
Page 1: Technology Standards for Service Providers – Part 2 (Specific Obligations)

© 2008 Page 1 of 90

Please ensure you are using the current version of the document, which is located on gateway at http://guidelines.gateway.bbc.co.uk/dq/is/requirements.shtml#specificobs and on bbc.co.uk at http://www.bbc.co.uk/guidelines/dq/contents/information_security.shtml#Framework

Technology Standards for Service Providers – Part 2 (Specific Obligations)

DQ Status: BBC Standard

DQ Content Authority: Head of Information Security Strategy and Principal Technologist Business Continuity (Andy Leigh)

Contact(s) for Help: Andy Leigh

Description: This paper provides incumbent and prospective service providers, both internal and 3rd party, with information to enable them to provide services in a manner compliant with the BBC’s current and future technology roadmaps. There are two parts to the framework. Part 1 (a separate document) covers elements of services that are common across all streams of compliance; in many cases these provisions are to do with the governance of the service. Unless otherwise stated in a specific Part 2 section, the requirements in Part 1 apply throughout the framework. Part 2 (this document) covers elements that are related to the three primary compliance streams: Presentation, Security & Continuity and Interoperability.

DQ Reference: Is_17_06; Version: 1.6.0; Date: 18/03/2008; Last Reviewed: Mar 2008

Who reviewed: Name can be entered here or refer to a list in the appendix

Key Words: DQ; Quality Assurance

Page 2: Technology Standards for Service Providers – Part 2 (Specific Obligations)

Confidential. Single Services Framework Technology Standards for Service Providers – Part 2, Version 1_6 / 18/03/08

Single Services Framework Technology Standards for Service Providers – Part 2 (Specific Obligations)

1 Introduction

This paper provides incumbent and prospective service providers, both internal and 3rd party, with information to enable them to provide services in a manner compliant with the BBC’s current and future technology roadmaps. This is being delivered as part of the BBC’s Single Services Framework (SSF). The main goal of SSF is to help service partners build compliant services from the start, and to ensure the eventual conformance of existing services over time. Existing services need to transition to the SSF policies, principles and requirements through appropriate change management. New services are expected to comply with SSF at commencement, so compliance must be considered during the vision, planning and implementation stages.

As such, the BBC expects to see these principles manifested in strategies, future roadmaps and service architectures. It is accepted that terminology may differ, but it is expected that similar concepts and principles in a Service Provider’s strategic roadmap can be correlated back to the concepts and approach outlined within the SSF.

The BBC requires the Service Provider to ensure it understands the concepts, principles and standards, and how they apply to the services covered by the contract or the ongoing service provision, to aid the development of the terms and conditions and the Service Level Agreements that will govern delivery of the service.

2 Document Framework

There are two parts to the framework. Part 1 (a separate document) covers elements of services that are common across all streams of compliance; in many cases these provisions are to do with the governance of the service. Unless otherwise stated in a specific Part 2 section, the requirements in Part 1 apply throughout the framework. Part 2 (this document) covers elements that are related to the three primary compliance streams: Presentation, Security & Continuity and Interoperability.

Security & Continuity

Standards and principles related to ensuring the continuity, security and integrity of information, system, and services.

Presentation

Standards related to the mechanism for delivery of services to the end user, including platform support, real-time collaboration and aspects of user interface.

Interoperability

Standards related to interoperability between services and systems.

Such specific services must either be directly supplied by the Service Provider or be supplied in partnership with (or subcontracted to) the BBC’s principal technology Service Provider – Siemens IT Solutions and Services (SIS).

2.1 Service Provider response and “states”

For the purposes of the SSF, a “Service Provider” may be an internal BBC body or external commercial party.

The BBC expects the Service Provider to consider the contents of this document and state whether they can comply with each specific requirement as set out below. The Service Provider will either be Compliant, Partially compliant or Not-compliant. The Service Provider should fill in the tables in each section as part of their response to an ITT, RFP, or as a statement of compliance for any other new or existing agreement to provide services to any part of the BBC. When a Service Provider responds to state they are compliant, the BBC expects the Service Provider to have fully understood the financial, technical and governance impacts of compliance and to have accounted for this in their response.

Where compliance is time-dependent or where the Service Provider maintains, or takes on under a contract, a system or service that is known (or assumed) to be non-compliant and for which there is a class or specific dispensation, the Service Provider will make it clear at which point during the life of the service compliance will be attained. By default there are three states to consider, each at a different point in the service life:

• T1 represents the state as at 0 months, i.e. at the point of service review, renewal or contract signing;

• T2 represents the state as at 24 calendar months from service review, renewal or contract signing;

Page 4: Technology Standards for Service Providers – Part 2 (Specific

Confidential Single Services Framework Technology Standards for Service Providers – Part 2

Version 1_6 / 18/03/08 Page 4 of 90

• T3 represents the stable operation state, as at 36 months after service review, renewal or contract signing.

The “state periods” above (i.e. 0, 24, 36 months) are suggested to apply to all sections of the service. The Service Provider may propose alternative state periods which might better represent the duration and nature of the service. Variations to state periods can be separately agreed with the BBC (as the customer of the service) and must be clearly stated in this response.

The Service Provider, in their submission should fill in their expected compliance situation (Yes = “Y”, No = “N”, Partial = “P”) for the state at each time point (T1 and T2 and T3). The Service Provider must also supply some narrative to explain their response. All columns must contain a response. As an example:

Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

N | P | Y | NewCo will not be able to meet this requirement until two years post contract signing due to the current changes in International Standards |

The Service Provider should also consider how best to measure compliance or delivery of the service. In some cases, a service may not be measurable, in which case the Service Provider should indicate this in the relevant table. If the service is measurable, the Service Provider must describe the methodology and frequency of the measure. Please see the example below:

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)

Y | The Service Provider will record counts of all successful transactions and all transactions that generate an error code. The Service Provider will escalate to the BBC whenever the percentage of errored transactions exceeds 2% in any calendar month | Captured continuously with escalation (if required) once per calendar month |

2.2 Services Framework Part 2 – Specific obligations

The Services Framework Part 2 covers the more detailed requirements aligned with the governance principles set out in Part 1 [Document Ref: 2008-03-18_Technology Standards Part 1 (Compliance) v1_6.doc].

Respondent Details:

Name (company name or BBC body) | Contact address | Contact email | Date of response | BBC contact (if 3rd party respondent)

If you wish to propose revised state periods (e.g. T1, T2, T3), please amend the form below (explaining in the comment section your reasons):

State Period | Value | Comment

T1 | 0 months | BBC proposed default

T2 | 24 months | BBC proposed default

T3 | 36 months | BBC proposed default

3 Security service requirements

The following sections refer to specific service requirements for Information Security.

3.1 Risk management for Information Security risks

Summary: The Service Provider must operate a risk-based approach to system development and deployment

3.1.1 Impact analysis process

The Service Provider must determine the impact of an event or development on each system.

Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

3.1.2 Likelihood analysis process

The Service Provider must analyse the likelihood of an event or development affecting a system.

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)


Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

3.1.3 Risk v benefit decision process

The Service Provider must inform the BBC of the impact and likelihood of an event or development affecting a system and advise the BBC of the risk versus benefit of deployment, change or maintaining the status quo.

Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

3.1.4 Risk process operation & integration with the BBC

The Service Provider must be able to understand and suggest improvements to the BBC’s risk-management processes.

Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)


3.1.5 Processing of unmanaged Security Risks

The Service Provider must monitor risks for which there are no known mitigations and, on a quarterly basis, inform the BBC manager responsible for handling each such risk of its status.

Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

3.2 Security reviews (audit) and penetration tests

Summary: The Service Provider must assist with any security reviews that the BBC commissions into the facilities provided as part of the contract. The Service Provider must monitor logs and alarms; it must be able to detect changes and additions to the infrastructure and must also be prepared to regularly self-audit its own facilities.

For the avoidance of doubt, “audit” can include the following:

Compliance Audit - refers to the checking, testing, auditing etc. that the Service Provider will perform on themselves.

BBC Internal Audit - refers to the work that the BBC’s Internal and System Auditors do to check the BBC’s way of working (including the Service Provider’s application of the contract)

External Audit – that service performed to ensure the BBC is compliant within the laws and the charter.

3.2.1 System review and audit compliance

The Service Provider must comply with any system review requested by the BBC. The Service Provider must advise on any system that needs reviewing.

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)


Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

3.2.2 Penetration Test compliance

The Service Provider must comply with any request by the BBC or a third-party employed by the BBC to perform planned or change-driven penetration tests. The Service Provider must also advise on good penetration test methodologies.

Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

3.2.3 BBC engagement of 3rd parties for testing

The BBC will engage third parties to perform independent analysis and penetration tests against systems. The Service Provider must accept the BBC’s decision on penetration test companies.

Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)


3.2.4 Compliance with BBC commissioned ad hoc penetration tests

The Service Provider must comply with (and, if necessary, assist) the third party performing a BBC-commissioned ad hoc penetration test. Such tests will not be carried out more than once a month on average.

Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

3.2.5 Real-time log and audit-trail monitoring

The Service Provider must operate a real-time audit-trail and log-monitoring process. This system must be able to interface to existing monitoring and asset register systems operated by the BBC and/or the BBC’s principal technology services provider – SIS. The baselines and thresholds must be agreed with the BBC; exceptions must be reported to BBC Information Security and reviewed by the BBC’s audit representatives on a regular basis (at least once every month).

Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)


3.2.6 Monitoring of changes and additions to the infrastructure or the services provided

The Service Provider must build and operate a solution that detects changes to the infrastructure or services provided and records and reports on the types of devices and systems attached. The Service Provider must report on a regular basis (at least once every month) which systems have been added or removed without change-management processes being run. This system must be able to interface to existing monitoring systems operated by the BBC’s principal technology services provider – SIS.

Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)
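Worked example (added for this edition; it is not part of the BBC standard and not SIS tooling): one way to produce the monthly report required in 3.2.6, by diffing two asset-register snapshots and matching every difference against the approved change records, so that anything without a record is listed as an unmanaged change. The snapshot format, hostnames, hardware identifiers and ticket identifiers are constructed for illustration; a real deployment would read them from the monitoring and asset-register feeds.

```python
# Added example, not part of the BBC standard: report assets added to, removed
# from or swapped in the estate without an approved change record (3.2.6).
# Snapshot contents, hostnames and ticket ids below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, Tuple[str, str]]   # hostname -> (hardware identifier, device type)

# Constructed asset-register snapshot from the previous reporting period.
PREVIOUS_SNAPSHOT: Snapshot = {
    "web01": ("00:11:22:33:44:01", "server"),
    "web02": ("00:11:22:33:44:02", "server"),
    "sw-core-1": ("00:11:22:33:44:10", "switch"),
    "printer-3f": ("00:11:22:33:44:20", "printer"),
}
# Constructed snapshot for the current period.
CURRENT_SNAPSHOT: Snapshot = {
    "web01": ("00:11:22:33:44:01", "server"),
    "web02": ("de:ad:be:ef:00:02", "server"),          # same name, different hardware
    "web03": ("00:11:22:33:44:03", "server"),          # added, covered by a ticket
    "sw-core-1": ("00:11:22:33:44:10", "switch"),
    "laptop-x": ("de:ad:be:ef:00:01", "workstation"),  # added, no ticket
    # printer-3f is gone, no ticket
}
# Constructed change-management records; only these actions are sanctioned.
CHANGE_RECORDS = [
    {"id": "CHG-1001", "action": "add", "asset": "web03"},
    {"id": "CHG-1002", "action": "replace", "asset": "web02"},
]


@dataclass(frozen=True)
class Finding:
    action: str                 # "add", "remove" or "replace"
    asset: str
    identifier: str
    kind: str
    change_id: Optional[str]    # None means no change record covers it


def diff_inventory(previous: Snapshot, current: Snapshot, change_records) -> List[Finding]:
    """One Finding per difference between the snapshots, matched to change records."""
    approved = {(r["action"], r["asset"]): r["id"] for r in change_records}
    findings = []
    for name in sorted(current.keys() - previous.keys()):
        ident, kind = current[name]
        findings.append(Finding("add", name, ident, kind, approved.get(("add", name))))
    for name in sorted(previous.keys() - current.keys()):
        ident, kind = previous[name]
        findings.append(Finding("remove", name, ident, kind, approved.get(("remove", name))))
    # Same hostname but a different hardware identifier: a device was swapped.
    for name in sorted(current.keys() & previous.keys()):
        if current[name][0] != previous[name][0]:
            ident, kind = current[name]
            findings.append(Finding("replace", name, ident, kind, approved.get(("replace", name))))
    return findings


def unmanaged(findings: List[Finding]) -> List[Finding]:
    """The subset to escalate: changes made without change management."""
    return [f for f in findings if f.change_id is None]


def monthly_report(findings: List[Finding]) -> str:
    rows = []
    for f in findings:
        status = "covered by " + f.change_id if f.change_id else "NO CHANGE RECORD"
        rows.append(f"{f.action:8}{f.asset:12}{f.kind:12}{f.identifier:18}{status}")
    rows.append(f"{len(unmanaged(findings))} unmanaged change(s) this period")
    return "\n".join(rows)


if __name__ == "__main__":
    print(monthly_report(diff_inventory(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT, CHANGE_RECORDS)))
```

The comparison is keyed on hostname but also watches the hardware identifier, since a device replaced under an existing name is exactly the kind of change that bypasses an inventory that only counts names.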

3.2.7 Security reviews on behalf of the BBC

The Service Provider must regularly and also at the BBC’s request, perform compliance reviews on the estate for which the Service Provider is responsible. A total review of the whole contracted estate must take place no less frequently than 4 times per year.

Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

3.3 Standards and policies for Cryptographic use

Summary: The Service Provider must comply with BBC policies regarding cryptography, including when to use it and the appropriate strength for the task

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)


3.3.1 BBC approval for the use of cryptography

The Service Provider must get approval from the BBC Information Security Manager whenever cryptographic products are proposed as part of a service.

Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

3.3.2 Cryptographic product approval

The Service Provider must get approval from the BBC Information Security Manager when implementing any product that uses cryptographic technology. The products should be compatible with those adopted by the BBC and also by the BBC’s technology services provider, SIS.

Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

3.3.3 Key length and strength

The Service Provider must agree key lengths for different applications and solutions with the BBC Information Security Team. Typical acceptable general values for symmetric encryption (128-bit SSL/TLS cipher suites, Triple-DES, AES) are keys of 128 bits or more; highly sensitive data should use 256-bit keys. Typical acceptable key lengths for asymmetric encryption (PKI) are 1024 bits or more; highly sensitive data should use 2048-bit keys.

Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)

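Worked example (added for this edition; it is not part of the BBC standard): a check of a cryptographic inventory against the floors stated in 3.3.3. The inventory lines, service names and the service=/alg=/bits= field format are constructed. The check deliberately goes one step beyond the wording of 3.3.3 by comparing effective strength rather than nominal key size, so that Triple-DES, which yields at most about 112 bits of security from its 168-bit key (and about 80 bits from a two-key 112-bit one), is not counted as meeting the 128-bit floor; the floors themselves are the ones in the text and are held as parameters so they can be raised when the agreed policy moves on.

```python
# Added example, not part of the BBC standard: check a cryptographic inventory
# against the key-length floors in 3.3.3. Inventory lines and service names are
# constructed. Triple-DES is scored by effective strength (meet-in-the-middle
# bound: ~112 bits for three-key, ~80 bits for two-key), which is stricter
# than the nominal key length the text speaks of.
from dataclasses import dataclass
from typing import List, Tuple

# Floors from 3.3.3, in bits: "normal" data vs "high" (highly sensitive) data.
POLICY = {
    "symmetric":  {"normal": 128, "high": 256},
    "asymmetric": {"normal": 1024, "high": 2048},
}
# "TLS" here stands for the symmetric key of a negotiated TLS cipher suite.
FAMILY = {
    "AES": "symmetric", "3DES": "symmetric", "TLS": "symmetric",
    "RSA": "asymmetric", "DSA": "asymmetric", "DH": "asymmetric",
}


def effective_strength(alg: str, key_bits: int) -> int:
    """Security actually delivered by a nominal key size. Only Triple-DES is
    adjusted here; other algorithms are taken at their nominal size."""
    if alg == "3DES":
        return 112 if key_bits >= 168 else 80
    return key_bits


@dataclass(frozen=True)
class Finding:
    service: str
    alg: str
    key_bits: int
    sensitivity: str
    effective: int
    required: int

    @property
    def compliant(self) -> bool:
        return self.effective >= self.required


def parse_inventory(text: str) -> List[Tuple[str, str, int, str]]:
    """Parse constructed 'service=... alg=... bits=... [sensitivity=...]' lines."""
    rows = []
    for line in text.strip().splitlines():
        kv = dict(tok.split("=", 1) for tok in line.split())
        rows.append((kv["service"], kv["alg"].upper(), int(kv["bits"]),
                     kv.get("sensitivity", "normal")))
    return rows


def check(rows) -> List[Finding]:
    findings = []
    for service, alg, bits, sens in rows:
        required = POLICY[FAMILY[alg]][sens]
        findings.append(Finding(service, alg, bits, sens, effective_strength(alg, bits), required))
    return findings


def non_compliant(findings: List[Finding]) -> List[str]:
    """Services whose effective strength is below the floor for their sensitivity."""
    return [f.service for f in findings if not f.compliant]


# Constructed inventory of cryptographic uses across a hypothetical estate.
SAMPLE_INVENTORY = """
service=payroll-db alg=AES bits=256 sensitivity=high
service=intranet-tls alg=TLS bits=128
service=legacy-vpn alg=3DES bits=168
service=partner-ca alg=RSA bits=1024 sensitivity=high
service=web-cert alg=RSA bits=2048
"""

if __name__ == "__main__":
    for f in check(parse_inventory(SAMPLE_INVENTORY)):
        verdict = "ok" if f.compliant else "BELOW FLOOR"
        print(f"{f.service:14}{f.alg:5}{f.key_bits:5}b  effective {f.effective:4}b  "
              f"required {f.required:4}b  {verdict}")
```

On the constructed inventory the 168-bit Triple-DES VPN and the 1024-bit RSA key protecting highly sensitive data are the two items flagged; the 2048-bit web certificate and the 128-bit TLS suite on ordinary data pass.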

3.3.4 Key management processes

The Service Provider must propose and get agreement on how it will manage the key creation, exchange and destruction processes. It must securely manage this process. User keys will be stored (if applicable) on the SmartCards supplied and managed as part of the strategic Identity and Access Management project being supplied to the BBC by SIS.

Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

3.3.5 When to use cryptographic tools

The Service Provider must use strong cryptography when processing or storing any sensitive or personal material. The Service Provider must use strong cryptography when processing or storing any financial material. Cryptography must be used whenever untrusted networks or platforms are utilised.

Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)


3.3.6 Key escrow to the BBC

The keys used in any cryptographic primitive must be stored by the BBC’s Information Security team to enable key escrow.

Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

3.4 Perimeter security policies and architectures; 3rd-party and telecoms connections

Summary: unsecured connections must not be used when servicing the contract. When servicing facilities, which are connected to the BBC’s infrastructure, the Service Provider must only connect (to non BBC infrastructure) via SIS-provided BBC standard firewalls. When supplying services from non-BBC locations or networks, the Service provider must only connect via commercial-grade firewall products and must satisfy the BBC that the strength is sufficient for the task. All outgoing transactions must be checked for policy and all incoming transactions must be sanitised, preferably via a two-phase process. The Service Provider must comply with the BBC’s policies and recommendations for outsourcing and separation.

3.4.1 Direct connections to 3rd-parties and the Internet are not permitted

The Service Provider must not directly connect any BBC-owned plant (or plant operated on behalf of the BBC by SIS) to the Internet or any 3rd-party. Similarly, the Service Provider must not directly connect any non-BBC-owned plant to the Internet or any 3rd-party whilst it is also connected to any BBC-owned plant (or plant operated on behalf of the BBC by SIS). Any 3rd party or Internet connection must be through SIS managed firewall services and must be at the specific approval of the BBC’s Information Security Management team.

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)

Where the Service Provider will be storing or processing BBC information assets on their own (or a subcontractor’s) plant, they must connect to the Internet or 3rd-parties via a suitably strong firewall solution, the design of which the BBC’s Information Security Team (or its approved advisors) must first be able to audit and, in extremis, veto. The BBC reserves the right to regularly audit the solution and will expect to be allowed access to current rulesets (or similar) that enable the protection.

Between BBC information and any system storing and processing non-BBC information, there must be a fit-for-purpose stateful packet-inspection, proxy-based or application-level firewall supporting the following principles:

• The design must be as simple and small as possible

• The default configuration should be “all access is denied unless specifically approved”

• Every access to every object should be checked for authority

• The design must be open and not depend on obscurity for its security

• It must be configured and operated on the “four-eye” principle where all changes are cross-checked

• Every function or user of the firewall should operate using the least set of privileges necessary to complete the job

• The equipment or software common to more than one connection and depended on by all connections or transactions should be minimised

• The solution must be easy enough to use such that work-arounds are not instigated by users

Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

3.4.2 “Separation” and ongoing support

Following the contract award, the BBC expects some systems and most staff currently involved in the provision of this service to move off the BBC systems (email, telephony, filestore, office automation, authentication etc.) and onto similar systems supplied and owned by the Service Provider. There will need to be ongoing direct communications between the Service Provider and the BBC. The Service Provider must work with the BBC and the BBC’s technology service provider, SIS, to ensure that the solution is secure both for the BBC and also for the Service Provider. The BBC expects the Service Provider to purchase, construct and operate any facilities needed to service and protect their estate, to connect to the BBC and also to protect any information that they store and process on the BBC’s behalf. The Service Provider should explain how they intend to perform this task.

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)

Where BBC information is stored on 3rd party systems its protection must still meet the BBC’s Information Security policies, and so the BBC reserves the right to review designs (and in extremis veto connections based on those designs).

The BBC has made available a document describing in considerably more depth how the BBC expects outsourced facilities and separation to take place. This document, entitled “The BBC’s requirements for the technical aspects of outsourcing and separation”, is available in the data room and will also be supplied with this document. If the Service Provider does not have a copy, they should contact the BBC. In order to be compliant with this section (3.4.2), a Service Provider will need to have read and agreed to the approach that the BBC describes in the specified document.

Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

3.4.3 Data and telephony links between the BBC and the Service Provider

The Service Provider will need to pay for the installation and operation of data and telephony links between their properties and the BBC.

The BBC is moving towards an IP-Telephony based solution, but until further notice, it will only support TDM-based connectivity between itself and a 3rd-party. The Service Provider will need to pay for the installation and operation of a TDM-based telephony connection from their premises to one or more of the BBC’s major London sites (e.g. Television Centre or Broadcasting House) or to the BBC’s network flexibility points (including its Internet connectivity sites).

The Service Provider will need to pay for the installation and operation of IP-supporting, secure data connections between their properties and one or more of the BBC’s major London sites (e.g. Television Centre or Broadcasting House) or to the BBC’s network flexibility points (including its Internet connectivity sites). The BBC would normally expect this link to be encrypted and signed using keys owned exclusively by the Service Provider. The BBC does not accept network-level virtualisation (e.g. VLANs, MPLS etc.) as being secure.

Will this service be measured (Y/N)? | How will the service be measured? | How frequently will the service be measured? | Notes (BBC use only)


Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

3.4.4 The default model: outwards policy-enabled push & inwards sanitising get

The BBC’s current default policy for connections to non-BBC locations and systems servicing information other than the BBC’s is to adopt an outwards “push” and inwards “get”. This means that 3rd parties cannot directly obtain information from systems processing BBC information. Neither can they push information directly onto systems processing BBC information. This ensures that information can have outwards policies applied (including editorial policies) and can be “sanitised” inwards.

When operating within the BBC estate, the Service Provider must therefore supply and operate information systems that allow information to be securely pushed (via the SIS-provided BBC perimeter protection) outwards to suppliers, contracted third-parties and customers. The Service Provider must ensure that information does not leave the BBC in any other manner.

The Service Provider must also, when on the BBC estate, supply and operate information systems that allow information to be securely pulled (via the SIS-provided BBC perimeter protection) from systems operated by suppliers, contracted third-parties and customers. The Service Provider must ensure that information does not enter the BBC in any other manner.

When the Service Provider stores or processes BBC information on a non-BBC site (or on devices that serve other, non-BBC, users), that information must be similarly protected from systems storing and processing non-BBC information. BBC information must never be moved onto a system storing or processing non-BBC information unless it is pushed through a policy-checking gateway. BBC information must never be moved from a system storing or processing non-BBC information unless it is pulled through a sanitising gateway.

Compliant? Yes (Y), No (N), Partial (P): T1 | T2 | T3 | Service Provider Statement | Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)


3.4.5 Support for inwards two-stage information submission

Given the outwards-push & inwards-get nature of communications through the BBC’s perimeters, the Service Provider must ensure that incoming information from relevant 3rd-parties proceeds through a two-stage process. In the first stage the information must be deposited into a secured store where it is checked to ensure it is well-formed, appropriate and authenticated. The second stage involves a system inside the BBC perimeter “getting” the information from the secured store.

Where the Service Provider processes or stores BBC information on non-BBC sites or on systems that also handle non-BBC information, transactions should always adopt a two-phase model, to ensure that policies are applied to information leaving the BBC and that information entering the BBC is sanitised.

The BBC is investigating the use of Secure Web Services and Federation to permit new ways of working. The Service Provider must work with the BBC and SIS to ensure that they can continue to cooperate with the BBC once these services are rolled out.
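The outwards policy-checked push (3.4.4), the inwards two-stage deposit-then-get (3.4.5) and the secure transaction record (3.4.10) can be modelled together. The Python below is an added illustration, not part of the BBC framework and not SIS’s implementation: the third-party key, the outwards policy table and the “appropriate” rules (permitted kinds, size cap) are constructed placeholders.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed placeholder secret for one approved 3rd party; a real deployment
# would authenticate deposits against the SIS-provided identity service.
THIRD_PARTY_KEY = b"constructed-demo-key-not-for-production"
# Constructed outwards policy: permitted destinations and tags that must not leave.
OUTWARD_POLICY = {"allowed_destinations": {"partner.example"},
                  "forbidden_tags": {"BBC-CONFIDENTIAL"}}


@dataclass
class AuditLog:
    """Hash-chained record of gateway decisions (3.4.10); verify() exposes tampering."""
    entries: list = field(default_factory=list)

    def record(self, event: dict) -> str:
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"event": event, "digest": digest})
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            body = json.dumps(entry["event"], sort_keys=True)
            if hashlib.sha256((prev + body).encode()).hexdigest() != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


def push_outwards(message: dict, log: AuditLog) -> bool:
    """Outwards push: the policy gateway is the only exit; every decision is logged."""
    dest_ok = message["destination"] in OUTWARD_POLICY["allowed_destinations"]
    tag_ok = not (set(message.get("tags", ())) & OUTWARD_POLICY["forbidden_tags"])
    allowed = dest_ok and tag_ok
    log.record({"direction": "out", "id": message["id"],
                "destination": message["destination"], "allowed": allowed})
    return allowed


def sign(payload: bytes) -> str:
    """Authentication tag the 3rd party attaches to a deposit (HMAC-SHA256)."""
    return hmac.new(THIRD_PARTY_KEY, payload, hashlib.sha256).hexdigest()


@dataclass
class SecuredStore:
    """Stage 1 inwards: quarantine store that checks deposits for authentication,
    well-formedness and appropriateness. It has no route of its own into the estate."""
    accepted: dict = field(default_factory=dict)
    ALLOWED_KINDS = frozenset({"script", "metadata"})  # constructed "appropriate" rule
    MAX_BYTES = 4096

    def deposit(self, sender: str, payload: bytes, tag: str, log: AuditLog) -> bool:
        authenticated = hmac.compare_digest(sign(payload), tag)
        try:
            doc = json.loads(payload)
            well_formed = isinstance(doc, dict) and {"id", "kind", "body"}.issubset(doc)
        except ValueError:
            doc, well_formed = None, False
        appropriate = bool(well_formed and doc["kind"] in self.ALLOWED_KINDS
                           and len(payload) <= self.MAX_BYTES)
        ok = authenticated and well_formed and appropriate
        log.record({"direction": "in", "stage": 1, "sender": sender, "authenticated": authenticated,
                    "well_formed": well_formed, "appropriate": appropriate, "accepted": ok})
        if ok:
            self.accepted[doc["id"]] = doc
        return ok


def get_inwards(store: SecuredStore, log: AuditLog) -> list:
    """Stage 2: a system inside the perimeter gets only what passed stage 1."""
    items = list(store.accepted.values())
    store.accepted.clear()
    for doc in items:
        log.record({"direction": "in", "stage": 2, "id": doc["id"]})
    return items


def demo() -> dict:
    """Constructed traffic in both directions; returns each gateway outcome."""
    log, store = AuditLog(), SecuredStore()
    out = [push_outwards(m, log) for m in (
        {"id": "o1", "destination": "partner.example", "tags": ["PUBLIC"]},
        {"id": "o2", "destination": "partner.example", "tags": ["BBC-CONFIDENTIAL"]},
        {"id": "o3", "destination": "unknown.example"})]
    good = json.dumps({"id": "s1", "kind": "script", "body": "cue sheet"}).encode()
    junk = b"{not json"
    wrong = json.dumps({"id": "s2", "kind": "binary", "body": ""}).encode()
    inward = [store.deposit("partner.example", p, t, log) for p, t in (
        (good, sign(good)), (good, "00" * 32), (junk, sign(junk)), (wrong, sign(wrong)))]
    pulled = [d["id"] for d in get_inwards(store, log)]
    return {"out_public": out[0], "out_confidential": out[1], "out_unknown_dest": out[2],
            "in_good": inward[0], "in_bad_tag": inward[1], "in_malformed": inward[2],
            "in_wrong_kind": inward[3], "pulled_ids": pulled, "log_intact": log.verify()}
```

The external party only ever writes into the quarantine store and the internal system only ever reads from it, so neither side can reach the other directly; every refused deposit and every refused push is still recorded.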

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.4.6 The use of proxy and filtering firewalls

The BBC’s technology service provider (SIS) operates for the BBC, by default, outwards pointing proxies that support only HTTP, HTTPS, Telnet, FTP, SOCKS from internal clients and servers to the outside world. To comply with current BBC policy, the Service Provider must only supply systems that support these protocols when moving information from the BBC estate to the Internet and 3rd-parties.

The BBC’s technology service provider (SIS) operates for the BBC a number of “double-skin” (dual back-to-back) filtering firewalls. These are currently used for incoming staff RAS and also for separation between the BBC and 3rd-parties offering services to the BBC. When using these platforms, the principles from above will still need to be applied.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.4.7 Extranet support

The BBC’s technology service provider (SIS) operates on behalf of the BBC a number of external protected facilities that can be used to service business-to-business type Extranet functionality. The Service Provider should utilise these systems wherever possible.

Where the Service Provider cannot utilise the SIS-provided Extranets, the solutions used must comply with all of the other requirements described in this document or in the BBC’s Information Security policies. BBC information must only be stored or processed on platforms that are up to date with patches and have been hardened. The space between the two organisations (the DMZ) must be protected by two dissimilar firewalls. All transactions must be authenticated and encrypted.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.4.8 Telecom agency and Internet connections

The Service Provider must not directly connect any system processing or storing BBC information to a telecoms agency or the Internet. Unless otherwise approved, any such connection must always be authenticated, encrypted and filtered based on the requirements specified in this document or in the BBC


Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.4.9 Defence in depth filtering (and 802.1x network-port control)

SIS are introducing a defence-in-depth model of security protection for BBC assets within the perimeter maintained by SIS. This will add layered filtering protecting critical assets and ring-fencing development systems. The Service Provider must comply with this model and operate a similar model when processing BBC assets. End-system and intermediate-system devices (switches, routers etc.) connected to the BBC’s infrastructure must comply with 802.1x.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.4.10 Enforcement of policies and audit of breaches

The Service Provider must supply and operate the services such that they prevent outgoing requests from breaching BBC acceptable use policies. The Service Provider must securely record transactions so that detected policy breaches can be effectively resolved in a timely manner.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)


3.4.11 Incoming Modem connections are not permitted

The Service Provider must not enable any connections that utilise incoming calls on modems.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.4.12 Security of audio and video telephony

All voice and video telephony solutions must be securely installed and operated. At the very least no default passwords should be left operational.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.5 User Identification & Access-Control management

Summary: The BBC expects all identification, authentication and authorisation processes to be centrally controlled (to enable Single Sign On). The BBC’s technology service provider (SIS) is introducing a Metadirectory model from which the Service Provider must be prepared to accept data; it will be the definitive directory of user information. Identification will be via Smartcards. All system access-control must depend on this central identification and authentication solution. Joiners, Movers and Leavers should only be processed by the BBC’s Human Resources team (or those subcontracted by the BBC to perform this task).

3.5.1 Compliance with the BBC’s secure Directory Services

The Service Provider must comply with the BBC’s secure directory service, which is supplied by the BBC’s technology service provider, SIS. The directory is X.500 compatible and access is via LDAP. SIS are also introducing a new Metadirectory facility to be the definitive repository of user information. All facilities supplied by the Service Provider must be able to accept identification information from this directory.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.5.2 Compliance with the BBC’s Identity and Authentication standards and developments

BBC user identification is supplied by the BBC’s technology service provider, SIS. At the time of writing this is based on NTLM and MSCHAPv2. However, SIS are migrating to a Single-Sign-On SmartCard-based two-factor authentication system to meet the BBC’s requirement for two-factor authentication for all Identity and Access purposes. All systems and processes delivered by the Service Provider must comply with the SIS-supplied solution. If a system operated by the Service Provider cannot comply, then (following a risk analysis) a dispensation may be granted for a short period to allow the Service Provider to perform local identification and authentication, such that the Service Provider complies with BBC information security policies for identifying users, systems and objects. The system must perform authentication strong enough to ensure without any doubt that the person, object or system is who (or what) they say they are – in practice this means two-factor authentication.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)


3.5.3 Authorisation processes

The BBC preference is for a central identification and authorisation service (see above).

Where local authorisation is unavoidable, the Service Provider must supply and operate a service that can map a fully identified and authenticated person, system or object onto the Service Provider’s facilities that they are entitled to have access to (whether read, write or read+write).

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.5.4 Access Control policies

All systems built and operated by the Service Provider must be able to deny access to non-authorised people, systems or objects. The systems must only enable write access to those people, systems or objects that have been authorised to have write access. The systems must only enable read access to those people, systems or objects that have been authorised to have read access.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)


3.5.5 User lifecycle management (handling Joiners, Movers, Leavers)

The responsibility for joiners, movers and leavers (whether staff, contracted third-parties or freelancers) should only reside with the BBC’s Human Resources team (or those subcontracted by the BBC to perform this role). Such a facility must be able to efficiently and quickly handle the addition, the movement and the departure of people, systems and objects.

The Service Provider must ensure that any data about people in their organisation who service the BBC and who Join, Move or Leave, is securely updated inside the BBC’s repositories of information within 48 hours of a change. The details must include name, job title, physical address, fixed and mobile phone numbers.

Where local support for joiners, movers and leavers is unavoidable, the Service Provider must be able to efficiently and quickly handle the addition, the movement and the departure of people, systems and objects for the facilities they service.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.5.6 Access from non-BBC sites only via BBC RAS services

Facilities provided by the Service Provider must not be accessible from non-BBC sites except via the BBC’s standard two-factor authenticated Remote-Access system (provided by SIS).

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)


3.5.7 Use of distributed poly-authentication solutions

The BBC will be investigating the use of multi-source authentication technologies for future non-internal Identification, Authentication and Authorisation (examples include OpenID, CardSpace etc.). The Service Provider should be able to support authentication via this approach should the BBC approve it.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.6 Classifying data for integrity and confidentiality

Summary: The Service Provider must ensure that information is tagged to show access rights. Systems operated by the Service Provider must be capable of determining access rights based on the tags in information.

3.6.1 Supply of classification systems to tag information

The Service Provider must supply and operate a system that ensures that information created for and on behalf of the BBC by the Service Provider or using the Service Provider’s systems is tagged in such a manner that indicates who/what can view it and who/what can change it. The Service Provider must comply with the BBC-approved tagging methodologies where appropriate.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)


3.6.2 Access-control tie in with information tagging

The Service Provider should integrate the information tagging system with access control systems, so that only authorised users, systems and objects can access information, stored and processed by the Service Provider, that is of the right classification.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.7 Secure and appropriate handling of data

Summary: The Service Provider must ensure that all information is handled in accordance with the Data Protection Act and that, when relevant, data is securely disposed of.

3.7.1 Appropriate handling and processing of information

The Service Provider, and any Personnel, must comply with the Data Protection Act, especially when handling or storing personal and sensitive information. They must appropriately process such information as detailed in the contract. Present custom and practice will need to be recorded and codified. Policies, customs and practices regarding data handling (and associated legal compliance) will be raised as a regular agenda item at the ISSG to enable the Service Provider to respond to BBC practices.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)


3.7.2 Secure handling of information

The Service Provider, any subcontractor, or contracted third party must securely store, handle and process all BBC information.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.7.3 Secure destruction of data

The Service Provider must build and operate a system or method to enable the secure destruction of data, especially sensitive and personal material - or systems that carry the data - that the BBC has marked for secure destruction.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.7.4 Compliance with the Freedom of Information Act

The BBC comes under the provisions of the Freedom of Information Act. The Service Provider must therefore ensure that it assists the BBC in complying with this act, either by ensuring information is speedily and economically recoverable or by speedily assisting in the processing of Subject Access Requests.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.8 Standards and policies for wireless access

Summary: When on BBC premises, the only supported wireless access to BBC information is supplied by SIS facilities. When on non-BBC sites, BBC information must be protected from insecure wireless installations.

The service provider must comply with the BBC Wireless Access policies. Within BBC buildings, the Service Provider must not introduce their own Wireless Access technology to enable access to services they provide to the BBC. They must instead utilise the Wireless Access facilities provided by the BBC’s technology service provider – SIS.

Where the Service Provider processes BBC information in non-BBC locations, this information must be protected from insecure wireless installations. All wireless networks should utilise encrypted two-factor authentication and pass data using strong encryption with frequently changing session keys that are long enough to prevent brute-force attacks. The wireless access points must be protected from direct attack (e.g. by using a local firewall).

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.9 Staff Remote Access to BBC systems

Summary: Remote access to BBC information by staff, contractors and freelancers must only be via the approved RAS solution. This applies to BBC information both on BBC sites and also on Service Provider’s sites.

3.9.1 Compliance with BBC’s IPSec-based VPN and double-skin firewall for staff access

Access to BBC internal facilities by staff is currently supported only via a filtered DMZ hosting VPN end-points operated by the BBC’s technology service provider, SIS. All transactions are strongly encrypted and two-factor authenticated.

The Service Provider must not operate any other means for BBC staff and contracted individuals to gain access to BBC information.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.10 Security standards for system and software development

Summary: Software, systems and applications built or procured for the BBC must adopt good security design and operation principles.

3.10.1 Security of Service Provider supplied software and systems

Any software or system supplied by the Service Provider must adopt Best Industry Practices for security design. The BBC (in collaboration with the BBC’s technology service provider, SIS) is in the process of developing recommendations for secure software and system development standards. The Service Provider should work with the BBC and SIS to develop these standards and to ensure that a BBC-wide consistent approach is adopted. At the very least all software should:

• Validate all input

• Ensure access is only allowed to authorised individuals and objects and is sufficiently granular

• Ensure there are no simple to access “back-doors” (all authentication must be central & strong)

• Prevent itself being used as a conduit to allow unauthorised access to another system (e.g. avoid cross-site-scripting problems)

• Not suffer from buffer overflows

• Not allow invalid data to be directly injected


• Handle errors securely and consistently

• Store data securely

• Detect, survive and protect against denials-of-service

• Prevent unauthorised configuration changes

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.10.2 Security of procured and shrink-wrapped software

The Service Provider must work with the BBC to ensure any shrink-wrapped software products procured in the supply of the service adopt Best Industry Practices for security.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.10.3 Restrictions on mobile code

Mobile code supplied by the Service Provider must comply with the BBC policies on mobile code.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)


3.10.4 Integration with the BBC’s “Enterprise Infrastructure Architecture”

The Service Provider must work with the BBC and with the BBC’s technology service provider, SIS, to ensure that all software operates securely with the BBC’s new “middleware” bus – “Digital Fabric”.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.10.5 Security of in-house system developments

The Service Provider must work with the BBC regarding any in-house system specification and developments, to ensure the systems are protected against deliberate or accidental events that affect the integrity, confidentiality and availability of BBC information.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)


3.10.6 Restrictions on “black box” and turnkey systems and software

Any software or system built or procured by the Service Provider must not operate as a turnkey or black-box solution. Systems must be kept up to date with Operating System and application patches and must be configured to ensure new and existing malware cannot interfere with their secure operation.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.10.7 Application refresh

In order to ensure that obsolete and unpatchable applications do not impact the security of BBC information, the Service Provider must operate a sliding “n-1” window of application replacement: once a new major platform “n” is released by the supplier, the Service Provider must begin to replace anything that is at major release “n-2”. A window of continued n-2 operation may be granted by dispensation from the BBC in order to permit the migration away from the current platform.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.11 Application and system Access-Control

Summary: Applications and systems built and operated by the Service Provider must prevent unauthorised read or write access. Access must be based on full central identification and authentication.


3.11.1 Systems and applications must control access

Any system and application supplied and operated by the Service Provider must be able to prevent all access to unauthorised users, systems and objects. It must only allow read access to users, systems and objects that are authorised for read access. It must only allow write/create/destroy access to those users, systems and objects that have been granted write/create/destroy/configure rights. It must only allow administration access to those users, systems and objects that have been granted administration access.

The identity and authentication of individuals and objects must be based on the directory facilities and unique IDs supplied to the BBC by the BBC’s technology service provider, SIS. Alternatively the IDs must be provisioned in such a way that they are maintained totally in step (Identifier and authenticator) with the BBC central IDs and must be based on two-factor authentication.

Any application must work within the ongoing Identity & Access Management structure of the BBC and must be prepared to be updated regularly to keep in step with this architecture.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.11.2 Auditability of access

All access to any resource must be uniquely identified. This means that generic accounts are not permitted.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)


3.12 Business to Customer (B to C) and Business to Business (B to B) Information Security

Summary: B-to-C, B-to-B and C-to-B systems (especially systems used to handle “User Generated Content”, UGC) are special cases of applications. The Service Provider must ensure best practices are adopted in the development and operation of these platforms. Secure Web-Services based models should be adopted.

3.12.1 Principles of B-to-C, B-to-B and C-to-B systems

The BBC expects any B-to-C or B-to-B system supplied by the Service Provider to be secure and to comply with all sections of this document. At the very least, the principles of identification, authentication, authorisation, access-control, filtering and “hardening” must be applied. The basic principles should be derived from secure Web Services technology.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.12.2 Securing BBC information on B-to-C, B-to-B and C-to-B systems

The Service Provider must supply and operate systems that, when dealing with BBC customers, business partners and rivals, securely store and process all BBC information. The systems must be designed to control access to the information and prevent any accidental or deliberate event from affecting the integrity, availability or confidentiality of any stored or processed information.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)


3.12.3 Securing customer information on B-to-C, B-to-B and C-to-B systems

The Service Provider must supply and operate systems that, when dealing with BBC customers, business partners and rivals, securely store and process all customer information. The systems must be designed to control access to the information and prevent any accidental or deliberate event from affecting the integrity, availability or confidentiality of any stored or processed information.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.12.4 Securing financial information on B-to-C, B-to-B and C-to-B systems

The Service Provider must supply and operate systems that, when dealing with BBC customers, business partners and rivals, securely store and process all customer, business-partner and rival financial information. The systems must be designed to control access to the information and prevent any accidental or deliberate event from affecting the integrity, availability or confidentiality of any stored or processed information. The systems will have to comply with financial regulatory methods. The systems must not store customer credit card information.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.12.5 Public web systems (static, dynamic and media)

The Service Provider must supply and operate, in a secure manner, any part of the BBC’s public web facilities in which they have a role. In many cases, the underlying technology is supplied to the BBC by the BBC’s technology service provider, SIS. The lifecycle of these systems (including vision, strategy, planning, implementation, operation and removal) must be delivered using information security best practices. These services include (but are not limited to): streamed audio, video etc.; games; interactive functionality; static information and graphics etc.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.12.6 Broadcast and play-out systems

Where relevant, the Service Provider must ensure that broadcast and play-out systems are protected so that any deliberate or accidental event cannot affect the integrity, availability or confidentiality of any information stored or processed on them.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.13 Intrusion detection and response

Summary: The Service Provider must supply and operate all facilities so that they can detect anomalous behaviour and securely store records of any such event. The Service Provider must rapidly respond to stop anomalous behaviour, to ensure information is immediately protected and any weaknesses resolved.

3.13.1 Intrusion Detection service

The Service Provider must supply and operate all relevant services, systems and solutions in such a manner that they can detect anomalous behaviour and securely store records of any such event. The Service Provider must work with the BBC and the BBC’s technology service provider, SIS, to ensure that any detected anomalous event can be escalated up to the BBC’s strategic IDS solution being built by SIS.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.13.2 Intrusion Detection Response service

The Service Provider must respond to any anomalous events that suggest an attempt is being made to subvert the availability, integrity or confidentiality of any systems managed by the Service Provider.

Any response should include at least:

• Reporting and escalation of the issue to the BBC

• Protection of the system under attack

• Defence of the facilities against further attacks

• (if necessary) roll-back to a previously known good configuration

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.14 Incidents, Investigations and event logging

Summary: The Service Provider must keep secure logs of all valid and invalid access attempts as well as transactions. The Service Provider must be prepared to utilise these logs to respond to an event or retrospectively investigate an event. The Service Provider must, if required, work with the BBC and any legal authority pursuing an investigation.

3.14.1 Investigating events and attacks

The Service Provider must supply a service to investigate complex and/or long-term events and attacks that could compromise the integrity, availability and confidentiality of BBC information handled by the Service Provider.

The Service Provider must work with the BBC and any other 3rd-parties to ensure that the investigation is properly specified and recorded.

In all cases that might involve investigations, the Service Provider must ensure that a sufficient historical weight of evidence is securely stored to enable any reasonable investigation to take place.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.14.2 Investigating non-compliance

The Service Provider must supply a service to detect and investigate any non-compliance with the BBC’s information security policies, processes and standards. The Service Provider must suggest remediation solutions to resolve conflicts and work with the BBC, contractors and contracted third-parties to ensure that non-compliant systems and processes are modified to become compliant or that a dispensation is granted, if appropriate.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.14.3 Assisting the authorities with their inquiries

The Service Provider must work with the BBC to ensure that any formal request for an investigation is carried out in compliance with local law and also within the control of the BBC’s Legal Compliance team.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.14.4 Security Incident Management Process

The Service Provider must define, implement and run a security incident management process to detect and resolve incidents.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.14.5 Security Incident Reporting

The Service Provider must implement a security incident reporting process taking into account impact and need-to-know.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.14.6 Incident & Event Management System

The Service Provider must implement, run and maintain an incident monitoring and management system.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.14.7 Escalation Procedures

The Service Provider must agree and run an escalation procedure for events and incidents appropriate to the severity of the incident.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.14.8 Audit of Incidents

The Service Provider must provide a process to audit incidents including threshold analysis to reduce likelihood of recurrence.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.15 Security of Email or store-and-forward systems

Summary: The Service Provider must ensure that any material transferred via a store-and-forward system (including email) is appropriately secured

3.15.1 Secure transfer of information

Where relevant, the Service Provider must work with the BBC and the BBC’s technology service provider, SIS, to ensure that any movement of information via email, messaging and store-and-forward is secure. The systems at either end of the transfer and any intermediate systems (which might hold the information for a short period of time) must be able to survive accidental or deliberate events that might undermine the confidentiality, integrity or availability of the information (including information that the BBC is storing or processing on behalf of a third party).

Any transactions must be securely logged.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.16 Systems hosted outside the BBC estate

Summary: The BBC applies different security principles to BBC information stored within BBC premises on dedicated BBC plant compared to BBC information stored on shared platforms in non-BBC locations. The Service Provider must meet the BBC’s physical and logical security requirements when storing and processing BBC information on non-BBC sites or on systems processing non-BBC information.

3.16.1 Compliance with 3rd-party hosting policies

The Service Provider must comply with the BBC’s Information Security policies that pertain to information and material that is hosted on sites operated by subcontracted third parties. If the Service Provider subcontracts the hosting of information to any third parties, the Service Provider must ensure the subcontractors also comply with the policies. The BBC reserves the right to audit any such contract and, in extremis, veto it.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.16.2 Security of off-site and off-shore hosting of facilities

If the Service Provider stores and processes BBC Information in a location that is not a building where BBC staff are based, the Service Provider must comply with the BBC’s policies for 3rd-party holding and hosting of BBC information. There are physical security requirements such that only staff dedicated to the support of the BBC’s information can have access. The physical security needs to be of a similar strength to that supplied by locked steel cages (accessible only by nominated support staff dedicated to servicing the BBC) combined with video surveillance.

If the location for storing and processing BBC information is shared with customers other than the BBC, or if the systems involved in storing and processing BBC information are shared with customers other than the BBC, the Service Provider must comply with the BBC’s policies for 3rd-party holding and hosting of BBC information. There are physical security requirements such that only staff dedicated to the support of the BBC’s information can have access. The physical security needs to be of a similar strength to that supplied by locked steel cages (accessible only by nominated support staff dedicated to servicing the BBC) combined with video surveillance. The systems and infrastructure (including management and support systems) must not be logically shared with the other customers. Logical sharing includes, but is not limited to: Virtual LANs, Virtual Private Networks (unless BBC traffic is cryptographically authenticated and encrypted – using keys that are specific to and dedicated to the BBC information), shared network-management tools, shared subnets, shared domain names, shared printers, shared FAXes, shared optical scanners, shared desktops, shared servers, shared applications, shared rooms, shared people etc.

The Service Provider must (at bid time, service initiation or service review point), bring to the attention of the BBC any shared facilities used to deliver the service. This includes technology and people who may be time-slicing between the BBC and other clients. The BBC’s default position is that all systems and people should be dedicated to serving the BBC only. However, where a key economic benefit can be demonstrated by using shared services, the Service Provider must demonstrate what technology and processes they will deploy to prevent BBC information from being deliberately/accidentally leaked, corrupted or deleted. The BBC reserves the right to veto any service it considers insufficiently secure or resilient.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.17 3rd-party support of systems inside the BBC estate

Summary: The Service Provider must comply with the only supported method for 3rd-parties to access systems hosted on BBC premises – the SIS provided RAS facilities (“MyConnect”).

3.17.1 Remote-access based 3rd-party support

The BBC’s technology service provider, SIS, operates the only BBC-supported systems that enable 3rd-parties to access systems operating inside the BBC’s perimeters. Currently the systems are based on manually activated on-demand accounts and PSTN RAS. SIS and the BBC are moving to a VPN-based solution derived from the dual-firewall solution operating for the BBC staff RAS service.

The Service Provider must not instigate any other method of access to systems inside the BBC perimeters.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.18 Secure architecture and design of networks

Summary: (Where relevant) the Service Provider must only process and store BBC information using securely designed and operated networks. Service Provider networks must operate a layered, defence-in-depth model.

3.18.1 Planning and implementing secure networks

When dealing with network developments in support of the service, the Service Provider must work with the BBC’s Strategic Network Development team to ensure that the design and implementation of networks take security into account:

• Products and installations must be selected with security in mind

• Design elements must be inherently secure

• The Service Provider must introduce segmentation and defence-in-depth models (including per-service and per-application segmentation). Where the segmentation is between sensitive/important areas and dangerous/Internet areas, separate plant is required - VLANs (Virtual Local Area Networks) are not considered strong enough for secure partitioning

• Networks must be designed and built so that they are simple to operate securely

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.19 Secure server, host and desktop builds

Summary: The Service Provider must ensure that all hosts, servers, desktops and clients are built securely. Startup scripts should not launch unnecessary code. Access control must be based on central Identification and Authentication. Anomalies must be detected and protected against.

3.19.1 Risk exposure analysis and hardening

If it is considered that a host, server, client or desktop system might, during the course of its use, be used in a dangerous situation, or a situation where information attacks are likely, such as connections to 3rd-party networks or the internet, it must be built and operated as a “hardened build”.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.19.2 Control of scripts and codes at start-up

The Service Provider must supply and operate host and server based systems that only run software and services necessary to achieve the tasks that the server/host was designed for.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.19.3 Security patch management

The Service Provider must keep up to date with advice from the manufacturers of all host, server, client and desktop platforms that the supplier builds and operates in order to deliver the service to the BBC. The Service Provider must ensure that these patches are applied to all systems running the software, within service level timescales based on mutually agreed criticality (nominally: critical patches should be applied within 48 hours; intermediate patches should be applied within 1 week and normal patches within 3 weeks).

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.19.4 Secure logs and their processing

The Service Provider must ensure that anomalous events and incidents affecting hosts, servers, clients and desktops are recorded in secure logs and that these logs store sufficient information and history to enable investigations of current and past events.

The Service Provider must build and operate a system to centrally aggregate host, server, client and desktop platform logs as part of an audit or intrusion detection process.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)
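The requirement above (and the "securely store records of any such event" wording of 3.13.1) leaves open what makes a central log store "secure". One common answer is a tamper-evident store: each record appended by the collector commits to the previous record through a keyed hash, so editing, deleting or reordering an entry after the fact is detectable on verification. The following is an added example written for this page; it is not BBC or SIS code, and the hostnames, log lines and collector key are constructed for the demonstration.

```python
"""Tamper-evident central log store: records from several hosts are appended
to one hash chain keyed with an HMAC secret held only by the collector.

Added example for 3.19.4 (and the secure event records of 3.13.1); not BBC
or SIS code. The hostnames, log lines and key are constructed.
"""
import hashlib
import hmac
import json

# Assumption: the collector holds this key; hosts shipping logs never see it.
COLLECTOR_KEY = b"constructed-demo-key-rotate-in-production"
GENESIS = "0" * 64  # chain anchor for the first record


def _mac(key, prev_mac, record):
    """MAC over the previous entry's MAC plus a canonical JSON form of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + b"\n" + body, hashlib.sha256).hexdigest()


class SecureLogStore:
    """Append-only chain; each entry commits to the previous entry's MAC."""

    def __init__(self, key):
        self._key = key
        self.entries = []  # list of {"record": {...}, "mac": hex}

    def append(self, host, line):
        record = {"seq": len(self.entries), "host": host, "line": line}
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        self.entries.append({"record": record, "mac": _mac(self._key, prev, record)})

    def verify(self):
        """Return (ok, first_bad_seq). Any edit, deletion or reorder breaks
        the chain from that point onward."""
        prev = GENESIS
        for expected_seq, entry in enumerate(self.entries):
            record = entry["record"]
            expected_mac = _mac(self._key, prev, record)
            if record["seq"] != expected_seq or not hmac.compare_digest(entry["mac"], expected_mac):
                return False, expected_seq
            prev = entry["mac"]
        return True, None


def aggregate(key, host_logs):
    """Fold (host, [lines]) pairs from several platforms into one store."""
    store = SecureLogStore(key)
    for host, lines in host_logs:
        for line in lines:
            store.append(host, line)
    return store


def demo_tamper():
    """Constructed scenario: three hosts' lines aggregated, then one entry
    edited and another deleted; verify() catches both."""
    host_logs = [
        ("web01", ["sshd: Failed password for root from 203.0.113.9",
                   "sshd: Accepted publickey for deploy"]),
        ("db01", ["sudo: ops : COMMAND=/bin/cat /etc/shadow"]),
        ("mail01", ["postfix: connect from unknown[198.51.100.4]"]),
    ]
    store = aggregate(COLLECTOR_KEY, host_logs)
    results = {"intact": store.verify()}
    # An in-place edit of the sudo record by someone with write access to the store.
    store.entries[2]["record"]["line"] = "sudo: ops : COMMAND=/bin/ls"
    results["edited"] = store.verify()
    # Restore it, then delete an entry: sequence numbers and MACs no longer line up.
    store.entries[2]["record"]["line"] = "sudo: ops : COMMAND=/bin/cat /etc/shadow"
    del store.entries[1]
    results["deleted"] = store.verify()
    return results


if __name__ == "__main__":
    for name, outcome in demo_tamper().items():
        print(name, outcome)
```

The chain only proves that the store has not changed since the collector wrote it; the collector key must therefore be kept off the monitored hosts, and periodic anchors (the latest MAC written to write-once media or sent to the central IDS) are what stop an attacker with the key from silently rebuilding the whole chain.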

3.19.5 Local network connection control

The Service Provider must supply and operate host, server, client and desktop systems that run technologies that ensure that only approved end-nodes or services can connect to the host/server. The solutions must be centrally monitored and configured.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.19.6 “Host” intrusion detection

The Service Provider must build and operate host, server, client and desktop solutions such that they run technologies that can determine when a system or configuration setting/file was changed and by whom and whether the change was authorised. The solutions must be centrally monitored and configured and must be capable of interfacing to the BBC strategic IDS service being rolled out by SIS.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)
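The detection half of 3.19.6 is usually delivered as file integrity monitoring: a baseline of content hashes, permissions and ownership for the configuration files that matter, a later comparison against it, and a reconciliation of each difference against change-control records to decide whether it was authorised. The following is an added example for this page, not BBC or SIS code and not an interface to the strategic IDS; the file names, contents and change reference are constructed. Attributing a change to a person ("by whom") needs the operating system's audit trail and is outside what this example shows.

```python
"""File-integrity style host intrusion detection: baseline, verify, and
reconcile findings against authorised changes.

Added example for section 3.19.6; not BBC or SIS code. Paths, file
contents and the change reference are constructed for the demonstration.
"""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Attributes a host IDS typically compares: content hash, mode, owner."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid}


def build_baseline(paths):
    """Snapshot of every monitored file that currently exists."""
    return {p: fingerprint(p) for p in paths if os.path.exists(p)}


def save_baseline(baseline, out_path):
    """Persist as JSON. In production the baseline lives off-host or on
    read-only media so an intruder cannot rewrite it along with the files."""
    with open(out_path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(in_path):
    with open(in_path) as fh:
        return json.load(fh)


def verify(baseline, paths):
    """One finding per changed attribute, deleted file or newly added file."""
    findings = []
    current = build_baseline(paths)
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            findings.append({"path": path, "change": "deleted"})
            continue
        for attr, old_value in old.items():
            if new[attr] != old_value:
                findings.append({"path": path, "change": attr,
                                 "before": old_value, "after": new[attr]})
    for path in current:
        if path not in baseline:
            findings.append({"path": path, "change": "added"})
    return findings


def reconcile(findings, authorised):
    """Mark each finding as covered by a change record or not.

    `authorised` maps a monitored path to the change-control reference that
    permits modifying it in the current change window (a constructed stand-in
    for a lookup against the change-management system)."""
    for finding in findings:
        ref = authorised.get(finding["path"])
        finding["authorised"] = ref is not None
        finding["change_ref"] = ref
    return findings


def demo():
    """Constructed scenario: one authorised edit, one unauthorised edit."""
    root = tempfile.mkdtemp()
    sshd = os.path.join(root, "sshd_config")
    hosts = os.path.join(root, "hosts")
    with open(sshd, "w") as fh:
        fh.write("PermitRootLogin no\n")
    with open(hosts, "w") as fh:
        fh.write("127.0.0.1 localhost\n")
    monitored = [sshd, hosts]
    baseline_file = os.path.join(root, "baseline.json")
    save_baseline(build_baseline(monitored), baseline_file)

    # Later: hosts edited under a (constructed) change record, sshd_config
    # edited with no record at all.
    with open(hosts, "a") as fh:
        fh.write("10.0.0.5 monitoring\n")
    with open(sshd, "w") as fh:
        fh.write("PermitRootLogin yes\n")

    findings = verify(load_baseline(baseline_file), monitored)
    return reconcile(findings, {hosts: "CHG-0001 (constructed)"})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The unauthorised `sshd_config` finding is the event that should be raised to the central IDS; the authorised `hosts` finding is still worth logging, since the requirement asks the solution to determine whether a change was authorised, not to ignore the ones that were.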

3.19.7 Access control and directory integration

The Service Provider must ensure that any host, server, client and desktop platforms that it builds and operates are integrated as objects into a BBC-wide directory of information and objects.

The Service Provider must ensure that logical and physical access to the host, server, client and desktop platforms is controlled such that only authorised and sufficiently trained individuals can make changes to settings and configurations.

The Service Provider must ensure that logical and physical access to the host, server, client and desktop platforms it builds or operates is controlled such that only authorised individuals can access services and facilities supplied by those platforms.

The Service Provider must ensure that any data (such as names, contact numbers, physical addresses) which might be changed by their actions (e.g. Moves-Adds-Changes and Joiners-Movers-Leavers) is updated within the BBC’s central repositories of assets and directories within 48 hours of the change taking place.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.19.8 Non IT-based information systems

Where the Service Provider is responsible for supplying systems that are not based on traditional IT platforms but which process or store BBC information, these systems must also comply with the BBC’s Information Security policies.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.20 Malware control (Anti-virus, Trojans, spyware standards)

Summary: The Service Provider must install and keep up to date technologies that prevent the spread of “malware”. Systems built and operated by the Service Provider must be protected against infection.

3.20.1 Supplier obligations to prevent the introduction or spread of malware

The Service Provider must take all sensible steps to ensure that, through their actions or inactions or those of any sub-contractor, no malware (e.g. virus, Trojan etc.) or unsafe code (e.g. unsigned mobile code etc.) is introduced to any BBC systems or is used to affect the integrity, availability or confidentiality of any BBC information (or information that the BBC is holding on behalf of a 3rd-party).

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.20.2 Protecting platforms from malicious code attack

The Service Provider will run appropriate up-to-date malicious code detection software on host, server, client or desktop systems in real time.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.20.3 Appropriate malicious code protection

The Service Provider must work with the BBC and the BBC’s technology service provider, SIS, to research and provide appropriate solution or solutions for malicious code protection for systems that store or process BBC information.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.20.4 Protection of information stores from malicious code attack

The Service Provider must provide appropriate malicious code protection on various other devices as deemed at risk of introducing viruses into the BBC system.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.20.5 Spyware control processes

The Service Provider must provide detection and control mechanisms to protect the BBC from Spyware risks.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.21 Installation standards for security systems (i.e. systems for supplying physical and logical security services)

Summary: The Service Provider must apply the highest security standards to those systems that they support which supply the BBC with logical or physical security controls (such as identity and access-control and door-access).

3.21.1 Standards for installing critical security systems

The Service Provider will work to the highest industry standards for installing critical security systems (such as central identity and authentication technologies and door-access-control systems). These will cover physical security of devices and platforms as well as physical security of cabling and cable routes. They will also cover continuity contingencies for power and chilling failures etc.

All such systems must comply with all other sections of this document (software, builds, auditing etc.)

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.21.2 Operating critical security services

The Service Provider must operate critical security services in an appropriate manner and with appropriately vetted staff.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.22 Security implications of change-management

Summary: The Service Provider must operate a change-control system and must engage with the BBC’s change control system to ensure that changes are not unmanaged and to ensure that security implications of a change are not overlooked.

3.22.1 Security to be considered in Change Management

The Service Provider must ensure security is defined in the criteria for changes. The Service Provider must work with the BBC technology service provider (SIS) and other BBC technology areas to ensure that changes are synchronised throughout the estate.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.22.2 Security risks in changes must be mitigated

The Service Provider must ensure that security risks highlighted by the change control process are escalated to the BBC’s Information Security Management team and are mitigated to a satisfactory level.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

3.23 Secure management and monitoring of networks

Summary: Where the Service Provider supplies and operates network elements, these elements must be securely managed. This includes the secure configuration of management platforms, management protocols and management agents.

3.23.1 Build and operation of network monitoring and management systems

Where the Service Provider operates networks that enable the processing or storage of BBC Information, the Service Provider must ensure that network management and monitoring systems, and network infrastructure elements are correctly configured, that they are resilient, and fault tolerant, and that any data they hold is backed up and available on demand. Such data includes, but is not limited to, device configurations, system logs, historical statistical and event/alert data, and unresolved alerts. Transactions should be encrypted and authenticated (e.g. via the use of SNMPv3).

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)
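The "encrypted and authenticated (e.g. via the use of SNMPv3)" requirement is easiest to audit at the agent configuration, because the weak settings are a handful of directives: SNMPv1/v2c community strings (sent in clear and usable by anyone who sniffs them) and SNMPv3 users whose security level stops short of `priv`. The following is an added example for this page, not BBC, SIS or net-snmp code; it uses net-snmp's `snmpd.conf` directive names (`rocommunity`, `rwcommunity`, `com2sec`, `createUser`, `rouser`, `rwuser`), assumes net-snmp's documented default of `auth` when `rouser`/`rwuser` omit the level, ignores the optional `-e ENGINEID` form of `createUser`, and lints a constructed configuration that contains both a legacy setup and its hardened replacement.

```python
"""Lint a net-snmp style snmpd.conf for management-plane weaknesses.

Added example for 3.23.1; not BBC, SIS or net-snmp code. Directive names
are net-snmp's; the sample configurations below are constructed.
"""
import shlex

COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6",
                        "rwcommunity6", "com2sec", "com2sec6"}
USER_DIRECTIVES = {"rouser", "rwuser"}
LEGACY_AUTH = {"MD5"}   # prefer SHA
LEGACY_PRIV = {"DES"}   # prefer AES
LEVELS = {"noauth", "auth", "priv"}


def lint_snmpd_conf(text):
    """Return a list of (line_number, message) findings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:
            findings.append((lineno, "unparseable line (unbalanced quotes)"))
            continue
        directive, args = tokens[0], tokens[1:]

        if directive in COMMUNITY_DIRECTIVES:
            findings.append((lineno, f"{directive}: SNMPv1/v2c community string travels in "
                                     "clear; replace with an SNMPv3 authPriv user"))

        elif directive == "createUser":
            # createUser NAME [AUTHPROTO "authpass" [PRIVPROTO "privpass"]]
            name = args[0] if args else "?"
            if len(args) < 3:
                findings.append((lineno, f"createUser {name}: no authentication "
                                         "protocol/passphrase configured"))
                continue
            if args[1].upper() in LEGACY_AUTH:
                findings.append((lineno, f"createUser {name}: legacy auth protocol "
                                         f"{args[1].upper()}; prefer SHA"))
            if len(args) < 5:
                findings.append((lineno, f"createUser {name}: no privacy protocol, so "
                                         "management traffic cannot be encrypted"))
            elif args[3].upper() in LEGACY_PRIV:
                findings.append((lineno, f"createUser {name}: legacy privacy protocol "
                                         f"{args[3].upper()}; prefer AES"))

        elif directive in USER_DIRECTIVES:
            # rouser/rwuser NAME [noauth|auth|priv ...]; level defaults to auth
            name = args[0] if args else "?"
            level = args[1].lower() if len(args) > 1 and args[1].lower() in LEVELS else "auth"
            if level != "priv":
                findings.append((lineno, f"{directive} {name}: security level '{level}' "
                                         "permits unencrypted management traffic; require priv"))
    return findings


# Constructed sample: a legacy agent configuration (lines 2-5) followed by
# the hardened SNMPv3 authPriv equivalent (lines 6-7).
SAMPLE_CONF = """# constructed sample snmpd.conf
rocommunity public 10.0.0.0/8
rwcommunity s3cret
createUser legacymon MD5 "legacy-pass"
rouser legacymon
createUser bbcmon SHA "constructed-auth-pass" AES "constructed-priv-pass"
rouser bbcmon priv
"""

if __name__ == "__main__":
    for lineno, message in lint_snmpd_conf(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
```

Running it over `SAMPLE_CONF` reports the two community strings, the MD5-only user twice (legacy hash, no privacy) and the `rouser legacymon` line that would accept unencrypted sessions, and is silent on the `bbcmon` pair. The same check belongs in the configuration pipeline for management platforms and polling stations, not only on the agents.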

3.23.2 Two-factor authentication for accessing network elements

Where the Service Provider operates networks that enable the processing or storage of BBC Information, the supplier should ensure that access to network elements that process network connections and transactions is controlled through two-factor authentication.

3.23.3 Access to network monitoring, management and configuration systems

Where the Service Provider operates networks that enable the processing or storage of BBC Information, the Service Provider must ensure that monitoring, configuration and management systems and elements are only accessible to trained, approved and sanctioned staff. The same applies to any access or control information used by, or used for, such systems and devices.

3.23.4 Access to network elements and objects

Where the Service Provider operates networks that enable the processing or storage of BBC Information, the Service Provider must ensure that network elements (which includes, but is not limited to: routers, switches, modems, hubs, bridges etc.) are only physically and logically accessible to trained, approved and sanctioned staff. The same applies to any access or control information used by, or used for, such systems and devices.

3.23.5 Integration with existing network management elements

Where the Service Provider operates networks that enable the processing or storage of BBC Information, the Service Provider must ensure that processes exist to inform the BBC and the BBC’s technology service provider, SIS, of any network-management security event.

3.24 Secure handling of backup and restore processes

Summary: Where the Service Provider backs up BBC information, they must ensure that the information is either physically secured or cryptographically protected.

3.24.1 Secure design of Backup Process

The Service Provider must implement backup processes that consider the security, sensitivity and legal implications of the data being backed up.

3.24.2 Secure storage of Backup Data

The Service Provider must ensure that backup data is stored and transported in a secure manner once completed. Where physical security cannot be guaranteed, the backed-up data must be encrypted and the keys escrowed with the BBC’s Information Security Management team.

3.24.3 Protection of sensitive data in backups

The Service Provider must ensure that where data has been designated sensitive, it is stored with more rigorous security characteristics than general backup data.

3.25 Physical security of data and data systems

Summary: The Service Provider must ensure that BBC information is always physically secured. Where physical security cannot be guaranteed, the information must be cryptographically secured.

3.25.1 Appropriate physical security standards

The Service Provider must apply physical security constraints on information storage and processing systems appropriate to their usage and the situation in which they are used.

Special consideration must be given to such systems operated in dangerous environments, such as warzones and disaster hit areas.

3.25.2 Systems dealing with sensitive or personal information

The Service Provider must supply and operate systems that process or store sensitive or personal information in a physically secure manner. In most cases this means that the systems must be located in rooms that prevent access except to individuals with sufficient training and sufficient privileges.

3.25.3 Systems dealing with broadcast and business critical information

The Service Provider must supply and operate systems that process or store broadcast and business critical information in a physically secure manner. In most cases this means that the systems must be located in rooms that prevent access except to individuals with sufficient training and sufficient privileges.

3.25.4 Systems dealing with information needed for business continuity

The Service Provider must supply and operate systems that process or store information needed for business continuity in a physically secure manner. In most cases this means that the systems must be located in rooms that prevent access except to individuals with sufficient training and sufficient privileges.

3.25.5 Secure servers, hosts and network devices

Unless a specific dispensation applies, the Service Provider must ensure that all servers, hosts and network devices that they supply and operate are physically secured. In most cases this means that the systems must be located in rooms that prevent access except to individuals with sufficient training and sufficient privileges.

3.25.6 Security of off-site and off-shore hosting of facilities

If the Service Provider stores and processes BBC Information in a location that is not a building where BBC staff are based, the Service Provider must comply with the BBC’s policies for 3rd-party holding and hosting BBC information. There are physical security requirements; such that only staff dedicated to the support of the BBC’s information can have access. The physical security needs to be of a similar strength as that supplied by locked steel cages (accessible only by nominated support staff, dedicated to servicing the BBC) combined with video surveillance.

If the location for storing and processing BBC information, or the systems involved in storing and processing it, are shared with customers other than the BBC, the Service Provider must comply with the BBC’s policies for 3rd-party holding and hosting BBC information, and the same physical security requirements apply: only staff dedicated to the support of the BBC’s information may have access, with protection of a similar strength to locked steel cages (accessible only by nominated support staff dedicated to servicing the BBC) combined with video surveillance. The systems and infrastructure (including management and support systems) must not be logically shared with the other customers. Logical sharing includes, but is not limited to: Virtual LANs, Virtual Private Networks (unless BBC traffic is cryptographically authenticated and encrypted, using keys that are specific to and dedicated to the BBC information), shared network-management tools, shared subnets, shared domain names, shared printers, shared FAXes, shared optical scanners, shared desktops, shared servers, shared applications, shared rooms, shared people etc.

The Service Provider must (at bid time, service initiation or service review point), bring to the attention of the BBC any shared facilities used to deliver the service. This includes technology and people who may be time-slicing between the BBC and other clients. The BBC’s default position is that all systems and people should be dedicated to serving the BBC only. However, where a key economic benefit can be demonstrated by using shared services, the Service Provider must demonstrate what technology and processes they will deploy to prevent BBC information from being deliberately/accidentally leaked, corrupted or deleted. The BBC reserves the right to veto any service it considers insufficiently secure or resilient.

3.26 Patch handling for security purposes

Summary: Regardless of use, all systems (Operating System, applications, drivers etc.) built and operated by the Service Provider must be kept fully up-to-date with security patching. Where a platform or application is to be made obsolete by a vendor, the Service Provider must migrate all its systems away from the obsolete platform before it becomes end-of-life. In practice the BBC is willing to accept services based on the current major version (“n”) and the previous major version (“n-1”).

3.26.1 Supplier watch and relationship management to keep patches up-to-date

The Service Provider must keep a regular and timely watch on the suppliers and manufacturers of all systems operating in the estate under the control of the Service Provider that are used to supply the service to the BBC.

Relationship management must be kept with the suppliers and manufacturers of all systems operating in the estate under the control of the Service Provider that are used to supply the service to the BBC.

The Service Provider must maintain systems in scope of the service they offer within n-1 of the current major release. If dispensated, systems may be supported on n-2 for up to 6 months after “n” is released in order to aid migration of facilities.

The Service Provider must liaise with the BBC and the BBC’s technology service provider, SIS, to ensure a consistent, fit-for-purpose approach to patch levels is adopted BBC-wide.

The BBC’s standard change management process, or one operated by the Service Provider that is compatible and synchronised with the BBC’s processes, will be used to schedule downtime for patching purposes.

Where, for business and/or broadcast critical reasons the BBC are not able to grant a timeslot within the Service Level timeframe, a record will be made in the risk register and the patch scheduled for the earliest opportunity. The relevant system will then be taken out of the Service Level calculation for the specific Service Level timeframe.

3.26.2 Timeliness of security patching

The Service Provider must supply and operate a patching service that is delivered with a timeline appropriate to the risk.

3.26.3 Risk analysis of security patching

The Service Provider must supply and operate a patching service that is delivered in a manner appropriate to the risk.

3.26.4 Criticality of security patching

The Service Provider must take into account the criticality of a system and the criticality of the patch, when supplying and operating a patching service. The Service Provider will keep disruption to services to the minimum possible and practical and wherever technically possible (e.g. on load balanced systems) cause no service downtime.

3.27 Security of devices and hardware

Summary: The Service Provider must ensure that any device with a network connection, processor, memory or store is securely configured and operated before it is used to store or process BBC information.

3.27.1 Risk assessing new devices and technologies

The Service Provider must supply and operate a service whereby new platforms, technologies, methods and devices that the Service Provider needs to introduce to enable the service, are tested to determine if they present a risk to the integrity, confidentiality or availability of any BBC information.

3.27.2 Mitigation for newly introduced devices and systems

The Service Provider must supply and operate a mitigation service dealing with new platforms, technologies, methods and devices which have been determined to represent a risk to BBC information Security.

3.27.3 Devices under consideration

This service includes, but is not limited to:

• Any device that contains a processor or memory

• Any device that can act as a gateway between two or more other devices or systems

• Any new technology that might process, store or transfer information

3.27.4 Asset management of devices

The Service Provider must build and operate a system (or must coordinate with the BBC’s technology service provider, SIS) whereby all physical and logical assets that can store or process information are individually and uniquely identifiable, and their location and characteristics are stored in a secure system that is used as part of change management.

3.28 Business Continuity

Summary: The Service Provider must ensure that any facility, contract or service meets the relevant business area’s requirements for continuity of service. The Service Provider must demonstrate that they are consistent with BS25999 Business Continuity governance processes. The solution or service must have sufficient up-front investment and operational capability to meet agreed availability targets and Recovery Time Objectives. Where the BBC might face liabilities from Service Provider non-delivery, the contract should ensure that the BBC’s liability is backed out. The Service Provider must create and operate Business Continuity plans.

3.28.1 Capacity planning and flexibility

The Service Provider must ensure that any new or current service meets the expectation of the BBC Business Unit that requested the facility. The Service Provider must agree with the BBC how capacity planning will be managed throughout the lifetime of the service. The Service Provider must ensure that space, power, storage, speed, throughput, delay etc. are continuously monitored throughout the lifetime of the service. When an agreed low- or high-water level is reached, the Service Provider must:

• for fully-managed services, ensure sufficient extra capacity is brought online in time for the service not to become degraded

• for services where the BBC funds changes and enhancements to the facilities, ensure that, following agreement with the BBC over costs and funding, sufficient extra capacity is brought online in time for the service not to become degraded

Given the dynamic and sometimes unpredictable nature of TV, Radio and Online content collection and distribution, the BBC will sometimes require the Service Provider to swiftly respond to a request to supply extra capacity. For each service, the Service Provider should propose the most suitable solution to enable this flexible capacity.

3.28.2 Delivering appropriate resilience levels

The Service Provider, when taking on or initiating a new service, must ensure that the BBC Business Customer for the service is made aware of any Single Points Of Failure (SPOF) in the provision, the expected Uptime for the service as well as the Recovery Time Objectives of the solution. All broadcast and business critical systems and solutions must be resilient and have no SPOFs, unless specifically dispensated by informed BBC customers. In cases where resilience is not possible, this must be accepted in writing by the relevant BBC customer lead. Where resilience is not required (e.g. for short-term or low-cost provisions), the Service Provider must ensure that this is expressed in writing.

The Service Provider must regularly rehearse potential scenarios that could undermine the resilience and Uptime of the services provided to the BBC. The Service Provider must also regularly (for example, twice yearly) test (including at least one annual end-to-end test involving all stages) the resilience of the facilities and also the people involved in delivering these services.

3.28.3 Delivering Risk Assessment & Business Impact Analysis

The Service Provider must work with the BBC Business Continuity Unit, relevant BBC Business Units and Divisions as well as other major Service Providers to the BBC (including but not limited to: Siemens, Capita, Xansa, Red Bee, JCI) in order to perform Risk Assessments and Business Impact Analyses (BIAs). The BIAs (see BS25999 and subsequent equivalent standards in place at the time of the contract) and Risk Assessments will be defined as a result of working with BBC customers and the BBC Business Continuity Unit. The Risk Assessments will be required before the launch of any new facility and also on a regular basis for the estates and services operated by the Service Provider.

3.28.4 Meeting Broadcast/Output Criticality requirements

The Service Provider must work with the BBC Business Continuity Unit, relevant BBC Business Units and Divisions as well as other major Service Providers to the BBC (including but not limited to: Siemens, Capita, Xansa, Red Bee) in order to establish and maintain a list of broadcast and business critical services operated by the Service Provider, or affected by the Service Providers actions (or inactions). The Service Provider must ensure that they design, plan, develop and operate the Critical Systems within this scope to a higher level of availability and robustness than non-critical systems. The Service Provider must deliver regular Risk Assessments of such systems and their operational processes. The Service Provider must agree Recovery Time Objectives and Uptime measures for Critical Systems with the relevant BBC departments.

Critical services consumed through standard BBC user platforms must also be tested with each platform update (up to 4 per annum).

The Service Provider, based on the Continuity Plans and Resilience, must track the State Of Readiness of all systems deemed to be Critical. The Service Provider must regularly report the State Of Readiness to the BBC.

3.28.5 Monitoring & Reporting business continuity activity

The Service Provider must monitor and measure the facilities and the processes that they operate on behalf of the BBC. They must be able to rapidly determine that a service is operating in an anomalous manner or that a service has failed. When a service or facility fails, the Service Provider must immediately notify BBC Customers and the BBC’s Business Continuity Unit of the failure and must at the same time include an Initial Incident Report containing: suggested next actions, prognosis of fix time and next communication point. Within 5 working days, the Service Provider must supply the BBC with an Intermediate Post Incident Report. Within 20 working days, the Service Provider must supply a full Post Incident Report.

The Service Provider must nominate at least one representative to handle Business Continuity information-collation, continuity planning, impact assessment, test/rehearsal-management, escalation and incident reporting etc. and act as a liaison for the BBC. The nominated representatives must meet regularly (at least 12 times per year) with the BBC’s Business Continuity Unit to review progress and incidents and to report on the State Of Readiness of provided critical services.

3.28.6 Meeting Availability requirements

All services operated by the Service Provider must have availability targets jointly agreed between the Service Provider and the BBC for each and every Service Offering. These targets would normally be different for critical systems than for non-critical systems. Availability targets should balance reasonable costs with reasonable business expectation of availability.

The Service Provider must maintain sufficient resiliency in terms of technology, space and staff to ensure that they are able to meet the BBC’s general and specific availability requirements.

3.28.7 Defining and operating Business Continuity Plans

For the services in the scope of the contract, the Service Provider must define and agree with the BBC Business Continuity Plans. The Service Provider must subsequently regularly refresh these plans (once per annum for non-critical services, twice per annum for critical services). The Business Continuity Plans must include:

• Details of Risk and Business Impact Evaluation & Control

• identification of single points of failure

• Details of Disaster Recovery (IT) solutions

• Crisis Management Plans

• Incident notification and escalation procedures

• Key contacts and numbers

4 Presentation service requirements

The following sections refer to specific service requirements for Presentation. Presentation relates to the mechanism for delivery of services to the end user, including platform support, real-time collaboration and aspects of user interface.

4.1 Platform compliance

Summary: The Service Provider must ensure any products or services being presented to BBC staff operate effectively on the BBC’s standard desktop platform as defined within the BBC User Platforms Roadmap.

4.1.1 Desktop platform support

The BBC currently uses Microsoft Windows XP and Apple Mac OS X 10.4 platforms. Services provided to BBC staff must work across both platforms, though not necessarily using the same presentation format (for example thin client, web services, or fat client).

The BBC has a roadmap for updating each platform, broadly based on the roadmaps of the platform manufacturers with a period for platform stabilisation and deployment. The Service Provider must ensure they familiarise themselves with the BBC’s roadmap and ensure their services will continue to operate as technology refresh occurs.

The BBC is not an adopter of ‘bleeding edge’ technology within the mainstay of its operations and will adopt platform products only after full commercial release and subsequent satisfactory acceptance testing. In terms of older platforms, the Service Provider must operate a sliding “n-1” window of replacements: once a new major platform “n” is released by the supplier, the Service Provider must begin to replace anything that is at major release “n-2”. A window of continued n-2 operation may be dispensated by the BBC on request in order to permit the migration away from the current platform.

As a rule of thumb and without prejudice to the published User Platforms Roadmap support must be provided within 3 months of the commercial release of minor platform updates (such as Service Packs) and 6 months of commercial product release for major platform releases (such as Windows Vista).

4.1.2 Application packaging

Any client-side applications required for the systems delivering services under the contract must either be provided to SIS for desktop integration testing in Microsoft Installer (MSI) format, or the Service Provider must support the packaging of the application into MSI format by SIS prior to distribution.

4.1.3 Application distribution

The BBC does not allow the manual installation of applications onto the BBC standard desktop used by the majority of its staff. All applications for distribution to the BBC desktop must be fully managed, to the extent that they are automatically deployed, repaired and removed fully and cleanly without the need for manual intervention. Further, the application must be deployable using Active Directory or the Altiris Management Suite, or as defined in the Server Roadmap.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)


4.1.4 Web browser support

The BBC utilises the Internet Explorer (Windows) and Safari (Apple Mac) web browser applications. The Service Provider must ensure that services it delivers through web services work correctly on both browser types, up to and including the latest release from the manufacturers and, as a minimum, within a sliding n-1 version window.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

4.1.5 Server platform support

Services proposed to be installed on server hardware directly connected to the BBC network must either operate effectively on the standard BBC Server build (currently utilising Windows 2003 Server or as otherwise defined by the BBC Server Roadmap) or must utilise an equivalent supplier-provided and managed server build that incorporates anti-virus and server monitoring capability compatible with the management toolset defined within the BBC Server Roadmap (currently Microsoft Operations Manager).

In terms of older platforms, the Service Provider must operate a sliding “n-1” window of replacements:- once a new major platform “n” is released by the supplier, the Service Provider must begin to replace anything that is at major release “n-2”. A window of continued n-2 operation may be granted by dispensation from the BBC, on request, in order to permit the migration away from the current platform.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)


4.1.6 Hardware support

Where the services being provided require hardware to be connected to BBC desktop or laptop devices, the Service Provider will ensure that appropriately tested (and, where required for the platform, signed) drivers are provided for use with the operating systems in use, in accordance with the User Platforms Roadmap.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

4.1.7 Office productivity suite support

Where the services being provided are reliant on functionality within, or interfaces with, an office productivity suite on the user platform (i.e. word processor, spreadsheet or presentation tool), the Service Provider will ensure that such dependency can be met by the office productivity suite(s) used within the BBC as defined by the User Platforms Roadmap.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)


4.1.8 File format support

The Service Provider will ensure that it is able to share common document, spreadsheet and presentation files through the use of compatible file formats. The BBC is able to consume files in Microsoft Office proprietary formats, and will be providing support for Open Document Format and Microsoft Office Open XML in the timescales outlined in the User Platforms Roadmap.

The default office productivity suite output format for BBC content is as defined in the User Platforms Roadmap. The Service Provider must ensure it has the capability to support the receipt of files in that format.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

4.2 Real-time collaboration

Summary: The Service Provider must ensure it adheres to the standards utilised by the BBC for the purposes of collaborative working where a given method of communication is proposed to be utilised by the Service Provider in the delivery of services to the BBC.

4.2.1 Document lifecycle management

Documents needing to cross network boundaries are required to be secure and appropriately encrypted. The BBC is intending to implement rights management technology within its environment in the future. Rights management functionality incorporated into any document provided to the BBC must be compatible with Windows Rights Management Services v1.0 (SP1) and future versions thereof.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)


4.2.2 Presence

The Service Provider will ensure that the use of presence services within the contracted services adheres to the SIP/SIMPLE standards. The BBC actively encourages the integration of presence functionality in people-to-people systems and services.

The BBC currently utilises Microsoft Office Live Communications Server 2005 for the delivery of presence services. Client services are provided using Microsoft Office Communicator 2005. These are subject to change according to the transitions defined in the User Platforms Roadmap.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

4.2.3 IP telephony

Where the Service Provider is implementing services dependent on or utilising IP Telephony any services, end point devices or client software must be capable of connecting to a SIP gateway infrastructure.

The BBC utilises the Siemens HiPath IP PBX system.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)


4.2.4 Instant messaging

All instant messaging functionality must be fully SIP compliant.

The BBC utilises the Microsoft Office Live Communications Server 2005 SIP gateway, in conjunction with Microsoft Office Live Communications Server 2005 Access Proxy and Microsoft Office Live Communications Server 2005 Public IM Connectivity, with Microsoft Office Communicator 2005 at the client.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

4.2.5 IP/ISDN video conferencing

Services delivering or integrating with existing point-to-point or multi-point group video conference functionality must be compliant with the H.323, H.320 and T.120 standards. IP-based video conference connectivity must be capable of using the SIP control set.

The BBC uses Polycom VSX7000 edge devices via a Polycom MGC-50 IP/ISDN bridge.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)


4.2.6 Calendaring

The Service Provider will ensure that, where there is a requirement for calendar management within the service (for example the regular creation of meetings with BBC participants), these can be arranged through X.500/LDAP Directory Services (the BBC uses Active Directory).

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

4.2.7 Basic people information

Where named individuals within the Service Provider's organisation have a defined BBC-facing role that requires them to be identifiable to BBC staff (for example, BBC members of staff may need to email or call an individual within the Service Provider's organisation for the purposes of initiating or otherwise consuming one of the services being provided), the Service Provider will provide an output mechanism by which the basic details of those individuals can be imported into an LDAP directory service.

The basic details will include, but are not limited to, name, role, email address and telephone number.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

4.3 Presentation Portal

Summary: The BBC has implemented a standard web-based presentation portal layer on top of its staff-facing services. The Service Provider is expected to adhere to the standards and guidelines associated with the presentation of services through that portal where the services being provided are BBC-facing and relate to staff activities.

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)

4.3.1 Portal fabric integration

To expose services through the BBC portal the Service Provider must ensure that their services are delivered through one of the following methods:

• Web Parts or Portlets based on Web Services

• A secure Web Services interface (SOAP/XML, WSDL) provided via the internet

• Managed and documented API (SAP BAPI, .NET or J2EE) that can be wrapped into a Web Part or portal

• An Extranet (utilising one or more of the above technologies)

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

4.3.2 Extranet-based services

An Extranet being utilised to provide the services must be capable of being connected to via the BBC’s DMZ environment. Any extranet service developed for the purposes of the service should be capable of participating in X.500/LDAP-based Directory Services (the BBC uses Active Directory).

Where the extranet is providing real-time collaboration functionality it must be provided in line with standards defined within this paper.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)


4.3.3 User experience

To ensure the BBC is able to integrate web services into its portal architecture as seamlessly as possible, the Service Provider must provide interfaces to services (e.g. screens, interactions) in an open standard web service where possible.

In all cases the Service Provider must enable the design of the presentation layer to be customised (using, for example, XSLT or CSS).

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

4.4 Federative working

Summary: The BBC is investigating the ability to work in a federated manner with its partners and suppliers to enable secure and integrated collaborative working across a variety of media. Whilst standards are still emerging in this field, the Service Provider must work with the BBC to assist in the future integration of secure collaborative functionality through federated identification where that functionality is key to the delivery of the services being provided. Whilst the costs for any such work cannot be agreed in advance, the Service Provider is expected to make available suitable personnel on a project basis at an agreed rate card.

4.4.1 Interim federative working

Where the service will require or substantially benefit from federated identity functionality the Service Provider must provide a service compatible with Microsoft Active Directory Federation Services until such a time as a broader standard is available.

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)


Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)


5 Interoperability service requirements

The following sections refer to specific service requirements for Interoperability. The BBC requires all service partners to align the delivery of the business services they provide to a Service Orientated Architecture (SOA)-based sourcing model.

The BBC intends to use web services based technologies in enabling and supporting greater collaboration and integration between the BBC and its partners.

To this end, the BBC will provide a roadmap outlining common capability that service providers will be able to leverage in enabling and supporting the delivery and presentation of data and processing resources as web services. These services involve user-to-system and system-to-system service interactions that are key in supporting cross-business processes that may traverse the BBC’s firewalls and organisational boundaries.

5.1 Interoperability

Summary: The Service Provider must support the integration of shared processes and the eventual migration and exposure of data and processing resources as discrete, autonomous business services with well defined, published and standards-compliant interfaces that can be invoked over standard protocols and transports as Web Services.

For any Service Provider to be able to leverage the capability offered through the interoperability services, partner organisations are required to expose and deliver services using the W3C Web Service technology standards. The granularity and visibility of these business services are to be agreed with the BBC.

The following requirements specify how existing and new services will be governed to ensure they are compliant with the BBC’s Single Services Framework model. Most of these requirements are embodied within the W3C Web Services standards, with which the Service Provider is expected to comply; however, some of these requirements specify the underlying principles that must govern best practice design and implementation of service interfaces.

5.1.1 Services are Simple; presenting a low barrier to use.

The mechanism through which services are presented must not be so complicated that it precludes the use of those services. This applies mainly to the interface specification, where Service Providers must ensure they do not specify interfaces that attempt to perform too many unrelated functions through a single interface specification.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)


Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

5.1.2 Services are Open and Inclusive through the adoption of open industry standards like XML

This is implied through the BBC requirement for Web Services, which are based on the XML data format.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

5.1.3 Services are Accessible; they are easy to find and use

Web Services incorporate the concept of a service directory that acts as a registry of services. The BBC, through its interoperability SSF service, will have a similar entity responsