 

Logicalis’ risk management practitioners are expert in the design and implementation of risk 

management techniques. We help organisations to understand their business and security risks and 

then apply practical risk management practices to help mitigate them. Our risk practitioners are highly 

experienced leaders in the discipline of client-side risk assessment; most especially security vulnerability. 

Our Risk Practitioners help your business to: 

understand and manage operational risk; 

achieve compliant corporate governance; 

display effective management of risk to stakeholders; 

make practical decisions and maximise ROI; 

deliver projects to agreed criteria. 

Stakeholder Management 

Logicalis recognises stakeholder management as the process by which Clients identify their key 

stakeholders and win their support.

Whilst the value of relationships is difficult to determine, it is recognised that successful stakeholder 

management is a key source of competitive advantage. Understanding, forecasting and influencing what 

other people think about your programme or project is essential to a winning venture. We believe that 

the secret to this success is not just about leading the team, but also about dealing with the multitude of 

issues and communicating successfully around the periphery of the programme. 

Logicalis knows that it is crucial to recognise the key points at which stakeholders must be involved 

in development and decision making. It is further recognised that streamlining the approval process 

results in cost savings across the programme. Our team of business consultants has comprehensive 

experience in this diverse field. 

Project Management Service Offerings 

Project management services are offered either on a T&M or fixed price basis. The number of days 

required is estimated, based on the size and complexity of the project. Any special customer 

requirements (for example mandatory on-site attendance at weekly meetings) will also influence the PM 

estimate. It is therefore important that this is discussed with the customer prior to any quotation being 

prepared. 

The project management team is split in to three regional teams and has a supporting project 

management office (PMO) function. Team leaders have dual roles to include senior project and 

programme management as well as a managerial role for the PMs in their team: 

Overall the team supports 20 Project Managers and Project Coordinators. 

The following table identifies the various categories of PM offerings that are available and 

summarises for each offering the elements that are delivered as part of the service. 

761

of PM 

Deliverable 

purchased 

Project 

Initiation 

Resource 

Allocation 

Process 

Process 

Project Risk 

Project Log 

(throughout 

project) 

Project 

Definition 

Email/phon 

e as point of 

762 

Project 

Coordination 

PM 

2-4 days 

PM 

5-10 

days 

PM 

11-20 

days 

PM 

20+ days

contact 

Project 

Initiation 

Meetings by 

conf call 

Project 

Initiation 

Meetings on 

Customer site 

PID – 

Project 

Initiation 

Document 

Plan 

MS Project 

Project 

Execution 

On-Site 

763

Project Review 

Meeting x1 

On-Site 

Project Review 

Meetings - 

Multiple 

Meetings by 

Audio or Video 

Conference 

Status 

Reports 

Risk 

Management 

Issue 

Resolution 

Project 

Review of 

documentation 

764

Project 

Change Control 

Process 

Arrange 

Equipment 

Delivery 

Handover to 

Support & 

Customer 

Manageme 

nt of Sub 

contractors 

Arrangemen 

t of Customer 

Training 

Invoicing, 

Stage Payments, 

etc 

765

Closure 

Project 

Completion 

of works email 

Final 

Invoicing 

Review of 

Issue Log 

Project 

Closure Meeting 

Programme/Project Management Services 

ServiceID: PSN 4040 Programme/Project Management Service 

Service Specification 


766 

When a Project Manager (PM) is assigned he or

767 

she will be PRINCE2 accredited and knowledgeable in 

delivering projects of a similar nature. 

The PM divides the Project into discrete stages, 

ensuring that agreement is reached at each stage with 

the Customer which assists in the understanding of 

project deliverables and confirming expectations are 

matched throughout the project. 

Interfaces Account Manager, Service Delivery Manager and 

Lead Solutions Consultant. 

Dependencies A Scope of Works is required to identify and 

define an agreed requirement. 

Lifespan Contract term. 

Minimum Term Fixed project management program, as per the 

Compliance 

Subcontractor No 

scope of works. 

Services will be compliant to the sector specific 

requirements as identified within the PSN Standards. 

Overall compliance to CoCo where applicable. 

Termination Logicalis will provide clear information as to

Payments and Notice termination notice and costs including where any 

Service levels 

768 

termination points are within the ordered service 

term. 

As per the contract for Professional Services. 

Response time for 

confirmation of resource 

availability 

2 working days 

Initial Audit Meeting Within 10 working days (3 days for small 

Deliverables 

requirement) 

Project Management Package 2 – 4 days 

The Project Office is responsible for managing 

short term engagements. It is likely that a junior 

Project Manager will be assigned to these activities. It 

is also possible that the project management duties 

will be allocated to the lead consultant or engineer. It 

is unlikely that Project Managers will be engaged for 

less than 2 days on any project. 

Deliverables: 

Ensuring resource allocated and booked

769 

correctly; 

Manage equipment deliveries; 

Liaise deliveries and installation with customer; 

Assessing and reporting progress; 

Issue escalation & resolution; 


Managing subcontractors, training, invoicing, 

etc. 

Project Management Package 5 to 10 days 

Within the agreed 5 to 10 days project 

management package, Logicalis provides a Project 

Manager to coordinate and facilitate the timely and 

successful delivery of the project. Generally meetings 

are performed by audio or video conference although 

for significant meetings such as the kick-off, the 

project manager travels to the customer site. 

Deliverables: 

Primary point of contact for service delivery; 

Attend initial kickoff/planning meeting; 

Produce minutes from the planning meeting; 

High level risk management and issue 

resolution; 

Produce and agree high level milestone plan; 

Carry out mid project review & produce

770 

minutes; 

Provide formal project closure and agree follow 

on actions; 

Attending ad-hoc conference calls; 

Project planning with MS Project; 

Resource planning; 

Assessing progress; 




etc. 

Project Management Package 11 to 20 days 

Logicalis provides a project manager to coordinate 

and facilitate the timely and successful delivery of the 

project. Generally meetings are performed by audio 

or video conference although for significant meetings 

such as the kick-off, the project manager travels to 

the customer site. 

Deliverables: 

Primary point of contact for service delivery; 

Attend planning meeting; 

Produce minutes from the planning meeting; 

Risk management and issue resolution;

771 

Produce an agreed high level milestone plan; 

Produce a project initiation document; 

Produce and maintain the project log; 

Produce highlight reports at agreed intervals; 

Attend mid project reviews & produce minutes; 

Provide formal project closure and agree follow 

on actions. 

Attending conference calls; 

Resource planning; 

Assessing progress; 




etc. 

Project Management Package >20 days 

Projects with >20 days of project management 

time are medium and large projects usually requiring 

a bespoke service suited to the requirements of the 

customer and project. In order to scope out the 

project management effort in these types of project it 

is important to understand the customer’s 

requirements. For example frequency of on-site 

attendance, specific reporting requirements, 

management of customer/3 rd party personnel, etc.

Service Credits 

772 

The Project Initiation Document, produced by the 

Project Manager in the early stages of the project, 

defines the scope of the project management 

activities as well as the project itself. 

Service Credit Regime Not applicable fixed project management. 


Included Resources 



Commercial Quote team 

Security provisions Services will be compliant to the sector specific 

Pricing 

requirements. Minimum compliance will be PSN 

design standard. 

Charging Model As per Service Catalogue 

Price Model As per Service Catalogue 

Ordering Procedures Ordering will be via the Customer Portal.

Service commitment 

Logicalis will provide the following 

Delivery lead time 5 Days from the point of order 

Delivery lead time 

exceptions 

773 

Failure of the Partner Organisation to accept the 

first three start dates offered. 

Changes to order As per the contract. 

Customer obligations 

Ordering 

Transition 

Transition 

Methodology 

The PSN Agreement Number under which the 

Order is being placed; 

The Site where the services are required (full 

postal address or addresses); 

On site contact (including email address and 

phone number) and Authorised Officer. 

As per ISO standards 

Compliance Services will be compliant to the sector specific 

requirements as identified within the PSN LAN



774 

Standard. Minimum compliance will be to technical 

compliance to CoCo. 

At Logicalis we deliver service design through to out-tasked/outsourced service operations against 

the ISO 20000 standard. 

Our accredited portfolio of core functions includes: 


Service Architecture

Logicalis service architects work with our customers to gain a complete understanding of their 

requirement. They define the technical aspects of the service and produce the blueprint solution; 

explaining the different support strategies we can offer and their viability with respect to the customer’s 

business needs. 

Logicalis designed solutions are underpinned by robust service models that support the client’s 

business processes. This approach both informs stakeholders and assists maintainers, by assuring a fully 

managed programme for all service functions, throughout the life of the contract. 

The service architect manages the service design team to ensure that the service we provide meets 

the customer’s current and future requirements. 


The service design team takes the preliminary service scope and works closely with the customer to 

tailor the in-service support procedures such that they are aligned with their service requirement. 

Service Design is delivered through the following functions: 


The team expands on the service architect’s output to produce a high-level technical solution. 

Process Design 

The team designs the in-service support procedures that are specific to the customer’s service 

requirement. 

Measurement Systems, Methods and Metrics Design 

775

The team defines the service reporting process by agreeing what data is to be captured, how that 

data is to be captured, and how that data is presented. The data is used to underpin the continual 

service improvement activity that is delivered throughout our partnership with the customer. 

Management Systems Design 

At the system design stage, our team ensures that the service management systems, tools and 

human resources are in place. The team works closely with our service managers to refine the 

customer’s requirements. This ensures that, as the service evolves to meet changing business needs, the 

support we offer is always comprehensive. 

Integrated Logistics Support (ILS) 

ILS analysts take the service model, processes and technical architecture and then plan availability, 

reliability and maintainability so as to capture the complete service envelope. 


Service Transition Management 

Logicalis Service Transition Managers manage the overall service integration (transition from design 

to operations). The transition manager interfaces directly with the customer to ensure project risks, 

issues and escalations are managed in alignment. 

Logicalis understands the challenges and risks facing organisations as they implement complex 

service solutions. Our expertise enables us to support both the full and partial integration of Service 

capability. 

776

Service Transition is delivered through the following processes: 

Transition Support Plan Development 

We produce a plan and schedule detailing the resources that are used to ensure the smooth 

transition from service design to live operations. 

Organisation & Service Change Coordination 

Customer and Logicalis resources, identified in the service transition plan, are put in place to provide 

support for the service in live operation. 

Testing and Delivering the Service 

Final checks and configuration are rigorously performed to ensure smooth transition into live 

operation. 

Logicalis is committed to providing a service transition phase that is consistent, controlled, and 

creates minimum disturbance to day-to-day operations. We assure this control through the use of our 

service introduction approach which ensures that: 

777 

All processes, descriptions and work instructions required to support the service are considered; 

Particular attention is paid to both environment and domain when defining support processes 

that are fit for purpose across the totality of the customer’s operational envelope; 

Services are flowed into the live environment following a structured approach, delivered against a 

tailored project management background.

Service Management Services 

778 

ServiceID: PSN 4041 Service Management Services 

Service Specification 


Logicalis service architects work with our 

customers to gain a complete understanding of 

their requirement. They define the technical 

aspects of the service and produce the blueprint 

solution; explaining the different support 

strategies we can offer and their viability with 

respect to the customer’s business need. 

The service architect manages the service 

design team to ensure that the service meets the 

customer’s current and future requirements. 

Interfaces Account Manager, Service Delivery 

Manager, Lead Solutions Consultant, Project 

Manager. 

Dependencies ‘Scope of Works’ is required which identifies 


thresholds/capacities 

and defines the agreed requirement. 

Services are delivered based on fixed 

consultancy program.

779 

Lifespan Contract life. 

Minimum Term Fixed service management program, as per 

Compliance 

the scope of works. 

Services will be compliant to the sector 

specific requirements as identified within the PSN 

Standards. 

Overall compliance to CoCo where 

applicable. 


Service term As agreed 

Termination 

Payments and Notice 

Service levels 

As per the contract for Professional Services. 

Response time for 

confirmation of resource 

availability 

Logicalis will provide details with Order. 

2 working days 

Initial Audit Meeting Within 10 working days (3 days for small

780 

Deliverables 

requirement) 

Logicalis service architects work with our 

customers to gain a complete understanding of 

their capability requirement. The deliverables 

are the following high level headlines which are 

agreed with the scope of works. 

Service Design: 

Service Architecture; 

Service Design; 

Solution Design; 

Processes Design; 

Measurement Systems, Methods and 

Metrics Design; 

Management Systems Design; 

Integrated Logistics Support (ILS). 


Service Transition Management; 

Transition Support Plan Development; 

Organisation & Service Change 

Coordination; 

Testing and Delivering the Service; 

Training. 

Change Managed through change control process. 


Service Credit Regime Not applicable.

781 


Included Resources 

Security provisions 

Pricing 

Resources included: 


Transition Management 


Commercial Quote team 

Services will be compliant to the sector 

specific requirements. Minimum compliance will 

be PSN design standard. 

Charging Model As per Service Catalogue 

Price Model As per Service Catalogue 

Ordering Procedures Ordering will be via the Customer 

Portal. 

Contractor’s Service commitment 

Logicalis will provide the following

782 

Delivery lead time As agreed on order 

Changes to order As per the contract. 

Customer obligations 

Ordering 

Via the customer portal and the service desk. 

Logicalis will define the minimum required 

information for the Order to be made including: 

The PSN Agreement Number under which 

this Order is being placed 

The Site where the services are required (full 

postal address or addresses) 

On site contact (including email address and 

phone number) and Authorised Officer 

Testing As per the agreed scope of works. 

Transition 

Transition 

Methodology 

As per ISO standards 

Compliance Services will be compliant to the sector 

specific requirements as identified within the PSN

783 


Section 5 Training 

LAN Standard. Minimum compliance will be to 

technical compliance to CoCo. 

Logicalis has proven experience in the provision of user and maintainer systems training. 

We are able to tailor our training offering to meet the customer’s support requirements, throughout 

the life of the Service. 

We offer a diverse range of innovative training solutions that includes bespoke solutions and 

freestanding courseware design and delivery. 

Section 6 Communication Infrastructure Provision 

Logicalis provide Communications Infrastructures which include both Traditional and IP based voice 

solutions as on-site provisions. These solutions are designed for Customers, to their specific user 

requirements and can include; 

Traditional and IP based Solutions providing: 



DDI, 


non-geographic numbers;

784 







messaging via email, 

Conferencing Services: 




Internet Services: 

Internet; 

email and website services: 



Security Services: 

antivirus; 


firewalls; 



web and application sign on services. 

Communications at 3-3-x 

LAN Provision

For IP based Communications, the underlying LAN service functionality for 3-3-x networks is the 

same as for 2-2-x. 

The 2-2-x and 3-3-x networks on a site do not share the same active equipment and are provided 

with physically separate LAN infrastructure. Although it is technically possible to share equipment, any 

cost savings gained by so doing are more than offset by the additional management complication and 

security risk in doing so. 

The 3-3-x network uses copper cabling for access to users, although faceplates are labelled, and 

patch cables colour coded to avoid incorrect connection of end equipment. If an incorrect device were 

connected, connection into the network itself can be blocked by user authentication if the customer 

selects this option. Fibre optic cabling is used between all equipment locations and between buildings. 

Where a fibre run between buildings is not protected i.e. it can be accessed externally or leaves an 

area where IL3 traffic can be contained, encryption is provided to maintain confidentiality of the data 

path. 

A resilient network time source will be provided for the 3-3-x layer. 

It is assumed that this is outside the scope of this Lot; however advice can be provided where 

required. 


Logicalis does not propose to provision Services at this Level. 

785

How the relevant Impact Levels are to be achieved and the services accredited 

Logicalis’ approach to meeting the needs of any client is based on a sound technology solution. The 

full definition of this solution has to be both practical and cost effective. 

This can only be achieved through the employment of skilled CLAS consultants to advise Logicalis on 

the design and through working with the Accreditor to understand the risk profile and appetite within 

the customer to accept and manage risk through non-technical mechanisms. Logicalis uses the retained 

services of a third party CLAS consultant. This brings outside expertise with exposure to a range of 

options to bear, and balancing the pressures with their wider credibility in the closed world of CLAS 

consultants, ensures the solution is done in the correct manner for both the customer and the supplier. 

The process to achieve the relevant impact levels is a standard approach: 

Design with a security standpoint in mind; 

Use products with appropriate accreditation where-ever possible; 

Consider all aspects around secure design; 

Undertake an IS1 risk assessment; 

Construct the RMADS; 

Agree with the Accreditor the components of the security solution that require mitigating 

action or some form of waiver; 

Submit for accreditation; 

Annual review of RMADS with Accreditor. 

At each stage the Accreditor will be engaged to offer advice as early in the design exercise as 

possible. 

Section 6 Communication Infrastructure Provision 

786

Logicalis provide Communications Infrastructures which include both Traditional and IP based voice 

solutions as on-site provisions. These solutions are designed for Customers, to their specific user 

requirements and can include; 

Traditional and IP based Solutions providing: 

787 



DDI, 









messaging via email,

Conferencing Services 


788 




Internet; 

Security Services; 




antivirus; 


firewalls; 

intrusion and spyware detection;

789 




LAN Provision 

For IP based Communications, the underlying LAN service functionality for 3-3-x networks is the 

same as for 2-2-x. 

The 2-2-x and 3-3-x networks on a site do not share the same active equipment and are provided 

with physically separate LAN infrastructure. Although it is technically possible to share equipment, any 

cost savings gained by so doing are more than offset by the additional management complication and 

security risk in doing so. 

The 3-3-x network uses copper cabling for access to users, although faceplates are labelled, and 

patch cables colour coded to avoid incorrect connection of end equipment. If an incorrect device were 

connected, connection into the network itself can be blocked by user authentication if the customer 

selects this option. Fibre optic cabling is used between all equipment locations and between buildings. 

Where a fibre run between buildings is not protected i.e. it can be accessed externally or leaves an 

area where IL3 traffic can be contained, encryption is provided to maintain confidentiality of the data 

path. 

A resilient network time source will be provided for the 3-3-x layer.

It is assumed that this is outside the scope of this Lot; however advice can be provided where 

required. 


Logicalis does not propose to provision Services at this Level. 

How the relevant Impact Levels are to be achieved and the services accredited 

Logicalis’ approach to meeting the needs of any client is based on a sound technology solution. The 

full definition of this solution has to be both practical and cost effective. 

This can only be achieved through the employment of skilled CLAS consultants to advise Logicalis on 

the design and through working with the Accreditor to understand the risk profile and appetite within 

the customer to accept and manage risk through non-technical mechanisms. Logicalis uses the retained 

services of a third party CLAS consultant. This brings outside expertise with exposure to a range of 

options to bear, and balancing the pressures with their wider credibility in the closed world of CLAS 

consultants, ensures the solution is done in the correct manner for both the customer and the supplier. 

The process to achieve the relevant impact levels is a standard approach: 

790 

Design with a security standpoint in mind; 

Use products with appropriate accreditation where-ever possible; 

Consider all aspects around secure design;

791 

Undertake an IS1 risk assessment; 

Construct the RMADS; 

Agree with the Accreditor the components of the security solution that require mitigating 

action or some form of waiver; 

Submit for accreditation; 

Annual review of RMADS with Accreditor. 

At each stage the Accreditor will be engaged to offer advice as early in the design exercise as 

possible. 

Section 7 Hosted Communications 

Logicalis can provide Communications Infrastructures, either as an on-site, hosted or ‘as a Service’ 

delivering a highly secure, available, virtual, and sophisticated customer interaction management 

solution. 

IP based voice services; 



DDI, 

premium rate numbers;

792 








messaging via email. 

Conferencing Services; 





Internet;

Security Services; 

793 




antivirus; 


firewalls; 




Hosted Communications 

Logicalis provides hosting services in accordance with the following: 

Logicalis will: 

Provide the Hosting Services 24 hours per day every day of the week;

794 

Provide the Support Services during Normal Working Hours; 

Provide the Remote Hands Services [during Normal Working Hours] [24 hours per day every 

day of the week]; 

Use all reasonable endeavours to maintain the temperature within the Customer Designated 

Area within the parameters described in Hosting Services and Service Details; 

Provide the Remote Hands Service. 

The Customer is entitled to locate and use the hosting equipment in the customer designated area 

subject to and upon the terms of the final Agreement. 

The Customer is entitled to allow Users to have access to the customer designated area and the 

Logicalis Data Centre or to use the hosting services, subject to having obtained Logicalis’ prior written 

consent, following the Permit to Work Procedure and completing the Permit to Work Form. 

Logicalis will permit the Customer upon giving reasonable notice: 

to enter the Logicalis Data Centre during Normal Working Hours for the purpose of 

inspecting the Hosting Equipment and allowing the Customer’s potential clients to inspect the 

facilities provided by the Contractor; and 

to enter the Logicalis Data Centre at all times, 24 hours a day 7 days a week, for the 

purpose of carrying out any necessary services, maintenance and/or repair to the Hosting 

Equipment. In cases where emergency maintenance and/or repair work is necessary, the 

Customer will give Logicalis a minimum of one hours notice.

Customer Obligations 

The hosting equipment and additional hosting equipment will be at the customer’s risk at all times 

and the customer will be responsible for insuring the hosting equipment and any additional hosting 

equipment against all risks. The Customer will, in addition to the Charges, be responsible for all costs 

(including costs reasonably incurred by the Contractor) associated with installing installation of the 

hosting equipment, cables and other material and any additional hosting equipment at the Logicalis 

Data Centre is out of scope. 

The Customer will comply with the Data Centre Installation Standards set out in the Data Centre 

Installation Standards in respect of all hosting equipment and additional hosting equipment. 

Customers will not make any alteration or modification to the Logicalis Data Centre, or any of the 

racks, storage facilities, fixtures and fittings or any other facilities provided by Logicalis. 

The Customer will keep the Customer Designated Area clean and tidy and free from rubbish and 

other debris and refrain from obstructing any doors or access to that space at all times. 

The Customer will comply with the Acceptable Use Policy. 

The Customer will not load the rack(s) in which the hosting equipment is installed in excess of the 

manufacturer’s recommended maximum loading. 

Use of Electrical Power 

795

Pricing includes a charge for the usage of electrical power up to the maximum amount stated in Co- 

location Services and Service Details. 

Logicalis may also make an additional charge for, or grant a rebate against the charge for, the 

Customer’s actual usage of electrical power at the end of each quarter. 

The Customer acknowledges that should it wish to install additional hosting equipment, Logicalis 

cannot guarantee to provide electrical power in excess of the electrical power provision. 


Logicalis will perform the Hosting Services in accordance with the service level requirements set out 

in Co-location SLA. 

Relocation of Hosting Equipment 

Logicalis may, having given the Customer as much notice as is reasonably possible in the 

circumstances, relocate the hosting equipment to another area within the Logicalis Data Centre, which 

will upon moving to it, become the customer designated area. Logicalis will arrange and pay for the 

relocation of the hosting equipment to the new customer designated area and will provide the hosting 

services at the new customer designated area. 

Removal of Hosting Equipment 

796

On expiry, or termination of the service, the Customer will be solely responsible for the removal of 

the hosting equipment from the customer designated area within fourteen (14) days of the date of 

termination or expiry. 

Logicalis may disconnect, switch off or remove any of the hosting equipment at any time without 

the prior approval of the Customer if it is necessary to take such action immediately in order to protect 

health and safety or to prevent damage to the customer designated area, or the Logicalis Data Centre. 

Disaster Recovery 

Any disaster recovery requirements will be subject to a separate quotation and a specific contract 

for such purposes between Logicalis and the customer. Unless specifically listed in the service schedule, 

Logicalis does not provide any disaster recovery services as part of the standard co-location agreement. 

System and Security Requirements 

Logicalis will be responsible for providing physical and electronic security systems for the Logicalis 

Data Centre perimeter and common areas leading up to the customer designated area. Logicalis will 

provide physical access and security controls will comply with the Security Policy applicable to the 

customer designated area. 

Reporting and Reviews 

797

Logicalis will, on a quarterly basis, provide the reports relating to the hosting services as set out in 

the hosting SLA. 

Logicalis and the Customer will meet regularly at mutually determined times and intervals to discuss 

and review reports that Logicalis will present regarding any incidents that may have occurred and the 

general state of the Logicalis Data Centre. 

Hosting SLA 

Service Level Requirements 

Logicalis will perform the Hosting Services in accordance with the service level requirements set out 

below and if Logicalis fails to perform, the Customer will be entitled to receive the service credits set out 

below. If one failure or incident leads to two or more service credits being payable only the higher or 

highest service credit will apply. 

y 

Power 

Categor 

798 

Description 

Level 


Measure 

ment Period 

Power Simultaneous 100% Quarterly 

Service Credit 

Temperature 

799 

failure of power to 

any power circuit 

(A-feed) and its 

associated 

redundant power 

feed circuit (B- 

feed) 

uptime Fee 

y 

ture 

Categor 

Tempera 

800 

Description 

Customer Area 

temperature of no 

more than 26 o C 

and no less than 

17 o C as measured 

in the Cold isle at 

the front of 

customer racks 1m 

above floor height 

Level 


Not in 

excess of 

27 o C 

Measure 

ment Period 

Quarterly 

Service Credit 

Fault Resolution 

Logicalis will be responsible for coordinating all incident isolation, testing and repair work relating to 

the Logicalis Data Centre. Severity levels will initially be as determined by the Customer but Logicalis 

may increase or decrease the severity level if it is reasonable to do so after investigation of the 

incident. During the incident isolation and troubleshooting process, Logicalis will communicate with the 

Customer and escalate its problem resolution efforts based upon the times specified in the table 

below. Logicalis will proactively inform the Customer when an issue or condition arises that may cause 

potential problems. Logicalis will provide status updates as described below: 

erity 

Level 

801 

services affected; 

start time of incident; 

current status of resolution; 

description of problem; 

estimated time of resolution. 

The following steps will be taken when the Customer reports an incident: 

Sev 

Description Cove 

rage 

onse 

Time 

Resp 

Resolu 

tion Time 

Effort 

Work 

mer 

Status 

Custo 

Updates 

Time 

-based 

note

S1 Customer’s 

802 

Service is not 

operational and 

no workaround 

is possible 

24x7 15 

minutes 

1 hour 24 

hours per 

day until 

resolution 

or change 

of 

severity 

hour 

Every 

S2 Customer’s 24x7 1 2 16 Every 

15 

minutes: 

the 

Logicalis 


Desk 

2 

hours: 

Logic 

alis Data 

Centre 

Manager 

4 

hours: 

ces 

Servi 

Director 

1

803 

Service is 

operational but 

performance is 

seriously 

degraded. If a 

workaround 

has been 

provided, the 

loss of 

performance 

can only be 

sustained for a 

few Working 

Days. 

S3 Customer’s 

Service is 

24x7 2 

hour hours hours per 

hours 

4 

hours 

day until 

resolution 

or change 

of 

severity 

ard 

Stand 

2 hours hour: the 

Every 

4 hours 

Logicalis 


Desk 

4 

hours: 

Logic 

alis Data 

Centre 

Manager 

1 

Working 

Day: 

ces 

Servi 

Director 

1 

Working

804 

operational. 

However a 

problem has 

been identified 

that causes 

slight 

degradation in 

performance. A 

workaround is 

available. 

Working 

Day 

Day: the 

Logicalis 


Desk 

2 

Working 

Days: 

Logic 

alis Data 

Centre 

Manager 

5 

Working 

Days: 

ces 

Servi 

Director

follows: 


Logicalis will notify the Customer regarding maintenance of the Logicalis Data Centre as 

805 

Type of Maintenance Description Notification Period 

Routine 

Standard 

Routine maintenance 

with no likely affect on RICS 

Designated Area; and 

maintenance which is part of 

the Contractor’s PPM 

Routine maintenance 

and repair which the 

Contractor believe may 

involve an outage 

Urgent Repair needed urgently 

Emergency 

Reporting 

Repair or other action 

needed on health and safety 

or security grounds. 

No notification required 

14 day advance 

notification 

1 hour advance 

notification 

No advance notification 

required but the Contractor 

will notify Customer as soon 

as is reasonably practicable

Logicalis will provide the following reports and documents within ten (10) Working Days of each 

month end: 

806 

Power Distribution Unit (PDU) meter readings in Amps (A) of electrical load for each PDU, both 

primary and redundant, together with the previous months’ readings. 

Monthly details of temperature within the customer designated area recorded. 

Access register for the customer designated area together with all requests for access by both 

the Customer and Non-Customer personnel including those where access may have been due to 

an emergency situation. 

Log and/or register of all remote hands services requests. 


Logicalis will have in place a business continuity and disaster recovery plan which it will make 

available to the Customer for review. The business continuity plan / disaster recovery plan will: 

address all critical functions and operations of the services used by Customer; 

specify recovery time frames for each critical function and operation used by Customer; 

be thoroughly tested at least annually; be regularly updated to the extent necessary. 

Remote Hands Services 

Logicalis will provide the remote hands services consisting of technical support for basic operational 

functions, and diagnostic and repair activity for hosting equipment, facilities, spares and other materials 

owned or leased by the Customer. 

Logicalis will charge for the remote hands services in accordance with the rates in the Service 

Catalogue. 

Logicalis will be contactable 24 hours a day, 7 days a week and will provide remote hands services 

24 hours a day, 7 days a week if required.

Logicalis will relay on request and on receipt of instructions from the Customer: 

807 

the visual status of hosting equipment to assist in remote troubleshooting; 

undertake basic remedial tasks on hosting equipment; 

power cycle hosting equipment when and should the need arise; unload/load data tapes at 

the Customer tape library equipment. 

Logicalis will conduct physical layer testing and test and confirm that all cross-connects are 

functioning normally to the patch panel in the Logicalis Data Centre. 

Logicalis will install and maintain cabling at additional charges in respect of the following: 

install copper patch cords between devices in the customer designated area; 

install fibre patch cords between devices in the customer designated area; 

source and provide copper and fibre replacement patch leads and cables at the Customer’s 

request; 

install or patch copper or fibre patch cords at the Customer’s request; 

troubleshoot physical layer issues with fibre and copper. 

The Customer may elect to have Customer materials such as data tapes delivered to, configured at, 

installed at, stored at, maintained at, serviced at, and/or shipped from the Logicalis Data Centre. 

Logicalis Hosting and aaS Security

Logicalis can locate our Data Centre within the Security Boundary of the PSN and can therefore 

provide Hosting and aaS at IL2-2-x and IL 3-3-x in accordance with: 

808 

HMG CESG/CPNI Guidance 

NIST Guidelines 

Industry best practice 

In order of preference and where available. 

Section 8 Communication as a Service 

For simplicity and commonality, Logicalis has mapped our UC provision onto the current MTS 

solution. Therefore, as part of the UC Service Logicalis provides the following: 

Managed Telephony Services which include; 

Managed Traditional Telephony Services 

Managed Next Generation Telephony Services (Unified Communications as a Service) 

Telephony Handset Provision; 

Telephony Call Logging Service; 

Voicemail & Voice Processing Service; 

Voice Mobility Services; 

Voice Disaster Recovery Services; 

Voice Call packages; 


DDI, premium rate numbers;




SMS, pager/mobile/fixed line telephone. 

Service Management which includes: 

809 

Telephony Maintenance and Support Services; 

Telephony Software & Hardware Moves and Changes; 

Traditional Telephony Services 

Logicalis provides Traditional Telephony Services which are fully managed services using supplied, 

premise based, PBXs connected which can remain stand alone and managed on premise or connected to 

Logicalis’ centralised IP based Telephony platform. 

The PBX supports the extensions at the Customer site and also remote workers and hot-desking 

staff that are associated with the site. Solutions provide support for analogue, digital handsets and IP 

handsets. 

The Traditional Telephony Service can provide each user with the below functionality depending on 

the end user requirements: 

access to a port on the Traditional Telephony Service; 

an analogue telephone handset (if the Customer does not require a digital or IP handset); 

A DDI number; 

A full suite of Telephony functionality such as call divert, group pickup, manager/secretary 

working etc.; 

Voicemail; 

Voice Mobility (voice nomadic features, e.g. hot-desking and remote working); 

Telephone Operator Service; 

Access to “always on” and “event based” audio conference services.

The Traditional Telephony Service supports sites with as few as two extensions to very large sites 

and campuses hosting many hundreds or thousands of extensions. For the smaller sites a PBX may be 

deployed but some small sites are served by a “satellite” device hosted off a large site PBX. 

Calls between telephony sites (designated ‘on-net’ calls) are carried over the PSN with calls to non- 

PSN sites breaking out to the PSTN at an appropriate point. 

For PBXs which are not connected directly to the PSN network are connected to the PSTN network 

via ISDN or SIP with the call traffic being onward routed to the destination through this medium. Such 

sites are deemed indirectly connected sites. 

Standard & Additionally Charged Offerings 

The table below lists the Traditional Telephony Service functionality currently delivered. The table 

shows which services are provided by Logicalis as part of the standard quarterly extension (SAP) rental 

and which are additionally charged. 

810 

Service Provision/ Functionality 

Provision and ongoing management of required 

premises-based PBXs 

Provision and ongoing management of required 

“satellite” equipment (for small sites) 

Included in 

standard 

quarterly 

extension 

rental 

√ 

√ 

Additionally 

priced 

Provision and management of all network links √ 

Access to a port on the premises based PBX or 

satellite equipment for each user 

Full Direct Dialling (DDI) for each user √ 

√

811 


Included in 

standard 

quarterly 

extension 

rental 

Calls within Logicalis’s estate (on-net calls) √ 

24 hour proactive service management √ 

Additionally 

priced 

Hot-Desking & remote working capabilities √ 

Access to a call logging facility √ 

Access to Audio Conferencing (calls are additionally 

charged) 

Central management capabilities for moves and 

changes to be undertaken 

Software remote moves and changes √ 

Project Management resources for initial 


System management training for new site 

installations 

Floor walking services on first day of service for a 

new site installation 

Telephone Operator Service for incoming calls and 

directory support 

Voicemail for each user √ 

Service Centre service for user assistance and fault 

resolution 

Calls to the PSTN (however, note that currently 

Buying Solutions aggregates the call charges and bill 

customers a standard call inclusive quarterly charge) 

Directory enquiry service √ 

Provision and ongoing management of a range of 

analogue, digital, IP and soft client terminals. 

Basic rate ISDN connectivity to the desktop √ 

Call Handling Solutions √ 

Onsite moves and changes by the Contracator √ 

Refresher handset or system functionality training √ 

Telephone directory update service (providing entries 

to BT and Hull telephone directories) 

√ 

√ 

√ 

√ 

√ 

√ 

√ 

√ 

√ 

√

812 


Included in 

standard 

quarterly 

extension 

rental 

Additionally 

priced 

Non-geographic number services √ 

Standard & Optional Offering –Traditional Telephony Service 

Traditional Telephony Service - Operator and Service Management Consoles 

Depending on the PBX being pre-existing or provided, this will dictate the Console provision. 

Traditional Telephony Service - Network Service 

Logicalis assumes that the PSN will be used to provision private circuits to all sites. Where these are 

not provided, Logicalis can provision these at additional cost. 

Sites can be provided with fallback analogue exchange lines to enable a limited number of 

Customer’s access to the PSTN in the event of a catastrophic PBX switch failure. In the event of a 

complete power failure or catastrophic PBX system failure, a bypass feature is automatically invoked 

(where provided) so that direct connections between designated fallback analogue exchange lines and 

certain extensions are made. 

Each SAP is capable of least cost routing to On Net and PSTN. 

Telephone Handset Provision

For the Traditional Telephony service Logicalis provides, operates and maintains the telephone 

handsets and key systems. All SAPs (except SAPs supporting facsimile machines, modems and ISDN 

ports or where more advanced handsets are requested by the Customer e.g. digital or IP handsets) are 

provided with a standard analogue handset as part of the SAP Service Charge. 

The standard analogue telephone handsets have a specification that, as a minimum, provides the 

following facilities: 

813 

Redial last number; 

Speaker volume control; 

Ring tone adjustment; 

5 number memory - each accessible by a single key; 

visual message waiting indication. 

The Managed Next Generation Telephony Service – Unified Communications (UC) as a Service 

Logicalis UC as a Service is provisioned by Logicalis’ G-Cloud platform using the underlying Compute, 

Storage and Network as a Service, underpinned by the Hosting Service. 

Logicalis provides a centrally hosted, next generation (IP Telephony-IPT) Service which provides an 

IP-based alternative to traditional on-site PBX. UC functionality is provided from Logicalis’ hosted Cloud 

based softswitch which is host to Skinny Call Control Protocol (SCCP) or Session Initiation Protocol (SIP) 

endpoints located on Customers’ sites. SCCP/SIP endpoints include SIP telephone handsets, PC-based 

soft-clients and Integrated Access Device (IADs) that provide analogue connectivity for telephones, fax 

machines and modems. 

The operating environment of the software layer is customised to the Customer requirements 

through the features and capabilities of the product set.

Endpoints are capable of being connected to the UC Service via a PSN connection or via a Customer 

(or third party) provided data network. If a Customer or third party data network is used, a network 

gateway (optionally duplicated) is established between the third party network and the PSN which 

supports the IPT service. 

Integration between UC as a Service and Traditional Telephony Services can be provided, allowing 

seamless connectivity for calls and facilitates communication during the transition of service from TDM 

to IPT. This is not provided as standard. 

The current UC as a Service and Traditional Telephony Services are not accredited. Logicalis is 

presently awaiting approval for our DNSP status. Following approval Logicalis will move to accredit our 


Additional service resiliency options, such as the provision of Survivable Media Gateways (SMGs), 

are supported (where the accreditation will support their use). A SMG is an on-site softswitch that can 

facilitate on-site desk to desk dialling and PSTN connectivity in the event of complete network failure or 

IPT service outage. 

The UC as a Service package provides each user with: 

Access to a port on the IPT service; 

A DDI number; 

A full suite of Telephony functionality such as call divert, group pickup, manager/secretary 

working etc.; 

‘Follow-me’ extension (aka hot desking) – i.e. a user can login at any access point within their 

organisation and have their extension automatically redirected to that IP phone/softphone; 

Audio/Video conferencing – allowing any user to set up an ad hoc multi-party conference call 

without the need for any advance notification or third party involvement. 

Software based moves, adds and changes. 

The following features are also available to the Customers’ users as service options: 

814

Voicemail; 

Telephone Operator Services. 

The table below summaries the UC as a Service functionality that is provided as standard (that is as 

part of a quarterly rental charge per IP service access point) and that which is provided as an option, at 

an additional charge; 

815 

UC as a Service Provision/ Functionality 

Provision and service management of IPT 

endpoints 

Included as 

standard 

Full Direct Dialling (DDI) per user √ 

On-net calls i.e. calls within the PSN √ 

√ 

Additionally 

charged 

Local, national, mobile and international calls √ 

24 hour proactive management √ 

Hot-Desking capabilities √ 

Access to a Call logging facility √ 

Desktop audio conferencing facility √ 

Software remote moves and changes √ 

Project management resources for initial 

implementation 

Floor walking services on a site on first day of 

service 

Self service web portal √ 

Service Centre service for user assistance and 

fault resolution 

Directory Enquiry Service √ 

Handset or system functionality training. √ 

LAN provision and management √ 

LAN UPS provision and maintenance service 

(for powering IP handsets) 

LAN/WAN assessment consultancy √ 

Network Gateway(s) from Customer’s data √ 

√ 

√ 

√ 

√

816 

UC as a Service Provision/ Functionality 

network into Service Provider’s network 

Included as 

standard 

Additionally 

charged 

Non-geographic number services √ 

Out of Office telephone working capabilities √ 

Survivable Media Gateway √ 

Telephone directory update service (providing 

entries to BT and Hull telephone directories) 

Telephone Operator Service for incoming calls 

and directory support 

Voicemail for each user √ 

Network Gateway 

Standard & Optional Offerings – UC as a Service 

Logicalis provides Network Gateways for Customers who wish to utilise their existing Wide Area 

Network (WAN). This Network Gateway connects the customer’s WAN with the IPT Service. There are 

two Network Gateway options: 

Premium Gateway Connection 

Standard Gateway Connection 

The premium gateway connection provides two geographically diverse connections, the first from 

one of the Customer’s WAN points-of-presence to Logicalis’ point-of-presence and the second from 

another of that same Customer’s WAN point-of-presence to another Logicalis point-of-presence. 

The standard gateway connection provides a single connection between one of the Customer’s 

WAN points-of-presence and one of Logicalis’ points-of-presence. 

√ 

√

Telephone Handset Provision 

Logicalis provides a selection of digital, IP and advanced telephone handsets which will vary based 

on the existing or provisioned PBX or the UC as a Service. 

UC as a Service 

The UC platform operates on Logicalis’ G-Cloud platform utilising our Computing as a Service, 

Storage as a Service and Network as a Service to deliver the underlying Services. 

follows: 

Computing as a Service 

Specification and Service Description 

Logicalis has standardised on the half width Cisco UCS Blades for this service which are configured as 

MK2 Blades 

Dual 2.66GHz Xeon E5640 processors with 8Mb cache (i.e. 2 x quad core = 8 core); 

80Gb of RAM; 

Qlogic Converged Network Adapter with dual 10Gb uplinks; 

10Gb boot LUN of storage. 

Further storage capacity is available using Logicalis’ Storage as a Service. Connectivity to the system 

is provided through a resilient 10Gb Ethernet network connection which can be accessed using Logicalis’ 

Network as a Service. 

The Customer has the following service options within Computing as a Service: 

817

Dedicated Blade Service – A commitment to providing a dedicated Blade for 365 days per year, 

24hrs a day. 

Guaranteed Blade Service – A commitment to provide a dedicated Blade for 30 days per annum 

to be invoked by the Customer as required. Logicalis will provide the Blade according to the 

SLA. This service is typically used to support a customer’s Business Continuity Plan (BCP) by 

providing computing resources in a DR situation and to allow for the invocation and testing of the 

service during the contracted period. Each invocation utilises one MAC. 

Uncommitted Blade Days – Provides a dedicated Blade for a number of days per annum, but 

delivered on the basis that Logicalis may revoke such provision should another customer invoke a 

DR requirement through the Guaranteed Blade Service. Each invocation utilises one MAC. 

Blade Harbour Option – provides a managed full or half slot in a Cisco UCS chassis for the 

installation of a UCS Blade to the Customer’s own specification. 

The following service facilities will be provided: 

Setup of Computing as a Service 

1. Design and documentation of connectivity and configuration options; 

2. Implementation of connectivity to Computing as a Service and configuration of service options. 

Day to Day Operation & Service Management 

As defined within the Managed Services. 

Computing as a Service can be combined with other Logicalis ‘as a Service’ offerings such as 

‘Network as a Service’ and ‘Storage as a Service’, to generate a bespoke managed service environment 

to meet a customer’s business needs. 

Computing as a Service can be supplemented with additional managed services to provide higher 

level management of operating systems and applications if required. 

Storage as a Service 

818


Storage is available in multiples of 1Gb and can be provided as two storage types: 

819 

Application Storage Units – Based on high speed SAS disks for application style workloads. 

Archive Storage Units – Based on higher density SATA disks for archival style workloads. 

Both types can be scaled to provide the storage capacity and peak IOPS rating required by the 

Customer. 

The service is based on a consumption model that provides a specified amount of storage allocation, 

the required IOPS performance and SAN connectivity. 

Logicalis provides a ‘multi protocol’ approach to storage provisioning that supports the following 

standards: 

CIFS – Common Internet File System, that provides native Windows file services with access 

managed through Windows Server Manager (on an associated Windows host). Server Manager 

allows for remote connection to allocated storage units, share definition and management of 

security. 

NFS – Network File System, that provides a method of volume exports typically utilised and 

mounted in Unix style environments and managed using RSH/SSH command line scripts. 

iSCSI – Allows for the provisioning of LUNs over IP infrastructure. Mounted by hosts to be 

formatted with native file systems and seen as local disk by O/S and applications. LUN creation, 

associated presentation and security can be defined and managed using RSH/SSH command line 

scripts. 

Logicalis is able to provide customers with additional NetApp SnapDrive / SnapManager 

management products as separately priced services should these be required by the Customer. 

The total storage allocated to the customer is limited to the storage volume capacity included in the 

Contract Particulars. Where the Customer uses functions such as Snapshots and Mirroring, storage 

space in the supporting volumes will need to be reserved for this and other storage changes.

Storage as a Service standard features comprise: 

Backup and Recovery - Snapshot - This feature is only available within a customer’s storage 

allocation and can be used to secure a single file or a complete data infrastructure. It is managed 

using RSH/SSH command line scripts – allowing the Customer to trigger individual snaps while 

applications are running or to set them up on a scheduled basis. File level recovery is available using 

Windows Explorer through the browsing of the .snapshot directory, or RSH/SSH command line 

access. Up to 253 Snapshot copies per volume can be created, instantly, to provide online backups 

in minimal storage space. 

In addition, if agreed, a daily backup to tape media of a single named snapshot per volume will 

be taken, and once written, securely transported and stored offsite. The taking of the snapshot will 

either be at a customer defined time (hour and minute) or via Customer initiated snapshot as 

described earlier, and retained by the Customer for the 24hr period starting and finishing at 00.01 

hrs. The timing of taking the Snapshot to tape will be at the discretion of Logicalis within the 24hour 

period. 

820 

Storage space consumed by, and reserved for, snapshots is counted within the total storage 

footprint of the Customer and limited to the storage volume capacity agreed within the Contract 

Particulars. 

Data Replication – Asynchronous SnapMirror – This service feature offers a data replication 

solution that can provide disaster recovery protection for business-critical data. Leveraging the 

unified storage architecture, SnapMirror simplifies the management of data replication so a 

customer can use a single solution across all NetApp storage arrays and protocols for any application 

in both virtual and traditional environments in a variety of configurations. The feature would 

typically be used to mirror data from, say, the Logicalis Storage as a Service allocation to a 

customer’s own NetApp array running within their organisation (or perhaps in the Logicalis Data 

Centre). This service feature uses asynchronous replication with replication periods no lower than 

30mins. The recovery process also supports low recovery time objectives, enabling businesses to get 

back on-line faster. 


Setup of Storage as a Service 

1. Design and documentation of connectivity and configuration options.

2. Implementation of connectivity to Storage as a Service and configuration of service options. 



Storage as a Service can be combined with other Logicalis ‘as a Service’ offerings such as ‘Network as 

a Service’ and ‘Computing as a Service’ to generate a bespoke managed service environment to meet a 

customer’s business needs. 

Storage as a Service can be supplemented with additional managed services to provide higher level 

management of operating systems and applications if required. 

Network as a Service 


Network as a Service allows customers to choose a range of fully managed connectivity options 

including Data Centre LAN Services which provide interconnection between services within the Data 

Centre and Data Centre WAN services, providing resilient Internet access and WAN access to other 

services. 

Data Centre LAN Services provide a variety of connectivity options for customers ranging from a 

resilient pair of ports up to a complete network service; all delivered using a resilient, flexible and secure 

underlying network infrastructure. 

821

This service is delivered using a resilient architecture of Cisco Data Centre-class switches. This 

infrastructure is fully managed by the Logicalis Managed Service Centre (MSC) using the CA Spectrum 

Infrastructure Manager and eHealth Performance Manager toolsets. 

The following connectivity packages are offered: 

822 

10/100/1000Mb Access Port – This option provides a resilient pair of RJ45 presented copper 

based Ethernet ports delivered as one port from each pair of resiliently connected Cisco 

Switches. 

1GbE Access/Core Port – This option provides a resilient 1GbE Fibre Access Port Pair delivered 

as one 1GbE port from each of a pair of resiliently connected Cisco switches. If a core port is 

specified this may be used for Layer 3 switching. 

10GbE Access/Core Port – This option provides a resilient 10GbE Fibre Access Port Pair 

delivered as one 10GbE port from each of a pair of Cisco switches. If a core port is specified this 

may be used for Layer 3 switching. 

Rack Level Switching – This option uses a dedicated Cisco Nexus 2000 with 48 x 100/1000-T 

Ports delivered within a Customer Rack with resilient up-links to the distribution layer. 

All ports are provided in pairs, with the service level being measured as the availability of the service 

via either port, not simultaneously. 

The following configurations are supported: 

Segregation - VLANs are available and can be scaled depending on the number of ports taken. 

However, in order to support high numbers of VLANs on a low number of ports an additional 

charge may be made. This will be agreed with the Customer during the design phase. 

Addressing - A customer’s own IP addressing is supported with IPV4 and IPV6 options 

available supporting public and private structures based on best practice principles. The 

addressing structure will be agreed with the Customer during the design phase. 

Resilience – The service provides a pair of resilient ports where the aim is to use these either, 

to connect a single device in a resilient fashion or to connect to two devices operating their own 

resilience. Where a ‘Top of Rack’ switch is provided, port configurations will be agreed with the 

Customer during the design phase. 

Logicalis’ Data Centre WAN services are based on a carrier neutral approach to the provision of 

bandwidth services and have the potential to support any carrier within its Data Centres.

823 

External Carrier Services: To provide resilience for carrier services Logicalis has dual diverse 

routes into its Slough Data Centre from both sides of the site. These terminate in separate 

‘Meet-Me’ rooms providing termination points for the Carrier services. The service profile for 

each Customer will be agreed during the design phase and the agreed network connectivity will 

be delivered directly to the Customer’s rack. 

Internet as a Service: Those Customers requiring Internet access can contract with Logicalis 

for an agreed bandwidth rate (such as 10Mb) at an agreed rate, for which charges will be 

invoiced separately. Where a Customer requires additional bandwidth, the service can be 

‘flexed’ (either permanently or for a period of time) by simply ordering more bandwidth from 

Logicalis. This will be implemented quickly and simply under change management control, 

typically requiring no service downtime or the installation of physical upgrades. 

JANET Connectivity: Logicalis can provide connectivity to the JANET network for authorised 

Customers. 


Setup of Network as a Service: 

1. Design and documentation of connectivity and configuration options 

2. Implementation of connectivity to Network as a Service and configuration of service options 



Network as a Service can be combined with other Logicalis ‘as a Service’ offerings such as ‘Storage as 

a Service’ and ‘Computing as a Service’ to generate a bespoke managed service environment to meet a 

customer’s business needs. 

Network as a Service can be supplemented with additional managed services to provide higher level 

management of operating systems and applications should this be required.

Information assurance – Impact Level (IL) at which the G-Cloud Service is accredited to hold and 

process information 

Logicalis does not formally hold accreditations for this service, however the security architecture 

under which the Cloud operates has been modelled on the Welsh PSBA architecture which has been 

accredited up to IL3.Our expectation is that CESG would have no issue with accrediting Logicalis’ 

Cooperative Cloud. 

Having been awarded G-Cloud status, Logicalis is working towards this accreditation. 

Details of the level of backup/restore and disaster recovery that will be provided 

The ‘As a Service’ service provides a fully managed backup and recovery solution and is managed 

and monitored by our MSC. The service utilises a mature, enterprise-class data protection platform that 

provides broad interoperability across all leading IT environments, as well as superior integration. The 

service delivers fast backup and recovery of dozens of major applications used by enterprises. The 

solution includes provision of LTO5 data cartridges for use in the tape rotation cycle, schedule on a 

nightly basis and defined within Logicalis' ITIL retention policy. All tapes are rotated on a daily basis and 

relocated to a secure off-site facility provided by Iron Mountain. 

Logicalis manages all scheduled maintenance in accordance with the operational change control 

process. The scheduled maintenance is controlled by our MSC. All configuration changes are updated 

and maintained in the dedicated CMDB, held in our CA toolset, and controlled in line with ISO27001 

accreditation. These processes and controls are followed across our whole business and in place for all 

of our current customers. 

824

As a Service SLA 

The Services comprise a number of discrete components, namely Contact/Call Centre as a Service, 

Computing as a Service, Storage as a Service and Network as a Service. This section defines the Service 

Level Agreement (SLA) between the Customer and Logicalis for the delivery of the Services. 

This SLA identifies and defines the Service Levels to be provided by Logicalis to the Customer in 

respect of the monitoring, maintenance, management and provision of the Services. Logicalis will be 

responsible for the provision of the Services in accordance with this SLA. 

Availability Definition and Service Levels 

Definition: The following formula will be used to calculate Availability for each individual Service for 

the measurement period expressed as a percentage: 

where: 

c = number of hours of service during the measurement period (e.g. 31 days per month, 24 hours 

per day = 744) 

f = duration (measured in hours) within the measurement period during which an individual Service 

was not available (i.e. did not respond to a poll) 

825

k = duration (measured in hours) within the measurement period during which an individual Service was 

unavailable due to circumstances beyond Logicalis’ control. 

Availability metrics for the Services are detailed below: 

826 

Service Component Availability Metric 

Measurement Period 1 calendar month 

Network as a Service 99.99% 

Internet as Service 

(Component element of 

Network as a Service) 

External Carrier Services 

(Component element of 

Network as a Service) 

99.99% 

As specified by the relevant Carrier 

in its SLA 

Computing as a Service 99.99% 

Storage as a Service 99.99% 

Where elements of a Service are provided in pairs, including but not limited to the Network as a 

Service port pairs, the availability SLA will be deemed to be met whilst either port in the pair is 

available. The availability metric of either port will be 99%.

Where multiple Services are taken by the Customer, each SLA metric will apply only to the element 

of the Service to which it is stated to apply. 

Should more than one SLA metric be applicable to any one element of the Service, only the lowest 

SLA metric will apply to that element of the Service. 

Should the failure of a Service be caused by the failure of an Enabling Service, only the failure of the 

Enabling Service will be applicable for Service Credits 

Typical Changes 

Logicalis will ensure that all changes are carried out in a planned and authorised manner. The 

following lists the implementation timetable for standard changes. The implementation timetable for all 

other changes will be agreed in advance with the Customer. 

827 

Completion 

Time 


Change 

24 hours Reconfigure physical networks (i.e. ports). 

24 hours Reconfigure logical networks. 

Internet as a Service 

4 hours Reconfigure connectivity services (e.g. customer WAN, Internet

828 

Completion 

Time 


bandwidth). 

24 hours Reconfigure Blades. 

Change 

1 hour Activate/deactivate Blades provided under Guaranteed Blade 

service. 

2 hours Activate/deactivate Blades provided under Uncommitted Blade 


Days service. 

2 hours Reconfigure/grow/shrink volumes. 

2 hours Create/delete flex clones. 

2 hours Create/delete/revert to storage snapshot. 

48 hours Recover storage volume from tape backup. 

2 hours Snapshot of boot LUNS 

Service Interruptions

Planned maintenance of the hosting equipment, facility, software or other aspects of the services 

that may require interruption of the service will not be performed during normal working hours. 

Logicalis may however, interrupt the services outside of normal working hours for planned 

maintenance, provided that it has given the Customer at least three days' notice. Any maintenance 

events which occur during normal working hours, and which were not requested by the Customer, will 

be considered downtime for the purpose of service availability measurement. Logicalis will at all times 

endeavour to keep any service interruptions to a minimum. 

Service Reports 

Logicalis will provide the following monthly reports: 

Communication as a Service 

Service reporting: 

829 

Service availability for the month; 

Summary of network Incidents in the month (total Incidents, % within SLA); 

Performance trends and issues to monitor. 




Summary of network Incidents in the month (total Incidents, % within SLA); 

Port utilisation (average and peaks);

830 

Port errors (frame loss and CRCs); 

Internet service analysis; 

Performance trends and issues to monitor. 




Summary of computing Incidents in the month (total Incidents, % within SLA); 

Guaranteed Blade Service – Summary of days used; 

Uncommitted Blade Days – Summary of usage. 




Summary of storage Incidents in the month (total Incidents, % within SLA); 

Storage space utilisation (average and peaks). 

Contract Management 


Number of MACS implemented in the month; 

Number of additional MACS purchased in the month; 

Number of unused MACS carried forward to next month; 

Service Credits payable. 

Service Credits

To be agreed with Customer. 


Service Management will be in line with the processes defined within our Support Services. 

Logicalis Hosting and aaS Security 

Logicalis can locate our Data Centre within the Security Boundary of the PSN and can therefore 

provide Hosting and aaS at IL2-2-x and IL 3-3-x in accordance with: 

831 

HMG CESG/CPNI Guidance 

NIST Guidelines 

Industry best practice 

In order of preference and where available. 

Generic Telephony Services 

Call Logging 

Logicalis provides a Call Logging Service for Customers (with the exception of the Indirectly 

Connected Sites). Logicalis: 

provides self service call logging reports; 

for Customers with multiple Sites, provides the capability to produce reports for all Sites from 

a single point; 

provides call logging training for new system managers at the agreed prevailing Charge

ensures that each Telephony platform (except those located on Indirectly Connected Sites) is 

equipped to provide call record information; 

ensures that records are created for all calls made or received; 

The call management system is configured to provide reports at all levels within the managed 

service from individual extensions to the whole Service. 

Logicalis provides access to the following set of reports. Three Months worth of data is available on 

line. Data between 3 Months and 6 Months old is available on request at nil Charge. 

832 

Summary by most used extension; 

Calls listed as recorded; 

Calls listed by extension; 

Summary by time and operator; 

Summary by extension and response; 

Extensions and calls reports; 

Summary by extension and rate; 

Summary by extension and zero-rated calls; 

Summary by time and line; 

Summary by daily response; 

Summary by department and category; 

Mobility summary transaction; 

Mobility per site per extension; 

Summary by department and area; 

Summary by extension and area. 

The Customer can request additional reports from Logicalis at additional charge. 

Logicalis provides reports on calls that pass between switching nodes. An additional record set gives 

details of the identity of local and remote parties to allow tracking of network break-in and breakout 

activity. Additional information includes: 

Date & time at termination of call 

Duration of call 

Answer delay response time 

Meter pulses (if available) 

Trunk access code

833 

Call account code 

Remote party details 

Trunks that have been reported as being faulty are indicated in the reports. 

The Telephony Call Logging Service is provided as an optional service for Indirectly Connected Sites 

at additional charge. 

Voicemail and Voice Processing Service 

Logicalis operates a centrally controlled/located voicemail service. The voicemail service is available 

for all users of the Managed Telephony Services (with the exception of those users on Indirectly 

Connected Sites) and offers: 

voicemail boxes to users; 

the ability to call forward through the voice-processing systems to locations wherever 

Customers might be, together with the ability to change the location remotely; 

remote alarming of the delivery of a message into a mailbox; 

digital access to the switching infrastructure; 

access to mailboxes from any DTMF telephone: 

o internally by dialling the voicemail service number which is pre-configured on their site; 

o externally by dialling a PSTN number which gives access to the voicemail service; 

o the numbers dialled depend on the programming of the host voice switch; and 

o access to mailboxes is controlled by a security code, which is set by the mailbox user. 

sending of messages to other voicemail service users on an individual or group basis; 

full system management; 

full integration with the switching infrastructure; 

help desk available for Customers 24 hours a day 7 days a week; 

fault reporting facility available 24 hours a day 7 days a week; 

implementation of new voice processing services to both existing and new Sites. 

Calls to the voicemail are made in one of four ways: 

automatic redirection; 

user invoked or configured diversion; 

direct access;

guest access. 

The method of message waiting notification for the centrally controlled/located voicemail service 

depends on the type of PBX system the SAP is attached to and the type of telephone itself. The 

following message notifications are available: 

"tinkle" - a short, distinctive burst of ringing repeated at intervals; 

"light" - a visual indication of message waiting either on a lamp or LCD screen. This is the 

standard deployment for new installations; 

"stutter DT" - a form of interrupted dial tone which indicates a message waiting; 

"out dial" - involves the voicemail system dialling the extension and announcing a message; 

high pitch tone - an audible change in dial tone when handset lifted; 

notification to an appropriate pager where no manual intervention from a paging bureau is 

present. Where this facility is used, the Customer funds any resultant call usage costs; 

a combination of light and stutter dial tone is the standard deployment for all new 

installations. 

All centrally controlled/located voicemail service Customers are provided with a personal assistance 

facility that provides the caller with the option of pressing "0" and being transferred by the voicemail 

system to a SAP. The personal assistance SAP must also be a voicemail user. If the personal assistant 

fails to answer or is itself diverted to voicemail, the caller is transferred back to the voicemail system 

that then offers a choice of leaving a message or being transferred to the operator appertaining to the 

Site. 

Voice Mobility Services 

Voice mobility services are offered to Customers with sites served by certain PBX systems. Voice 

Mobility is not available for Indirectly Connected Sites. The voice mobility service supports remote 

working and hot desking. 

834

Remote Working 

The Remote Working Service provides Customers with the ability to work remotely from their 

normal place of work. Once a Site is mobility enabled, Customers are configured for the remote working 

service by Logicalis upon request by the Customer. Once configured, the Customer is referred to as a 

“remote worker”. 

Remote workers are able to invoke the following features by using the appropriate feature codes 

(where the PBX supports these features): 

835 

Call back when free; 

Conference call; 

Inquiry call; 

Busy extension diversion; 

Call forwarding; 

Call offer; 

Call park; 

Call pick up; 

Call waiting indication; 

Do not disturb; 

Enquiry; 

Executive assistance; 

Executive intrusion; 

Group pick up; 

Hunt and distribution groups; 

Immediate extension diversion; 

Pull diversion; 

Ring no reply extension diversion; 

Save/repeat dialled number; 

Stored number dialling; 

Transfer. 

Hot-Desking

Hot-desking service provides Customers with the ability to work from either their normal place of 

work or certain other Sites. The Customer’s telephone number will terminate on the physical 

extension/SAP at which they are hot desking. 

The following aspects are applicable to the hot desking service: 

836 

A User becomes a hot desker by having their DDI number changed from a physical 

extension/SAP to a personal number. The personal number may be associated with a physical 

extension if the Customer has their own allocated SAP. Alternatively, it does not need to be 

associated with a physical extension at all, if the Customer does not have a physical 

extension/SAP at a Site. 

When a User is hot desking, the extension at which they work assumes the numbering and 

features of their own personal number, including dial access and divert settings. 

A hot desking user guide is made available in electronic format only. 

A personal number may be configured for either remote working or hot desking, or both. A 

personal number may be associated with a physical SAP or have no SAP associated with it. 

The PIN associated with a personal number (for remote working, hot desking, or both) should be 

changed from the default PIN the first time the service is used. 

Numbering Services 

Non Geographic Number Service 

Where requested by the Customer, Logicalis provides all or any of the following Non Geographic 

Number Services (NGNs) to Customers: 

0800 numbers which will provide a freephone number facility; 

0845 numbers which will provide a local call rate number facility;

0870 numbers which will provide a national call rate number facility; 

Golden Numbers; 

Platinum Numbers. 

Where the Customer has no preference as to the number allocated then Logicalis allocates a Non 

Geographic Number that is neither a Golden Number nor Platinum Number. 

Non Geographic Numbers which can be used from overseas locations can be made available by 

Logicalis upon request by the Customer. 

Directory Enquiry Services 

Logicalis provides access to national and international directory enquiry services through the 118 

number range. 

Data Centre 

Logicalis’ Data Centre Services delivers the following 

837 

Internet services; 

email/website services; 

co-location/hosting; 

on-line storage. 

Conferencing/Messaging Services 

Logicalis ImmersiV hosted conferences services, on demand, can be enabled via Customer’s own 

video-enabled network, or if the network cannot guarantee Quality of Service (QoS), Logicalis can

connect individual video-enabled sites to Logicalis’ Managed Video Network (MVN) and provide a full 

out-of-band service. That removes the requirement for costly and lengthy network upgrades, and 

ensures video doesn’t compete with your other business critical applications for bandwidth or 

resources. 

ImmersiV 


Endpoint 

Subscription 

Network Trunk 

Connection 

Overlay Network 

Connection 

Personal Client 

User Account 

838 

Description Consumption Model 

The fee payable for a video endpoint 

(hardware-based system) to be registered 

to and managed by the ImmersiV service 

platform. Services include: 

Dialing Address Allocation (URI and 

Number) 

Address Book Provision 

Internet calling capability 

Network Security (Firewall and 

Firewall traversal) 

A high bandwidth connection between the 

customer WAN and the ImmersiV service 

platform. Inclusive to the connection is the 

provision of hardware required for endpoint 

registration and management, and firewall 

traversal to serve multiple video systems 

concurrently. 

A network connection dedicated for video 

traffic, which does not interact with the 

customer WAN. Overlay connection carry 

video traffic directly between endpoints and 

the ImmersiV service platform. 

A software based video communications 

tool, providing High Definition video and 

audio, address books, presence and 

content sharing, collaboration, email 

/desktop messaging-services; real-time 

information services. 

Per user per month 

Per connection 

Per connection 

Per user per month

Virtual Meeting 

Room (VMR) 

Video Personal 

Assistance 

(VideoPA) 

Video Call 

Recording 

Audio 

Conferencing 

Audio Personal 

Assistance 


839 

A centralized resource, available 24/7 

provided by the ImmersiV service platform, 

allowing up to 5 video systems to connect 

in the same call at the same time. 

Online personal video support to help set 

up single or multi-way calls and provide 

Quality of Experience interventions. 

Video recording for compliance or 

cataloguing and sharing of video 

conferences 

A reservation-less, on demand 

conferencing service available 24 hours, 

365 days a year. No end user equipment 

is provided by Logicalis. Logicalis provides 

every registered Customer with access 

numbers to access the conferencing 

service. To access this service each 

participant must call their local number and 

enter the participant PIN. All calls will be 

launched and managed by the 

chairperson. 

Online personal audio support to help set 

up single or multi-way calls and provide 

Quality of Experience interventions. 

Per VMR per month 

Per VideoPA interaction 

Per recorded minute 

Per minute 

Per minute 

Logicalis provides a resilient and scalable managed Internet Gateway solution for all Framework 

members that can be selected as an optional service. 

The Internet Gateway is a high speed un-contended solution that ensures maximum reliability with 

connectivity from multiple Internet transit providers and Internet Exchange points. The solution 

provides enhanced service levels with the ability to ‘flex’ the bandwidth rapidly and on demand. 

Logicalis manages the distribution of internet traffic depending on the most efficient routing to the 

destination network. In the event of a failure of a carrier’s network, traffic is automatically re-routed 

across the remaining connected networks at no additional cost.

840 

Schematic: Internet Gateway Service 

Logicalis’ Service Catalogue provides all framework members with a detailed guide to framework 

inclusions such as WAN Services, Internet and Centralised Internet Services and Voice solutions so that 

service selection and the associated price are easy to understand. 

Email/website services

Logicalis provides a range of software from a range of vendors. These solutions are bespoke to the 

client’s environment. 

Co-location/Hosting 

Logicalis provides racks from 4 to 32kws within our facilities which are a perfect environment for 

even the highest performance computing environments. 

Our co-location service provides options covering - floor space, power and cooling according to your 

requirements. Optional ancillary services offered include: 

Local hands and eyes for routine support like tape/library maintenance and cyclic changes; 

Media rotation services and off-site storage for backups; 

Local and wide area network connection services; 

Local electrical connection work to cater for specific rack power supplies; 

Receiving and storing previously notified deliveries and despatch of equipment; 

Liaison with the customer’s technical and engineering staff and contracted third parties. 

Security management of access to the site is through formal pre-approval and identification 

processes. A dedicated rack level security package offers remote access management, control and 

monitoring negating the need for caged areas. 


Logicalis delivers our On-line storage solutions via our Storage as a Service described within the 

previous sections. 

841

Security 

Logicalis’ Security Service delivers the following: 

Antivirus 

842 

antivirus; 

email scanning/filtering; 

firewalls; 

intrusion/spyware detection; 

authentication/access management; 

web/application sign-on services. 

Logicalis provides a range of antivirus software from a range of vendors. These solutions are 

bespoke to the client’s environment. 

Email scanning/Filtering 

Logicalis proposes a central Internet Filtering service, delivered from the PSAS platform, The service 

provides consistent Internet Filtering capabilities, features, functionality and levels of security to PSN 

customers. It has been specifically engineered to integrate and operate as a single platform within a 

service provider grade network - delivering high performance, high availability, massive scalability and 

granular management, through a unique multi-tenant architecture. 

A high-level, topological overview of the Internet Filtering service is shown in the schematic below.

843 

Diagram: High-Level Topology – Internet Filtering 

Internet Filtering Service – Capability/Feature Summary 

A summary of the capabilities and features of the Internet Filtering service is summarised below: 

Internet Filtering Security Controls

844 

supports controlling bi-directional traffic flows (e.g. filter outgoing web requests, virus scan 

incoming content); 

URL Categories and Application Control for filtering access to websites, file types and 

applications; 

flexible, customisable white-lists; black-lists; usage quota; and time-of-day policies; 

end-user policy actions to block; allow; inform/coach when accessing sites possibly against 

policy; or restrict access against a usage quota; 

blocking content deemed illegal, explicit and/or inappropriate; 

support enforcement from legal authorities like the Internet Watch Foundation (IWF); 

filtering of traffic to block and/or remove any, spyware, virus, malware, phishing or other 

malicious content; 

real-time analysis, cleaning and/or blocking of content via an antivirus scanning mechanism; 

enforcement of browser standards (reducing exposure to browser vulnerabilities); 

transparent, in-line, deployment mode provides the ability to intercept evasive applications, 

such as Skype and peer-to-peer traffic; and identifying and blocking evasive outbound "phone 

home" traffic such as Bots; 

bandwidth management capabilities to ensure that internet traffic ; applications; and 

protocols, do not affect important network services; 

caching of internet content; 

inspection and control of SSL encrypted web content. 

Internet Filtering Security Management 

web based administrative GUI for the provider level and Partner/User level management, 

control and reporting; 

customisable Service Provider/Global, Partner and User-level policies; 

directory integration for individual username authentication, authorisation, accounting; group 

association; and policy mapping; 

each PSN Partner/User has access to their own management portal to where they can apply 

their own Internet Filtering configuration options, including the ability to generate reports; 

full multi-tenancy architecture which enables each PSN Partner/User to have a different 

experience and a self-customised service adapted to their specific requirements; 

policies and rules provisioned at the service provider level take a higher priority than the 

policies and rules provisioned at the Partner/User level, allowing centralised enforcement of 

rules like the IWF black list, if required. 

Internet Filtering Security Reporting 

hierarchical reporting, with global summary reports generated at a provider level, and then 

Partner/User level detailed reporting;

845 

reporting module to provides standard reports, with more than 100 templates and/or 

customised programmed reports, on-demand or by schedule; 

reporting on information for a predefined time period or set reports including daily, weekly, 

monthly and yearly; 

client level reporting provides the ability for each PSN Partner/User to self-generate reports 

for their organisation’s web activity, down to the individual username level. 

Firewall Services 

Logicalis offers Firewall-as-a-Service and Managed Firewall Service options as an alternative to 

current in-house firewall solutions. 

Firewall-as-a-Service 

Firewall-as-a-Service consists of highly available, EAL4 certified, hosted firewalls, to provide access 

controls, network address translation and connectivity to a variety of networks, including, but not 

limited to, the following: 

Internet & Remote Access Systems; 

GCSx; 

N3 National Health Network; 

Government Conveyance Network (GCN); 

Joint Academic Network (JANET); 

Other External and Third-Party networks (3rd Party Landing Zone). 

Stateful-inspection firewalls are used to provide access controls to enable controlled 

internetworking between the various networks and to limit the external attack surface of the network. 

The firewall technology has been specifically engineered to integrate and operate as a single platform 

within the network, delivering high performance; high availability; scalability; and management, with a 

unique multi-tenant architecture.

In order to meet various Codes of Connection, there are two products used to deliver the Firewall- 

as-a-Service; Cisco and Juniper. However Logicalis is open to exploring the use of Checkpoint in to the 

Service if necessary. 

In addition, Logicalis provides a Managed Firewall Service to facilitate communication between 

MPLS VPNs and VRFs if necessary. The Customer may additionally elect to take the Managed Firewall 

Service, from the Service Catalogue, and apply it to their Firewall-as-a-Service instance. 

Managed Firewall Service 

The delivery of high-quality security is a function of the time to respond effectively to an incident. 

That time includes the time required to get to the problem, the time to understand the problem, and 

the time to instigate a resolution process for the problem. Dedicated service and specialist input is the 

only way to provide low response times for business critical services. Where incidents occur out of 

normal working hours, this becomes even more critical. 

A brief summary of the Managed Firewall Service is summarised below: 

846 

24x7 remote monitoring and management of firewall infrastructure; 

support staff available on a 24x7 basis; 

monitoring is delivered using industry standard protocols such as SNMP and Syslog, and 

through vendor-specific channels, integrated into the management and security event 

monitoring systems; 

monitoring and management technologies are a mixture of intellectual property, open source 

software and commercial applications, developed and integrated to provide security specific 

system management and monitoring capabilities; 

management at a service level to diagnose and correct problems associated with the complex 

traffic flow and inter-operation of service elements, and at a security level to ensure that no 

weak points exist in this critical infrastructure; 

administrative management and maintenance of software and hardware licences; 

minor patching and updating of system to deal with security threats;

installation of upgrades under software and hardware licences; 

pro-active notification of system upgrades, required or desirable, to deal with security threats 

(dealt with under Change Management process) 

careful and timely preventative maintenance, particularly the implementation of patches, 

bug-fixes and upgrades; 

incident response, action, updates and resolution in accordance with SLA; 

managed change and incident control; 

security assessment of system change requests; 

replacement/repair in the event of failure; 

reports and management information available to back up the service provided. 

By working with the Customer, third parties and accreditors, the detailed design, configuration and 

documentation of the firewalls, is confirmed and implemented. Once live, further changes are 

undertaken through a change control process. Regular assessment of the configuration, including formal 

annual health checks, is an important part of any accreditation and re-accreditation assessment and is 

done at agreed intervals. 

Managed Intrusion Detection Service (IDS) 

Logicalis offers Managed Intrusion Detection Services options across key Core WAN aggregation 

points, Customer Edge (CE) routers and individual customer deployments. The service provides real-time 

monitoring and interpretation of important system events throughout the managed network, including 

unauthorised activity, malicious attack, early-warning of malware infection such as worms, anomalous 

behaviour and trend analysis, providing the first, and most critical, step in an incident response process. 

The Managed Intrusion Detection Service provides the following benefits to customers: 

847 

lower total cost of ownership – managing your host and network intrusion detection systems 

on your behalf saves you time and money by reducing your staffing, training, and maintenance 

costs; 

enhanced capability to assess return on security investment; 

24x7 management, monitoring, and support – security analysts work nights, weekends, and 

holidays because hackers and malware pose a threat all day, every day;

848 

reduce the window of exposure of systems, thereby limiting spread and damage of attack; 

reduce network down-time through measured response to intrusions; 

increase the accuracy of detection of attacks against networks; 

provide visibility of malicious activity right down to critical components; 

highlight anomalous network activity due to malware and badly configured hosts; 

trained and dedicated professionals – an extensive team of certified security professionals 

who are trained to manage the intrusion detection systems of leading industry vendors; 

receive comprehensive threat investigation through trusted processes, people and 

technology; 

receive early notification of worm activity and other malicious activity. 

Managed IDS - Core WAN Aggregation Points 

Logicalis uses a variety of automated methods to monitor the Core WAN and identify malicious 

traffic. The solution is monitored in accordance with CESG recommendations and Logicalis uses the 

Incident Management processes to manage security incidents, to take appropriate actions as required, 

and to notify affected parties. 

The Intrusion Detection Service monitors network traffic flows in the environment for anomalous, 

malicious and unwanted traffic, in turn feeding logs and events into a Protective Monitoring and Logging 

Service. The following data is consumed as part of the service: 

NetFlow Data to provide information about network behaviour and traffic patterns, which is 

used as a baseline for anomaly detection routines; 

Intrusion Detection/Prevention Systems (IDS/IPS) provide deep-packet level inspection as a 

further security control for enabling safe internetworking between various networks, and to 

monitor for unwanted and potentially malicious traffic; 

Network Telescopes (Darknets and Greynets) are used to observe traffic sent to the unused IP 

address-space of the network, as this is normally suspicious and one can gain information about 

possible attacks by observing it. Suspicious traffic is directed to a contained, black-hole 

environment, monitored by intrusion detection systems for further in-depth analysis by the 

following techniques: 

o stateful signature detection techniques are applied to relevant portions of the network 

traffic, determined by the appropriate protocol context, to help reduce false positives;

849 

o protocol anomaly detection confirms protocol usage against published RFCs is verified to 

detect any violations or abuse and proactively protects networks from undiscovered 

vulnerabilities; 

o heuristic-based anomalous traffic patterns and packet analysis detects trojans and 

rootkits, to prevent proliferation of malware, in case other security measures have been 

compromised; 

o traffic anomaly detection is done using heuristic rules to detect unexpected traffic 

patterns that may suggest reconnaissance or attacks. This can help proactively prevent 

reconnaissance activities or block Distributed Denial of Service (DDoS) attacks; 

o Denial of Service (DoS) detection using SYN cookie-based protection from SYN flood 

attacks is provided, to protect your key network assets from being overwhelmed with 

SYN floods; 

o Network Based Application Recognition (NBAR) is a classification engine within Cisco IOS 

software that uses deep and stateful packet inspection to recognise a wide variety of 

applications. When used in a security context, NBAR can detect worms based on 

payload signatures. 

Managed IDS - Customer Edge (CE) Routers 

Logicalis provides options for Customer Edge (CE) signature-based IPS that allow effective mitigation 

of a wide range of network attacks, which in turn allow the network to defend itself while accurately 

identifying, classifying, and stopping/blocking malicious or potentially damaging traffic in real time. 

The CE Router IPS services include the following: 

enables distributed network wide threat mitigation; 

protects against worms, viruses, and a large variety of network threats and exploits; 

Uses CE routing capabilities to deliver integrated functionality; 

supports inspection of traffic passing through any LAN/WAN interface in both directions; 

compliments dedicated IPS appliances and provides protection against a dynamic subset of 

network attacks; 

supports more than 1600 of the same attack signatures that the IPS appliances support; 

compliments CE Firewall and VPN solutions for superior threat protection at all entry points 

into the network. 

Managed IDS - Processes

The service follows approved processes in delivering high quality service management and security 

best practice. The key steps cover the following critical elements: 

850 

alert - data is gathered, aggregated, correlated and analysed from multiple network and 

security systems, and alerts raised when events occur which require attention; 

react – analysts provide skilled, intelligent and timely monitoring of threats as they are 

identified through the security management systems. As soon as the technology flags a warning, 

trained security analysts are cross-checking, reviewing and initiating response processes; 

prepare – analysts undertake threat reconnaissance, information gathering and 

countermeasure recommendations on the issue, communicating with appropriate teams to coordinate 

and agree the right response to the situation in hand; 

contain - as appropriate, assist or advise in the execution of action to limit the attack, end the 

attack in progress and recover from any damage caused; 

report - event collection and monitoring from servers as well as security devices enables the 

ability to provide the clearest and most detailed reports on threats and incidents; 

improve – the philosophy in security management is firmly grounded in the development of 

close communication and trust of our customers. Continuous feedback and review cycles 

improve customer’s security posture, ensuring that future incidents are handled more smoothly 

and that security gaps are plugged. 

Remote Access Service - Authentication/access management/web/application sign-on services 

The Remote Access Service consists of two main components: 

1. SSL VPN functionality, delivered by FIPS140-2 and CCTM certified, highly-available appliances; 

2. strong, two-factor authentication functionality, delivered using one-time password hardware 

fobs/tokens. 

Logicalis offers a central Remote Access Service, delivered from the PSAS platform, as an alternative 

to the current remote access solutions. The service provides consistent remote access capabilities, 

features, functionality and levels of security to PSN customers. 

It has been specifically engineered to integrate and operate as a single platform within the network - 

delivering high performance, high availability, scalability and granular management through a unique

multi-tenant architecture. It has the ability to scale to thousands of individuals with additional licenses 

and upgrades of hardware components as necessary. 

A high-level, topological overview, of the Remote Access Service is shown in the schematic below. 

851 

Diagram: Remote Access Service

Remote Access VPN Service 

Logicalis offers a carrier class, managed and unmanaged, SSL VPN remote access service as an 

alternative to current in-house remote access VPN solutions. Logicalis is partnering with vendors that 

have over a decade of experience delivering carrier class solutions for service providers around the 

world, to deliver this service. 

The service is based on technology that has the CESG Claims Tested Mark (CCTM), while CESG 

Tailored Assurance Services (CTAS) is enlisted to evaluate and accredit the service where appropriate. 

The CCTM certificate covers the use of the technology for security environments up to and including 

IL2 (PROTECT), but the same technology has been approved by CESG for use at IL3 (RESTRICTED) – 

through specific guidance, and to meet CESG guidance indicated in: 

852 

GPG10 – Remote Working; 

GPG13 – Protective Monitoring; 

Manual T – Use of Transport Layer Security (TLS); 

Manual V – Use of IPsec. 

A description of the capabilities and features of the Remote Access VPN service is detailed below: 

Remote Access VPN - Access Methods 

The service uses SSL transport - the secure access protocol built into every standard web browser. 

SSL sessions enable any web-enabled device such as a corporate laptop, PDA, smartphone, or kiosk to 

securely access an organisation’s resources without the cost and complexity of installing, configuring,

and maintaining any client software on the user device. The temporary VPN connections that SSL 

browsers establish also eliminate the firewall and network address translation (NAT) issues of traditional 

IPsec VPN products. 

The service includes three different access methods. These different methods are selected as part of 

the user’s role, allowing the administrator to enable the appropriate access on a per-session basis, 

taking into account user, device, and network attributes in combination with enterprise security policies. 

The three different access methods are: 

Clientless Core Web Access provides access to web-based applications, including complex 

JavaScript, XML, or Flash-based apps and Java applets that require a socket connection, as well as 

standards-based email like Outlook Web Access (OWA), Windows and UNIX file share, telnet/SSH 

hosted applications, terminal emulation, Sharepoint, and others. This provides the most easily 

accessible form of application and resource access, and enables extremely granular security control 

options; completely clientless approach using only a Web browser. 

Secure Application Manager (SAM) is a lightweight Java or Windows-based download which 

enables access to client/server applications and also provides native access to terminal server 

applications, without the need for a preinstalled client. This enables access to client/server 

applications using just a Web browser; no client software is necessary. 

Network Connect provides complete network-layer connectivity via an automatically provisioned 

cross-platform download and users need only a Web browser to initiate the connection. 

Remote Access VPN - Capabilities & Features 

The service provides complete, end-to-end layered security, including endpoint client, device, data, 

and server layered security controls, including the following: 

Instant Virtual Systems (IVS) enable complete customer separation and provides segregation of 

traffic between multiple customers. Each customer is provided access to their own unmanaged, or 

optionally managed, virtual SSL VPN appliance, per customer. This enables the secure segregation of 

an individuals’ traffic, even if two customers have overlapping IP addresses. 

Logicalis can tailor the offering to control the degree of management and configuration that 

customers wish to have, using the built-in Role-Based Access Control of the service. The service is 

flexible enough to cater for variations and is agreed on a customer-by-customer basis. 

853

Resource Authorisation features deliver granular tailored access to resources through roles, 

policies, mappings, authorisation and individual look and feel for users. 

Single Sign-On allows users to access other applications or resources that are protected by 

another access management system without re-entering login credentials, alleviating the need for 

end-users to enter and maintain multiple sets of credentials for web-based and Microsoft 

applications. 

Cross-platform support delivers the ability for any platform to gain access to resources such as 

Windows, Mac, Linux, or various mobile devices including iPhone, Windows Mobile, Symbian, and 

Android. This provides flexibility in allowing users to access corporate resources from any type of 

device using any type of operating system. 

With the Host Checker, client computers can be checked, both prior to and during a session, to 

verify an acceptable device security posture requiring installed/running endpoint security 

applications (antivirus, firewall, encryption), other built in checks including verifying ports 

opened/closed; checking files/processes and validating their checksums; verifying registry settings; 

machine certificates; distinguish between managed/unmanaged devices; and more. This 

verifies/ensures that endpoint devices meet security policy requirements before granting access, 

remediating devices, and quarantining users when necessary. 

Secure Virtual Workspace provides a secure and separate environment for remote sessions that 

encrypts all data and controls I/O access (printers, drives). A cache cleaner that erases all proxy 

downloads and temp files at logout. This ensures that no potentially sensitive data and/or metadata 

is left behind on the endpoint device and all corporate data is securely deleted from a kiosk or other 

unmanaged endpoint after a session. 

Virtual Desktop Infrastructure (VDI) support, allows interoperability with VMware View Manager 

and Citrix XenDesktop to enable administrators to deploy virtual desktops with the Service. This 

provides seamless access to remote users to their virtual desktops hosted on VMware or Citrix 

servers, dynamic delivery of the Citrix ICA client or the VMware View client, including dynamic client 

fallback options to allow users to easily connect to their virtual desktops. 

granular auditing and logging can be configured to the per-administrator/user, per-resource, perevent 

level for security purposes as well as capacity planning. This provides fine-grained auditing 

and logging capabilities in a clear, easy to understand format. 

optional Enhanced Endpoint Security provides a full-featured, dynamically deployable antimalware 

module that is an OEM of an industry-leading spy sweeper product, using a signature 

database to detect and remove a wide array of contemporary threats including types of malware, 

trojans, worms, and adware. New anti-malware updates and capabilities are delivered to each user 

device via a .msi package, downloaded to each endpoint and silently installed during the remote 

access VPN logon process 

optional In-Case-of-Emergency (ICE) licensing enables the service to temporarily support a large 

number of users, for up to eight weeks, during unexpected events like disasters; pandemics; mass 

travel disruptions; weather conditions; etc. 

the optional Premier Java RDP Applet is a platform independent solution for accessing Microsoft 

Terminal/Remote Desktop Services, centralising administration of all user and configuration data - 

including extensive print functions to cut administration and avoid hassles with local and/or network 

printing. 

854

Section 9 Support Services 

Logicalis is able to provide differing levels of support services for Communication solutions, including 

all network, voice, data centre and storage fabric elements and interfaces to other systems – firewalls 

etc. Support services include Break/Fix Maintenance and Fully Managed Services. 

Customers are offered the flexibility to mix and match these services within their estate. 

Break/Fix Maintenance 

Parts Replacement & Reactive Break/Fix 

Logicalis offers customers the ability to maintain their estate through a reactive support contract 

providing either a ‘parts replacement’ service or a ‘break/fix’ service where Logicalis provides 

replacement parts and an engineer to correct any faults. 

These services are modular and can be tailored to meet exact fix time requirements based on each 

unit of hardware covered, depending on the business critical nature of that piece of hardware and the 

SLA required. 

Support of Legacy Equipment 

Where Logicalis is assuming support for legacy equipment, Logicalis audits the estate. The audit 

provides us with a base inventory to work from. 

On completion of the audit, the equipment list is analysed to identify those with a simple cost 

effective support route, normally with a vendor involvement for software and third line 

855

support. Products which are more difficult to support will require analysis to ensure the best support 

service such as using legacy spares holdings or replacement with new, on failure. 

Take-on of Existing Equipment 

The first stage of the take on of existing environments is to ensure the current standards actually 

fulfil service to a best practice standard. This is important to understand the potential costs of the setup 

of a service and also allows analysis of the gap between the standard and the current solutions that are 

in place. 

Should a full refresh be required this is undertaken through a consultancy process and charged in 

accordance with the rate card included in the Service Catalogue. Consultants used for this exercise are 

qualified with vendor accreditations for the equipment specified. 

Service Levels 

Hours of cover can be split across three different services levels: 

24x7; 

856 

8 am to 6 pm (in hours operation); 

6 pm to 8 am (out of hours operation). 

Fault Reporting and Diagnosis 

In the event of the Customer detecting any fault in the maintained equipment the Customer will 

notify Logicalis’ Service Desk during cover hours specifying the maintained equipment concerned, the 

serial number(s) and site address and whatever information is available regarding the fault, including 

any results of any the Customer-performed diagnostics.

Following the reporting of a fault by the Customer (or the detection of a fault by Logicalis through 

monitoring of the Equipment where this service is provided) Logicalis will raise an incident on the 

Incident Management System (IMS). 

The Service Desk will assess the nature of the fault giving rise to the incident and attempt to provide 

a resolution. 

Initially, the Service Desk and the Customer may if necessary conduct a discussion over the 

telephone, or an exchange of emails, to attempt to carry out diagnosis and resolution of the fault in 

question. 

The Service Desk may also use remote access to carry out diagnosis of faults; subject always to 

complying with pre agreed security controls. 

Logicalis will be responsible for notifying the Customer of the incident reference number, entering 

updates on the IMS regarding the status of the Incident, resolving the fault remotely and or dispatching 

an engineer and/or replacement parts to Site. 

Following resolution of the fault giving rise to an Incident, the Service Desk will be responsible for 

obtaining the Customer’s agreement that the fault has been resolved to the Customer’s 

satisfaction. Logicalis will record who, at the Customer, agreed that the fault had been resolved in the 

call log comments. The log will then be closed. 

If Logicalis diagnoses that the problem lies with equipment that is not Maintained Equipment it will 

confirm this with the Customer to update and close the Incident. 

On Site Services 

Any part of the Maintained Equipment which develops a fault will at Logicalis’ option either: 

857

Be repaired; or 

Be replaced by parts with equivalent functionality on an exchange basis, whereby the removed part 

will become the property of Logicalis and the replacing part will become the property of the Customer 

(if the Customer does not to allow the removed part to be taken by Logicalis then Logicalis reserves the 

right to charge the Customer for the replacing part); or 

Be replaced by parts with equivalent functionality on a loan basis, whereby Logicalis will continue to 

own the replacing part and will repair and reinstall the original part as soon as is reasonably possible. 

The services include the replacement of disk drives subject to the Service Exceptions and provided 

that the fault is not caused by the use of storage media not recommended by Logicalis. Should a 

replacement disk be required,Logicalis will, at the request of the Customer, reinstall the operating 

system. 

If a service call is made and Logicalis is unable to gain access to the Maintained Equipment, Logicalis 

reserves the right to charge for any call-out at Logicalis’ then standard time and materials rates. 

Advance Hardware Replacement 

Logicalis will supply replacement parts to the Customer to replace the Customer’s faulty Maintained 

Equipment before, or at the same time as the Customer returns the faulty equipment to Logicalis. 

Logicalis retains the right to charge the Customer for the replacement part or an equivalent piece of 

equipment with similar specification should the Maintained Equipment in question not be returned to 

Logicalis within five (5) working days of delivery of the replacement part. 

The Customer will retain all packaging for the replacement part provided in accordance with this 

paragraph and re-utilise the same, or provide packaging of similar performance for the return of 

858

Maintained Equipment. The Customer will take all due care to pack the faulty Maintained Equipment in 

such a way as to protect it from damage during transit. 

Logicalis will pass to the Customer so far as it is legally able to do so, any warranty provision 

applicable to the replacement part and provided by the original manufacturer of the replacement part. 

Service Exceptions 

Logicalis will not be obliged to provide Services to remedy faults in the Maintained Equipment 

caused by: 

1. Installation or repair of the Maintained Equipment (including electrical work) by someone other 

than Logicalis; 

2. Failure to comply with the conditions of use of the Maintained Equipment or (save where the 

Maintained Equipment is also Co-location Equipment) environmental conditions as set out in the 

manufacturer’s documentation; 

3. Accident, fire or water damage, neglect, misuse or abuse of the Maintained Equipment other than 

by Logicalis; 

4. The relocation, modification or addition to any of the Maintained Equipment without the approval 

of Logicalis or a defect caused by equipment not supported by Logicalis or by any other service not 

performed by Logicalis; 

5. Use or connection of the Maintained Equipment to or with software or equipment not suitable for 

such use or connection or which interferes with the proper functioning thereof, other than by 

Logicalis; 

6. Maintained Equipment is End of Life. Logicalis will use reasonable endeavours and in accordance 

with the original manufacturers recommendations advise the Customer when Maintained 

Equipment is coming towards its end of life to give the Customer an opportunity to bring the 

Maintained Equipment up-to-date; 

7. The Customer failing to implement Quality of Service on its data network as required to operate a 

Voice Service. 

The Services do not include: 

859 

Supply of consumables; 

Replacement of impact or inkjet print heads; 

Replacement of laser printer fuser units or transfer/pick up rollers; 

Replacement of flat screens, displays or liquid crystal displays;

Repair or replacement of additional items installed in PCs or servers unless the item is listed 

on the Equipment Schedule or fitted as standard by the manufacturer; 

Failures caused by faulty media. 

If on investigation Logicalis reasonably determines that a fault is as a result of any of the matters 

referred to in the Exceptions then the Customer will pay Logicalis for all time and materials reasonably 

expended by Logicalis in investigating the same. 

Logicalis will not be obliged to provide Services at any Site if Logicalis reasonably considers that the 

conditions at the Site represent a risk to the health or safety of any Logicalis personnel. 

Access to the Sites 

Where Logicalis requires access to the sites in order to remedy a fault or suspected fault in the 

Maintained Equipment it will arrange such access via the Customer. The Customer will provide Logicalis’ 

Service Desk with all necessary information to enable Logicalis’ representative to gain access to the 

relevant Site, including site rules and security arrangements, the name and telephone number of a 

contact at the Site, parking arrangements, specific access requirements for the Site and any out of hours 

access arrangements which apply. 

Logicalis will abide by such health and safety, site access and security procedures of the Customer as 

are made known to Logicalis in advance. 

Escalation 

Logicalis has a published escalation procedure and will implement this escalation procedure in 

agreement with the Customer. 

Additions and Deletions 

The Customer may add Equipment to or delete Equipment from this Agreement in accordance with 

the Additions and Deletions of the main contract. 

860

Contractor Items 

Logicalis Items remain the exclusive property of Logicalis. The Customer may use such Logicalis 

Items only for activities related to the Services and may not modify, remove or transfer Logicalis Items 

or make them, or any resultant diagnostic or system management data, available to other parties 

without Logicalis’ written consent. Upon termination of this Agreement the Customer will, at Logicalis’ 

option, destroy or return all Logicalis Items in its possession. 

Fully Managed Services 

This service provides pro-active life-cycle management of the Customer’s infrastructure and is 

delivered to compliment the work of the ICT department. It takes away their day-to-day operational 

tasks and is serviced by front-line MSC staff providing first and second line support services backed up 

by a third line support team and 4th line going backed off to the equipment vendor or manufacturer. 

The service is typically provided remotely, but can be enhanced by the deployment of on-site 

resource which may involve TUPE considerations. 

The remote and on-site resources operate the same toolsets and processes across the infrastructure 

management service, utilising Logicalis’ Enterprise Class Management platforms including CA’s Spectrum 

Infrastructure Manager and eHealth Performance Manager. 

Logicalis provides a front-line Single Point of Contact (SPOC) for the infrastructure which can include 

the management of third party resolution agencies. This ensures consistent and effective service 

management. 

The Fully Managed Service includes the following: 

861

862 

equipment procurement; 

implementation services; 

comprehensive 24 x 7 monitoring service; 

incident monitoring and notification; 

liaison with 3rd party resolution agencies such as carriers for line faults etc; 

hardware break/fix service; 

configuration backup and archival ; 

standard or enhanced Service Management – Service Delivery Manager (SDM); 

o regular service reviews 

o service review reports; 

o incident management visibility; 

o performance reports through portal 

additional Enhanced Level Services; 

full incident and problem management; 

managed change control; 

o configuration management; 

o moves, adds and changes; 

o patch and release management advice; 

The following Service Matrix summarises the service components that are provided as part of this 

service as standard: 

Service Component 

Service Delivery Management 



Provided 

for Voice 

Provided 

for ACD

863 


Maintenance 





Release Management 


Service Reviews & Reporting 

Continuity Management 

Equipment Reporting 


Continuous Service Improvement 

Escalation Management 

Performance Standards

Logicalis will provide the Services in accordance with the performance standards as set out in this 

section and in the Maintenance Services section. Where applicable, Logicalis’ failure to meet a Service 

Level will entitle the Customer to receive the financial credits. 


Service Responsibilities 

A service desk facility will be provided within the MSC that will act as the focal point for the 

management and delivery of the Services. 

The service desk will co-ordinate the actions of the support staff, both on the Customer’s site and its 

own site, in the delivery of the Services. 

The service desk will interface with the Customer’s own service desk facility and not directly with 

the Customer’s end users. 

Hours of Cover 

The following table details the hours of cover for the above service elements: 

Service Element Hours Days 

Service Desk availability 24 per day 7 per week 

864

Service Level Targets 

The service desk will be staffed by appropriately qualified personnel. 

865 

the Customer Responsibilities 

the Customer will provide its own service desk facility that will be the first line of support for 

its end users. 


The Logicalis Incident Management process for PSN is owned and operated by the MSC and Service 

Desk. The MSC and Service Desk have a defined Disaster Recovery plan, so that in the event of a disaster 

service delivery and support functions can be moved to an alternate location, or otherwise switched 

across to another Service Centre. 

Logicalis acts as a seamless extension of the existing service management regime, interfacing with 

the Customer through clearly defined demarcations of responsibility, informational exchanges and – 

where relevant - common process workflows.

Logicalis’ standard service operating model is to provide a 2nd line Service Desk that integrates into 

a customer’s internal 1st line IT Service Desk (in this case the Customer). As such, we are experienced in 

understanding how to construct (or integrate into) common end-to-end service delivery and support 

processes that involve multiple parties taking part in multiple workflows, and the importance of 

demarcations of responsibility, handover regimes, and stop clock procedures. This involves providing an 

integrated peer-to-peer support environment (as can be seen from the diagram above) based on robust 

Service Desk processes and a Service Delivery Management and governance overlay. 

Logicalis utilises our standard ITIL based processes and systems to manage faults and incidents as 

required. Using our service management system Logicalis manages incident notification, the stopping 

and starting of support clocks and any escalations required (both internally and with the Customer). The 

system is also used to manage any Operating Level Agreements with the Customer. Monthly service 

866

eviews present the opportunity to identify, review and address any issues related to the operational 

interface between Logicalis and the Customer. 

The referential integrity of incident ticket data will be maintained between Logicalis and the 

Customer, with incident references from the respective Service Management systems being recorded 

for any given incident. 

As described earlier, integration of the Logicalis and the Customer’s service management systems 

(for incident ticketing) is possible, either by API, scripting, automated e-mailing of incident event data, or 

otherwise manual entry. Further dialogue is required to determine the most appropriate and effective 

mechanism to achieve timely population of the respective systems with information relating to any 

given incident, and ensuring referential integrity between the two. 

During the transition phase, a Service Definition Document and ‘Run Book’ is compiled, which 

defines all the operational touch points between Logicalis, the Customer, the processes for exchange of 

information and data, and any process or procedural anomalies that need to be taken into account with 

this particular Service. It is during this phase that requirements such as support scripts is captured and 

defined to assist the Customer with identification, triage and classification of issues at the 1 st line. 

A flexible approach is also taken to report generation, allowing specific metrics to be reported on 

directly to the Customer. The Service Delivery Manager is as the operational liaison between Logicalis 

and the Customer for matters of process, governance and escalation. 


867

Logicalis will provide, manage and support an incident management service through the service 

desk that will be the focal point for managing the resolution of incidents in accordance with service 

levels agreed between the Customer and Logicalis. 

The incident management service will be available on a 24 x 7 x 365 basis for incidents to be raised 

by authorised Customer staff, the Customer’s 3rd party staff and Logicalis’ own support teams. 

The following methods of raising incidents within Logicalis’ incident management service will be 

provided: 

By telephone call to Logicalis’ service desk; 

By email to Logicalis’ service desk; 

By raising an incident in the Customer’s service desk; 

By capturing an alert from Logicalis’ management platform. 

Logicalis’ service desk will proactively update the relevant the Customer teams of the progress of 

incident resolution at the agreed intervals. 

Logicalis’ service desk will be responsible for obtaining agreement from the Customer’s incident 

owner that the fault has been resolved to their satisfaction. Only once confirmation has been received 

will the incident be marked as “closed”. 

Where any incident is discovered in software forming part of the Equipment which cannot be fixed 

by replacing any units or parts of the Equipment, Logicalis will use its reasonable endeavours to provide 

a work-around and to obtain a permanent solution from the Equipment manufacturer. 

Connectivity Services 

868

It will be the responsibility of the Customer to arrange the provision, installation and maintenance 

of the network services and associated termination equipment necessary to connect the infrastructure 

in Logicalis’ Data Centre to the Customer locations. Payment for all such works and services will be the 

responsibility of the Customer. 

The Customer and/or their nominated network service provider will liaise with Logicalis to ensure 

such network services conform to the standards required by Logicalis for performance of the Services. 

The performance of such network services will not be the responsibility of Logicalis, nor will Logicalis 

be liable for any service credits for the non-performance of such services. 

If Logicalis determines that an incident relates to equipment or services which are maintained or 

provided by the Network Services Provider, or otherwise that an Incident requires intervention from the 

Network Services Provider for it to be resolved, Logicalis will, subject to the Customer’s Responsibilities, 

liaise with the Network Services Provider to assist in resolution. 




Management of Incidents 24 per day 7 per week 

869

Service Levels, Hardware 

The following service levels will apply for incident management of the hardware, service & remote 

management hardware and DC LAN switching hardware, where: 

870 

Target Remote Response Time is the time for an engineer to begin investigation of an 

Incident; 

Target Resolution Time is inclusive of Target Remote Response Time; 

Target Resolution Time includes any requirement for attendance to site. 

Priority 

Level 

P1 

-or- 

Critical 

Definition 

Serious business impact affecting 

production systems and cash flow is 

affected. 

Example: complete system 

failure, network down, total or major loss of 

functionality, one or more server outage, 

major business affecting problem where 

production is severely affected (for instance; 

loss of site, line or equipment). 

Target 

Remote 

Response 

Time 

30 

minutes 

(24 x 7) 

Target 

Resolution 

Time 

3 hours 

(24 x 7) 

P2 Significant business impact on 1 hour 6 hours

m 

Priority 

Level 

-or- 

Major 

P3 

-or- 

Mediu 

871 

Definition 

production or cash flow is affected. 

Example: Extremely slow system 

performance, an element of functionality is 

down or has a bug. Partial outage - Severe 

limitation to customer operations caused by 

a degraded network or server. Production is 

capable but business is affected. 

Serious impact affecting a single 

customer or group. 


performance, a piece of functionality is 

down or has a bug. Component failure, 

infrastructure problem or functional loss 

resulting in limitations to customer 

operations. 

P4 Impact on single customer or isolated 

device. 

Target 

Remote 

Response 

Time 

Target 

Resolution 

Time 

(24 x 7) (24 x 7) 

5 hours 

(Normal 

Office Hours) 

10 hours 

(Normal 

10 hours 

(Normal 

Office Hours) 

24 hours 

(Normal

Priority 

Level 

-or- 

Minor 

872 

Definition 

Example: Problem or incident where 

single users can operate some of the system 

activities normally, but a definite problem is 

identified. Assistance is required to aid in 

troubleshooting. 

Target 

Remote 

Response 

Time 

Target 

Resolution 

Time 

Office Hours) Office Hours) 

The service levels specified above will not apply to equipment that is obsolete and/or not eligible for 

active support from the corresponding Vendor; in which case all support will be provided on a 

reasonable endeavours basis. 

include: 

KPI, Service Levels, Reporting 

Metrics used to evaluate the effectiveness and efficiency of the service model integration will 

Percentage of incidents resolved/reclassified by the Customer’s Help Desk through use of 

support scripts 

Number of incident ticket reference codes incorrectly logged 

Number of staff suggestions, requests for transfer, disputes etc.

The following KPIs will apply for incident management of the hardware, service & remote 

management hardware and DC LAN switching hardware: 

Priority 

Level 

P1 

-or- 

Critical 

P2 

873 

-or- 

Major 

Definition 

Serious business impact affecting 

production systems and cash flow is 

affected. 

Example: complete system 

failure, network down, total or major loss of 

functionality, one or more server outage, 

major business affecting problem where 

production is severely affected (for instance; 

loss of site, line or equipment). 

Significant business impact on 

production or cash flow is affected. 


performance, an element of functionality is 

down or has a bug. Partial outage - Severe 

limitation to customer operations caused by 

Target 

Diagnostic 

Time 

1 hour 

(24 x 7) 

2 hours 

(24 x 7) 

Customer 

updates 

Every 30 

minutes or on 

status change 

Every 30 

minutes or on 

status change

m 

Priority 

Level 

P3 

-or- 

Mediu 

P4 

-or- 

Minor 

874 

Definition 

a degraded network or server. Production is 

capable but business is affected. 

Serious impact affecting a single 

customer or group. 


performance, a piece of functionality is 

down or has a bug. infrastructure 

component failure, network problem or 

functional loss resulting in limitations to 

customer operations. 

device. 

Impact on single customer or isolated 

Example: Problem or incident where 

single users can operate some of the system 

activities normally, but a definite problem is 

identified. 

Service Levels, IP Recording and Quality Monitoring Hardware 

Target 

Diagnostic 

Time 

6 hours 

(Normal 

Office Hours) 

12 hours 

(Normal 

Office Hours) 

Customer 

updates 

Every hour 

or on status 

change 

change 

On status

The following service level targets will apply for Incident Management of the IP Recording and 

Quality Monitoring hardware: 

Fault 

Severity 

P1 

-or- 

Critical 

or- 

P2 

- 

Major 

P3 

-or- 

Mediu 

m 

P4 

875 

Category of Impact 

Major impact to system; e.g., lines not 

being recorded 

Some impact to system; e.g., recording 

okay but no playback available or quality 

very poor 

Some impact to system; e.g., Recording 

and playback working, but other features not 

working 

Hours 

Hours 

Target 

Response 

Time 

Up to 6 

Up to 10 

Up to 

Hour 48 

Target 

Resolution 

Time 

5 days 

20 days 

40 days 

No functionality loss - recorder works Up to 40 days

Fault 

Severity 

-or- 

Minor 

Resolution 

876 

Category of Impact 

with no degradation of service but a minor 

fault or query 

Target 

Response 

Time 

Hour 48 

Following the diagnosis of the cause of a fault in the Equipment Logicalis will either: 

Target 

Resolution 

1. Where Logicalis considers that the fault can be remedied remotely Logicalis will use remote access 

to the Equipment to attempt to remedy the fault, subject always to Logicalis complying with preagreed 

security controls; or 

2. Where Logicalis considers that the resolution of the fault requires on site attendance and Logicalis 

has contracted to provide on-site break/fix maintenance to the Customer then Logicalis will initiate 

a response in accordance with the Maintenance service; 

3. Where Logicalis considers that the resolution of the fault requires on-site attendance and Logicalis 

has not contracted to provide on-site break/fix maintenance to the Customer then Logicalis will 

either inform the Customer or contact the relevant third party resolver group as previously agreed 

with the Customer. 

Customer Responsibilities 

Time 

The Customer will provide its own incident management process and function into which Logicalis 

will interface; 

The Customer will procure that the Network Services Provider will accept fault calls from Logicalis 

and will provide Logicalis with such management information as Logicalis reasonably requests in order 

to fulfil its obligations.


below. 

The problem management process which Logicalis operates is shown in the workflow diagrams 

Problems are defined as the unknown underlying cause of one of more incidents, and a problem is a 

Known Error when the root cause is known and a temporary or a permanent alternative has been 

identified. As such, Logicalis employs Problem Management to minimise the effect on users of defects in 

services and within the infrastructure. 

The problem management process is instigated in all cases of recurring incidents, and in cases 

where a temporary work-around has been applied to close an incident and a permanent fix is required. 

Ownership of any particular problem depends on the nature and origin of the problem. 

The objective of Logicalis’ problem management process is to ensure that any problem is captured, 

properly identified, effectively resolved and its root causes established, so as to prevent recurrence, 

interruption to, or degradation of the service. 

877

In many cases a problem will have been identified through two or more incidents having been 

recorded and identified in the incident management database. However, this does not preclude anyone 

identifying a potential problem and escalating it to the Problem Management Forum. 

The problem reporter ensures that the problem is registered and sufficient information is recorded 

in the problem management database. If the problem reporter does not have direct access, the problem 

should be reported via the MSC Service Desk. Once the problem is recorded it is escalated via priority e- 

mail, with the subject ‘Problem Alert No. XXX’, to the group address ‘Problem Management Forum’. 

Upon receipt of a ‘Problem Alert’ e-mail, the leader of the problem management forum will convene 

a ‘Virtual’ meeting to address the problem. 

The Problem Manager will feed back to the forum when the problem is believed to be resolved. At 

the earliest opportunity the forum will review the records for each problem and agree closure. The 

Known Error Database is updated. 

878

Where a Problem has created an adverse situation between Logicalis and its Client, this is managed 

through the Critical Accounts Process. Action is taken by the Forum to minimise the risk of recurrence 

and to decide on any system or process improvements. 

The Forum regularly convenes on a monthly basis to discuss: 

879 

Trend and Pattern Analysis - Analysis of reports from the Known Error Database, to ascertain if 

there are high level Problem patterns which require a broader approach. Where a higher-level 

technical change is deemed appropriate, and has not been covered during Problem resolution, a 

change request may be a submitted by a person nominated by the forum, and submitted in 

accordance with the Change Control Procedure. 

Continuous Improvement - Analysis of any non-technical, process, system or organisational 

issues identified during the problem management process. Where potential improvements are 

identified these are agreed with the relevant department or team manager and recorded in the 

Continual Service Improvement Plan (CSIP) for action. 

Captured incidents are reviewed for similarities and the root causes identified. If this activity fails, 

the problem is reviewed and - if necessary - escalated in order to categorise the incident and apply 

appropriate resolution activities. Service Desk systems enable agents to translate incidents into problem 

records and as a result, helping in the tracking, notification, escalation, allocation and resolution of 

future incidents. 

In the case of major problems, a major problem review is undertaken after each occurrence, and 

reported upon at the next scheduled service review meeting, to ensure the Customer is aware of the 

steps taken and the plans put in place to avoid recurrence of the problem.

880 


Logicalis also maintains a knowledge base of Problem data in the form of a Known Error Database, 

for referral to by service desk agents to allow quicker diagnosis and resolution if problems re-occur.

include: 


Metrics used to evaluate the effectiveness and efficiency of the problem management process will 

881 

Percentage of incidents defined as problems 

Number of problems logged 

Number of problems fixed 

The number of Major Problem Reviews completed successfully 

Number of problems outstanding. 


Where service is restored but an underlying fault still remains the Customer will invoke the 

Customer’s problem management process. 

Remedial action for hardware faults: Logicalis will manage the resolution of the fault through its 

own resources or through 3rd party suppliers as appropriate. 

Remedial Action for software faults: Logicalis will take appropriate remedial action to modify, 

restore or upgrade the device configuration, or provide a software work around, working with 3rd party 

suppliers and manufacturers as required. 

Logicalis will undertake all reasonable appropriate remedial action to diagnose and resolve 

problems that have been reported to the Customer’s Service Desk and assigned to Logicalis.




Problem management availability 

Implementation of a change to resolve 

the problem 


882 

09.00 – 

17.00 

Monday - 

Friday 

24 per day 7 per week 

There are no specific metrics governing the delivery of this service element. 


The Customer will provide its own change management process and function into which Logicalis 

will interface. 

Escalation 

Using standard processes Logicalis will ensure that the correct level of management visibility of 

incidents is maintained at all times to ensure a swift response to service problems when they arise.

The Logicalis MSC will perform initial incident diagnosis, triage, classification and initial resolution 

attempts. Where Level 2 support is required, incidents are escalated to the appropriate Logicalis 

Engineering Support Group, where skilled and experienced engineering staff investigates incidents 

further. 

If required, highly skilled technical resources (typically at CCIE level for Cisco equipment) will provide 

Level 3 support and if necessary escalate to the corresponding vendor for Level 4 support. 

Whilst this is the internal, technical escalation route associated with incident management, there is 

a comparable customer-driven escalation route that keeps the Customer notified of incident progress, 

allowing decisions to be made on the setting of priorities and the allocation of additional resources 

when required. 

Out of hours, escalation is to the Customer’s Service Duty Manager or an appropriate contact in a 

recipient organisation. 

883

Escalation Management 


Logicalis will operate an escalation management process in order to promote the rapid resolution of 

incidents. The escalation management process will be documented and will include as a minimum: 

1. Clear indication of the escalation path to be followed at specific incident resolution status points. 

2. Escalation contacts within Logicalis (fixed line telephone numbers, mobile telephone numbers, 

email addresses). 

3. Escalation contacts within the Customer (fixed line telephone numbers, mobile telephone numbers, 

email addresses). 

Logicalis will ensure that the escalation management process document is regularly updated to 

ensure that changes to personnel in both the Customer and Logicalis’ organisation are captured. 




Escalation management availability 24 per day 7 per week 

Key Performance Indicators 

Logicalis will adhere to the following table for escalations within normal office hours. 

884

885 

Normal 

Office 

Hours 

lapsed Time 

0% of SLA 

5% of SLA 

0% of SLA 

00% of SLA 

The 

Contractor 

MSC Team 

Leader 

MSC 

Manager 

Head of 

Managed 



Director 

Severity 1 Severity 2 

E 

5 

7 

9 

1 

Client The 

Contractor 

MSC Team 

Leader 

MSC 

Manager 

Head of 

Managed 



Director 

Client 

Logicalis will adhere to the following table for escalations outside of normal office hours. 

Out of 

Hours 

Severity 1 Severity 2

lapsed Time 

0% of SLA 

5% of SLA 

00% of SLA 

886 

The 

Contractor 

MSC shift 

Engineer 

MSC Senior 

Shift Engineer 

Duty 

Manager 


E 

5 

7 

1 

Client The 

Contractor 

MSC shift 

Engineer 

MSC Senior 

Shift Engineer 

Duty 

Manager 

Client 

The Customer will provide contact details of the functions, or individuals, which comprise the 

escalation matrix and timely notification of any changes thereto. 

Proactive Monitoring Interfacing to Incident Management 

Proactive monitoring forms an input into the incident management process, which Logicalis will 

provide from our Service Desk. 

The Service Desk provides the Customer’s 1 st line staff or nominated contacts with a centralised 

Single Point of Contact for service management. It is staffed with agents with a high degree of business

and technical knowledge, for the purpose of resolving the maximum number of service requests 

remotely and during first call. 

Agents receive and record calls, handle inquiries and complaints, monitor event data from the 

proactive monitoring systems, perform initial fault diagnostics and resolution attempts, transfer 

incidents to on-site resources, field engineers or the 2 nd line support of the MSC or 3 rd line support from 

the advanced technical resolver groups as required. They also manage SLA-based escalation, and 

communicate the progress and status of service requests to the Customer’s IT staff. 

Logicalis utilises field engineer resources, in those cases where incidents require on-site remediation 

and/or part replacement. Logicalis generally gain remote access and perform remote 2 nd line diagnosis 

prior to dispatching field or on-site resources. Where local attendance is required, then Logicalis’ field 

engineers are deployed. 

In addition, Logicalis manages all third parties under our contracted management, and provides 

cross-boundary communication where necessary. 

Logicalis is responsible for notifying the Customer of the incident reference number, and entering 

updates on the Logicalis service management system regarding the status of the incident. 

Following resolution of the fault giving rise to an incident, the Logicalis Service Desk is responsible 

for obtaining the Customer’s confirmation of service restoration. Logicalis records who, at the 

Customer, agreed that the fault had been resolved, in the call log comments. The log is then closed. 

If Logicalis diagnoses that an incident relates to equipment that is not managed or supported by 

Logicalis, we either inform the Customer, or manage with the problem through the relevant third party 

resolver group (where contractually agreed as part of the scope of the Service). 

887


Logicalis operates the incident management process shown in the workflow diagrams below. 

For the purposes of proactive identification of incidents and degradations in service, Logicalis 

provides 24 x 7 proactive fault monitoring of the infrastructure. Logicalis monitors the Equipment and 

identifies service-affecting events or thresholds that have been exceeded in accordance with the 

parameters agreed with the Customer. 

Proactive Monitoring is delivered from our MSC on a 24x7 basis, via secure IP connectivity into the 

PSN network, utilising automated exception management to detect and notify any device or service 

availability or operational anomalies. 

All identified alerts are recorded in the Logicalis service management system and managed in 

accordance with the SLA. 

888

889 

Incident Management Part 1

890 

Incident Management Part 2 

Proactive Monitoring comprises two core components: 

1. monitoring the on-going availability and health of the infrastructure and CPE devices;

2. monitoring the on-going availability and capacity of the infrastructure. 

The availability, performance and health of equipment are monitored as part of the proactive 

monitoring service. Monitored metrics and threshold alerts are highly configurable and are agreed with 

our customers during consultation, but can include: 

891 

Bandwidth Buffer status 

Circuit status Cisco Traps 

Connectivity status CPU 

Discards Errors 

Fan Notification Interface up/down traps 

IP packet throughput ISDN Dial Backup 

Latency Link congestion 

Link connection status Memory 

Module Up /Down Packet loss rate 

Physical port status Quality of Service 

Redundant Supply Notification Shutdown Triggers 

Temperature Up/Down Status 

Utilisation 

All identified alerts are recorded in the Logicalis Service Management system, and managed in 

accordance with the SLA.

All equipment and services, provided by Logicalis, are monitored and supported utilising a 

standardised platform. Logicalis utilises an integrated toolset consisting of CA Spectrum and CA eHealth: 

• CA Spectrum: Spectrum is the primary fault management tool employed by the MSC and 

provides status monitoring and a root cause analysis engine. Spectrum monitors the infrastructure by 

polling with SNMP. In addition to polling, it can process SNMP Traps to assist in the detection of 

faults. 

892 

All alarms are automatically correlated, have a ‘root cause’ highlighted and ‘probable cause’ 

determined. This inherent functionality enables Logicalis to quickly identify faults on a Customer’s 

infrastructure and to quickly identify, resolve and prevent potential problems before they happen – 

to maximise system availability and efficiency. 

All event and alert data related to the performance and availability of the infrastructure is 

presented to Logicalis’ MSC agents via the Spectrum interface, so that Spectrum provides a central 

view of all fault event data across the whole PSN estate. 

• CA eHealth: In addition to the Spectrum Fault Monitoring platform, Logicalis also utilises 

the eHealth (Live Health) performance monitoring platform, in order to provide integrated fault and 

performance monitoring. 

eHealth integrates performance management across the most complex multivendor and multi- 

technology — encompassing IPv4, IPv6 and mixed dual stack IPv4/IPv6 environments — and presents 

it in a single, consolidated, actionable view. 

eHealth collects performance data, evaluates it for threshold violations and issues early warnings 

in real-time so Logicalis can address problems before they become critical. The data is stored in a 

historical database and used for a wide variety of out-of-the box reports to understand the 

availability and performance of IT infrastructure components.

893 

Reports are role-based to meet the specific needs of IT and business management, operations 

staff, administrators, engineers and capacity planners. Developing bottlenecks and impending 

failures can be spotted, and the need for repair, reconfiguration or additional capacity documented. 

Conversely, under-utilised assets can be identified. 

eHealth includes granular service level management for defining different classes of service and 

assigning goals, core thresholds and other performance metrics to them. 


Logicalis will monitor the Equipment during hours of cover and will perform the following specific 

activities: 

1. Logicalis will monitor the Equipment and identify service-affecting events or thresholds that have 

been exceeded in accordance with the parameters agreed with the Customer. 

2. Logicalis will liaise with the appropriate Customer contact to ensure that appropriate fault handling 

is initiated. 

3. Where Logicalis is responsible for remedying a fault in the Equipment it will raise an incident on 

Logicalis’ incident management system. 

4. If, due to equipment or circuit failure, Logicalis is unable to monitor the Equipment it will continue 

to provide all other aspects of the services that are not dependent on the monitoring of the 

Equipment. Logicalis will maintain the inventory of monitored Equipment by the: 

addition of new equipment to be monitored; 

removal of deleted equipment from monitoring; 

amendment of equipment configurations to facilitate monitoring. 


The following table details the hours of cover for the above service elements:


Monitoring of Equipment 24 per day 7 per week 


Logicalis will adhere to the service levels as detailed within the following table: 

894 

Description Metric 

Performance data collection 

intervals 

LAN monitoring alerts, 

notification to relevant the 

Customer teams 

NOH 

OOH 

Updates for Severity 1 in 

Updates for Severity 1 in 


None applicable. 

Every 5 minutes nominal 

Within 15 minutes 

30 minutes or status change 

30 minutes or status change


Logicalis assumes responsibility for the Logicalis-side change control process (i.e. where Logicalis 

make changes for supportability reasons) for the environment, and manages change requests from the 

Customer for infrastructure managed by us. 

For the avoidance of doubt, Logicalis assumes that the Customer retains responsibility for user-side 

change requests (i.e. interacting directly with end users), and Logicalis takes responsibility for 

infrastructure-side change requests from the Customer. 

Change Requests are accepted 24 hours a day, but the approval process only takes place during 

normal office hours, with relevant CABs being held on a weekly basis. Both Logicalis and the Customer 

can generate change request documents. 

The Logicalis MSC acts as a single point of contact for the receipt, acknowledgement and 

progression of changes raised and ensures that they are actioned in accordance with the SLA. 

Implementation of remote, simple or template, changes is done under defined change management 

and performed remotely from the Logicalis MSC. 

Implementation of changes requiring on-site work, and major changes (i.e. those requiring elements 

of technical design work) is treated as chargeable works or projects. 

Logicalis ensures that all changes are carried out in a planned and authorised manner. To this end 

Logicalis has categorised changes and change requests as shown in the table below. 

895

Logicalis is at any time entitled to re-classify the description of a change following submission. This is 

subject to justification by Logicalis and agreement with the Customer. 

All changes are subject to resource availability, with an implementation date being confirmed by 

Logicalis. 

Tasks carried out during the ‘authorisation window’ include ensuring that there is a business reason 

behind each change, identifying the specific configuration items and IT services affected by the change, 

planning the change and having a back-out plan should the change result in an unexpected state of the 

configuration items. For medium changes and above, this information is presented to the weekly CAB 

for authorisation. The ‘change window’ is the actual time within which Logicalis staff undertakes the 

authorised change. 

Logicalis will ensure that all changes are carried out in a planned and authorised manner. To this end 

changes and change requests will be classified as follows: 

896 

ry 

e 

Catego 

Routin 

Change type Authorisation 

Day to day minor 

changes that require 

minimal authorisation, have 

no design element with no 

service impact and require 

no system downtime. These 

window 

Chang 

e window 

Changes done within 24-48 

hours (may be longer if MSC is 

dealing with an exceptionally high 

level of severity 1 faults)

897 

Minor 

Major 

can typically be undertaken 

with no pre-planning and 

within short 

timescales (less than 2 

hours) during normal 

service operation. 

Template changes that 

have pre-agreed processes 

but require management 

authorisation. These are 

likely to be more 

complicated changes and 

may be implemented out of 

hours. 

These changes are 

complicated, service 

effecting and therefore 

require design validation 

and planning (typically less 

than a day’s effort). These 

are complicated changes 

and will be implemented 

Weekly 

CAB Weekly 

CAB/Senior CAB 

4 

Hours 

8 

hours

898 

ency 

Project 

Emerg 

out of hours 

Large scale projects 

typically involving additional 

equipment or system re- 

design that need to be 

scoped and costed 

accordingly. 

Urgent request typically 

as a result of a serious 

service affecting incident. 

Weekly 

CAB/Senior CAB 

Retrospective 

TBA 

Within 

4 hours 

Logicalis’ objective is to provide a simple, efficient and effective change management service for 

routine, non-service affecting changes, with a minimal approval overhead and time delay; such changes 

are typically authorised within the Logicalis MSC and/or by the SDM, and implemented at the earliest 

opportunity. 

In order to de-risk more complicated changes (i.e. those classified as ‘Minor’) a templated approach 

is used. This involves design agreement with the Technical Design Authority and technical team, where 

an agreed template is created to simplify requests for change and limit the possibilities of errors. These 

changes are approved at the weekly CAB meeting. 

Requests that fall into the ‘Major’ and ‘Project’ categories might require additional input from other 

areas. For these changes, a risk analysis of the potential impact of a change on existing live services is

carried out, a suitable schedule for the change is defined, and an implementation and fallback plan is 

agreed. Such changes are reviewed at a CAB, commensurate with the associated risk and implications. 

The following flow chart indicates the processes for Emergency, Major and Minor changes: 

899 

Emergency Changes

900 

Major Changes


901 

Minor Changes

Logicalis will be responsible for the Contractor-side change control process (i.e. where Logicalis 

makes changes for supportability reasons) for the environment, and will manage change requests from 

the Customer for infrastructure managed by Logicalis. 

For the avoidance of doubt, Logicalis assumes that the Customer retains responsibility for user-side 

change requests (i.e. interacting directly with end users), and Logicalis takes responsibility for 

infrastructure-side change requests from the Customer. 

Change Requests will be accepted 24 hours a day, but the approval process will only take place 

during normal office hours, with relevant Change Authorisation Boards (CABs) being held on a weekly 

basis. Both Logicalis and the Customer can generate change request documents. 

Logicalis’ MSC will act as the single point of contact for the receipt, acknowledgement and 

progression of changes raised and will ensure that they are actioned in accordance with the SLA. 

Implementation of remote, simple or template, changes will be under defined change management 

and performed remotely from Logicalis’ MSC. 

Implementation of changes requiring on-site work, and major changes (i.e. those requiring elements 

of technical design work) will be treated as chargeable works or projects. 

All changes will be subject to resource availability, with an implementation date being confirmed by 

Logicalis’ resource management function. 

Tasks carried out during the ‘authorisation window’ will include ensuring that there is a business 

reason behind each change, identifying the specific configuration items and IT services affected by the 

902

change, planning the change and having a back-out plan should the change result in an unexpected state 

of the configuration items. 

For minor changes and above, this information will be presented to the weekly CAB for 

authorisation. The ‘change window’ is the actual time within which staff will undertake the authorised 

change. 

Logicalis is at any time entitled to re-classify the description of a change following submission. This 

will be subject to justification by Logicalis and agreement with the Customer. 

An agreed number of remote routine or minor changes per annum will be included within the 

service charge, where requests for such are received during the working day. The following categories of 

changes will be chargeable: 

903 

Any remote routine or minor changes above the agreed allowance; 

Changes requiring attendance on site; 

Major changes (including changes requiring technical design work); 

Project changes; 

Any changes completed out of hours. 

Telephone Software and Hardware Moves and Changes 

Logicalis carries out modifications to the configuration of Telephony systems. These modifications 

are referred to as Moves and Changes (MAC) and cover changes including the following: 

Class of Service; 

Trunk access class; 

Move of an extension; 

Enabling a new extension; 

Disabling a disused extension; 

Set-up and amendment of communication groups; 

Set-up and amendment to hunt and distribution Groups.

MAC are covered up to a limited number for each annual service charge, these are agreed at the 

outset of the contract with each client. Where MAC have been consumed further top up can be 

purchased from the Service Catalogue. 

Logicalis also carries out the following Moves and Changes. 

External site relocations; 

Internal PBX relocations; 

External peripheral devices relocations; 

Internal peripheral devices relocations. 

Logicalis is able to recover all costs associated with relocation requests. 

Logicalis liaises with Customers to agree when the work should be carried out and to arrange access 

to Site where required. Logicalis has the right to charge for any aborted Site visits in the instances when 

Site access has been previously arranged with the Customer. 

Where a Site requests any element or elements of the Service to be re-located within the existing 

Site or campus (an internal move) then Logicalis is able to recover its full costs associated with the re- 

location. 



904 


Change management process 09.00 – Monday -

905 


Change Implementation 


17.00 Friday 

09.00 – 

17.00 

Logicalis will adhere to the following service levels targets: 

updates 


Configuration documentation 

Notification to the customer 

of planned down time 


Monday - 

Friday 

3 working days from change 

completion 

14 working days prior to start 

of down time 

The Customer will provide the following: 

its own change management process and function into which Logicalis will interface. 

the relevant resources for participation in any required change authorisation and CAB process.

Availability Management 

Logicalis will employ availability management targets to sustain service availability to support the 

Customer’s business requirements at a justifiable cost. Associated high-level activities will include: 

realise availability requirements; 

compile availability plan; 

monitor availability; 

monitor maintenance obligations. 

Availability management is used to address the ability of the infrastructure components to perform 

at an agreed level over a period of time, and Logicalis will use this as a key process in measuring and 

controlling the level of service availability for use in the monthly service reviews with the Customer. 

In order to measure overall service availability Logicalis produces and agrees an availability plan, 

including: 

906 

Agreement statistics –what measurement statistics are included within the agreed service; 

Availability – agreed service times, response times, etc; 

Service desk calls – number of incidents raised, response times, resolution times; 

Contingency – agreed contingency details, location of documentation, Third Party 

involvement, etc; 

Capacity – performance timings for online transactions, report production, numbers of users, 

etc. 

Availability is typically calculated based on a model involving an availability ratio. Typically the 

calculation of this ratio includes the following elements: 

Serviceability –the expected availability of a component; 

Reliability – the time for which a component can be expected to perform under specific 

conditions without failure;

907 

Recoverability – the time it takes to restore a component back to its operational state after a 

failure; 

Maintainability – the ease with which a component can be maintained, which can be both 

remedial and preventative; 

Resilience – the ability to withstand failure; 

Security – the ability of components to withstand breaches of security. 

Once agreed, the ratio metric is measured using the management tools to gather and alert on 

relevant elements, and reported on through the monthly service reviews. 

include: 


Metrics used to evaluate the effectiveness and efficiency of the availability management process will 

Agreed service hours, per service; 

Total down time per service; 

Response times per incident; 

Time taken to repair per incident; 

Actual versus contracted availability; 

Availability Ratio. 

Capacity/Performance Management 

Logicalis will utilise capacity and performance management to ensure that the availability of service 

resources meets the needs of PSN users. In order to keep the infrastructures running efficiently,

Logicalis utilises predictive capacity planning to obtain real-life data related to the current status of 

resources, identify congestion and trouble spots before they affect users, and plan capacity effectively 

for the future. 

Capacity planning is used to ensure current resources are being used efficiently, evaluate trends in 

demand, and project future resource needs, achieving the following: 

908 

Reduce costs through the reduction or elimination of under-used resources; 

Improve performance though identification of both over-used and under-used elements, and the 

re-balancing of capacity with demand; 

Reduce Service and downtime by anticipating overloads before they occur, and ensuring adequate 

capacity is in place; 

Improve budget predictability by tracking trends and modelling the effects of new services or 

infrastructure, avoiding unnecessary emergency purchases and ensuring an optimum profile of 

additional charges. 

Performance reporting will utilise CA eHealth Performance Manager to combine historical and real- 

time metrics with intelligent analysis, to generate role-based views that is used to rapidly pinpoint and 

correct developing performance degradations before service quality is jeopardised. 

The following reports are used to provide a high level of granularity related to trend analysis and 

capacity planning. 

AT-A-GLANCE REPORTS - provide a comprehensive view of the availability and performance of a 

particular resource, displaying the key statistics over a specified time interval. By automatically 

capturing performance data and presenting it uniformly, these reports can significantly reduce the 

time spent troubleshooting. 

HEALTH REPORTS - evaluate the health of groups of components by comparing current 

performance to historical performance over the course of a day, week or month. The report 

provides a list of situations to watch and identifies errors, unusual utilisation rates, or volume shifts 

that warrant investigation. The overall status of a component is measured by its Health Index, a 

performance metric based on multiple variables.

TREND REPORTS - track the value of one or more performance variables over a period of time. 

Trend Reports is used to reveal traffic patterns over time, and relationships between components 

and variables. Components that Logicalis can track this way include: CPUs, disks, LANs, WANs, 

processes, process sets and more. 

TOP N REPORTS - sorts the elements that meet user-defined criteria. Logicalis typically use Top N 

Reports to find the best, worst, fastest, slowest or least-utilised circuits or devices. Top N Reports 

can be scheduled to run automatically at specified intervals, and also make a useful on-demand tool. 

Logicalis agrees a set of these reports that is regularly generated and made available through the 

web portal. Further ad-hoc reporting can be provided when required and is managed through the 

service delivery process. 

Output recommendations from the above are fed into the Continual Service Improvement 

Programme (CSIP). The goal of this process is to ensure that customers are realising the greatest return 

on investment from the service, and have a clear understanding of where further investments will lead. 

This programme is based on three key enablers - firstly our experience and application of ITIL, secondly 

909

our experience in managing complex services on behalf of our customers, and thirdly the Logicalis 

consulting capabilities that have been developed and proven over many years of operation. 

The CSIP is delivered through the appointed Logicalis SDM, who is the primary point of contact for 

all management issues related to the service, and in turn chairs the monthly service review and 

performance meetings. One of the key aspects of these meetings is to provide a forum for the planning 

or review of activities related to the agreed CSIP, as well as the opportunity to discuss new initiatives 

(which may have been identified in the course of incident, problem or service delivery management, and 

could be undertaken to address known service defects or implement potential service enhancements 

and improvements). 


Metrics used to evaluate the effectiveness and efficiency of the capacity management process is 

agreed during transition but will typically include: 

910 

utilisation statistics; 

capacity summary; 

device performance summary; 

device performance detail; 

performance summary; 

performance detail. 

Service Responsibilities

Logicalis will produce a Capacity Plan covering the infrastructure. This is to include: 

1. Reporting of utilisation and performance statistics within the infrastructure and recommendations 

to relieve degradation of performance beyond agreed thresholds, specifically the production of: 

at-a-glance reports 

health 

trend reports 

top N reports 

2. Interpretation of forecasted demand (obtained from liaison with the Customer) for services, versus 

the available capacity in those services, and the making of appropriate recommendations. 

3. Interpretation of trends and changes to the Customer’s business requirements. Logicalis will 

recommend changes required to meet future capacity demand to ensure that the agreed service 

levels are met. 

4. Provision of recommendations for replacement of infrastructure components, should this be 

required to maintain service at the appropriate level. 


The following table details the Hours of Cover for the above service elements: 

911 

Service Element Hours Days Exclusions 

Capacity 

Management 


09.00 – 

17.00 

Monday - 

Friday 

Logicalis will produce the capacity plan twice a year. 


Holidays

The Customer will: 

912 

provide forecast demand data related to capacity requirements on a quarterly basis. 

provide its own capacity management process and function into which Logicalis will interface. 


Logicalis will maintain software and firmware revisions within to an agreed minimum level. Logicalis 

offers access to features offered in later revisions of code if required to support the PSN service. 

Logicalis will provide recommendations (including risk analyses) as to software updates and patches 

within the service, together with an allocated amount of inclusive resource towards the implementation 

of such releases. Access to features offered in higher releases should be raised to Logicalis for us to 

prepare an analysis and recommendation for discussion at a CAB, so that the risks, implications, benefits 

and costs can be properly considered. Implementation of such releases - if agreed - is chargeable. 

Where a software fault is reported, Logicalis will work closely with the Customer, and the hardware 

vendor, to establish the impact to users, and from there agree a course of action. If necessary Logicalis 

will provide a workaround to establish business continuity, provided it is possible to do so technically. 

Any additional equipment required for a workaround may be charged at Logicalis’ discretion or loaned 

on a temporary basis. Subsequent patching or configuration changes required to resolve the fault is 

provided as part of the service. 

Through the service delivery process, Logicalis provides releases and version update 

recommendations for all supported devices. This is a consultative exercise, led by Logicalis, and carried 

out in conjunction with best practice principles and relevant 'Safe Harbour' recommendations from the 

Vendor(s), with Customer interaction and an understanding of future requirements. Any subsequent

upgrades are treated as a project in order to minimise risk to the business and to ensure that the 

implications of the upgrade, on the original design principles, do not unduly affect infrastructure 

stability. 

When agreed, minor patching within software versions and remote engineering to carry out this 

work (which requires a break in normal service to implement) is included in the service. 


Metrics used to evaluate the effectiveness and efficiency of the release management process will 

include: 

913 

the number of successful software updates; 

percentage of installations performed to time; 

number of failed or backed out implementations; 

number of unauthorised software versions detected within the environment. 


Where a software fault is reported, Logicalis will work closely with the Customer, and the associated 

hardware vendor, to establish the impact to the Customer, and from there will agree a course of action. 

If necessary Logicalis will use reasonable endeavours to provide a workaround to establish business 

continuity, provided it is possible to do so technically. 

Any additional equipment required for a workaround may be charged at Logicalis’ discretion or 

loaned on a temporary basis. Subsequent patching or configuration changes required to resolve the 

problem will be provided as part of the service.

On a bi-annual basis, Logicalis will provide release and version update recommendations for all 

supported devices. Any subsequent updates will be treated as a chargeable project in order to minimise 

risk to the business and to ensure that the implications of the update on the original design principles do 

not unduly affect stability. 

When agreed with Logicalis in advance, minor patching within software versions of software and 

remote engineering to carry out this work (which will require a break in normal service to implement) 

may be included in the provision of the service. However, lab testing, additional memory or any other 

hardware parts are not included, and therefore Logicalis reserves the right to make additional charges 

for them. 

Version upgrades (i.e non-maintenance or supportability-driven requirements) will be treated as a 

chargeable project. 



914 




09.00 – 

17.00 

Monday - 

Friday 

Holidays

High priority notifications will be evaluated when received. Lower priority notifications will be 

evaluated once every 6 months. 


The Customer will provide: 

915 

project funding where required to implement patches to supported devices uncovered by 

support agreements; 

facilitation of the required down time for the supported devices to enable the installation of 

patches. 


Logicalis is responsible for ensuring that all relevant element configurations and data are managed, 

controlled, current and up to date, and provides the Customer with electronic updates of all such 

information quarterly, or as otherwise agreed. Logicalis also provides details of all hardware and 

software under our management. 

The configuration management process monitors, deploys, manages and controls Configuration 

Items (CI) related to the infrastructure, in turn storing all CI data within a central Configuration 

Management Database (CMDb), which will act as a repository for information related to the authorised 

configurations of all elements within the PSN network. 

Configuration management activities are operated in-line with the prevailing change control 

procedures, with input and authorisation from the Logicalis SDM and, where relevant, the Project 

Manager. All scheduled engineering will take place outside normal working hours and in a mutually 

agreed time slot that is dependent on the affected infrastructure and the resultant impact on service.

For configuration management, Logicalis has standardised on the use of CA SPECTRUM 

Configuration Manager (NCM). This platform integrates with our overall management architecture and 

automates the management of critical device configurations, giving us the tools to capture, modify, load 

and verify configurations for hundreds of devices from leading equipment vendors. Each configuration is 

time-stamped and identified by the revision number and, with automatically scheduled configuration 

comparisons, delivers immediate notification of unauthorised changes. 

As part of the configuration management process Logicalis will undertake configuration changes as 

required using NCM, with all configuration changes being delivered remotely. In addition Logicalis is 

responsible for ensuring that all managed elements are backed up at agreed intervals, and before and 

after any change. 

Logicalis MSC staff will use NCM to correlate appropriate or inappropriate configuration changes 

against availability and performance failures of critical services, comparing configurations or viewing the 

configuration history of any selected device within the infrastructure. 

Further to this, configuration items, their versions and their changes are audited periodically by 

Logicalis to ensure their validity and accuracy. 

The MSC will perform the following tasks as part of configuration management: 

916 

manage configurations for supported devices; 

capture device configurations and store them in the NCM database; 

check running versus start-up configurations; 

export, backup and restore configurations; 

load/merge configurations to one or more devices of the same family type; 

verify that the correct configuration is running on a device;

917 

set up a schedule of automatic captures and policies to ensure reliable device configurations; 

detect performance problems by verifying device configurations; 

maintain a history of device configurations for comparison and reconfiguration purposes; 

provide automated software updates; 

create policies to monitor content in configurations and verify that device content is 

compliant. 

Telephony Configuration Management 

Logicalis carries out modifications to the configuration of Telephony systems where necessary 

and/or where explicitly requested. Such modifications include: 

modifications requested by the Customer in order to accommodate the connection of, 

modifications to and cessation of PTO provided network services to the Telephony systems; 

modifications requested by the Customer to alternate routing tables, route optimisation 

tables, digit translation tables; 

modifications requested by the Customer to implement lifting of barring at Sites of selected 

numbers or groups of numbers as requested by the Customer; 

modifications requested by the Customer to ensure that calls are correctly routed; and 

modifications requested by the Customer or other relevant authority, in order to comply with 

regulatory and statutory changes or enforcements. 

Logicalis carries out modifications described in the paragraph above provided that such 

modifications are within the configurable limit of the hardware and software of the Telephony systems 

concerned. These are provided without cost, where Moves, Add and Changes are available as part of the 


KPI, Service Levels, Reporting

Metrics used to evaluate the effectiveness and efficiency of the configuration management process 

will include: 

918 

the number of successful configuration changes; 

the number of correct device configuration verifications; 

the number of successful configuration/CMDb audits; 

frequency and number of CMDb errors; 

number and severity of breaches in SLA caused by inaccurate CMDb information. 


Management of device configurations: All devices within the scope of the services are to be 

managed in accordance with best industry practice, in order that service level agreements are adhered 

to. Logicalis will be responsible for supplying, supporting and maintaining any management platforms 

required to deliver this service. 

Backup & Recovery: The configurations of all managed devices will be backed-up on a regular basis 

and, specifically, after changes to the device configuration have been made. 

Logicalis will be responsible for ensuring that all relevant configuration documentation in respect of 

equipment is current and up to date, and will provide the Customer with electronic updates of all such 

documentation annually or as otherwise agreed. 

Logicalis will deploy and manage configurations of the equipment where required. This will be done 

remotely from Logicalis’ Service Desk.

The above activities will be operated in-line with agreed change control procedures, with input and 

authorisation from the SDM and project manager. All scheduled remote engineering will take place 

during a mutually agreed time slot that will be dependent on the affected infrastructure and the 

expected resultant impact on service. 



919 


Configuration management 24 per day 7 per week 


Logicalis will adhere to the following SLA for configuration management actions: 


Backup of Configuration Files and 

Access Control Lists 

Restoration of Configuration Files 

following Device Incident, Failure or 

Replacement 

In accordance with 

agreed Backup policy 

In accordance with 

Service Levels


Device Configuration Backups To 

Management System 

920 

1 Working Day 

Management System Backup Monthly 

Restoration & Testing of 

Configuration Files 


None applicable. 

Service Delivery Management 


Quarterly 

Logicalis will provide the services of a Service Delivery Manager (SDM). 

The SDM’s duties are to manage the Services, ensuring that adequate resources are made available 

by Logicalis so that Logicalis meets the Service Levels and that any new services introduced meet agreed 

service levels. 

The SDM will act as the Customer’s primary focal point for operations and support services during 

normal working hours.

The SDM will hold regular reviews with the Customer, co-coordinating and delivering service and 

performance report information. 


To be agreed for each contract. 


Logicalis will provide interim SDM services in order to cover for holiday and sickness. 


The Customer will provide a business interface role through which the SDM may liaise and escalate 

service management issues as required. 



The Supplier will manage the commercial and operational relationship with its own 3rd party 

suppliers. 

921



922 


3 rd party supplier management 24 per day 7 per week 


None 


None 

Reporting 

Regular service review meetings between Logicalis and the Customer are an important control 

mechanism, to ensure that any potential issues can be identified before they become problems, and can 

be managed accordingly.

Such meetings present the opportunity for both parties to ensure the direction that the service is 

taking is the right one, and also provide a forum to ensure the development of the service is in line with 

expectations. 

Logicalis propose the following meetings be scheduled: 

923 

monthly service review meetings; 

quarterly service review meetings; 

annual strategic review meeting. 

The agenda and attendees of the above meetings are agreed between Logicalis and Customers, 

during the transition period, and reviewed as required at each meeting. 


Service Reporting: Logicalis will produce regular performance reports as shown below: 

Monthly Service Review Meeting 

Logicalis produces a report prior to the monthly service review meetings, and distributes this report 

to the agreed list of attendees for that meeting. 

The report summarises the service performance (against the contracted service levels) in text and 

graphical formats in the ‘Reporting Period’, and forms the basis of discussion at the monthly service 

review meeting.

The monthly service review meeting will follow the following agenda: 

924 

Continuous Service Improvement Plan; 

Performance against service level targets; 

Performance against service levels; 

Service performance summary; 

Commercial summary; 

Complaints summary; 

Change control summary; 

Updated service risk register; 

Integration of future projects and analysis of their impact on the operational environment. 

Quarterly Service Review Meeting 

The focus of the quarterly service review meetings is medium to long term, and is structured to 

focus on ongoing service provision and development of the service. The agenda comprises the following: 

Minutes of last meeting; 

Outstanding action points; 

Service level reports; 

Performance reports 

Service failures, service credits; 

Escalations; 

Feedback on customer performance;

925 

Considerations for continuous improvement; 

New business; 

AOB 

Date of next meeting. 

Annual Service Review Meeting 

An annual service review meeting is held at least one month prior to each anniversary of the full 

service date. 

The focus of an annual review meeting is long term and strategic, and designed to focus on a review 

of performance over the period, including strategic development of the service and a detailed price 

review. 

The agenda comprises the following: 

Minutes of last meeting; 

Outstanding action points; 

Review of service issues; 

Review of service failures, service credits; 

Review of escalations; 

Technology developments; 

Strategic opportunities for new business and service development; 

Considerations for continuous improvement; 

Review of new products and services; 

AOB;

926 

Date of next meeting. 

Web-based Portal - A web-based secure customer portal provides account-controlled access to 

reports including device availability, and performance from a summary and detail perspective. Portal 

reports include: 

Availability; 

Availability Detail 

Device Performance Summary 

Device Performance Detail; 

Performance Summary; 

Performance Detail. 

These reports are scheduled and available on a daily, weekly and monthly basis, and are 

retrospectively available for a rolling 12-month period. Data can be archived for longer periods if 

required. 

A documentation tab is also provided on the portal, which can be used as a depository for key 

project documentation; this is often used for storage of monthly service reports. 



Service Element Hours Days Exclusions

927 


Service Reviews and Reporting 


Report 

09.00 – 

17.00 

Monday - 

Friday 


English public 

holidays 

Issue of Monthly service report Within 10 working days of month end 

Issue of Annual Service Level 


No later than 4 weeks after the end of the 

annual period. 

The Customer will ensure that representatives from its service management organisation attend the 

agreed service review meetings. 



Logicalis will maintain a document record of the equipment under their management (the 

Equipment List).

The Equipment List will consist of a list of equipment under management by Logicalis, including part 

numbers, quantities and locations. 

Logicalis will provide the Customer with an electronic copy of the Equipment List upon request and 

at 3 working days notice. 



928 




None 


None 

09.00 – 

17.00 

Monday - 

Friday 

Holidays

Continuity Management 


Logicalis will support the Customer’s business continuity planning process by attendance at the 

relevant planning meetings. 

Support of failover testing will be provided as required, as a chargeable activity. 

Logicalis will provide details of its own business continuity plan as relates to its service delivery 

activities for the Customer. 

Logicalis’ business continuity plan will be tested at least once per annum. 




Business continuity planning and testing 

929 

09.00 – 

17.00 

Monday - 

Friday 

Business continuity invocation 24 per day 7 per week 

Service Level Targets

Logicalis will resolve all issues arising from business continuity testing within the timescales agreed 

with the Customer’s Project Manager. 

Logicalis’ Business Continuity Plan will be tested at least once per annum. 


The Customer will develop and maintain a business continuity plan. 

Continuous Service Improvement 


The Contractor will operate a process of Continuous Service Improvement, through which 

improvement initiatives to the managed services can be initiated, captured and managed through to 


Service improvements will be managed by means of a Service Improvement Plan (SIP). The SIP will 

be used to manage and log improvement initiatives triggered by Continual Service Improvement. 

The Service Improvement Plan will include: 

930 

The process or service concerned; 

The person in charge of the process (Process Owner) or service (Service Owner); 

The initiative owner, description of the initiative; 

The source of the measure (e.g. service review, process audit). 

The implementation schedule and status including target date, current status.



931 


Continual service 

improvement 


None 


09.00 – 

17.00 

Monday - 

Friday 

English public holidays 

The Customer will review and approve the SIP within a reasonable timescale in order that 

improvements may be implemented promptly. 

Additions and Deletions 

Additions 

Subject to the environmental considerations below, the Customer may at any time add Equipment 

to the service by giving Logicalis at least 30 days notice in writing and providing Logicalis with such 

information concerning the Equipment as Logicalis may reasonably require, including but not limited to:

the make and model of the equipment; 

the serial number of the equipment; 

the location of the equipment; 

any available service records relating to the equipment 

Logicalis may make a pro-rata additional charge for the added Equipment from the date that it is 

added to the service. 

Logicalis reserves the right not to add new equipment if thirty or more days have passed since the 

expiration of the original warranty period or the expiration of a previous maintenance agreement 

covering the Equipment, until the Equipment has been inspected by Logicalis to determine whether the 

Equipment is still in good condition. All time and materials required to place the Equipment in good 

operating condition will be charged at Logicalis’ current rates. Required repairs must be made prior to 

the beginning of cover under the service. 

Deletions 

No equipment may be deleted during the first Service Year. Thereafter the Customer may at any 

time delete equipment by giving Logicalis not less than 90 days notice in writing. Logicalis will make a 

pro rata adjustment to the Charges for the period from the date the equipment has been removed to 

the end of the term but reserves the right (i) to re-calculate its charges based on the amount of 

Equipment then supported under the Agreement and taking account of any volume discounts that are 

no longer applicable due to the reduced volume of Equipment being supported; and (ii) to make a 

reasonable administration charge; and (iii) to recover from the Customer the balance of any third party 

support charges incurred by Logicalis in respect of the Equipment and not previously charged to the 

Customer. Any refund then due to the Customer will be credited to the Customer once the deletion has 

been processed by Logicalis. 

Service Catalogue 

932

To facilitate the efficient and timely change management of frequently required, non-complex 

change requests, Logicalis will provide a Service Catalogue (SC). The service catalogue is typically a 

catalogue of charges for additional fixed price products and services. The SC both simplifies the ordering 

process (as the requestor orders a single SC item rather than all the component parts it contains), and 

assists the requestor with budgeting, as each SC item is fixed in price (within constraints). 

Each SC item can contain a mix of capital and recurring costs; in some cases (for example when a 

Smoothed Pricing model is being used for the main contract), SC items are priced on a recurring charge 

only, where that recurring charge typically includes the cost of any equipment (amortised over the 

Term), any associated professional services, bandwidth charges, maintenance and managed services. 

item. 

SC charges are inclusive of all components of cost related to the provision and support of each SC 

The specification of each SC item is fixed (i.e. the equipment and services configuration for each 

item are fixed, and defined in a Bill of Materials); this means that SC items are by their nature non- 

configurable. For this reason, only items that are fixed-content (and frequently ordered) are included in 

a SC. For requirements that are configurable, the prevailing quotation process is used. Typical SC items 

are professional services (rate card services), consumables, licenses and non-configurable equipment. 

If it becomes clear that any existing SC items are unlikely to be ordered, or conversely that there are 

fixed products & services which are frequently required, then SC items can be added and removed as 

needed - usually following an annual review. 


933

None 

Environmental Considerations 

Infrastructure 

This section describes the conditions that the Customer must ensure are in place for the effective 

operation of the equipment at each site: 

934 

mains electrical supply as required; 

sufficient 13A power outlets; 

sufficient 32A or 16A “commando” power outlets; 

space for 19” equipment racking of sufficient size with front and rear access, where required. 

Air Conditioning 

The temperature in the equipment rooms must be maintained below agreed temperatures (typically 

24°C) as required by the equipment specifications. 

Customer’s Obligations 

The Customer will: 

Provide access to the sites during hours of cover to facilitate Logicalis’ provision of the 

services; 

Maintain in good condition the accommodation of the equipment, the cables and fittings 

associated therewith and the electricity supply thereto; 

Ensure that the equipment is operated by competent staff; 

Advise Logicalis in writing of any modification to the equipment;

935 

Keep and operate the equipment in accordance with the manufacturer's operating 

instructions, ensuring that the external surfaces of the equipment are kept clean and in good 

condition, including, where appropriate, changing the air filters; 

Notify Logicalis if the equipment is to be moved from its installed sites, specifying the date 

and thereafter to comply with any reasonable instructions from Logicalis in relation to such 

equipment stipulated prior to such relocation. Services in relation to equipment moved from its 

original sites will be provided at Logicalis’ discretion and may be subject to additional charges to 

be agreed between the parties. Logicalis’ provision of services will not be unreasonably 

withheld; 

Bring to the attention of Logicalis the Customer’s policies and procedures in respect of 

security and health and safety and notify Logicalis of any potential health or safety risks that 

may exist at any site; 

Provide Logicalis with full, safe access to and adequate working space in the sites for the 

purposes of Logicalis’ provision of the services; 

Make available to Logicalis free of charge all facilities and services reasonably requested by 

Logicalis to facilitate Logicalis’ performance of the Services; 

Provide remote access facilities and procure that such facilities can be used without restriction 

or fee by Logicalis to gain remote access to the maintained equipment; 

Enable Quality of Service on its data network. 

The Customer must provide Logicalis with 5 Working Days notice of all planned power downs. 

Logicalis provides, at the request of the Customer, staff with the appropriate expertise and 

experience to attend Sites to ensure that the Telephony Systems are taken out of service and restored 

to full operation in an orderly fashion as and when required as a result of power supply testing, planned 

mains power outage and other building and works maintenance activities. 

Notes: 

A standard power down service will include the following: 

o Attendance at site to power down the Telephony System (maximum 3 hours on site 

visit); 

o Software back up prior to re-load; 

o Revisit to site to power up switch; 

o Post power up check and acceptance test to include all supplied peripherals (maximum 3 

hours on site visit);

936 

On site peripherals such as screen based consoles, ACD management terminals etc. are not 

included in the power down activities and any data back up of these peripherals is the 

responsibility of the Customer. 

Routine Maintenance 

Logicalis, through our Partners, provides routine maintenance services at all Managed Telephony 

Services sites so as to: 

verify or ensure that the PBX systems, including uninterruptible power supply (UPS) and 

batteries, perform in accordance with the manufacturer's specification or as may be required by 

the Customer; and/or 

verify or ensure that the PBX systems, including uninterruptible power supply (UPS) and 

batteries continue to comply with any current condition contained in an approval of each 

component PBX under section 22 of the Telecommunications Act 1984 or in the designation of a 

standard under the section; and/or 

to verify or ensure that any terms or conditions regarding the PBX, systems including 

uninterruptible power supply (UPS) or its connection or use that may be stipulated by any of the 

operators of any of the Public Switched Networks to which the PBX systems are, or are to be, 

connected (and which must be observed if the PBX systems are or are to remain so connected) 

are observed. 

In providing the services outlined in above, Logicalis ensures that we: 

comply with the requirements of the manufacturer of the PBX systems, including UPS and 

batteries specification for routine maintenance; 

comply with Logicalis' own Quality Procedures for that equipment. 

If scheduled maintenance or planned work is considered by Logicalis to be service affecting, then 

Logicalis informs the Customer at least 10 Working Days in advance. 

Logicalis agrees with the Customer at least 48 hours in advance of any engineering attendance 

at a Site. 

If scheduled maintenance is not considered to be service affecting by Logicalis, then Logicalis agrees 

with the Customer in advance of any engineering attendance.

Site Documentation 

Logicalis amends the relevant documentation for Systems, to reflect any maintenance activities 

carried out on the systems. 

Logicalis updates the system documentation, following completion of the modification that 

necessitated the amendment. 

made. 

Logicalis ensures that all site documentation is updated within 5 Working Days of any changes being 

Boundary of Responsibility 

The boundary of responsibility for the equipment will be the “Entry/Exit Point” where the cables or 

fibres to equipment not covered by the Agreement are connected: these cables or fibres themselves are 

not covered. 

Where the equipment is connected to any other equipment both managed and maintained by 

Logicalis (whether under this or some other extant agreement), then the monitoring extends to the 

cables or fibres between the two items of equipment. 

Telephony Services – Service Boundaries 

For analogue and digital extensions the service management boundary of the Traditional Telephony 

Service is up to and including the test jack frame (TJF). The cabling system from the TJF/link cable 

interface is outside of the service provision scope for the Service. However the Logicalis provides the 

link cable and other cabling, mod taps, extension leads and splitters on a supply only basis at the initial 

time of site installation. 

937

For IP extensions within the Traditional Telephony Service the service management boundary of the 

Service is up to the LAN interface on the Telephony Switch (for those sites which have a switch capable 

of supporting IP handsets). 

For those sites which are being served by the Next Generation Telephony Service the service 

management boundary is up to the LAN interface of the on-site router. The Customer side LAN 

infrastructure is outside of the scope for the Service and Logicalis is not responsible for any loss of 

service due to the performance of the LAN unless the on-site LAN is supported by Logicalis. 

Only the handsets or other terminal equipment provided by Logicalis are the responsibility of 

Logicalis. Cabling, links, mod taps, extension leads and splitters are the responsibility of the Customer to 

provide and manage. For moves and changes the Customer is responsible for all on site cabling and 

patching, unless otherwise agreed. 

Block Wiring & Cabling 

Logicalis provides full routine and remedial maintenance services for the telephony block wiring at 

Sites where it has been agreed, on a Site by Site basis, that such maintenance is provided. 

Logicalis, at the request of the Customer, carries out a survey of the block wiring at any Site or 

prospective Site. 

Logicalis: 

938 

documents the survey fully and specify any remedial or upgrade work necessary to bring the 

wiring up to current technical and health and safety standards, and 

provides the Customer with a quotation to carry out the remedial work and the survey.

Logicalis prepares, where this is necessary, and maintains up to date block wiring diagrams and 

associated records for all Sites. Such activities attract additional charges. 

Logicalis makes copies of, and extracts from, block wiring diagrams and associated records which are 

available to the Customer on request. Such activities attract additional charges. 

Logicalis liaises, and co-operates with the Customers' own dedicated maintenance contractors, 

where such arrangements exist and where such arrangements have an impact on the provision of the 

Service. Such activities may attract additional charges. 

Logicalis provides cabling in accordance with the relevant technical specification, which is agreed on 

a per Site basis, where this is required in order to comply with the requirements of the Service Level 

Agreement. 

939

NextiraOne UK Limited 

NextiraOne offers a comprehensive set of services relevant to this Lot, built around the ITIL services 

lifecycle model, from requirements to design, from integration to deployment and incorporating 

operation, support, management and optimisation services. 

The services are listed below: 

940 

Assessment of Requirements – this service consists of: an information gathering phase carried 

out by our Consultants with the Customer; the production of a report defining the Customer’s 

business and technical requirements associated with the specific technology in scope; and a 

workshop with the Customer to review the findings. For this Lot, the service is applicable to: 

o Voice solutions (incorporating requirements for dial plans, calls and Voice minutes plans 

and packages, Call Routing options, call preferences, system distribution and resilience, 

handset and switchboard specifications, CTI requirements, migration strategies and 

Voicemail) 

o Communications solutions, specifically Audio/Web/Video Conferencing (desktop-based), 

Internet access, Email, Instant Messaging and Presence. The following are examples of 

what the assessment covers: 

§ For a corporate Email solution: details of the current messaging architecture, routing 

topologies, underlying directory services, storage and backup platforms, physical or 

virtual server infrastructure, current products being used including editions and 

versions 

§ For a desktop-based Conferencing solution: details of the existing underlying Voice 

solutions and call control architectures, directory services, storage and backup 

platforms, physical or virtual server infrastructure, mobility strategies, User usage 

profiles and current products being used 

o Security solutions for Communication systems, by addressing specific security requirements 

for Email and Instant Messaging, Anti-virus, Email scanning, Email filtering, Malware and 

Spyware identification and blocking, intrusion detection and prevention, identity and access 

management. As an example, the assessment service for the security of an Email solution 

covers a review of the Customer’s end user security policy and its alignment with existing 

Antivirus configuration settings, Firewall rules, Email content scanning & filtering policies 

and Malware and Spyware settings 

Technical Audit and Assessment – this service delivers a comprehensive view of the Customer’s 

current network and security infrastructure, its capability to support the systems and 

technologies relevant to this Lot and recommendations for changes and improvements. For

941 

example, the service ascertains the network readiness to support an IP-based Voice solution, or 

communication services such as Instant Messaging, Email, Audio/Web/Video Conferencing and 

Internet access. For a corporate Email solution, the assessment covers current storage capacity 

and scalability, mailbox capacity settings, volume of Emails, categories and profile of Users, 

bandwidth of Internet links used for the delivery/receipt of Email traffic and remote access 

capabilities. The information is delivered in a report supplemented by network diagrams as 

necessary 

Technical Architecture & System Design – this service provides the Customer with a fully 

defined design of a secure Communication solution, based on agreed requirements. It includes 

physical and logical network, infrastructure and architecture diagrams; details of the system 

physical installation and its configuration; full hardware and software equipment list; a 

description of the security, resilience and redundancy of the system; and the list of features that 

the solution will provide. As an example, for an IP-based Voice system, the following is 

delivered: 

o Network diagrams showing the physical and logical layout of Communication Servers, 

Voice Gateways and associated equipment 

o Diagrams showing Call Routing paths 

o Network logical diagrams showing the integration and interfaces between the telephony 

solution and existing Directory services and/or other applications 

o A full list of the system features that are enabled for this design 

o The distribution of handset models within the user population 

o Full details of dial plans 

o Full details of PSTN services 

o Full details of on-net routing services 

o IP addressing schemes 

o DHCP schemas 

o Disaster Recovery diagrams 

· Supply – we provision hardware and software relevant to this Lot: 

o we supply all elements of an IP-based Voice solution: Communication Servers, Voice 

Gateways, handsets, switches, headsets, call control software, Softphones, CTI clients, and 

Voicemail

942 

o for Internet access services, we provision circuits, routers, web access control software, 

web security software and appliances for protection against Malware and Spyware, and 

intrusion detection and prevention systems 

o for Email systems, we supply server, storage and backup hardware, Email software 

applications, Email archiving hardware and software, reverse proxy servers, Anti-virus 

software, hardware and software for Email content scanning and filtering 

· Installation – this service delivers the off-site pre-staging, factory testing, pre-build and test of 

hardware relevant to this Lot, ensuring that all the correct equipment for a specific solution has 

been delivered and is operational, followed by the physical delivery and installation of the 

equipment at its final location: Customer premises, co-location centre, or hosted Data 

Centre. For software, this service delivers the physical installation of software systems on the 

appropriate Customer hardware, or NextiraOne’s hardware (in the case of hosted 

solutions). Examples of how this service applies to Communication solutions are: installation of 

communication and application servers (Email, Messaging, desktop-based Conferencing), Voice 

and Media gateways, handsets, switches, storage and backup systems, Internet and Email 

security appliances, Anti-virus software, Email scanning and filtering software and Internet 

access login software 

· Transition and Integration – management of the transition of new services to operational/live 

status and their integration with existing business applications, IT systems and Directory 

environments. As an example, this service delivers the integration of a Voice solution with an 

existing Email system for Voicemails and unified mailbox management, or the integration of a 

desktop messaging and Audio Conferencing system with an existing telephony solution 

· Migration – this service delivers the physical and technical migration of legacy systems onto 

new platforms, or the upgrade of existing systems to the latest version. An example of this 

service can be illustrated by the migration from an Email solution based on Lotus Notes to a 

Microsoft Exchange environment. Another example is the migration from legacy TDM 

telephony to VoIP IP Telephony 

· Configuration – this service delivers the physical and logical configuration of a new 

Communication solution and is concerned with software and parameters settings. As an 

example, for an Email solution, it delivers the configuration of operating systems, server 

applications, databases, user and address lists, mailboxes, remote access and parameters for 

mailbox, storage and archiving management. As an example, for Voice or desktop Conferencing, 

it delivers the configuration of the servers and applications, including user databases and access 

lists. The final system design and configuration is documented as part of this service

· Testing – the definition and execution of agreed tests at various stages during its 

implementation. It covers: Factory Acceptance Tests, Site Acceptance Tests and final acceptance 

tests for system hand-over, mutually agreed between NextiraOne and the Customer. As an 

example, typical tests for an Email and Messaging solution include: server roles and services, 

external access services, public folder replication, remote and mobile access, unified messaging, 

backup and restore, user features and functionality, Email routing (in/out of the organisation) 

and server failover/failback in a DR scenario. Typical tests for a Voice solution include system 

resilience tests, PSTN and on-net routing of inbound and outbound calls, switchboard 

operations, user features including classes of service and system management functionality 

· System Training for Administrators and Trainers (Train-the-Trainer style) - delivers hands-on, 

practical knowledge on the day-to-day administration of the system, or training videos for ondemand 

access. As an example, for a Voice solution, the training covers setting up new users 

and removing old ones, adding/removing DDIs, changing Voicemail settings, setting up/changing 

hunt groups, setting up/changing user class of service profiles 

· End-User Training - delivers hands-on usage training to the users of the system, or training 

videos for on-demand access. As an example, for a Messaging & desktop Conferencing solution, 

this typically includes maintaining user lists, checking presence, instigating a text chat, starting 

an Audio Conference, starting a one-to-one or a multi-party Video Conference, recording 

conversations, sharing information and collaboration approaches 

· Project Management – this service delivers the required governance for the delivery of a 

Communication solution. The methodology followed, based on Prince2, is consistent for all 

technology projects delivered by NextiraOne, including Communication solutions. The service 

includes: Scope Definition (Statement of Works); Project Gantt chart; Test Definition; 

Acceptance Certificate; Hand-Over; Project Management Plan; System Design; Issue 

Management; Highlight Reporting; Scope Management; Performance Review; Risk Process & 

Management; Financial Planning; Quality Assurance Plan; Project Closedown 

· Service Management – this service provides governance for the delivery of Communication 

maintenance, support, management and optimisation services to Customers, management of 

Service Level Agreements and management of third parties. Delivered by ITIL-trained Service 

Managers, this service includes: design and management of service and service strategy; 

management of service levels agreements; creating and managing scorecards, account plans, 

service improvement plans and service review meetings; management of transitions; 

management of escalations within NextiraOne and its partners; management of dedicated onsite 

resources; regular reporting and action plans on service levels; reporting on system 

943

944 

performance and Communication solutions’ optimisation plans; management of Customer’s 

third party providers. As an example for Voice solutions, this service provides management of 

carriers and Service Providers 

· Welcome Centre (Service Desk) - Our Welcome Centre provides first point of contact for our 

Customers worldwide, 24 hours a day, 7 days a week and 365 days a year, owning all of their 

service calls, incident reports and assistance requests from placement to resolution. The 

processes and procedures in place to support the operation of the Welcome Centre are 

consistent across all the solutions offered by NextiraOne and they apply to the Communication 

solutions and services provided for this Lot. This service delivers: incident logging; routing of 

calls to the appropriate team; allocation and management of Customer Service engineering 

resources; dispatch of spares; management of third-party service providers; incident lifecycle 

management - technical and management escalations 

· Maintenance and Support (Incident Management) – our Incident Management service 

delivers the logging, recording and solving of incidents, through remote and on-site technical 

support and break-fix services for solutions relevant to this Lot. The service restores ‘normal 

service operation’ as per agreed Service Levels Agreements. The service specifically includes: 

Remote Diagnostics; Remote Support (telephone support response to a service request; 

problem logging; diagnostic fault isolation; help with problem identification through technical 

advice; troubleshooting to verify causes of suspected errors or malfunctions); On-site 

Engineering Support; Hardware Replacement; Software Patches; Escalation Management 

· Moves, Adds and Changes (Change Management) – Our Change Management service delivers 

management and implementation of changes to a Communication solution including hardware, 

software, services or related documentation. The service minimises any potential disruption to 

the users of the solutions caused by change and keeps records of hardware, software, services 

and documentation up to date. Change Management deals with both software (remote) and 

hardware (on-site) changes. Typical examples of software changes for a Voice environment are: 

change DDI, change hunt group; change class of service profile; change handset model; add a 

new user, changing music on hold, reconfiguring handset keys. For an Email solution, typical 

software changes are: change of user name or Email address; change to a distribution list; 

change maximum size of a user mailbox. For security solutions relevant to this lot, typical 

software changes include: change of policy rules on firewalls or intrusion detection/prevention 

systems, updates of Anti-virus signature files (when not performed automatically); upgrades of 

Anti-virus software on servers and gateways 

· Remote Fault Monitoring - our Remote Fault Monitoring Service delivers 24x7x365 availability 

monitoring of key devices within a Customer’s network, by continuously checking the 

operational status of active network nodes and their interfaces. The service delivers: pro-active

945 

availability checking; incident identification and status analysis; classification, prioritisation and 

escalation, real-time access to status information via our Network Operating Centre Service 

Information Portal. Incident tickets are generated when faults are detected and managed via 

our Incident Management service and according to the applicable Service Level Agreement. For 

Communication solutions, this service applies to all IP-based hardware components of such 

solutions, including but not limited to: Email and Voicemail servers; Call Managers; Messaging 

servers; Voice gateways, Presence servers; Internet Routers; and security devices such as 

firewalls, Anti-virus servers, intrusion detection and prevention appliances, Email scanning and 

filtering servers and website protection appliances 

· Remote Performance Monitoring - our Performance Monitoring service provides real-time 

collection of performance information for key network infrastructure devices and 

communication applications, 24x7, 365 days a year. The service delivers: continuous availability 

checking on monitored devices; continuous monitoring to agreed Key Performance Indicators; 

analysis and rapid reaction to problems; classification and prioritisation of incidents with 

escalation as per agreed Service Levels; real-time access to status information via the NOC 

information service portal; on-line technical reporting and periodic historical reporting. For 

Communication solutions, this service applies to the following IP-based hardware components: 

Email and Voicemail servers; Call Managers; Messaging servers; Voice gateways, Presence 

servers; Internet routers; and security devices such as firewalls, Anti-virus servers, intrusion 

detection and prevention appliances, Email scanning and filtering servers and website 

protection appliances 

· Remote Configuration Backup – this service delivers a regular backup of communications 

systems and applications configurations, performed daily, weekly or monthly as agreed with the 

Customer. The service is delivered from our Network Operations Centre (NOC) and is available 

for the following hardware components of communication solutions: Voice gateways, Internet 

routers, firewalls, intrusion detection and prevention appliances 

· Trend Analysis & Capacity Planning – this service provides: 

o Identification of trends in peaks and troughs of usage, finding points of failure that may 

have already occurred and identifying capacity issues in Communication solutions 

o Identification of improvements that can be made to prevent availability or capacity 

problems before they happen; this includes housekeeping or increasing capacity, 

identifying trouble spots and eliminating single points of failure 

For Communication solutions, this service applies to all servers, gateways, Internet routers, security 

appliances, and firewalls. As an example, for an Email solution, the service will review and analyse:

mailboxes quotas; mail send/receive quotas; utilisation of the server resources such as memory, CPU, 

network cards and storage; volume of mail sent/received; database sizes; backup times and windows; 

storage allocations and available capacities. 

· Software & Hardware Lifecycle Management – a preventative maintenance service which 

minimises downtime by delivering a consolidated report focused on the software and hardware 

status of the components of Communication solutions, which identifies: 

946 

o software patches, software updates and software upgrades, as released by 

manufacturers 

o security patches, as released by manufacturers 

o vulnerabilities, as announced by the manufacturers 

o end-of-life, end-of-development and end-of-support hardware components, as 

announced by the manufacturers 

The report is targeted to the specific Customer Communication solution and its components, and 

includes recommendations for installation of patches, updates and upgrades and hardware 

replacement. The service applies to all components of Communication solutions supported by 

NextiraOne, including servers, Call Managers, Voice gateways, Internet routers and security appliances. 

· Vulnerability Assessments and Penetration Tests – delivered by our own CLAS and CISSP 

Consultants and accredited ethical hackers, these services investigate, test and verify the level of 

protection and security of a Communication solution and infrastructure, evaluate any new risks, 

and recommend the measures to mitigate such risks. Security levels of solutions can be tested 

against Impact Levels 0-3. The services cover the following: 

o Vulnerability Assessments: identify potential weak areas in a Communication solution 

and attached systems 

o Penetration Tests: identify if the components of a Communication solution present an 

opportunity for an attacker to gain access to a trusted system 

As an example, PSTN access tests can be carried out to identify if the components of the 

Communication solution present an opportunity for unauthorised access to PSTN services via Voicemail, 

IVRs and users class of service profiles.

· Health Checks – these services deliver preventative maintenance for the components of a 

Communication solution, to minimise and prevent downtime which may be caused by faulty 

hardware, misconfiguration of hardware and software, and/or out of date software. As an 

example, for communication solutions, this service can be applied to all servers and storage 

elements, and typically includes routine testing of UPS battery performance and review of 

system logs. For an Email solution, typical checks include capacity and performance of servers 

and storage databases 

· Resident Expert – bespoke service for the provision of on-site technical expertise for 

Customers for an agreed period of time. Such technical resources are managed by a NextiraOne 

Service Manager and work at the Customer premises for the duration of the contract 

period. Their skills, accreditations, job function, role and responsibilities are agreed with the 

Customer prior to commencement of the contract and are appropriate for the Customer’s 

Communication solutions being supported. The resources remain employees of 

NextiraOne. Typical examples of this service are Resident Engineers specialising in Voice, Email 

and Messaging systems, and related security solutions 

· Hosted IP Voice Service – this service delivers an IP-based Voice solution to Customers, where 

the equipment and the software are physically located in a third party Data Centre, accredited 

as a minimum to Impact Level 2. No equipment is required on the Customer premises for the 

delivery of this service, except for handsets and connectivity devices. The service delivers all the 

features of a CPE (Customer Premise Equipment) IP telephony solution (requirements and 

features are agreed with the Customer via an Assessment of Requirements) and is fully managed 

by NextiraOne, via a Service Manager. For the duration of the contract, NextiraOne remain 

responsible for the maintenance, support and management of the solution, based on agreed 

Service Level Agreements. The management services included are: service management, 

incident management, change management, software and hardware lifecycle management, 

remote monitoring, backup, scheduled health checks and reporting 

· Managed Service for Communication solutions – this service delivers full management of 

Communication solutions (specifically, for IP-based Voice, Email, Messaging, Desktop-based 

Audio and Video Conferencing, Internet access and related security solutions). For the duration 

of the contract, NextiraOne takes on the responsibility for the maintenance, support and 

management of the solution, based on agreed Service Level Agreements. The Managed Service 

includes the following: service management, incident management, remote monitoring, backup, 

change management, software and hardware lifecycle management, scheduled health checks, 

and reporting 

· Co-location service for Communication solutions – this service provides Customers with 

physical housing facilities for their own equipment for Communication solutions in a third party 

947

948 

Data Centre accredited, as a minimum, to Impact Level 2. This service can be combined with the 

NextiraOne Managed Service for Communication solutions

Siemens Communications 

1. Executive Summary 

949 

Summary of product range 

1.1 The Contractors Service comprises of the following Services; 

1.1.1 Voice and Unified Communications Services available as traditional and IP based voice 

Services; voicemail, a range of terminals, ACD or contact center facilities voice call packages; 

voice minutes; DDI, premium rate numbers; non-geographic numbers; 118 enquiries; call 

preference Services, audio conferencing, desktop video conferencing and collaboration 

tools; web conferencing; messaging Services; real time information Services; desktop 

messaging; messaging via email, SMS, pager and mobile or fixed line telephone; and 

Telephone Operator Service. 

1.1.2 Data Services, comprising of Internet Services; email and website Services; co-location and 

hosting; on-line storage; security Services; antivirus; email scanning and filtering; firewalls; 

intrusion and spyware detection. Delivered as a Hosted solution or on site with Managed 

Service options. 

1.1.3 Identity and Access Management Service (IAM) comprising of directory, authentication, 

certificate management (CM) and access management, and web and application sign on 


1.1.4 The supply, installation, maintenance, technical architecture and system design, project 

management, and support for Equipment. 

1.2 The Contractor has defined Commodity as the availability of individual products (an 

Openstage SIP Terminal) and or Services (installation of a product/s, hosted email) or a 

combination of both available under this Lot 1. The Contractor shall make available such 

individual products and or Services for the Customer to purchase in accordance with the 

main Call of terms and associated schedules. 

2. Definitions 

The definitions used within this Service description are contained in paragraph 2. 

Term Definition 

Voice End Points Handsets for use by End Users 



Calls to remote parties, both internally and outside the 

organisation 

Call Control Incoming and outgoing call control via the Unified

950 

Communication desktop application 

Call Exclusive Call package excluding the cost of calls 

Call Journal Provides record of incoming, outgoing and missed calls 

Call Logging Collecting and analysing phone call data to report on 

cost, performance, capacity and quality of Service (QoS) 

Communications 


Shall mean all or part of the Service defined in this 

paragraph 

Contact Management Allows End Users to identify specific End Users in their 

regular contact lists, within groups and with various levels 

of control managed by the End User from the Unified 

Communication desktop application 

Contractors 

Telephone Operator 


Customer Site 

Requirements 

Data Collection 


Contractor employed operators will answer calls that 

are presented to Contractor Telephone Operator Service on 

behalf of the Customer. 

Defined Customer requirement for hosting On-Site 

Equipment 

Contractor offered Service to collect the configuration 

and routing information from existing Customer contact 

centres. 

Data Equipment Data Service that is On-Site Equipment 

DDA Compliant End 

Points 

Direct Dial Inwards 

(DDI) 

Voice endpoints compliant to the Disability 

Discrimination Act legislation 

Allow the Customer to have allow the user to have 

multiple telephone numbers 

Deployment Methods Implementation models for installing each Service 

Desktop Video 

Conferencing 

Video calls to remote parties, both internally and 

outside the organisation

Directory Enquiry 


951 

Service available, via 118, to locate telephone numbers 

Directory Service Web access to the Directory Service containing details 

of Customer End Users 

DNSP Direct Network Service Provider 

End Users Shall mean any staff of the Customer that uses the 

Communications Service 

Equipment Shall mean Data Equipment, Voice, Unified 

Communications Equipment and application services 

Identity Management 


Management of individual identities, their 

authentication, authorisations and permissions for system 

access 

Instant Messaging End Users can exchange real-time text messages with 

other End Users using an Instant Messaging (IM)-like 

interface 

IP Internet Protocol 

LAN Local Area Network 

Lightweight Directory 

Access Protocol (LDAP) 

Internet protocol that allows programs to look up 

information from a server. 

MAC Move, Add and Change 

Managed Service Management of day-to-day related tasks and 

procedures 

Meet Me Service As defined in 8.2.5 

Off-Net Calls Externally routed calls via the PSTN 

One Number Service Determines routing of calls via a single number 

delivered to an end Device defined by the End User via the

952 

Unified Communication desktop application, telephone 

user interface or mobile client 

On-Net Calls Calls routed within the Contractors Managed Service 

On-Site Equipment Telephony Equipment located on the customers 

premises 

Presence End Users can view the availability and status of their 

contacts, enabling them to choose the best method and 

time to communicate 

Professional Services A range of Services that can be purchased from the 

Contractor 

Service Delivery 

Model 


Agreement 

Standard 

Configuration Plan 

Implementation strategy for supply of Services 

Agreed performance levels 

The Contractors system configuration 

TDM Time Division Multiplexing 

UC Unified Communications 


Platform 

The Contractors Site that contains Equipment to deliver 

the Communications Service 

Web Conferencing Ability to share desktop, multi-party video conferencing 

3. Voice and Unified Communications Services 

3.1 Service Provision 

3.1.1 The Contractor shall provide the following Services for Voice and Unified Communications 

Services; 

(i) The Customer can request the Contractor to supply new Equipment, together with 

the associated and optional installation, and maintenance;

953 

(ii) The Customer can request the Contractor to upgrade the existing Contractors 

supplied Equipment, together with the associated and optional installation, 

maintenance or managed Service; 

(iii) The Customer can request the Contractor to provide a managed Service to include 

the support, maintenance, installation, upgrades, and can include management or 

replacement of legacy third party Customer owned Equipment, where paragraph 

3.5 will apply; 

(iv) The Customer can request the Contractor to provide a Hosted Service which 

combines the delivery of Equipment and high availability Service against fixed 

Service Levels hosted in the Contractors Datacenters; 

(v) Unless otherwise specified (in accordance with this paragraph 3.1.1 (iii)) by the 

Customer the following Equipment or Service options shall be provided by the 

Contractor; 

(a) HiPath 4000 software version 5 or higher (on site); 

(b) HiPath DX and software version 9 or higher (on site); 

(c) OpenOffice and software version 3 (on site); 

(d) OpenScape Voice and software version 6 (on site version); 

(e) The Contractors Hosted Service Platform (based on the Hosted OUCS) a 

managed Service offering only. 

3.1.2 The Contractor Telephony Equipment (3.1.1(e)) Hosted Service Platform shall be provided 

as a Managed Service from Contractor’s Datacenters. 

3.1.3 The deployment of Services provided by the Contractor shall be managed by the 

Contractors Project Management Office in accordance with paragraph 7.2. 

3.1.4 The Contractor shall provide Service Management and Maintenance of the Services in 

accordance with paragraphs 8 and 9. 

3.2 On-Site Equipment 

3.2.1 The Contractor will provide Licences Extension cards, Network Interfaces, Software and 

optional maintenance Services to meet the feature and functionality requirements of the 

Customer. 

3.2.2 On Site Equipment provided by the Contractor shall be subject to the configuration 

limitations as advised by the Contractor prior to Service. 

3.2.3 The Contractor shall meet the optional Service levels detailed in paragraph 9. 

3.2.3.1 Bespoke Service Levels may be amended to meet specific Customer requirements 

as specified in Appendix 4, the Call-Off Form. 

3.2.4 The Contractor shall provide an ITIL based Service desk and Service request management in 

accordance with paragraph 8.

954 

3.2.4.1 Bespoke Customer requirements may be amended in accordance with Appendix 

4 Call Off Form. 

3.2.5 The Contractor shall provide a chargeable Moves Adds and Changes (MAC) Service for the 

On-Site Equipment. For those Customers that prefer to perform their own MAC, the 

Contractor shall provide the Customer through suitable privileges the ability to perform 

their MACs. 

3.2.6 For the Contractor supplied Equipment, IP and TDM Voice Endpoints shall be in accordance 

with paragraph 4.1.9. 

3.2.7 The Contractor shall provide an optional onsite call management system for the Customer 

to produce its own call logging reports. 

3.2.8 The Customer may source its own alternative handsets, provided they are compatible with 

the system. The Customer is responsible for the support and deployment of third party 

devices, if not supplied by the Contractor. 

3.2.9 The Contractor shall provide as a minimum the following headline system based 

functionality: 

· Call Forwarding 

· ACD functionality 

· Call Hold 

· Call Park 

· Consultation Hold 

· Call Transfer 

· Call Pickup 

· Hunt Groups 

· Call Waiting 

· Call Diversion 

· Call Back 

· Speed Dialling 

· Internal extension calling 

· Do Not Disturb 

· Manager/secretary working 

· Distribution groups 

· Conference calls 

· Executive Access Override / Busy Override 

· Last Number Redialled 

· Message Waiting

955 

· Music On Hold 

· Direct dialling in (DDI) 

· Mobility 

· Hot-desk 

· Ministerial listen and speak (HiPath DX only) 

· Access to Voicemail Service 

· Conferencing 

· Support for Operator Console 

· Call Logging Port 

· Mobile Extension 

· Mobility Service by using Siemens HiPath Mobility Service. 

· Fraud Prevention 

3.2.10 The Customer may invoke a range of optional Services in accordance with paragraph 4. 

3.2.11 The Contractor shall offer Professional Services described in paragraph 7. 

3.2.12 The Contractor shall provide project management as described in paragraph 7.2 to deliver 

the On-Site Equipment. 

3.2.13 The Contractor shall offer a Call Exclusive Service where the Customer will be responsible 

for all PSTN connectivity and charges. 

3.2.14 The Contractor shall offer a Call Inclusive Service where the Contractor will be responsible 

for the provision of PSTN charges by way of a bundled call minute option. 

3.2.15 The Contractor shall provide Network Interfaces required to support connection to a 

Customer provided PSTN provider and DNSP provider. The Customer shall be responsible for 

all network connection charges. 

3.2.16 An Accredited Service supporting IL2 and IL3 requirements. 

3.3 Hosted Telephony Service (Managed Service) 

3.3.1 The Contractor will provide Licences, Network Interfaces Maintenance and all required 

Capacity Management to meet the feature and functionality requirements specified by the 

Customer, the Number of Licences required may be changed (with a corresponding increase 

or decrease in the Charges) on a quarterly basis by the Customer to reflect the number of 

users required. 

3.3.2 The Contractor shall provide the following Managed Hosted Services. 

3.3.3 The Contractor shall meet the Service levels detailed in paragraph 9. 



3.3.5 Bespoke Customer Service Levels shall be created to meet specific Customer requirements 

in accordance with Appendix 4, the Call Off Form. 

3.3.6 The Contractor shall appoint a Service Delivery Manager (SDM) to oversee the performance 

of the Service to agree additional capacity requirements and to provide an escalation point 

for the Customer in accordance with paragraph 8. 

3.3.7 The Contactor shall produce regular performance reports on all aspects of the Service in 

accordance with paragraph 8. 

3.3.8 The Contractor shall provide access to a secure web portal or the Contractors ITIL Service 

Desk for the Customer to request moves adds or system changes, which shall be performed 

by the Contractor, charged on a per move basis. 

3.3.9 The Contractor shall provide inclusive moves add and changes Service for the Customer. 

The Customer may request via a secure web portal or the Contractors ITIL Service Desk 

moves adds or system changes, which shall be performed by the Contractor. 

3.3.10 The Contactor shall provide the Hosted Service IP Telephony Exclusive of any call bundle 

(PSTN minutes) but with DNSP connectivity using the IP Voice Endpoints described 

paragraph 4.2.13. 

3.3.11 The Contractor shall provider the Hosted Service IP Telephony Inclusive of a call bundle (UK, 

International and Mobile PSTN calls) and DNSP connectivity subject to a published fair usage 

policy. 

3.3.12 The Contactor shall provide the Hosted Service IP Telephony Exclusive of any call bundle 

(PSTN minutes) and DNSP connectivity using the IP Voice Endpoints described paragraph 

4.2.13. 

3.3.13 The Contractor shall provide an optional call management report Service which provides 

eight standard reports. Call management reports shall be accessed via the Contractors Web 

Portal or via alternative secure means as required by the Customer. The report formats 

(information) reporting method and access to ad hoc reports including the ability for the 

customer to create its own reports is included and shall be agreed between the Contractor 

and the Customer. 

3.3.14 The Customer may invoke a range of optional Services in accordance with paragraph 4 


3.3.16 The Contractor shall provide Project Management for the deployment of Services in 

accordance in paragraph 7.2. 

3.3.17 An Accredited Service supporting IL2 and IL3 requirements. 

3.4 Onsite Managed Equipment Service (Managed Service) 

3.4.1 The Contractor will provide on site Licences, Network Interfaces Maintenance and all 

required Hardware or Server Capacity Management to meet the number of feature and 

functionality requirements specified by the Customer. The Number of Licences or Extensions 

may be changed (with a corresponding increase or decrease in the Charges) on a quarterly 

basis by the Customer, after a minimum period of twelve months from bring into Service. 

956

3.4.2 The Contractor shall provide the following managed Equipment Service. 

3.4.3 The Contractor shall meet the Service levels detailed in paragraphs 9. 



3.4.5 Bespoke Customer Service Levels shall be created to meet specific Customer requirements 

in accordance with Appendix 4, the Call Off Form. 


of the Service to agree capacity requirements and to provide an escalation point for the 

Customer in accordance with paragraph 8. 









3.4.10 The Contactor shall provide Onsite Managed Equipment Service Exclusive of any call bundle 

(PSTN minutes) but with DNSP connectivity using Endpoints described in paragraph 4.3.14. 

3.4.11 The Contractor shall provide the Onsite Managed Equipment Service with an Inclusive of a 

call bundle (UK, International and Mobile PSTN calls) and DNSP connectivity subject to a 

published fair usage policy. 

3.4.12 The Contractor shall provide the Onsite Managed Equipment Service Exclusive of any call 

bundle (PSTN minutes) and DNSP connectivity. 


eight standard reports, which can be accessed via the Contractors Web Portal or via 

alternative secure means as required by the Customer. The report formats (information) 

reporting method and access to ad hock reports including the ability for the customer to 

create its own reports is included and shall be agreed between the Contractor and the 

Customer. 



3.4.16 The Contractor shall provide project management for the delivery of the Services in 

accordance with paragraph 7.2. 

3.4.17 An Accredited Service supporting IL2 and IL3 security requirements. 

3.5 Other Vendor (Legacy) Equipment Managed Service 

3.5.1 The Contractor will provide Licences, Equipment Network Interfaces Maintenance and all 

required Capacity Management to meet the number of users specified by the Customer, the 

957

958 

Number of Licences or Extensions required may be changed (with a corresponding increase 

or decrease in the Charges) on a quarterly basis by the Customer, after a minimum period of 

twelve months from bring into Service. 

3.5.2 Upon request by the Customer for the Contractor to provide a managed Service for the 

Other Vendor (Legacy) Equipment, the Contractor shall; 

3.5.2.1 Confirm suitability of the Legacy Equipment and maintenance capability to 

support the Services required by the Customer for the term required, as advised 

by the relevant manufacturers and published support policies 

3.5.2.2 Advise the Customer of any Service impact, Service level impact and suitability to 

connect to the Legacy Equipment to the PSN or DNSP 

3.5.2.3 Create a Walk in and Take over Service description detailing any changes required 

to the Equipment, any impact to the published Service levels or Services detailed 

in this schedule, and any resulting commercial impact 

3.5.3 Bespoke Service Levels shall be offered to meet specific Customer requirements as 

specified in Appendix 4, the Call-Off Form. 




of the Service and to provide an escalation point for the Customer in accordance with 

paragraph 8. 









3.5.7 The Contactor shall provide the Other Vendor (Legacy) Equipment Service Exclusive of any 

call bundle (PSTN minutes) but with DNSP connectivity. 

3.5.8 The Contractor shall provide the Other Vendor (Legacy) Equipment Service with an 

Inclusive of a call bundle (UK, International and Mobile PSTN calls) and DNSP connectivity 

subject to a published fair usage policy. 

3.5.9 The Contractor shall provide the Other Vendor (Legacy) Equipment Service Exclusive of any 

call bundle (PSTN minutes) and DNSP connectivity. 


eight standard reports, which can be accessed via the Contractors Web Portal or via 

alternative secure means as required by the Customer. The report formats (information) 

reporting method and access to ad hock reports including the ability for the customer to

959 

create its own reports is included and shall be agreed between the Contractor and the 

Customer. 

3.5.11 The Contractor shall provide Project Management in accordance with paragraph 7.2. 



3.5.14 The Contractor shall confirm the security impact level the Other Vendor (Legacy) Equipment 

can support (if any) prior to deployment of the Service for the Customer. 

4. Optional Services available for the Customer 

4.1 Where the Customer has asked the Contractor to manage 3 rd party vendor Legacy 

Equipment the Contractor shall use its reasonable endeavours to provide a similar Service or 

Equipment, subject to compatibility. In all cases the Contractor will upon request confirm 

compatibility and lead times prior to deployment for the Customer. 

Optional Services for Contractor Provided Equipment (On-Site) 

4.1.1 The following Equipment or Applications shall be made available as an optional Service 

from the Contractor which shall, unless otherwise advised, be deployed on the Contractors 

supplied Equipment Onsite. The system based features and functionality of the Equipment 

and Software shall be made available. 

4.1.2 Xpressions Voicemail, a unified messaging platform (Voice and Email integration) delivered 

as hardware and software to the Customer specification the number of users required will 

dictate the size of Xpressions server to be implemented. The minimum number of mailboxes 

shall be 30 UM mailboxes. The maximum number of UM mailboxes shall be 10,000 per 

cluster. The provision of any LAN or Firewall Equipment shall be excluded from this option. 

4.1.2.1 Number of Voicemail Licences; 

4.1.2.2 Number of Fax Mail Licences; 

4.1.2.3 Email / Interface Licences; 

4.1.2.4 SMS Option; 

4.1.2.5 Text to Speech Licences. 

4.1.3 The supply of additional extension cards or Licences to provide telephony Services. The 

Customer may source its own handsets or use the Contractors range as detailed in 

paragraph 4.1.9. 

4.1.4 PSN DNSP Interfaces and or Digital Line Interfaces based on Customer requirements. 

4.1.5 SIP Telephony Interfaces. For the connection to DNSP PSTN providers. 

4.1.6 Analogue Exchange Lines and Equipment Bypass Circuits for power fail conditions only. 

4.1.7 Operator Screen Based Consoles and internal Directory Schema. 

4.1.8 Provision of ISDN Adaptors to support Bent and or Legacy ISDN 2 devices. 

4.1.9 Handset or OpenStage Terminals or Soft clients and adapters.

960 

Point 

400 

Voice End 

Analogue 

Berkshire 

OpenStage 

Features Supported 

12 permanent memories 

external memory programming port 

memory programming disable switch 

pause key 

MF dialling 

latching mute 

last number redial 

switchable TBR/ELR 

switchable RI/MW 

ringing Indicator 

headset port 

adjustable headset volume 

adjustable ringer pitch 

adjustable ringer volume 

BT & RJ45 linecords 

hearing aid compatible 

desk & wall bracket (optional) 

RJ11 linecord (optional) 

available in light or dark grey 

8 programmable keys with red LEDs

961 

5 key labelling with paper strips 

15 

40 

OpenStage 

OpenStage 

control keys +/- 

wall-mountable 

full-featured full duplex speakerphone with 

display 

8 illuminated function keys 

graphical display 

2 lines monochrome (not tiltable) 

3 fixed function keys with red LEDs, 

8 programmable keys with red LEDs (upgradable 

with Key Module) 

key labelling with paper strips 


3 navigation keys 


tiltable 6 lines monochrome ,backlit graphical 

display 

optical call alert. 

8 fixed function keys (partly equipped with red 

LEDs) 

6 programmable touch keys (illuminated)with red 

LEDs 

(function, speed dialler line keys 

control keys +/-, 

5-way navigator,

962 

60 

Client 

OpenStage 

OpenStage 

DECT 

OpenStage 

acoustics Hands free talking (full duplex 

headset jack 

wall-mountable. 

tiltable graphical backlit colour TFT display 

320 x 240 pixel (QVGA), 



LEDs) 

8 programmable touch keys (illuminated) with 

blue LEDs (function, speed dialor line keys) 

6 mode keys (touch keys, illuminated) with blue 

or blue/white LEDs 

touchslider for volume adjustment with 

blue/white LEDs 

touchguide for navigation. 

hands free talking (full duplex) 

polyphonic ringer tones 

headset jack 

bluetooth facility (subject to security constraints) 

USB master. (subject to security constraints) 

The Contractor shall provide a soft phone device for 

IP telephony users only. Providing telephony functions 

and access to function keys via a PC. It can be optionally 

displayed and placed in any position on the screen. This 

device offers the option of integrating corporate 

directories and personal call lists via LDAP 

The provision of SIP DECT Handsets 

key modules – from 18 to 90 programmable keys

963 

Accessories Wall mounting kits. 

GN Netcom and Plantronic Headsets 

4.1.10 HiPath Mobility for the provision of Home working and Hotdesking with audio prompts and 

audit records (available for HiPath DX only). 

4.1.11 HiPath DX or HiPath 4000 system administrator for single or multi-user site management. 

4.1.12 Tiger Call Management for the production of Onsite call logging reports. 

4.1.13 The Provision of UPS systems for Customer On Site applications. 

4.1.14 The provision of dual server PBX systems or IPT systems for increased availability, and dual 

network connectivity as defined by the Customer in consultation with the Contractor. 

4.1.15 The provision of Onsite and Remote maintenance Services (with Service cover and response 

time options) and provision of a Service Desk in accordance with Paragraphs 8 and 9. 

4.1.16 Remote Moves and Changes Service (for non inclusive Managed Service contracts). A 

Remote Move and Change is defined as the creation, addition, deletion and the moving of 

Software extension details but not including hardware. The Service Provider will manage 

changes to link numbering plans, site codes, class of Service and trunk access levels. For the 

avoidance of doubt each number moved allocated deleted or created is the equivalent of 

one change. Remote Moves and Changes include: Moves & changes; User classifications; 

Abbreviated dialling; Clock changes; Translation over private network; Route optimisation 

tables; Routing tables; Trunk access tables; Route restriction tables; DDI changes; Network 

numbering. 

4.1.17 On Site engineering Service (simple moves) subject to a Site survey conducted by the 

Contractor, the Services available are; 

· Move Extension Sockets, up to 30 meters; 

· Re-configure system, including jumpering at TJF or MDF; 

· Visit Site to power up and power down system (inclusive of Software back up and 

reload); 

· Provide engineer labour on hourly basis (inclusive of minor consumables); 

· Provide engineer on a daily basis (09:00-17:00, 45 minutes lunch); 

· Provide engineer labour on weekly basis (5 Days, 7.25 hours per day); 

· Relocation of CPU TJF and Equipment; 

· Relocation of CPU to new location in same building; 

· Relocation of CPU to a different site or building; 

· Additional Equipment installation Service, to support the commissioning of 

analogue handsets, feature terminals and any additional site cabling, (subject to site 

survey). 

4.1.18 The Contractor shall provide Project Management in accordance with paragraph 7.2 to 

deploy the Services.

Optional Services for Contactor Provided Hosted Managed Service 

4.2 The following Equipment or Applications shall be made available as an optional Service 

from the Contractor Hosted Managed Service. The system based features and functionality 

of the Equipment and Software shall be made available. 

4.2.1 OpenScape Xpressions Hosted Voicemail Software: 

964 

4.2.1.1 Xpressions Voicemail Licences; 

4.2.1.2 Xpressions Unified Messaging Licences; 

4.2.1.3 Xpressions Integration Software to support voicemail or unified messaging 

solutions with MS Exchange or Lotus Notes. 

4.2.2 OpenScape Unified Communications Software, providing Unified Communication 

applications, voicemail, collaborative working presence and user mobility. 

4.2.3 OpenScape Fusion Software and associated Hardware required to support the integration 

of OpenScape Unified Communication Server into a third party applications such as but not 

limited to Microsoft OCS, Microsoft Exchange and or IBM Lotus Notes. 

4.2.4 OpenScape Branch Proxy, to provide an on site (up to IL2) Accreditable survivable media 

gateway. The following OpenScape Branch devices are available: 

4.2.4.1 OpenScape Branch 50; 



4.2.4.4 OpenScape Branch 6000. 

4.2.5 OpenScape Concierge Operator Consoles Concierge Software and associated Hardware 

required. The following optional Services are available; 

4.2.5.1 OpenScape Concierge Business Group (per customer); 

4.2.5.2 OpenScape Concierge User Licences. 

4.2.6 OpenScape Call Management Software and associated Hardware. The following optional 

Services shall be available from the Contractor; 

4.2.6.1 OpenScape Call Management Interface SMDR per Business Group; 

4.2.6.2 Tiger Call Management Software (call logging system) based on a per user charge; 

4.2.6.3 Optional Managed Call Logging Service more fully defined in paragraph 5.17. 

4.2.7 The provision of Session Border Controllers (for DNSP connectivity). The provision, 

maintenance and support of appropriately sized Session Border Controllers for network 

security. The default number of concurrent SIP trunking Licences shall not exceed fifteen 

percent of the total number of active Licences connected to the Hosted Equipment.

4.2.8 A Non Live Test Environment (NLE) facility for the use of the Contractors Customers and 

DNSP’s. The System is designed and implemented to replicate the Contractors Service 

Provider platform to test all DNSP and other Service Provider applications, including client 

model office installations (for UC integration). For the avoidance of doubt, a Non Live 

Environment is a test system for End Customer infrastructure and compatibility tests only. 

4.2.9 OSCILLA Directory schema and Management Application The provision of an optional End 

User Directory System partitioned per business group: The OSCILLA platform will be 

configured to provide a full directory schema provided by the Contractor. This application 

will provide End Customers with a directory solution, a Web based Phonebook for access by 

OpenStage devices, providing a White and Yellow Pages directory. The Service is more fully 

defined in paragraph 5.18. 

4.2.10 The Contractor shall provide optional alternative ISDN Media Gateways supporting E1 

Connections for Client DNSP PSTN providers who can not currently offer SIP PSTN Interfaces. 

4.2.11 Provision of Terminal Adaptors to support Bent and or Legacy ISDN 2 devices. 

4.2.12 Handset or OpenStage SIP Terminals or Soft clients and adapters 

965 

Point 

5 

15 

Voice End 

OpenStage 

OpenStage 


8 programmable keys with red LEDs 




full-featured full duplex speakerphone with 

display 





8 programmable keys with red LEDs (upgradable 

with Key Module)

966 

40 

60 

OpenStage 

OpenStage 





tiltable 6 lines monochrome ,backlit graphical 

display 



LEDs) 


LEDs 



5-way navigator, 


headset jack 






LEDs) 

8 programmable touch keys (illuminated) with 

blue LEDs (function, speed dialor line keys) 

6 mode keys (touch keys, illuminated) with blue 

or blue/white LEDs

967 

Client 

OpenStage 

DECT 

OpenStage 

Accessories 

Mediatrix 

4102 

Mediatrix 

4104 

Mediatrix 

4108 

Mediatrix 

4116 

touchslider for volume adjustment with 





headset jack 


USB master. (subject to security constraints) 

The Contractor shall provide a soft phone device for 

IP telephony users only. Providing telephony functions 

and access to function keys via a PC. It can be optionally 

displayed and placed in any position on the screen. This 

device offers the option of integrating corporate 

directories and personal call lists via LDAP 

The provision of SIP DECT Handsets 

key modules – from 18 to 90 programmable keys 

Wall mounting kits. 


2 Port SIP Terminal Adaptor 




Phybridge An Adaptor to provide LAN connectivity over 

standard Customer supplied block wiring where IP 

Telephony can not be supported 

Terminal The Contractor shall provide extended warranty

968 

Maintenance services. 

4.2.13 The Provision of UPS systems to support any required Customer On Site applications. 


Contractor, the Services available are; 




reload); 







· Additional Equipment installation Service, (after the TJF demarcation) to support 

the commissioning of analogue handsets, feature terminals and any additional site 

cabling, (subject to site survey). 

4.2.15 The Contractor shall provide Project Management in accordance with paragraph 7.2 to 

deploy the Services. 

Optional Services for Contactor Provided Managed Equipment Service 

4.3 The following Equipment or Applications shall be made available as an optional Service 

from the Contractor which can be deployed on the Contractors supplied Managed 

Equipment Onsite. The system based features and functionality of the Equipment and 

Software shall be made available. 

4.3.1 Xpressions Voicemail, a unified messaging platform (Voice and Email integration) delivered 

as hardware and software to the Customer specification the number of users required will 

dictate the size of Xpressions server to be implemented. The minimum number of mailboxes 

shall be 30 UM mailboxes. The maximum number of UM mailboxes shall be 10,000 per 

cluster. The provision of any LAN or Firewall Equipment shall be excluded from this option. 

The Service may be delivered as On Site or use a of Site Server. 

4.3.1.1 Number of Voicemail Licences; 

4.3.1.2 Number of Fax Mail Licences; 

4.3.1.3 Email / Interface Licences; 

4.3.1.4 SMS Option;

969 

4.3.1.5 Text to Speech Licences. 

4.3.2 PSN DNSP Interfaces and or Digital Line Interfaces based on Customer requirements. 

4.3.3 SIP Telephony Interfaces. For the connection to DNSP PSTN providers. 

4.3.4 Analogue Exchange Lines and Equipment Bypass Circuits for power fail conditions only. 

4.3.5 OpenScape Unified Communications Software, providing Unified Communication 

applications, voicemail, collaborative working presence and user mobility. 

4.3.6 OpenScape Fusion Software and associated Hardware required to support the integration 

of OpenScape Unified Communication Server into a third party applications such as but not 

limited to Microsoft OCS, Microsoft Exchange and or IBM Lotus Notes. 

4.3.7 OpenScape Branch Proxy, to provide an on site and IL2 Accreditable survivable media 

gateway. The following OpenScape Branch devices are available: 




4.3.7.4 OpenScape Branch 6000. 

4.3.8 OpenScape Concierge Operator Consoles Concierge Software and associated Hardware 

required. The following optional Services are available. 

4.3.8.1 OpenScape Concierge Business Group (per customer); 

4.3.8.2 OpenScape Concierge User Licences. 

4.3.9 OpenScape Call Management Software and associated Hardware. The following optional 

Services shall be available from the Contractor; 

4.3.9.1 OpenScape Call Management Interface SMDR per Business Group; 

4.3.9.2 Tiger Call Management Software (call logging system) based on a per user charge; 

4.3.9.3 Optional Managed Call Logging Service more fully defined in paragraph 5.17. 

4.3.10 The provision of Session Border Controllers (for DNSP connectivity). The provision, 

maintenance and support of appropriately sized Session Border Controllers for network 

security. The default number of concurrent SIP trunking Licences shall not exceed fifteen 

percent of the total number of active Licences connected to the Managed Equipment 


4.3.11 The Contractor shall provide optional alternative ISDN Media Gateways supporting E1 

Connections for Client DNSP PSTN providers who can not currently offer accredited SIP PSTN 

Interfaces. 

4.3.12 A PBX Operator Screen Based Consoles and internal Directory Schema. 

4.3.13 Provision of ISDN Adaptors to support Bent and or Legacy ISDN 2 devices. 

4.3.14 Handset or OpenStage Terminals or Soft clients and adapters

970 

Voice End 

Point 

Analogue 

Berkshire 

400 

5 

15 

OpenStage 

OpenStage 


12 permanent memories 

external memory programming port 

memory programming disable switch 

pause key 

MF dialling 

latching mute 

last number redial 

switchable TBR/ELR 

switchable RI/MW 

ringing Indicator 

headset port 

adjustable headset volume 

adjustable ringer pitch 

adjustable ringer volume 

BT & RJ45 linecords 

hearing aid compatible 

desk & wall bracket (optional) 

RJ11 linecord (optional) 

available in light or dark grey 

8 programmable keys with red LEDs 




full-featured full duplex speakerphone with display 





8 programmable keys with red LEDs (upgradable

971 

40 

60 

OpenStage 

OpenStage 

with Key Module) 





tiltable 6 lines monochrome ,backlit graphical display 


8 fixed function keys (partly equipped with red LEDs) 


LEDs 



5-way navigator, 


headset jack 





6 fixed function keys (partly equipped with red LEDs) 

8 programmable touch keys (illuminated) with blue 

LEDs (function, speed dialor line keys) 

6 mode keys (touch keys, illuminated) with blue or 


touchslider for volume adjustment with blue/white 

LEDs 




headset jack 


USB master. (subject to security constraints)

972 

DECT The provision of SIP DECT Handsets 

Openstage 

Accessories 

Mediatrix 

4102 

Mediatrix 

4104 

Mediatrix 

4108 

Mediatrix 

4116 

key modules – from 18 to 90 programmable keys 

Wall mounting kits. 






Phybridge An Adaptor to provide LAN connectivity over 

standard Customer supplied block wiring where IP 

Telephony can not be supported 

Terminal 

Maintenance 

The Contractor shall provide extended warranty 

services 

4.3.15 HiPath Mobility for the provision of Home working and Hotdesking with audio prompts and 

audit records (available for HiPath DX only). 

4.3.16 HiPath DX or HiPath 4000 system administrator for single or multi-user site management. 

4.3.17 Tiger Call Management for the production of Onsite call logging reports. 

4.3.18 The Provision of UPS systems to support Customer On Site applications. 

4.3.19 The provision of dual server PBX systems or OUCS systems for increased availability, and 

dual network connectivity as defined by the Customer in consultation with the Contractor. 

4.3.20 Remote Moves and Changes Service (for non inclusive Managed Service contracts). A 

Remote Move and Change is defined as the creation, addition, deletion and the moving of 

Software extension details but not including hardware. In addition the Service Provider will 

manage changes to link numbering plans, site codes, class of Service and trunk access levels. 

For the avoidance of doubt each number moved allocated deleted or created is the 

equivalent of one change. Remote Moves and Changes include: Moves & changes; User 

classifications; Abbreviated dialling; Clock changes; Translation over private network; Route 

optimisation tables; Routing tables; Trunk access tables; Route restriction tables; DDI 

changes; Network numbering. 


Contractor, the Services available are;

973 




reload); 







· Additional Equipment installation Service, (after the TJF demarcation) to support 

the commissioning of analogue handsets, feature terminals and any additional site 

cabling, (subject to site survey). 

4.3.22 The Contractor shall provide Project Management in accordance with 7.2 to deploy the 


5. Value Added Services 

5.1.1 The Contractor shall provide Project Management of the deployment of the Services 

detailed in this paragraph 5 in accordance with paragraph 7.2 

5.2 Voice Call (Bundle) packages 

5.2.1 The Contractor shall provide an optional Call Bundle packages based on a fair user policy to 

be defined with the Customer (charges against a live extension or virtual user). Voice Call 

bundles will be managed by the Contractor based on the aggregation of anticipated volume 

spend by the Customer. Calculation of volume can be a combination of spend by many 

customers all agreeing to share the fair user policy. 

5.2.2 The Contractor will create a bespoke Service level Agreement and agreed measurement 

criteria for the measurement of the Call Bundle to meet the specific Customer requirements 

and this will be specified in Appendix 4, the Call-Off Form. 

5.2.3 The Contractor shall review with the Customer /s the applicability of the voice call bundle 

to ensure value for money is maintained for the user. If it is identified by the Customer or 

the Contractor that savings or improved Service can be obtained, the Contractor shall after 

the expiry of any contract commitment replace the current scheme and suppliers with 

identified alternative suppliers. 



paragraph 8.

5.2.5 The Contactor shall produce regular performance reports on all aspects of the Service by 

way of the call logging reports detailed in paragraph 5.17 in accordance with paragraph 8; 

Or as agreed with the Customer. 

5.2.6 The Contractor shall if requested by the Customer implement any call bundle package 

secured by the Customer direct and shall apply a fixed management charge of 7% against all 

relevant call charges. 

5.2.7 The minimum term for a call bundle package is 12 months. Thereafter the Customer may 

terminate the call bundle in favour of a DNSP provided Service. 

5.2.8 Upon termination of call bundles the Contractor will assist the customer in any porting or 

relevant information required by the Customers replacement Service provider, provided 

that the information requested is to support the transition of the call bundle Service for that 

Customer only. 

5.3 Voice Minutes 

5.3.1 The Contractor shall provide an optional Voice Minute charging tariff against a minimum 

call spend agreed between the Contractor and the Customer. Voice Call Minutes will be 

managed by the Contractor based on the aggregation of anticipated volume spend by the 

Customer, such volume can be a combination of spend by many customers. 


criteria for the measurement of the Call Bundle to meet the specific Customer requirements 

and this will be specified in Appendix 4 the Call-Off Form. 

5.3.3 The Contractor shall review with the Customer /s the applicability of the Voice Minute 

charges to ensure value for money is maintained for the user. If it is identified by the 

Customer or the Contractor that savings or improved Service can be obtained the 

Contractor shall after the expiry of any contract commitment replace the current scheme 

and suppliers with identified alternative suppliers. 



paragraph 8. 


way of the call logging reports detailed in paragraph 5.17 in accordance with paragraph 8 or 

as agreed with the Customer. 

5.3.6 The Contractor shall if requested by the Customer implement any Voice Minutes contracts 

secured by the Customer direct and shall apply a fixed maximum seven per cent (7%) third 

party pass through fee against all relevant call charges. 

5.3.7 The minimum term for Voice Minutes is 12 months thereafter the Customer may terminate 

the call bundle in favour of a DNSP provided Service. 

5.3.8 Upon termination of call bundles the Contractor will assist the customer in any porting or 

relevant information required by the Customers replacement Service provider, provided 

that the information requested is to support the transition of the call bundle Service for that 

Customer only. 

974

5.4 DDI 

5.4.1 Optional DDI Services will be provided as part of its Service by the Contractors DNSP or 

PSTN provider. 

5.4.2 The charges the Contractor incurs to provide additional DDI number ranges from its DNSP 

or PSTN provider shall be detailed to the Customer and the Contractor shall apply a fixed 

management charge of 7% against all relevant call charges. 


criteria for management of DDI’s numbers to meet the specific Customer requirements and 

this will be specified in Appendix 4, the Call-Off Form. 

5.4.4 The Contractor shall review with the Customer /s the applicability of DNSP or PSTN DDI 

Number charges to ensure value for money is maintained for the user. If it is identified by 

the Customer or the Contractor that savings or improved Service can be obtained the 

Contractor shall after the expiry of any contract commitment replace the current scheme 

and suppliers with identified alternative suppliers. 



paragraph 8. 


way of the call logging reports detailed in paragraph 5.17 and DDI spare number capacity in 

accordance with paragraph 8, or as agreed with the Customer. 

5.4.7 The Customer may choose to use its own DNSP to provide DDI whereas the Contractor 

provided the DNSP is accredited to provide PSTN Services shall connect to the DNSP DDI 

number range. 

5.4.8 The minimum term for the DDI Service is 12 months. Thereafter the Customer may 

terminate the Service favour of a Customer provided DNSP Service. 

5.4.9 Upon termination any DDI Service provided by the Contractor, the Contractor will assist the 

Customer in any porting or relevant information required by the Customers replacement 

Service provider, provided that the information requested is to support the transition of the 

DDI Service for that Customer only. 

5.5 Premium Rate Number and Non Geographic Numbers 

5.5.1 The Contractor shall provide the Customer an optional premium rate number Service. The 

following Non Geographic Number Services (NGNs) shall be made available; 

975 

5.5.1.1 0845 / 0844 numbers which will provide a local call rate number facility; 

5.5.1.2 0870 / 0871 numbers which will provide a national call rate number facility; 

5.5.1.3 09xx numbers which will provide a premium rate call rate number facility; 

5.5.1.4 0300 numbers which provide a local low call rate number facility. 

5.5.2 Premium rate and non geographic number Services will be provided by the Contractors 

DNSP or PSTN provider.

5.5.3 Any charges the Contractor incurs to provide Premium Rate Number and Non Geographic 

Numbers from its DNSP or PSTN provider shall be detailed to the Customer and the 

Contractor shall apply a fixed management charge of 7% against all relevant charges. 


criteria for management of Premium Rate Number and Non Geographic Numbers to meet 

the specific Customer requirements and this will be specified in Appendix 4, the Call-Off 

Form. 

5.5.5 The Contractor shall review with the Customer /s the applicability of DNSP or PSTN charges 


the Contractor that savings or improved Service can be obtained, the Contractor shall after 





paragraph 8. 


way of the call logging reports detailed in paragraph 5.17. 

5.5.8 The Customer may choose to use its own DNSP or PSTN provider to provide Premium Rate 

Number and Non Geographic Numbers provided that the Customers service provider is 

accredited to provide PSTN Services. 

5.6 118 Enquiries 

5.6.1 The Contractor will provide a national and international directory enquiry Service based on 

its DNSP and PSTN provider 118-150 Service. This Service provides up to two searches per 

call 

5.6.2 Any charges to provide 118 Enquiries from the Contractors DNSP or PSTN provider shall be 

detailed to the Customer and the Contractor shall apply a fixed management charge of 7% 

against all relevant call charges. 


criteria for management of Premium Rate Number and Non Geographic Numbers to meet 

the specific Customer requirements and this will be specified in Appendix 4 in the Call-Off 

Form. 

5.6.4 The Contractor shall review with the Customer /s the applicability of DNSP or PSTN charges 


the Contractor that savings or improved Service can be obtained the Contractor shall after 





paragraph 8. 

976


way of the call logging reports detailed in paragraph 5.17. 

5.7 Call Preference Service (TPS) 

5.7.1 The Contractor will provide the Customer access to the Call Preference Service Scheme 

(TPS). TPS is a free opt out service enabling the Customer to record its preferences on the 

official register and not receive unsolicited sales or marketing calls. 

5.7.2 Requests for TPS can be made to the Contractor Service Management Desk or upon request 

direct to TPS. 

5.8 Audio Conferencing 

5.8.1 The Contractor shall provide four audio optional conferencing Services. The availability of 

the Service or Service type will be dependant on the Onsite Equipment or Hosted Managed 

Service requested, the Service types are; 

977 

5.8.1.1 A user controlled using the inherent facilities of the Voice Service Platform. 

5.8.1.2 A user controlled audio conference using the inherent facilities of the Contractor 

Unified Communication Collaborative platform; Up to 50 parties with optional 

voice recording can be involved in a conference. This facility is provided to all 

users who have deployed the OpenScape UC application. 

5.8.1.3 An external conference bridge provided by the Contractors DNSP or PSTN 

Provider for example the Contractors BT Meet Me Service. 

5.8.1.4 An external conference bridge provided by the Contractors DNSP or PSTN 

provider with operator assisted Services 


criteria for the measurement of the Contractors Audio Conference Service to meet the 

specific Customer requirements and this will be specified in Appendix 4, the Call-Off Form. 

5.8.3 The Contractor shall review with the Customer the applicability of the external conference 

bridge Service. If it is identified by the Customer or the Contractor that savings or improved 

Service can be obtained the Contractor shall after the expiry of any contract commitment 

replace the current scheme and suppliers with identified alternative suppliers. 



paragraph 8. 

5.8.5 The Contactor shall produce regular performance reports on all aspects of the external 

audio bridge Service. 

5.8.6 The Contractor shall if requested by the Customer implement any external Audio 

Conferencing contracts secured by the Customer direct and shall apply a fixed management 

charge of 7% against all relevant call charges.

5.8.7 The Contractors BT Meet Me Service - provides the Customer with a reservation-less, on 

demand audio conferencing Service accommodating up to 300 concurrent users, with 

optional voice recording. The Service is available 24 hours, 365 days a year. No end user 

Equipment is provided by the Contractor. The Contractor will provide every registered 

Customer with a UK toll, freephone and series of international free phone numbers to 

access the conferencing Service. . 

5.8.8 The Contractors BT meet me plus provides the Customer with a fully managed, operator 

assisted audio conferencing Service accommodating up to 2000 concurrent users. The 

Service is available 24 hours, 365 days a year. All Event meetings must be booked with the 

Contractor with a minimum of one (1) Working Day’s notice. The Contractor will provide an 

operator to monitor and manage each meeting. The operator can greet every participant as 

they enter the call, provide an introduction to the meeting and manage any question & 

answer session. 

5.9 Desktop Video Conferencing and Collaboration Tools 

5.9.1 The Contractor shall provide an optional Desktop Video Conferencing and web 

conferencing Service, based on the Contractors Accredited Hosted Unified Communications 

Platform (OUCS). 


5.9.3 Bespoke Service Levels may be amended to meet specific Customer requirements and 




5.9.5 Bespoke Customer requirements may be amended in accordance with Appendix 4, the Call 

off Form. 



paragraph 8. 



5.9.8 The Contractor shall provide the following features; 

978 

5.9.8.1 Desktop and Application Sharing – Presenters can broadcast or share visuals, 

applications, web pages, documents, software or any part of a desktop to 

conference participants. The use of a virtual whiteboard allowing presenters to 

draw, add text and highlight information with annotation tools. Integration with 

MS Exchange or IBM’s Sametime allows for single-click scheduling directly with 

predefined conferencing properties. 

5.9.8.2 Desk Top Video – Integrated with the Customer PC (the Customer will be 

responsible for the provision of suitable hardware). Linked to the Contractors 

Hosted OUCS application the user may switch from telephony to Video calling and 

nominate the Video as a telephony / video work point.

5.9.9 The Contractor shall be responsible for the provision of standard interfaces to link the 

Customer existing infrastructure to the Hosted Unified Communications Platform. The 

customer will be responsible for all network connectivity via its DNSP. 

5.9.10 The Contractor will be responsible for the provision of the Service from its Hosted 

Datacenters this will include Integrated backup and disaster recovery Services 

5.9.11 The Contractor shall agree bespoke services with the Customer for any Single sign-on 

requirements and Active Directory integration requirements. 

5.10 Web Conferencing & Messaging Services 

5.10.1 The Contractor shall provide an optional instant messaging (IM) and web conferencing 

Service, based on the Contractors Hosted Unified Communications Platform (OUCS). 


979 


and specified in Appendix 4 in the Call-Off Form. 



5.10.3.1 Bespoke Customer requirements may be amended in accordance with Appendix 

4, the Call Off Form. 



paragraph 8. 




5.10.6.1 Instant Messaging – Encrypted instant messaging between individual co-workers 

or groups using Outlook or Sametime. This includes rich presence capabilities with 

visual indicators of a colleagues’ availability based on their Exchange, telephony 

platform calendar and activities. Conversation histories are archived and 

searchable from the OUCS server. 

5.10.6.2 Web Conferencing – Integrated with the Customer PC (the Customer will be 

responsible for the provision of suitable hardware). Linked to the Contractors 

Hosted OUCS application the user may activate Web Conferencing in any 

application and subject to Accreditation enable a Web collaborative session. 



customer will be responsible for all network connectivity via its DNSP. 


Datacenters this will include Integrated backup and disaster recovery Services.

5.10.9 The Contractor shall agree with the Customer any Single sign-on requirements and Active 

Directory integration. 

5.11 Real Time Information Services; 

5.11.1 The Contractor shall upon request develop with the Customer applications to support Real 

Time Information Services or SIRI using an XML protocols. 

5.11.2 The Contractor defines SIRI as a Transmodel abstract model for (typically) public transport 

or mobile user information. 

5.11.3 Bespoke Service Levels may be amended to meet specific Customer requirements and 




5.11.5 The development by the Contractor of SIRI applications shall be a Bespoke Customer 

requirement which shall be detailed and amended in accordance with Appendix 4, the Call 

off Form. 



paragraph 8. 

5.12 Desktop Messaging 

5.12.1 The Contractor shall provide an optional Desk Top instant messaging Service, based on the 

Contractors Hosted Unified Communications Platform (OUCS). 

5.12.2 The Contractor shall meet the Service levels detailed in paragraphs 9. 

980 


and specified in Appendix 4, the Call-Off Form. 



5.12.3.1 Bespoke Customer requirements may be amended in accordance with Appendix 4 

Call Off Form. 



paragraph 8. 


5.12.5.1 Instant Messaging – Encrypted instant messaging between individual co-workers 

or groups using Outlook or IBM Sametime. This includes rich presence capabilities 

with visual indicators of a colleagues’ availability based on their Exchange, 

telephony platform calendar and activities. Conversation histories are archived 

and searchable from the OUCS server.



customer will be responsible for all network connectivity via its DNSP and will allow the 

Contractor to load a web based application and for any implications (as advised by the 

Contractor) on its infrastructure. 


Datacenters this will include Integrated backup and disaster recovery Services. 



5.13 Messaging via email 

5.13.1 The Contractor shall provide email (messaging) Service. 


981 


as specified in Appendix 4 in the Call-Off Form. 





paragraph 8. 


5.13.5.1 High-availability Email built on Microsoft Exchange Server 2010; 

5.13.5.2 Advanced Collaboration integration with OpenScape UC providing Voice/VoIP, 

audio/Video/Web Conferencing, Group Chat, Instant Messaging and 

Presence, Public Instant Messaging Connectivity and Mobility; 

5.13.5.3 Email Security with Gateway, filtering and anti-virus security from MessageLabs 

and Microsoft ForeFront; 

5.13.5.4 Mobile and Remote access with Outlook Web Access 2010, BlackBerry Enterprise 

Server and Microsoft ActiveSync for Windows Mobile; 

5.13.5.5 Email Archival with personal archives and data retention policies. SOXcompliance 

and litigation-ready Services from Global Relay; 

5.13.5.6 Administration and self-Service with Active Directory integration and/or an 

optional Control Panel and Automation system. 

5.13.6 The Contractor shall be responsible for the provision of interfaces to link the Customer 

existing infrastructure to the Hosted Exchange Platform. The customer will be responsible 

for all network connectivity via its DNSP will allow the Contractor to load a web based 

application and for any implications (as advised by the Contractor) on its infrastructure. 


Datacenters this will include Integrated backup and disaster recovery Services.



5.13.9 In addition the Contractor shall provide the following Hosted Email Services; 

5.14 SMS 

982 

· Email store-and-forward; 

· Web content caching and filtering; 

· Domain name Services; 

· Distributed Denial of Service (DDoS) protection; 

· In the event of a Customer’s email server becoming unavailable, the Contractor 

Service shall store received emails on our SMTP servers for up to seven days. Upon 

the restoration of the Customer’s email Service we shall deliver them as normal; 

· A web content caching and filtering capability that shall enable Customers to 

control and filter the material that may be accessed from within their business 

domain; 

· Ability to filter web-access based upon URL requests; 

· Ability to filter web-access based upon detailed site analysis, including images and 

video content; 

· Allowing the filtering of inappropriate web content by using a ‘black-list’ registry of 

URLs; 

· Web access policies shall be provided and shall be configurable by the Customer 

through an on-line portal; 

· Manageable through a web-portal, allowing the insertion of exceptions and 

inclusions; 

· Report generation of accessed URLs. 

The Contractor shall provide a Service option that enables domain name Services (DNS) 

for the Customer. Our Service includes both DNS registration and DNS hosting. The Services 

options include: 

· Automatic renewal; 

· Hosted on our fully managed DNS servers; 

· Primary and secondary Services; 

· Zone file maintenance; 

· Weighted MX pointers (for SMTP delivery); 

· Host internet names (URL); 

· Reverse look-up; 

· Transfer in (from other hosting Services).

5.14.1 The Contractor will provide an optional SMS facility to integrate with the Customer 

infrastructure or Contractor supplied applications. 


983 







paragraph 8. 


· Send and schedule thousands of messages at once; 

· 2-way messaging including auto-replies and API functionality for integration with 

the Customers IT systems; 

· Advanced list management features including upload, opt-in/opt-out; 

· Database integration – e.g. personalise with name, ticket number, etc; 

· Detailed Delivery receipt information. 


Customer existing infrastructure. The customer will be responsible for all network 

connectivity via its DNSP. 


Datacenters this will include Integrated backup and disaster recovery Services. 



5.15 Pager, Mobile & Fixed Line Telephone Services 

5.15.1 The Contractor shall provide optional Pager, Mobile and Fixed Line Telephone Services, 

based on agreed specification with the Customer. 

5.15.2 Upon request the Contractor shall manage the Customers existing Pager, Mobile and Fixed 

Line Services on its behalf including the provision of new Services using the Customers 

existing supply arrangements; or alternatively the Contractor shall provide alternative 

supply arrangements via its suppliers. 


criteria for management of Pager, Mobile and Fixed Line Telephone Services to meet the 

specific Customer requirements, this will be specified in Appendix 4, the Call-Off Form. 

5.15.4 The Contractor shall review on a regular basis with the Customer Pager, Mobile and Fixed 

Line Telephone Services charges. If it is identified by the Customer or the Contractor that 

savings or improved Service can be obtained the Contractor shall after the expiry of any

984 

contract commitment replace the current scheme and suppliers with identified alternative 

suppliers. 



paragraph 8. 

5.15.6 The Contactor shall produce regular performance reports on all aspects of the Service. 

5.16 Telephone Operator Service 

5.16.1 The Contractors shall provide an optional Telephone Operator Service. This Service shall be 

delivered through a resilient accredited hosted operator Service whereby the Contractors 

operators or auto attendant systems will answer calls that are presented to Contractor 

Telephone Operator Service on behalf of the Customer. 

5.16.2 The Contractor can provide 24 hour Customer Operator Service, a night time Operator 

Facility or Operator overflow Service. The Contractor and Customer shall agree the scope of 

the Operator Service required and the hours of operation. The Operator Service may 

comprise of a manned station or the use of Auto Attendant voice recondition technology 

(with manned desk back up), with the agreement of the Customer. 

5.16.3 The Contractor shall work with the Customer to define the call handling policy document 

which will define the various policies that shall be adopted by the Telephone Operator 

Service when answering and the onward connecting of calls on behalf of the Customer. 

5.16.4 The Contractors Operator Service assumes the average call duration of six seconds and 

therefore is not suitable to act as an enquiry Service on behalf of the Customer. 

5.16.5 The Contractors Telephone Operator Service shall be available 24/7/365 days of the year 

and will be managed by a Service Delivery Manager. Processes and procedures with the 

Customer to deal with a range of Customer requirements for example, call handling, call 

processing, bomb threats and nuisance calls. 

5.16.6 The Contractor shall maintain a fully operational Disaster Recovery plan (DR). The DR shall 

be fully tested twice a year and a walk through exercise shall be performed monthly so as to 

ensure the duty managers are fully conversed with the DR procedure; the Contractor shall 

share the results with its Customers of any DR tests and emergency procedures. 

5.16.7 The Contractor will require access to the Customer extension data which will take the form 

of the current internal directory which will be used by the Operator Service to route calls to 

the correct destination. The Customer is responsible for the provision of updates to the 

Directory information to the Contractor and the process of updates and methods shall be 

agreed between the Contractor and the Customer. 

5.16.8 The Contractor shall provide directory software to allow the Customer to provide automatic 

updates to the directory data. The directory data will be shared with the Customer if a 

shared Operator Service is in operation (where the Customer is using Operators to 

complement or to work with the Contractors Service.


criteria for the measurement of the Operator Service to meet the specific Customer 

requirements and this will be specified in Appendix 4, the Call-Off Form. 

5.17 Call Logging 

5.17.1 The Contractor provides access to the following set of reports, via its Customer portal. The 

Contractor shall provide access to three months sorted data. For Data in excess of 3 Months 

and up to 12 months the data will be retrieved by the Contractor and made available for the 

Customer upon request. Data that is over 12 months and up to five years will be made 

available at additional charges and the reports will comprise of; 

985 

· Summary and cost by most used extension; 

· Calls listed as recorded; 

· Calls listed by extension; 

· Summary by time and operator; 

· Summary by extension and response; 

· Extensions cost and calls reports; 

· Summary by extension and rate; 

· Summary by time and line; 

· Mobility transactions; 

· Mobility per site per extension; 

· Summary by department and area. 

5.17.2 The Customer can request additional reports from the Contractor, which will attract 

additional charges identified by the Contractor at the time of request. 

5.18 Directory 

5.18.1 The Contractor shall provide a Directory Service. 








paragraph 8. 



5.18.6 The Contractor shall ensure that high availability of the Service shall be provided through 

server and application level resilience within each component located within Contractors 

Datacenters. 

5.18.7 The core component of the Directory Solution shall be the DirX Directory V8.1 high-end 

directory server. This directory shall provide the following features: 

986 

· Standards-compliant, high-performance, highly available directory server with full 

LDAP v3 and X.500 functionality and compliance; 

· uses a specialised database kernel, designed and optimised for directory modelling 

and directory access and is scalable up to many millions of entries; 

· support of multi-tenancy. The details for each Customer shall be stored in separate 

partitions within the directory, with separate administrators and secured using 

access control lists; and 

· a DirX Directory can optionally be deployed on a windows based server platform 

or can also be virtualised using VMWare ESX/ESXi 4. 

5.18.8 The Contractor shall create a white pages Directory Service per Customer shall include the 

creation, publishing and maintenance of the contact details of the End-Users. The Directory 

Service’s standard attributes shall be: 

· name information; 

· primary and secondary contact numbers / addresses; 

· role information; 

· contact email details; 

· office address; 

· department / organisational information; 

· links to web pages; 

· graphics including photographs; 

· notes/ text section. 

5.19 Identity and Access Management Service (IDAMs) 

5.19.1 The Contractor shall provide both Security Consultants and Technical Security Design 

and Implementation specialists to deliver tScheme or equivalent accredited operational 

Public Key Infrastructure (PKI) components, including Certificate Authorities and associated 

CP and CPS documentation, to achieve the required level of assurance for delivery of PSN 


5.19.2 Siemens has submitted two Codes of Practice (CoP) applications to the PSN Authority 

(PSNA) to become a supplier of PSN services as an accredited PSN Service Provider 

(PSNSP). Our proposal is for a managed service via our resilient Siemens Secure Accredited 

Managed Network (SSAMN), and for IP Telephony (IPT) solutions via our resilient accredited 

IPT platforms. PSN services will include traditional voice, next generation voice, Unified

987 

Communications, voicemail, and conferencing, amongst others. All services will be available 

at Business Impact Levels 2 and 3. 

Siemens has already created a tScheme-approved national PKI environment, and 

associated business processes, as part of the NPIA Identity and Access Management Central 

Services solution, which currently delivers PKI services to secure national police applications 

at IL4. This solution includes: 

· A sub-ordinate certificate authority for issuing high assurance Authentication, 

Confidentiality and Device certificates; 

· A subordinate certificate authority for issuing high assurance Digital signature 

certificates (for the purposes of non-repudiation); 

· A low assurance CA for device authentication certificates including VPN 

certificates; 

· A Registration Authority (RA) for the purposes of Certificate Management; 

· A Validation Authority (VA) to pre-compute appropriate certificate status 

information; and 

· A Key Generation facility to generate key pairs in appropriate Hardware Security 

Modules (HSM). 

In addition the solution contains a promulgation facility for all certificates and Certificate 

Revocation Lists (CRLs) stored in the CA environment, as well as an Online Certificate Status 

Protocol (OCSP) Responder able to provide certificate status information to agreed relying 

parties. 

6. Data Services 

6.1 The Contractor shall provide Project Management for the deployment of Services detailed 

in this paragraph 6 in accordance with paragraph 7.2. 

6.2 The Contractor shall provide the following additional Data Services, Managed Firewall 

Network access control devices (NAC) Anti-virus and spyware detection Anti-spam Intrusion 

detection and prevention Email scanning and filtering Internet Services Managed internet 

access Co-location and hosting Online storage E-mail and website Services. 








paragraph 8. 



6.3 The Contractor shall provide the following Data Services 

6.3.1 The Contractors Managed Firewall Service shall provide secure perimeter protection at a 

network boundary and enable the stateful inspection of traffic at the boundary. This Service 

shall be available as a Site Based Service supported as a fully managed or maintenance 

Service options. Additional Service options shall include: 

988 

· Security event monitoring; 

· Network health monitoring; 

· Security policy consultancy and backup; 

· Security incident evaluation and response; 

· Software and patch upgrades; 

· Hardware maintenance on Equipment deployed; 

· Change management; 

· Network access control (NAC); 

· A network access control (NAC) Service with the function to control access to the 

internal systems and network; 

Security functions carried out on the network perimeter, available options include; 

· Authentication, authorisation, and accounting; 

· Support both wired and wireless access; 

· Posture assessment. Endpoints shall be assessed and compared against predefined 

policies before network access is permitted; 

· Remediation. Non compliant endpoints shall have network access restricted to a 

quarantine area with a server that provides up to date software for installation; 

· Anti-virus and spyware detection. 

6.3.2 The Contractor shall provide an anti-virus Service which offers a policy-based management 

of inbound and outbound traffic at a nominated network boundary. The Service shall be 

provided as a Hosted Solution or as a Customer premise solution for protection against 

known; 

· Viruses; 

· Worms; 

· Malicious backdoors; 

· Diallers; 

· Keyboard loggers; 

· Password stealers; 

· Trojans; 

· Malicious code;

989 

· Spyware; 

· Adware; 

· Malware. 

6.3.3 The Contractors anti-virus Service is configured to regularly poll the Contractors centralised 

management system and check for signature updates. New updates shall be automatically 

downloaded and installed to ensure that Service provides up to date anti-virus detection. 

6.3.4 The Contractor shall provide an Anti-spam Service shall provide a gateway based anti-spam 

filter that can flag or drop unwanted, malicious email. The anti-spam engine shall filter 

incoming email for known spam and phishing attacks to act as a first line of defence at the 

Customers network boundary. 

6.3.4.1 The Contractors anti-spam Service is configured to regularly poll a centralised 

management system and check for signature updates. New updates shall be 

automatically downloaded and installed to ensure that Service provides up to 

date anti-spam detection. 

6.3.5 The Contractor shall provide Intrusion detection and prevention. 

6.3.5.1 Network-based intrusion detection systems (NIDS) - NIDS shall monitor packets 

on a network for attempts to break into a system. NIDS shall passively monitor 

critical segments within a network, such as server VLANs and internet 

connections, analysing all traffic at these points against a database of known 

attack signatures. 

6.3.5.2 Host-based intrusion prevention systems (HIPS) – HIPS agent software shall be 

installed directly onto critical servers or hosts to identify and shall prevent 

malicious behaviour before it can occur by analysing the host for any abnormal 

activity. HIPS shall provide various protection features including; 

· Malicious mobile code protection; 

· Operating system integrity assurance; 

· Audit log consolidation within a single agent; 

· Email scanning and filtering. 

In addition to the anti-virus and anti-spam Services described above we shall provide an 

email scanning and filtering Services that shall provide the following capabilities; 

· Origin based reputation filters; 

· Content filters; 

· Virus outbreak filter; 

· The scanning and filtering Service shall include configurable quarantine capabilities 

of filtered email. 

6.3.6 The Contractor shall provide Managed Internet Access as either a fully managed or a 

partially managed Service at bandwidths from 2Mbps through to 10Gbps and shall provide 

users with controlled connectivity to the Internet. The Customer shall have configurable 

control over the authenticated end users that can access the Internet from within their

990 

business domain with fine grained control over filtering options, down to the end user level, 

at the Customers option. The Service shall include measures to protect the Customers 

against Denial of Service and Distributed Denial of Service attacks and shall be implemented 

in accordance with industry best practice and the CESG Good Practice Guides and 

Architectural Patterns. 

6.3.7 The Contractor shall provide Co-location and hosting that shall include; 

· Co-location hosting; 

· Dedicated infrastructure hosting; 

· Virtual Private Data Centre (VPDC) hosting. 

Managed co-location hosting Service includes the following Service options; 

· Cooling and power management; 

· Cable management; 

· Data centre LAN switching; 

· Remote hands and administration; 

· Backup tape rotation. 

6.3.8 The Contractor shall provide dedicated infrastructure to support the following Services 

· A commoditised shared virtualised infrastructure; 

· Microsoft Windows and Redhat Linux platforms; 

· Includes all OS licensing and management; 

· Manageable through a web-portal for the purposes of reporting, billing and 

orchestration; 

· Hourly billing rates are available; 

· Based upon and industry best-of-breed virtualisation platform; 

· On-line storage; 

The Contractor shall provide a range of storage and backup Services, including; 

· Cloud based solutions on a shared infrastructure, accessible over internet or 

Customer network; 

· Dedicated, hosted, and fully managed solutions held within a managed data centre 

environment, accessible over internet or Customer network; 

· Managed backup rotations on agreed schedules with on-site tape handling and 

control. 

6.3.9 Customer protection from Denial of Service and Distributed Denial of Service attacks from 

the Internet shall be facilitated by the anti-DOS and anti-DDOS technologies. Additional 

measures shall be utilised by the response teams in our Network Operations Centres which 

shall mitigate the effects of an attack by reconfiguring the Internet routers and firewalls to 

ensure that any potential Customer impact is kept to an absolute minimum.

7. Professional Services 

7.1 The Contractor shall provide the following professional for all Services defined within the 

Framework contract. Professional Services will also be provided for all bespoke offerings to 

end customers. All Professional Services personnel will have the appropriate Security 

Clearances. 

7.1.1 The Contractor will provide skilled and experienced personnel to undertake Professional 

Services assignments from either Services and solutions teams or sector oriented 

teams. The Contractors Professional Services include but are not limited to; technical 

consultancy, security consultancy, programme and project management and on-site Service 

management. Professional Services work packages would be agreed with the end customer 

at the outset of each Professional Services assignment so that there is clarity on objectives, 

deliverables, activities, timescales and respective responsibilities. Examples of Services 

include; Business Consultancy, Risk Assessment Due Diligence Services,, Requirements 

Capture, Scope of Work Definition, Project Definition Workshop, Network Readiness 

Assessment, Technical Design Specification; End Contact Center design and management; 

Customer Training and Service Take on Training. 

7.1.2 The Contractor will also offer a range of Quick Start Professional Services Suite consultancy 

packages. A Quick Start will assess, test, plan and establish the validity of a Service or 

technology in manageable parts, giving the Customer a clear view of the benefits and 

implications and providing a clear roadmap for development; 

991 

· PS Suite for IP Communications Infrastructure; 

· PS Suite for Video; 

· PS Suite for Contact Centers; 

· PS Suite for Unified Communications; 

· PS Suite for Threat Mitigation & Data Security; 

· PS Suite for Identity & Access; 

· PS Suite for Partner Enabling; 

· PS Suite for IT Service Management; 

· PS Suite for Hosted Data Services; 

· PS Suite for Unified Communication Applications; 

· PS Suite for PBX or IP Telephony deployment; 

· PS Suite for Collaborative Working Applications; 

· PS Suite for Hosted Exchange delivery and Integration; 

· PS Suite for Delivery of DNSP or PSTN Services. 

7.1.3 The Contractor shall provide Professional Services and Solutions cover the following areas, 

prior to deployment in a Customer environment

992 

· Unified Voice Over IP (VOIP) Communication systems; 

· Wireless LAN, Data and Voice solutions; 

· Unified Communications, Collaboration and Presence management; 

· Mobility and Video Conferencing; 

· Managed and Hosted Services. 

7.1.4 The Contractor shall provide bespoke application and integration design and development 

and the on-going maintenance and support of applications during their life cycles. This may 

include prototyping, the tailoring of existing products, data migration and user training. 

7.1.5 The Contractor shall provide consultancy on all areas identified on a vendor neutral basis, 

without alignment to any specific ICT platform or application. 

The Contractor Professional Services provide consultancy and bespoke solutions in the 

following areas; 

· Identity and Access Management Solutions; 

· Public Key Infrastructure (PKI); 

· Identity Management and Provisioning; 

· Role Based Access Control; 

· Single Sign-On (inc. Enterprise); 

· Web Single Sign-on and Federation Solution; 

· Privilege Management for Business Applications; 

· SmartCard Management Systems; 

· Remote, Physical and Mobile Access; 

· LDAP/DAP Directories solutions; 

· Security and Technical Assurance Solutions and Services; 

· CLAS (CESG Listed Advisor Scheme) Security consultancy for Public Sector 

Accreditation Services; 

· Information Security Management (including ISO27001 consulting and 

certification); 

· Service Management (including ISO20000/ITIL); 

· Business Continuity Management (Including Crisis Management, BS25999 

compliance and Disaster Recovery); 

· Data Handling/Data Protection/PCI; 

· CRAMM Methodology Risk Assessments; 

· Penetration testing Services; 

· Secure Network Design; 

· Unified Communication Telephony Solutions;

993 

· Contact Centre Solution Customisation; 

· UCC and CEBPA (Communication Enabled Business Processes Automation) 

Solution Customisation; 

· Vertical Sector Solutions Integration; 

· Mobile Data Applications; 

· OpenStage XML Applications; 

· Genesys Voice Portal Applications solutions; 

· OpenScape Video Solutions. 

7.2 Project Management 

7.2.1 The Contractor shall appoint a project manager or programme coordinator to oversee all 

aspects of the delivery of Services to the Customer. 

7.2.2 The Contractor shall employ a Prince II methodology that imposes strong disciplines on the 

delivery, commercial and support teams for all Contractor vendors involved in the 

deployment of a solution, to ensure that the customer requirement is captured, the solution 

is fully defined and understood, the delivery is fully planned and executed and all changes 

are properly managed. 

7.2.3 For identified critical infrastructure deployments a business continuity plan will be 

developed with the Customer to agree key milestone dates that in the event of slippage 

allow for the Contractor to invoke alternative Service arrangements with the agreement of 

the Customer. 

7.2.4 For each project identified as requiring Project Management the Customer and the 

Contractor shall develop a project plan and allocate the required resources as detailed. 

8. Services Summary 

8.1 The Contractor shall provide a range of ITIL based Service elements that shall be 

documented within the Service Catalogue, as described in this paragraph 8. 

8.1.1 The Contractor Service catalogue shall document operational Service elements which shall 

be capable of delivering Services for proactively marked information up to Impact Level 2 

(IL2) and Impact Level 3 (IL3). 

8.1.2 The Contractor shall provide a range of service levels which are described in paragraph 9 

for the specified service types as outlined in paragraph 3, these are summarised below: 

· On-Site Equipment; 

· Hosted Telephony Service - Managed Service; 

· On-Site Managed Equipment Service – Managed Service; 

· Third Party Vendor Equipment.

8.1.3 Where the Contractor optional services as described in paragraph 4 refers to paragraph 8 

and where no service levels are provided, the Contractor shall agree relevant service levels 

in conjunction with the Customer for performance monitoring methodology in accordance 

with Appendix 4, the Call Off Form. 

8.2 Service Transition 

8.2.1 The Contractor shall work with the Customer to determine the key Service deliverables 

associated with Service transition, take on and implementation, the key Service deliverables 

are listed below; 

994 

8.2.1.1 Operational Due Diligence shall include the data discovery and capture for 

operational information including supplier information, site and network details 

and user information; 

8.2.1.2 Operational Process Definition and Documentation shall include: 

· The provision of Service Relationship Specialists to work with PSN customers to 

establish effective working relationship; 

· To specify Service contact and escalation information; 

· The definition, production and joint approval of the Operational Process 

Document (OPD) which shall document the end to end Service procedure and 

processes. 

8.3 Service Catalogue 

8.3.1 Service Desk 

8.3.1.1 The Contractor Service Desk shall operate 24 Hours, 365 Days including Bank 

Holidays. 

8.3.1.2 The Contractor shall provide a Single Point of Contact (SPOC) for the progression 

of all reported Service events including incidents and Service requests. The SPOC 

shall be a multi channelled (voice, mail, portal) Service operation capable of 

dealing with a range of Service events ranging from simple user assist, the 

effective triage of incidents through to complex technical diagnosis and 

resolution. 

8.3.1.3 The Contractor shall ensure that all Service Events presented to the Contractors 

Service Desk will be recorded within the Contractors ‘Service event management 

system’. This shall ensure that all reported Service events are accurately 

recorded with both a date and time stamp. Thereafter all Service events shall be 

monitored and reported against the Service agreed levels for the selected Service 

package, as described in section 9. 

8.4 Incident Management

8.4.1 The Contractors Incident Management Service shall include the key Service deliverables 

which are outlined below; 

995 

· Notification: incidents will be reported by PSN customers calling to the PSN 

Service Desk or where PSN customers create an incident record through the 

Contractors customer portal. Incidents shall also be detected proactively via the 

Contractors Secure Network Operations Centre (SNOC) and an incident record will 

be created; 

· Logging: all incidents that are reported by PSN customers shall be logged and time 

stamped within the Contractors Service event management system; 

· Prioritisation: incidents shall be prioritised against the priority definition as 

outlined in section 9; 

· Investigation and Diagnosis: all actions taken by resolver groups shall be recorded 

within the incident record; 

· Restoration and Recovery: incident restoration shall be fully tested and 

documented within the incident record, before the incident is passed back to PSN 

Service Desk for closure; 

· Closure: closure of an incident shall be confirmed with the PSN customer who 

reported the incidents, the PSN Service desk will carry out a user satisfaction survey 

for an agreed sample of incident raised, the Service desk will validate whether a 

problem record should be recorded and then will close the incident record. 

8.4.2 Remote Maintenance 

The Contractor shall remotely diagnose the probable cause of Incidents that have been 

raised through the Service Desk or via proactive monitoring of the Services provided, and 

where reasonable practical the Contractor will manage the remote resolution of Incidents 

through the Secure Network Operations Centre (SNOC) to achieve a remote resolution, as 

per the agreed Service levels in paragraph 9. 

8.4.3 On-Site Maintenance 

The Contractor shall provide on-site diagnosis and resolution of Incidents that have 

been raised through the Service Desk or via proactive monitoring of the Services provided, 

where it has not been reasonable practical to diagnose or resolve the Incident remotely 

through the Secure Network Operations Centre then the Contractor will assign resources to 

attend site and deliver on-site Service restoration, as per the Service levels per package as 

outlined in paragraph 9. 

8.4.4 Proactive Monitoring 

The Contractor shall implement Network, Application and Server Monitoring which will 

include polling of Equipment. 

The Contractor shall collect alarms and traps and depending on the nature of the 

alarm/trap and the actual impact on Service operation. The Contractors Operational 

Support Systems will initiate and create an incident record.

8.5 Change, Release and Deployment Management 

996 

The Contractors Change, Release and Deployment Service shall include the key Service 

deliverables, as outlined below; 

· All requests for change shall be recorded with a change record / request for 

change (RFC); 

· All RFC shall be reviewed and approved via the Change Advisory Board (CAB); 

· Emergency Change requests shall be reviewed and approved via the Emergency 

Change Advisory Board (ECAB); 

· All approved changes shall be communicated with both PSN customers and agreed 

with defined operational contacts as agreed in the Operational Process Document 

(OPD); 

· All releases shall be uniquely identified. 

8.6 Problem Management 

The release of Service components shall be managed through a structured process; 

o Planning – production of the release and deployment plan which shall be agreed 

with both PSN customers and key stakeholders; 

o Build & Test – assemble and test Service components prior to deployment; 

o Deploy – update Service processes and where relevant train end users and 

operational support staff; 

o Decommission – unused Service components will removed and secure disposal 

will be completed; 

o Verification and Closure - confirmation through PSN customer engagement that 

Services are not affected, verification that Service Operations can manage the 

Service, where appropriate identify issues and take corrective actions, close 

release request. 

The Contractors Problem Management Service shall include the key Service deliverables 

which are outlined below; 

· Notification and Detection: Problems will notified and raised by the Service Desk, 

Network Operation Centre and from Trend Analysis completed by the Capacity 

Manager and/or Service Level Management; 

· Logging and Recording: Where a problem has been identified then the Contractor 

shall create a Problem Record (PR) which will allow the tracking and reporting of all 

problems, this will allow the Contractor to link reported problems to related 

incidents;

997 

· Investigation and Diagnosis: As part of the ongoing investigation and diagnosis 

the Contractor uses a range of techniques including Kepnor Tregoe, Brainstorming 

and Pareto analysis to establish root cause to support problem resolution; 

· Resolution: Where root cause of the problem has been identified, a resolution 

plan will be documented in the Problem Record, this may result in Change 

Request. The Problem may be left open and agreed workarounds will continue to 

be used; 

· Closure: As part of the closure process the Problem Record will be updated with 

full details, where appropriate updates to Known Error Records will be completed 

and thereafter formal closure. 

8.6.1 The Contractor shall create a Problem Records (PR) for all P1 incidents that have been 

raised through the Contractors Service Desk; thereafter the Contractor will undergo a full 

Root Cause Analysis (RCA) for all P1 incidents. 

The Contractor shall ensure that all corrective improvements will be recorded and 

tracked through Contractors Service Level Management processes and procedures. 

8.7 Capacity Management 

The Contractor shall provide capacity management that shall provide guidance & 

support to PSN customers, approved 3rd parties and operational resolver groups that are 

managed by the Contractor. 

The Contractors Capacity Management shall include the following Service deliverables; 

· The Contractors Capacity Management shall carry out regular capacity and 

performance monitoring, agreed thresholds will be determined by the Contractors 

Technical Design Authority which will be agreed with key stakeholders and PSN 

customers; 

· Capacity breaches will be triggered and notifications will be allocated to the 

Contractors Capacity Management for appropriate action; 

· The Contractors Capacity Management will identify capacity and performance 

trends to Service Level Manager which will form part of the Service Improvement 

Plan; 

· The Contractors Capacity Management will take ownership for all capacity related 

incidents that will have been allocated via the Service Desk. 

8.8 Availability Management 

Availability shall be measured by the Contractor as a percentage of the total time in a 

Service Period, in accordance with the following formula: 

Service Availability % = (MP – SD) x 100 

MP 

MP = Total Number of minutes, excluding Permitted Maintenance, within the relevant 

Service Period.

998 

SD = Total Number of minutes of Service Downtime, excluding Permitted Maintenance, 

in the Service Period. 

The Contractor shall collect performance statistics from the Equipment via SNMP polling 

of Host Resources MIB parameters up to the agreed volumes defined in the Operational 

Process Document. 

The Contractor shall provide availability Service reports which shall be presented to the 

Customer as part of the Service Management Report. 

8.9 Service Level Management 

8.9.1 Service Reporting 

The Contractor shall implement the reporting requirements to successfully measure 

Service delivery performance against defined Service level targets as described in paragraph 

9. 

The Contractor shall implement a reporting methodology that will include analysis of 

daily, weekly, monthly trends for contracted Service elements. This analysis shall be used 

to generate Service improvement initiatives that will be documented and recorded within 

the Service Improvement Plan. 

The Contractor shall provide the Service management report that will address specific 

Service management and delivery issues such as Service desk, incident, problem, change, 

capacity, Service level compliance and performance against Service Level Targets and 

Agreements. 

8.9.2 Service Review 

The Contractor shall implement Service reviews which will be the primary forum for 

reviewing the Contractors Service performance which will include analysis of the Service 

management report and agreeing Service improvement initiatives for inclusion within the 

Service Improvement Plan (SIP). 

The Contractor Service Level Manager (SLM) shall be the primary representative at the 

Service review. 

8.9.3 Continuous Service Improvement 

The Contractor shall be responsible for the Service improvement plan (SIP) associated 

with the Service elements that are delivered by the Contractor. The SIP shall be based on 

the output from the Service management report and other continuous Service improvement 

initiatives, the SLM shall identify areas for improvement, review with the customer, 

generate action plans, monitor and communicate progress. 

9. Service Levels – Templates and Matrix

999 

The Contractor shall operate service levels across three defined packages which are 

described in paragraph 9. The Contractor shall operate a matrix of service levels associated 

with specific service types which is outlined in paragraph 9.1.1. 

9.1 Service Type and associated Service Level Package 

Service Type Service Level Package 

On-Site Equipment (Paragraph 3.2) PSN Maintenance Service Level Package 

Hosted Telephony Service Managed 

(Paragraph 3.3) 

PSN Managed Service Level Package 

On-Site Managed Equipment Service PSN Managed Service Level Package 

Third Party Vendor Equipment PSN Proactive Service Level Package 

9.2 The Contractor shall provide a range of 3 Service Packages in support of PSN customers, 

as set out below; 

9.2.1 PSN Maintenance 

9.2.2 PSN Proactive 

9.2.3 PSN Managed Service 

PSN Maintenance Service 

Package 

Name 


Definition 


Catalogue 

Element 


Cover Period 

PSN MAINTENANCE - Package 

Lot 1 

PSN Maintenance shall provide a Service Desk and a Single Point of Contact 

(SPOC) which is available 24 x 7 x 365. PSN Maintenance will allow Customer to 

leverage both Remote and On-Site Maintenance with defined Incident Priorities 

and Service Restoration based SLA. 

Service Cover 

Period 

Service Desk, Section (as per lot number) 

Incident Management, Section (as per lot number) 

Remote Maintenance, Section (as per lot number) 

On- Site Maintenance, Section (as per lot number) 


Element 

Description Selectable 

Options

Default in 

Bold* 

Selectable 

by Site 

1000 


Period 


Remote Service 

Restoration 

On-Site 

Restoration 

PSN Service 

Desk 

Incident 

Management 

Grade of 


Priority 1 

Critical 

Priority 2 

Major 

Priority 3 

Minor 


Period where a PSN 

customers can 

report service 

events through to a 

single point of 

contact 


period where the 

contractor will 

commence 

diagnosis and 

service restoration 

for reported 

incidents 

The % of calls 

presented to the 

Contractors Service 

Desk that are 

answered in less 

than 15 seconds 

Total Loss of 


Loss of Service 

affects multiple 

users 

Loss of service 

to a single user 

Priority 4 Non Service 

affecting 

Priority 1 

Critical 

Priority 2 

Major 

Priority 3 

Minor 

Total Loss of 


Loss of Service 

affects multiple 

users 

Loss of service 

to a single user 

24 x 7 

8 x 5 * 

12 x 6 

24 x 7 


Level Target - 

90% of Calls 

answered 

within 15 

seconds 

4 Hours 

6 Hours 

12 Hours 

Next 

Business Day 

5 Hours 

6 Hours 

Next 

Business Day

PSN Proactive Service 

1001 

PACKAGE 

NAME 

SERVICE 

DEFINITION 

SERVICE 

CATALOGUE 

ELEMENTS 

SERVICE 

COVER PERIOD 

Priority 4 Non Service 

affecting 

PSN PROACTIVE SERVICE PACKAGE 

Lot 1 

48 

Working 

Hours 

PSN Proactive Services builds upon and enhances the services which are 

defined in PSN Maintenance service package. PSN proactive service includes the 

provision of proactive monitoring services and ITIL based service level 

management. 

Service Desk, Outlined Section (number per lot) 

Incident Management, Section (number per lot) 

Remote Maintenance, Section (number per lot) 

Onsite Maintenance, Section (number per lot) 

Proactive Services, Section (number per lot) 

Service Level Management, Section (number per lot) 

SERVICE ELEMENT DESCRIPTION SELECTAB 

LE OPTIONS 

Service Desk Service cover 

period where a 

PSN customer can 

report a service 

event to the single 

point of contact 

Incident 

Management, 

Remote 

Maintenance 

Service cover 

period indicates 

when the 

Contractor will 

commence 

remote diagnosis 

and service 

restoration for 

24x7 

24x7

SERVICE 

ELEMENT 


Incident 

Management 

1002 

Default in 

BOLD * 

* DEFAULT in 

BOLD, Escalation 

available 24 x 7 

SERVICE 

MEASURE 

Grade of 


Remote 


Restoration 

Incident 

Management, 

On-site 

maintenance 

both reactive and 

proactive 

incidents 


cover period 

where the 


commence on site 

diagnosis and 


Proactive Services Service cover 


the hours of 

operation where 

the Contractor will 

provide proactive 

monitoring 


Management 

% of calls forwarded to 

Service Desk that are answered 

with

Incident 

Management 

Proactive 

1003 

On-site 

service 

restoration 

Initiate & 

classification of 

service event 

through proactive 

detection via 

proactive 

monitoring 

Major Users 

3 

Minor 

4 

PRIORIT 

Y 

1 

Critical 

2 

Major 

3 

Minor 

Loss of 

Service to a single 

user 

Non Service 

affecting 

6HR 97% 

Next 

Business 

Day 

97% 

DEFINITION SLA SLT 

Total loss of 

service 

Loss of 

Service Multiple 

Users 

Loss of 


user 

4 Non Service 

affecting 

1 

Critical 

2 

Major 

3 

Minor 

Software 

MACPerform 

Urgent 

Remote 

Total loss of 

service 

Loss of 

Service to 

Multiple Users 

Loss of 


user 

4HR 97% 

5HR 97% 

Next 

Business 

Day 

48 

working 

hours 

15 

minutes 

15 

minutes 

30 

minutes 

97% 

97% 

100% 

100% 

100% 

4 Non Service N/A N/A 

2HR 95%

Software 

MAC 

1004 

Perform 

Urgent Remote 

Software MAC 

Perform 

Standard and 

Priority Software 

MAC 

Software 

MAC 

Perform 

Standard 

and Priority 

Software 

MAC 

Provision of Service Management Reports Monthly 

PSN Managed Service 

PACKAGE 

NAME 

SERVICE 

DEFINITION 

SERVICE 

CATALOGUE 

ELEMENTS 

Service Review Frequency Monthly 

PSN MANAGED SERVICE PACKAGE 

Lot 1 

12HR 95% 

2HR 95% 

12HR 95% 

PSN Managed will allow Customer to procure ITIL based services which will 

encompass the service elements outlined below. PSN Managed builds upon a 

service restoration, proactive services and will allows customer to procure services 

with defined service availability targets based around hosted services. 

Service Desk, Outlined Section (number per lot) 

Incident Management, Section (number per lot) 

Remote Maintenance, Section (number per lot)

SERVICE 

COVER PERIOD 

1005 

Onsite Maintenance, Section (number per lot) 

Proactive Services, Section (number per lot) 

Service Level Management, Section (number per lot) 

Change, Release and Deployment Management Section (number per lot) 

Problem Management Section (number per lot) 

Deployment Management Section (number per lot) 

Availability Management Section (number per lot) 

Default in 

BOLD * 

SERVICE ELEMENT DESCRIPTION SELECTABL 

E OPTIONS 

Service Desk Service cover 

period where a 

PSN customer can 

report a service 

event to the single 

point of contact 

Incident 

Management, 

Remote 

Maintenance 

Incident 

Management, 

On-site 

maintenance 

Service cover 


when the 

Contractor will 

commence remote 

diagnosis and 


for both reactive 

and proactive 

incidents 


cover period 

where the 


commence on site 

diagnosis and 


Proactive Services Service cover 


24x7 

24x7 

8x5* 

12x6 

24x7 

24x7

SERVICE 

ELEMENT 


Incident 

Management 

Incident 

Management 

1006 

* DEFAULT in 

BOLD, Escalation 

available 24 x 7 

SERVICE 

MEASURE 

Grade of 


Remote 


Restoration 

On-site 

service 

restoration 


Management 

% of calls forwarded to 

Service Desk that are answered 

with

Availability 

Management 

Proactive 

Software 

MAC 

1007 

Availability 

Management 

Initiate & 

classification of 

service event 

through proactive 

detection via 

proactive 

monitoring 

Perform 

Urgent Remote 

Software MAC 

Perform 

Standard and 

Priority Software 

MAC 

Major Users 

3 

Minor 

Hosted 

Managed 

Telephony 


On- 

Site 

Managed 

Equipment 

Loss of 


user 

4 Non Service 

affecting 

1 

Critical 

2 

Major 

3 

Minor 

Availability is 

defined in section 

8.8 

Availability is 

defined in section 

8.8 

Total loss of 

service 

Loss of 

Service to 

Multiple Users 

Loss of 


user 

Next 

Business 

Day 

48 

working 

hours 

99.999 

% 

97% 

97% 

99.999% 

99.95% 99.95% 

15 

minutes 

15 

minutes 

30 

minutes 

100% 

100% 

100% 

4 Non Service N/A N/A 

Provision of Service Management Reports Monthly 

Service Review Frequency Monthly 

2HR 95% 

12HR 95%

1008

Thales UK Ltd 


Name 


Description 

1009 

Managed Communications Solutions 

This comprehensive Service covers the Supply, Project Management, Installation, 

Maintenance, Support and Managed Operation of all elements of a complete Unified 

Communications Services Solution. The Service typically includes the following key 

activities (that can be provided as separate stand-alone or bundled services if required): 

· Communications Solutions Requirements and Programme Management 

· Design and specification of Communications Solutions and System Architecture 

· Design and specification of ITIL-based Service Solutions 

· Business Transition Communications Planning & Management - e.g. for Site Moves 

· Technical Support to transition 

· Business Support to transition 

· Expert Telecommunications Market & Technical Awareness and Advice 

· Procurement, Installation and Commissioning of equipments 

· Communications Programme and Project Management (e.g. using PRINCE) 

· Training 

· User and Technical Documentation 

· Safety Case Provision and Management 

· Configuration and Asset Management 

· Legacy System Management, Support & Transition

Manage 

ment 

Approach 

Impact 

Levels 

Target 

service 

availability 

1010 

· End User Telephone/Communications Equipment 

· Managed Technical Support to sites (e.g. configuration, repairs and spares). 

· Disaster Recovery and Business Continuity Solutions 

· Provision of a configurable range of User Services, including: 

· Managed Voice Communications 

· Conferencing & Distributed Working Services 

· Internet & Intranet Services 

· Security Services 

· Authentication & Access Management 

· Managed Messaging Services 

Thales will provide a fully managed service adhering to ITIL v3 processes, utilising 

ITIL Practitioners and ITIL Foundation qualified personnel. Access will be provided to 

user support and service/change ordering through the Thales Service Desk and Service 

Portal (as appropriate). A nominated Thales Service Manager will provide the primary 

business point of contact between Thales and the Customer for Service Level 

Agreements, Performance Reporting and Problem Management, as well as providing 

support and assistance as required to order new services or initiate significant service 

changes. Where elements of this service are provided by 3rd party providers (e.g. 

Mobile and Fixed PSTN Operators), Thales will manage all aspects of the relationship 

with these providers. 

IL2-2-x, IL3-3-x, IL4-4-x, 

Service Availability of up to 99.999% could be offered subject to the design of the 

solution. High Availability, dual resilient designs would enable ’99.999 

availability. However, dependant on customer requirements a range of different 

Service Availability Levels and Support options can be provided, allowing the System 

Architecture and Support to be matched to Customer specific needs at optimised cost. 

Service The Service offered will be 24x7x365

hours 


desk 

availability 

1011 

Service Desk availability will be 99.999% up time measured on an annual basis. 

Service coverage will be 24/7/365. 

Fix times Dependant on the service taken and on which component within the solution has 

failed will determine the fix time applied. Thales will work with the customer to 

understand the customer business requirements and devise a ‘fix time’ model which 

suits the customer’s business requirement. Suitable Service levels will be determined 

and agreed as part of the System & Architecture Design, but may include a graded 

service; typically; Gold - 4hours fix, Silver - 12 hours, Bronze - 24hours), offering varied 

levels of response to different sites to meet individual business needs. 


Entity 


Name 


Description 

Description 

Managed Voice Communications 

This Service offers the comprehensive Supply, Project Management, Installation, 

Maintenance, Support and 7x24 Managed Operation of Voice Communications 

Services. The Service includes the following activities: 

· Design and specification of the Voice System Architecture and Service Provision to 

meet Customer business and site needs 

· Procurement, Installation and Commissioning of site-based equipments 

· Provision of a configurable range of User Services, including: 

· Traditional & IP Based Voice Services 

· External (PSTN) Voice Call Packages (e.g. inclusive or minutes-based) 

· External DDI Services, PSTN Numbers and legacy Porting as required 

· Premium Rate and Non-Geographic PSTN Numbers

Manage 

ment 

Approach 

Impact 

Levels 

Target 

service 

availability 


hours 


desk 

1012 

· Personal Mobility Solutions (e.g. Follow me/call forward PSTN Numbers) 

· Internal Directory Enquiries Services and Systems 

· Call Preference Services (including contingency/event support) 

· Disaster Recovery and Business Continuity Solutions 

· Preparation and delivery of End-User training packages 

· Audio Conference Call facilities, with internal or 0800 (toll-free) PSTN 

numbers 

· Managed Technical Support to sites (e.g. configuration, repairs and spares). 

· On-site Maintenance and Field Service Technical Support activity will be provided 

as determined by site and Service Level needs 

Thales will provide a fully managed Voice Communications service based on ITIL v3 

service processes, with access to user support and service/change ordering through the 

Thales Service Desk and Service Portal (as appropriate). A nominated Thales Service 

Manager will provide the primary business point of contact between Thales and the 

Customer for Service Level Agreements, Performance Reporting and Problem 

Management, as well as providing support and assistance as required to order new 

services or initiate significant service changes. Where elements of this service are 

provided by 3rd party providers (e.g. Mobile and Fixed PSTN Operators), Thales will 

manage all aspects of the relationship with these providers. 

IL2-2-x, IL3-3-x, IL4-4-x, 

Service Availability of up to 99.999% will be offered subject to the design of the 



Service Availability Levels and Support options can be provided allowing the System 


The Service offered will be 24x7x365 

Service Desk availability will be 99.999% up time measured on an annual basis.

availability Service coverage will be 24/7/365. 

1013 

Fix times Dependant on the service taken and on which component within the solution has 



suits the business. This will be determined and agreed as part of the System & 

Architecture Design, but may include a graded service; typically; Gold – 4 hours fix, 

Silver - 12 hours, Bronze – 24 hours), offering varied levels of response to different sites 

to meet individual business needs. 


Name 


Description 

Conferencing & Distributed Working Services 

This Service provides a range of managed Conferencing and Distributed Working 

Services, allowing organisations to capitalise on their organisational resources through 

flexible and effective distributed working practices, enabled by industry standard tools, 

including: 

· Audio Conference Call facilities, with internal or 0800 (toll-free) PSTN numbers 

· Desktop Video Conferencing, allowing rapid Peer to Peer or Group conferencing. 

Options are available to provide secure Video Conferencing where confidentiality is a 

requirement. 

· Collaboration Tools to allow distributed working on shared documents and files, 

including instant messaging, chat, bulletin boards & shared presentations 

· Web Conferencing, allowing collaborative and shared working across larger 

distributed user groups 

· preparation and delivery of End-User training packages 

· Maintenance and Technical Support activity will be provided as determined by 

Service Level needs

Manage 

ment 

Approach 

Impact 

Levels 

Target 

service 

availability 


hours 


desk 

availability 

1014 

These Services are fully managed and can either be called off on a "per use" basis, 

or as part of longer term bundled usage packages, e.g. "per seat". Thales will operate 

the managed service using ITIL v3 processes, and will provide access to user support 

and service/change ordering through the Thales Service Desk and Service Portal (as 

appropriate). A nominated Thales Service Manager will provide the primary business 

point of contact between Thales and the Customer for Service Level Agreements, 

Performance Reporting and Problem Management, as well as providing support and 

assistance as required to order new services or initiate service changes. 

IL2-2-x, IL3-3-x, IL4-4-x, 


solution. High Availability, dual resilient designs would enable 99.999% 




The Service will be 24x7x365 

Service Desk availability will be 99.999% up time, measured on an annual basis. 


Fix times Dependant on the service taken and which component within the solution has 



suits the business. Suitable Service levels will be determined and agreed as part of the 

System and Architecture Design, but may include a graded service; typically; Gold – 4 

hours fix, Silver - 12 hours, Bronze – 24 hours), offering varied levels of response to 

different sites to meet individual business needs. 


Name 


Description 

Internet & Intranet Services 

This Service provides a range of Internet and Intranet-based Information Services, 

using Thales experience as an Internet Service Provider and our digital infrastructure to 

assure effective, reliable and secure Internet and Intranet services to Public Service 

organisations, including the following key services:

Manage 

ment 

Approach 

1015 

· Internet Service Provision (PSN Qualified Provider) 

· Managed Intranet Services 

· e-Mail Services - internal and external (Internet) 

· Hosted web filtering service 

· Secure, Monitored Website Hosting Services 

· Co Location of Customer equipment in Thales Secure Datacentres 

· On-Line storage and backup facilities using the Thales Secure Data Centre. 

Technologies to ensure the integrity and confidentiality of data in the on line 

storage facility and the management of the underlying cryptography can be included in 

this service 

· Internet and Intranet Security Services and Support based on our extensive Cyber 

Security experience 

· Anti Virus / Spyware Protection, Support and Management 

· Firewalls and Secure Gateways between Systems (including at different ILs) 

· On-site Maintenance and Field Service Technical Support activity will be provided 

as determined by site and Service Level needs 

Security is paramount in this section of the Communications Services Lot and the 

Confidentiality, Integrity and Availability (CIA) of data, carried at differing IA levels must 

be adhered to and acknowledged. Thales is expert in the area of data segregation and 

data integrity. Leveraging on Thales expertise in not only the defence Industry but also 

in the commercial sector Thales will ensure the design is fit for purpose as specified in 

the call-off contract with the customer and offers value for money to the 

customer Thales runs multiple customers over its Internet services segregating 

customer data by utilising vendor agnostic appliances. 

These Services can be fully managed or unmanaged and can either be called off on 

a "per use" basis, or as part of longer term bundled usage packages, e.g. "per 

seat". Thales will operate the managed service using ITIL v3 processes, and will provide 

access to user support and service/change ordering through the Thales Service Desk 

and Service Portal (as appropriate). A nominated Thales Service Manager will provide 

the primary business point of contact between Thales and the Customer for Service

Impact 

Levels 

Target 

service 

availability 


hours 


desk 

availability 

1016 

Level Agreements, Performance Reporting and Problem Management, as well as 

providing support and assistance as required to order new services or initiate service 

changes. 

IL0 - IL6 – confirm, and subject to PSN accreditation. 






The Service offered will be 24x7x365. 

Service Desk availability will be 99.999% up time measured on an annual basis. 


Fix times Suitable Service levels will be determined and agreed as part of the System & 





Name 

Authentication & Access Management


Description 

Manage 

ment 

Approach 

Impact 

Levels 

Target 

service 

availability 


hours 


desk 

availability 

1017 

This Service provides Project Management, Secure Authentication and Access 

Management Services and Applications. The service can be delivered as a managed 

solution (which may be part of, or integrated with, an overall Thales Communications 

Services Package) or as a stand alone service. Available services include Identity and 

Credential provisioning and management, including biometric, integration of logical and 

physical access control, strong authentication of both users and transactions, secure 

assured and auditable Web and Application Sign-on using open Federation standards 

(SAML). Our specialist component e-security products (hardware and software) and 

consultancy services can also be provided separately for use in a customer specified 

system and include SafeSign Authentication products and nShield Hardware Security 

Modules. These specialist products have been fully integrated with leading ID and 

Access Management (IDAM) products from leading companies like IBM and Oracle 

Maintenance and Technical Support activity will be provided as determined by site 

and Service Level needs 

These Services range from unmanaged to fully managed and can either be called off 

on a "per use" basis, or as part of longer term bundled service packages. Thales will 

operate the managed service using ITIL v3 processes, and will provide access to user 

support and service/change ordering through the Thales Service Desk and Service 




support and assistance as required to order new services or initiate service changes. 

Thales is able to provide these services across a wide range of Impact Levels, in 

accordance with CESG requirements and PSN policy, and subject to PSN accreditation. 






The Service will be 24x7x365 


Service coverage will be 24/7/365.

1018 


Architecture Design, but may include a graded service (typically Gold – 4 hours fix, 




Name 


Description 

Manage 

ment 

Approach 

Managed Messaging Services 

This Service provides a range of managed messaging and information services, 

including instant and near real-time information services to internal and external (e.g. 

Internet) users. The Service includes the following activities: 

· Supply and configuration of Desktop Messaging Applications and Services 

· Provision of Messaging services via e-mail, including: 

· Bulk Messaging Solutions (internal & External) 

· Auditable (e.g. logged/non-repudiation) Messaging Solutions 

· SMS Messaging Packages & Services (e.g. Broadcast SMS) 

· SMS Paging Services 

· Bulk SMS Messaging Solutions. 

· SMS Cell/Geographic Broadcast Solutions. 

· preparation and delivery of User training packages 

These Services are fully managed and can either be called off on a "per use" basis, 

or as part of longer term bundled usage packages. Thales will provide the managed 

service based on ITIL v3 processes, with access to user support and service/change 

ordering through the Thales Service Desk and Service Portal (as appropriate). A 

nominated Thales Service Manager will provide the primary business point of contact 

between Thales and the Customer for Service Level Agreements, Performance 

Reporting and Problem Management, as well as providing support and assistance as 

required to order new services or initiate significant service changes. Where elements 

of this service are provided by 3rd party providers (e.g. Mobile Operators), Thales will

Impact 

Levels 

Target 

service 

availability 


hours 


desk 

availability 

1019 

manage all aspects of the relationship with these providers. 

Thales is able to provide these services across a wide range of Impact Levels up to 

and including IL3, in accordance with CESG guidelines and PSN policy and subject to PSN 

accreditation. 












to meet individual business needs.. 


Name 

Security Services


Description 

Manage 

ment 

Approach 

Impact 

Levels 

Target 

service 

availability 


hours 


desk 

availability 

1020 

Thales offers a range of Security Services to support the provision of secure 

Communications Services. These include: the provision of Public Key Infrastructure and 

Digital Certificate Services for both devices and users, PKI Bridge and federation 

Services, Secure and non repudiable. Audit and Accountability services, Secure Time 

Stamp services, High Assurance Cryptographic Key Management services and High 

Assurance DNSSEC services. 

These Services range from unmanaged to fully managed and can either be called off 

on a "per use" basis, or as part of longer term bundled service packages. Thales will 

operate the managed service using ITIL v3 processes, and will provide access to user 

support and service/change ordering through the Thales Service Desk and Service 




support and assistance as required to order new services or initiate service changes. 

Thales is able to provide these services across a wide range of Impact Levels, in 

accordance with CESG requirements and PSN policy and subject to PSN accreditation. 

Service Availability of up to 99.999% could be offered subject to the design of the 






Typically Monday to Friday 8am to 6pm, excluding English public 

holidays. Additional Support can be provided as required at additional cost on a 

permanent or ad-hoc basis. 

Fix times A three tier support structure of Gold, Silver or Bronze Service is offered, providing 

varied support response times as appropriate, allowing service costs to be optimised in 

line with business needs

Vodafone Limited 

Vodafone will provide the following Communications Services and Capability Services 

requested in the Lot 1 ITT. 

Lot 1.1 Service Description – Unified Communications Services (Avaya, Cisco, Microsoft 

and Shoretel Premise based IP PBX) 

PSN Service component PSN Service element 

Communications Service - All 

traditional and IP based voice 

services 

Deliverables of the Service 

PSN/GPS Capability Service 

requirements: 

1021 

Vodafone will provide supply, design, deliver and managed 

services for Avaya, Cisco, Microsoft and Shoretel onpremise 

IP-PBX infrastructure. 

Flexible Call Functionality 

Easy Extension Moves 

PC or Desk Phone Interfaces 

Support for Multi-Site or Multi-System estates 

Supply – Yes 

Installation - Yes 

Maintenance – Yes 

Technical architecture - Yes 

System design - Yes 

Service Levels Available: Foundation 

Project management - Yes 

Support for equipment - Yes 

Commodity and managed service – Yes 

Enhanced 

Comprehensive 

Total 

Service Delivery: Vodafone will use our Total Communications Delivery 

Methodology (“TCDM”) to provide the required PSN 

capability services: 

Further Details 

Unified Communication Services

Vodafone’s professional services deliver IP Telephony solutions based on Avaya, Cisco, 

Microsoft and Shoretel IP Telephony equipment. Vodafone’s capability in Avaya is accredited to 

deliver both Avaya Communications Manager and legacy Nortel PBX systems which will allow 

clients to have a single point of services for any multi-platform upgrade requirements. 

Vodafone’s Avaya, Cisco and Microsoft capabilities allow clients to transition away from many 

disparate existing elements of their communications infrastructure to a single integrated 

solution. Vodafone’s Shoretel and Avaya IP-Office solutions provide 50-100 seat remote site 

solutions for smaller departments. 

Vodafone provide the solution design, deployment and transition of IP Communications projects 

and their transition into Vodafone’s assure managed service. 

Users have a choice of interfaces – from traditional desk phones, to ‘soft phone’ clients on 

PCs. 

Users can mix voice calls with Instant Messaging (IM), presence and other UC applications 

on their PC screens – enabling them to improve collaboration and boost productivity. 

We provide extension numbers, hunt groups and a comprehensive range of call handing 

functions – so it’s easier to connect incoming calls to the right destination first time. We 

configure your IP systems to meet your exact needs – and include all the call forwarding, 

voicemail. 

IP or hybrid solutions that ensure any existing non-IP systems can still be reused and integrated 

into a new company-wide deployment. Systems can use IP via Session Internet Protocol (“SIP”) 

connections, or traditional ISDN and analogue lines. 

Service Tier Service Desk 

Support Hours 

Foundation 08:00 – 18:00hrs 

Monday – Friday 

Enhanced 08:00 – 18:00hrs 

Every Day 

Comprehen 

sive 

1022 

Tier 1 remote 

support desk 

24Hrs Support 

Weekdays 

Help desk to help 

desk model 

Total 24Hrs Support 

7 Days a week 

End User Support 

On Site Level 1 

Service Performance & 

Reporting 

Web based user driven 

service reporting 

Monthly Service Review 

meetings 

Monthly Service Reports & 

Performance improvement 

plan 


meetings 



plan 


meetings 



Service Model 

Help desk to help desk 




Optional end user 

service desk or on-site 

support models

1023 

Support Team plan 

Service Governance 

Lot 1.2 Service Description – Vodafone OneNet PSN (Hosted IP PBX) 


Communications Service - All traditional 

and IP based voice services 

available 

A Vodafone hosted IP-PBX platform providing 

centralised control over enterprise voice which 

can be integrated into the customer’s WAN and 

existing on-premise PBX infrastructure. 

Deliverables of the Service Fixed and Mobile convergence 


requirements: 

Single number reach 

Single voicemail 

Single corporate directory 

Full OPEX-based managed service 









Commodity and managed service – No. 

Managed Only 

Enhanced 

Comprehensive 

Total 

Service Delivery: Vodafone will use our Total Communications 

Delivery Methodologyto provide the required 

PSN capability services. 


Vodafone OneNet Business provides options for Single number reach – each user can use 

their existing fixed geographic or mobile number as their single number. We provide a Single

voicemail – rather than having to manage separate fixed and mobile voicemail systems, users 

will have just one single consolidated voicemail box for all calls. This can integrate into a Single 

directory. The service also avoids the need for smartphone handsets as the integration is 

performed in the network. There is no need for users to use specific brands or types of mobile 

handsets. Employees with the most basic mobile handset can take part in the service. 

Full OPEX-based managed service covering design, deployment, management, support and 

reporting. Vodafone OneNet PSN is a managed service where Vodafone provides a complete 

solution from design through to support. 

Integration with Unified Communications. Vodafone OneNet PSN can also be integrated 

with presence-based messaging, conferencing applications and collaborative tools to provide a 

unified communications experience with mobility at the core. Vodafone OneNet PSN will support 

desktop integration with Microsoft and Lotus Unified Communications environments, providing 

click to call and mobile presence integration. Presence – Vodafone OneNet PSN allows users 

to see the status of other users, allowing them to choose the most appropriate way to 

communicate. Presence information is extended out to smart mobile devices, extending 

collaboration to wherever you are. Integrated voicemail – to further unify messaging, the user’s 

voicemail box can be integrated with the enterprise email system to create a single integrated 

inbox for email and voicemail messages. This enables the user to listen, forward and manage 

voicemail messages as they would email – termed as the ‘voicemail to mail’ function. 

The Vodafone unified communication services are securely hosted in Vodafone network centres. 

This provides a solution to support our customers’ UC requirements in a secure, cost-effective way, 

giving maximum flexibility to each customer for provision of their own UC features. The key benefit 

derived from this way of deploying UC applications is that each enterprise’s suite of hosted services can 

be rapidly deployed and flexibly expanded. 

1024 


Support Hours 



Enhanced 08:00 – 18:00hrs Every 

Day 

Tier 1 remote support 

desk 


Performance & 

Reporting 

Web based user 

driven service 

reporting 

Monthly Service 

Review meetings 


Reports & 

Performance 

improvement plan 




Comprehensive 24Hrs Support Monthly Service Help desk to help desk

1025 

Weekdays 


model 


7 Days a week 



Support Team 



Reports & 

Performance 





Reports & 

Performance 



Governance 




support models 

available 

Lot 1.3 Service Description – Vodafone OneNet Enterprise (On-premise IP PBX) 


Communications Service - All traditional and IP 

based voice services 

Vodafone OneNet Enterprise is a 

complete fixed and mobile 

communications solution that 

encompasses your IP-PBX (fixed), 

mobile devices, desk phones, soft clients 

– as well as a SIP link from your IP-PBX 

to our intelligent IP-based mobile 

network. 





PSN/GPS Capability Service requirements: Supply – Yes 

Full OPEX-based managed service 




System design - Yes


1026 



Commodity and managed service – No 

Managed Only 

Enhanced 

Comprehensive 

Total 

Service Delivery: Vodafone will use our Total 

Communications Delivery Methodology 

to provide the required PSN capability 

services. 


The Contracting Authority’s IP-PBX is integrated with the Vodafone network utilising SIP over a 

dedicated managed ethernet connection. This SIP trunk carries both outbound traffic from the IP-PBX 

and inbound traffic from the Vodafone mobile network. The SIP trunk utilises the Vodafone Intelligent 

Network IMS (IP Multimedia Subsystem) (“Vodafone IMS”) platform to route calls and hold a unified dial 

plan alongside the IP-PBX. The IMS platform controls all calls that pass through it and routes calls either 

to the mobile network, to the customer IP-PBX or to Vodafone’s global telephony interconnects as 

required. 

The Vodafone IMS is an all-IP platform, so regardless of the origin of the call – fixed, mobile or 

extending – Vodafone OneNet Enterprise users benefit from a more stable voice quality, reduced postdial 

delay and fewer dropped calls versus traditional IP to TDM conversion products. 

The network-based dial plan means that end users can be equipped with cost-effective mobile 

devices and still enjoy features like extension mobility and extension dialing without a smartphone 

client. 

The components of the OneNet Enterprise solution architecture are unified to provide the following 

end user and corporate communication features: 

• Mobile and Geographic phone number 

– Each user will have a single GSM device, an IP desk phone or both. Numbers will be 

combined with a single geographic and mobile telephone number, allowing users to 

decide which number to publish to customers and advertise, whilst never missing a call. 

• Call Forward.

• Caller Line Identity - Users can control whether to display their fixed or mobile number to people 

they call, settings can be applied to all calls, or adjusted on a per call basis. By default all users will 

display the Mobile CTN as the CLI. 

• Company Main Number. 

• Auto Attendant 

– The Auto Attendant feature provides small businesses with an automated secretary 

style of service, where all inbound calls are automatically answered by a pre-recorded 

message. 

– Call queuing exists only on company level numbers, it allows multiple callers to a hunt 

group, to be queued on hold until an operator is available to take their call, rather than 

routing straight to voicemail. Up to 20 calls can be held in a queue. 

• Data Service. 

• Microsoft Office Lync 

– Instant messaging. 

– Collaboration share point services. 

• The service can be delivered over multiple site locations. 

• IVR solution to manage feature configuration. 

• Online solution for managing user and corporate feature management. 

• Online solution for self service in life management. 

1027 


Support Hours 




Every Day 

Tier 1 remote 

support desk 

Comprehensive 24Hrs Support 

Weekdays 


desk model 


Performance & 

Reporting 



reporting 




Reports & 

Performance 





Reports & 

Performance 






Total 24Hrs Support Monthly Service Help desk to help desk

1028 

7 Days a week 



Support Team 



Reports & 

Performance 



Governance 

Lot 1.4 Service Description – Fixed Network Services 


Communications Service - voice call 

packages, voice minutes, DDI, premium 

rate numbers, non-geographic numbers, 

118 enquiries 

Deliverables of the Service Calls and Lines 


requirements: 

Optional end user service 

desk or on-site support 

models available 

Vodafone has two components under Fixed 

Network Services; Fixed Voice and Fixed Data 

Services. The Fixed Voice Service will provide fixed 

line and mobility solutions incorporating call and line 

rental with select services, internet and broadband 

connectivity, text centre, carrier pre-select, Nongeographic 

numbers and 118 881 offering. The 

Fixed Data Service will deliver Data Fixed Link and 

Business Broadband Services 

Non-Geographic Numbers 

Voice Link 

SIP Connectivity 

118881 

Data Fixed Link 

Business Broadband 






Project management - Yes


1029 



Enhanced 

Comprehensive 

Total 


Delivery Methodology to provide the required 

PSN capability services: 


Fixed Voice Services: 

Our calls and lines service consists of two basic parts – the line which allows access to the 

network and the calls. Vodafone provide Public Switched Telephone Network (“PSTN”) access 

services line rental over standard analogue lines , ISDN2 or ISDN 30 lines– with no minimum 

call charge, no set-up charges and per second billing. Vodafone deliver Direct Dial Inbound 

(DDI) Services with advanced features for call routing, geographic numbering and detailed 

reporting. Vodafone’s fixed line services provide additional services for resilience and 

contingency planning, single service desk, bill consolidation and online bill and standard 

reporting. 

Vodafone’s Select call features are extra services that can be added to a line to provide a 

customer with extra functionality. Standard select services include call diversion, three way 

calling, call barring, call minder service, reminder call, ring back, caller display, call waiting, 

choose to refuse, anonymous call rejection, 1471 extras, call sign, caller redirect, smart diverts, 

selective outgoing call barring and call return. Digital select only services include caller line 

identity presentation and restriction, sub – addressing, permanent incoming and outgoing call 

barring, client and administrator controlled call forwarding, call deflection/waiting/hold and up to 

10 directory numbers to be allocated to one line. 

Vodafone provision of Non-Geographic Numbers – Free phone 0800/0808, Local Rate 0845, 

Low Rate 0844 and National Rate 0870/0871 numbers with Vodafone’s response services that 

allow clients to manage their Non-Geographic Numbers activate intelligent call routing based on 

time of day, date or geographical area from which the call originates. 

Vodafone’s Directory Assistance number is 118 881 offering UK business and residential fixed 

line numbers (a maximum of 2 numbers per call) and a through connect to UK business and 

residential fixed line number. 

Voice Link – connectivity between site PBX and the Vodafone network for calls to and from mobiles. 

Calls are routed via virtual or dedicated fixed links, reducing the cost of call charges to your mobiles.

SIP Connectivity – SIP connectivity between PBX and the PSTN. Enables intelligent traffic 

routing, providing greater flexibility and resilience. 

Fixed Data Services: 

Data Fixed Link – dedicated and virtual connections directly to the Vodafone network, providing a 

highly secure and reliable way of connecting mobile devices to applications hosted in a corporate 

network. By using a fixed data link connection to a Private APN (see Remote Access), information from 

mobile devices never touches the internet. 

Business Broadband –internet connectivity for home workers and small offices. These services are 

dedicated to business use, with high levels of security and support. Vodafone offer multiple features 

which includes unlimited downloads and “plug and play” routers that enable multiple users through one 

connection. Vodafone broadband offering can also supply a static IP address to support running a 

website, enabling remote access or running an FTP server. 

1030 


Support Hours 

Foundation 24Hrs Support 

7 Days a week 


Enhanced 24Hrs Support 

7 Days a week 



7 Days a week 



7 Days a week 



Performance & 

Reporting 



reporting 




Reports & 

Performance 





Reports & 

Performance 





Reports & 

Performance 



Governance 






Optional end user service 

desk or on-site support 

models available

Lot 1.5 Service Description – Vodafone Collaboration Services 


Communications Service – Audio conferencing, 

desktop video conferencing, collaborations tools 

and web conferencing. 

1031 

Vodafone supplies, installs and maintains 

Polycom, Avaya and Microsoft desktop 

audio and video conferencing equipment 

using Vodafone Unified Communications 

Services, implemented using TCDM. 

Vodafone provide the following Web 

Conferencing Services; Vodafone Unified 

Meeting, Microsoft® Lync Online, Cisco 

WebEx Web Conferencing, Cisco WebEx 

Meeting Center, Adobe Acrobat Connect 

Pro. 

Deliverables of the Service Vodafone will provide Vodafone 

Collaboration Services– this includes: 

PSN/GPS Capability Service requirements: Supply – Yes 

audio conferencing 

desktop video conferencing 

collaboration tools 

web conferencing 

integrated to the desktop to allow support of 

meeting up to 500 attendees 








Commodity and managed service – No 

Managed Only 

Enhanced

1032 

Comprehensive 

Total 

Service Delivery: Vodafone will use our Total 

Communications Delivery Methodology to 

provide the required PSN capability 

services. 


Vodafone supplies, installs and maintains Polycom, Avaya, Cisco and Microsoft desktop audio and 

video conferencing equipment using Vodafone Unified Communications Services, implemented using 

Total Communications Deployment Methodology. Vodafone provide the following Web Conferencing 

Services; Vodafone Unified Meeting, Microsoft® Lync Online, Cisco WebEx Web Conferencing, Cisco 

WebEx Meeting Center, Adobe Acrobat Connect Pro. 

Vodafone’s collaboration toolset are designed to support meetings of less than 500 attendees. 

All Web conferencing services integrate data, voice and video content within a standard web 

browser so you can conduct real-time meetings over the internet. Vodafone’s collaboration 

solutions will support Document Sharing, Support for Microsoft® PowerPoint Animation and 

Transitions, Multimedia Content Sharing, Application Viewing, Application Sharing and Desktop 

Collaboration with Remote Control, QuickStart Screen, File Transfer, Video and Webcam 

support, Multipoint Video Integration, Polling, Record, Edit and Play Back Meetings, Schedule 

Meeting Wizard , One-Click Meetings , Auto Play Presentations, Note Taking Panel, Meeting 

Transcripts, Floating Icon Tray, Microsoft Office and Outlook / Lotus Notes Integration, 

Customised audio pop-up within meeting, Mobile Meetings (IOS, Android, Blackberry), 

Localised invitations, Additional language support, Global join, Auto detect browser language, 

Time zone interface enhancements, on Call Identification in Participant panel, On Call 

Identification reconciliation, Toll & Toll-Free, Conference Access Numbers, Participant Callback, 

Active Speaker notification. 

Service Tier Service Desk Support 

Hours 




Day 


desk 


Performance & 

Reporting 



reporting 




Reports & 

Performance 



desk 

Help desk to help desk


Weekdays 

1033 


model 


7 Days a week 


On Site Level 1 Support 

Team 





Reports & 

Performance 





Reports & 

Performance 



Governance 

Lot 1.6 Service Description – Vodafone Mobile and Data Services 


Communications Service – Internet 

Services, email and website services, colocation 

and hosting and on-line storage. 



desk 




available 

Vodafone’s email and website services offer 

standard and professional levels for bandwidth 

provision, domain name, FTP access, web 

space with simple builder tools. 

Deliverables of the Service Vodafone will provide Vodafone Mobile and 

Data Services – this includes: 


email and website services 

co-location and hosting for Unified 

Communications, Email, and Blackberry 

on-line storage for Unified 

Communications, Email, and Blackberry 

Additional Services: 

Vodafone’s email and website services offer 

standard and professional levels for bandwidth 

provision, domain name, FTP access, web 

space with simple builder tools.


requirements: 

1034 









Commodity and managed service – No. 

Managed Only 

Enhanced 

Comprehensive 

Total 





Vodafone Mobile and Data Services customers will be able to view and share the content from their 

account via the web browser of a PC, laptop or netbook in the future; reducing the need to transfer 

content from one device to another Vodafone is offering a range of Hosted Services - Email, Web and 

Domain Names to complement our existing products and services. Vodafone also offer Office 365 which 

is a hosted, cloud-based IT email and website solution that combines Microsoft’s suite of 

communication tools with Vodafone’s telephony and connectivity services which is designed for 

organisations with 5-200 employees. Vodafone has formed a strategic partnership with Decho 

Corporation, a wholly owned subsidiary of EMC, to develop a range of cloud-based services for 

businesses that includes the ability to securely backup work-related or personal digital content from 

their computer to a remotely hosted site. 

. 

Service Tier Service Desk Support 

Hours 




Performance & 

Reporting 





desk


Day 

1035 


desk 


Weekdays 


model 


7 Days a week 


On Site Level 1 Support 

Team 

reporting 




Reports & 

Performance 





Reports & 

Performance 





Reports & 

Performance 



Governance 

Lot 1.7 Service Description – Vodafone Internet Security Services 


Communications Service – Security 

services, antivirus, email scanning and 

filtering, firewalls, intrusion and spyware 

detection, authentication and application 

sign- on services 


desk 


desk 


desk 




available 

Vodafone’s Secure Remote Access (VSRA) is a 

policy based desktop security application that 

provides remote worker secures access to 

centralised documents held on the organisation’s 

internal network. VSRA provides a policy 

management platform for Data Leak Prevention by 

controlling access policies and configurations for 

laptop security and connectivity services. 





Full OPEX-based managed service


requirements: 

1036 









Commodity and managed service – No Managed 

Only 

Enhanced 

Comprehensive 

Total 


Delivery Methodology (TCDM) to provide the 

required PSN capability services. 


Fixed and mobile convergence delivering the same PBX functionality to desk phone, 

softphone and mobile users alike. This provides options for Single number reach – each user 

can use their existing fixed geographic or mobile number as their single number. Vodafone 

provide a Single voicemail – rather than having to manage separate fixed and mobile 

voicemail systems, users will have just one single consolidated voicemail box for all calls. This 

can integrate into a Single corporate directory. The service also avoids the need for 

smartphone handsets as the integration is performed in the network, there is no need for users 

to use specific brands or types of mobile handsets. Users with the most basic mobile handset 

can take part in the service. 

Full OPEX-based managed service covering design, deployment, management, support and 

reporting. Vodafone OneNet Global Enterprise is a managed service where Vodafone provides 

a complete solution from design through to support. 

Integration with Unified Communications. Vodafone OneNet Global Enterprise can also be 

integrated with presence-based messaging, conferencing applications and collaborative tools to 

provide a true unified communications experience with mobility at the core. Vodafone OneNet 

Global Enterprise will support desktop integration with Microsoft and Lotus Unified 

Communications environments, providing click to call and mobile presence integration.

Presence – Vodafone OneNet Global Enterprise allows users to see the status of other users, 

allowing them to choose the most appropriate way to communicate. Presence information is 

extended out to smart mobile devices, extending collaboration to wherever you are. Integrated 

voicemail – to further unify messaging, the user’s voicemail box can be integrated with the 

enterprise email system to create a single integrated inbox for email and voicemail messages. 

This enables the user to listen, forward and manage voicemail messages as they would email – 

termed as the ‘voicemail to mail’ function. 

The Vodafone unified communication services are securely hosted in Vodafone network centres 

using the Cisco Unified Computing Solution and are virtualised using VMware technology. This 

provides a solution to support our customers’ UC requirements in a secure, cost-effective way, 

giving maximum flexibility to each customer for provision of their own UC features. The key 

benefit derived from this way of deploying UC applications is that each enterprise’s suite of 

hosted services can be rapidly deployed and flexibly expanded. The virtualised environment can 

also support the latest version of Cisco Unified Communication applications, meaning no 

‘feature lag’ when compared to on-premise alternatives. 

There are a number of core Cisco components which Vodafone has brought together to deliver 

the key features of the service. The technology utilised includes: 

Cisco Unified Communications Manager (CUCM) delivering call control for the customer’s 

estate 

Cisco Unity Connection providing single, integrated subscriber messaging. 

Cisco Unified Presence Server adding rich, presence capabilities to end-devices. 

Cisco Unified Operation Manager – part of the solution management suite. 

1037 


Support Hours 




Day 


desk 


Weekdays 


Performance & 

Reporting 



reporting 




Reports & 

Performance 






desk 

% Service Uptime 

Target MTBF (active 

redundancy) 

Target MTTR (time 

to restore) 


Target MTBF (active

1038 


model 


7 Days a week 



Support Team 


Reports & 

Performance 





Reports & 

Performance 



Governance 

Lot 1.8 Service Description – Vodafone Application Service 


Communications Service – Messaging 

Services, real time information services, 

desktop messaging, messaging via email, 

SMS, pager and mobile fixed line 

telephone. 

redundancy) 

Target MTTR (time 

to restore) 


Target MTBF (active 

redundancy) 

Target MTTR (time to 

restore) 

Vodafone’s Application Services deliver realtime 

messaging and control solutions that are 

focused on mobile, and remote based users 

under its Field Based Management solution 

portfolio. 

Deliverables of the Service Vodafone will provide Vodafone Application 

Services – this includes 


requirements: 

messaging services 

desktop messaging 

messaging via email 

SMS 

pager and mobile or fixed line telephone 

Automated communication 

real time information services 




Technical architecture - Yes

1039 






Enhanced 

Comprehensive 

Total 





Vodafone Application Services: 

Vodafone’s Application Services are focused on mobile, and remote based users under its Field 

Based Management solution portfolio. Field Service Management solutions from Vodafone offer a set 

of tools to plan, schedule, automate, optimise, dispatch and analyse work activity in the field. 

Our solutions are purpose designed for fast deployment, and scalable to allow you to increase 

capability or add functionality should your needs change. Field Service Management solutions from 

Vodafone are fully mobile-enabled and can be deployed across a range of mobile networks on various 

handheld devices. Automated communication using multiple messaging platforms with field workers to 

allow real-time information and situation management at the point of service delivery, overcoming 

traditional time delays and revisits. 

Vodafone’s Field based management solution focuses on workflow process automation from 

work creation through to completion, resource planning and appointment booking, scheduling 

automation and optimisation with street level routing, automated dispatch, seamless 

connectivity with field technicians through fully integrated mobile capability which includes web 

and application sign on services; messaging services; real time information services; desktop 

messaging, GPS tracking and navigation, job tracking and SLA jeopardy management, accurate 

parts track-and-trace, timesheet process automation, service intelligence and decision support. 


Support Hours 



Service Performance 

& Reporting 



reporting 



desk


Every Day 

1040 

Tier 1 remote 

support desk 


Weekdays 


desk model 


7 Days a week 



Support Team 


meetings 


Reports & Performance 



meetings 





meetings 




Service Governance 




desk 




available

1 PSN Services Service Descriptions - Government Procurement ...

Create successful ePaper yourself

Delete template?

Save as template?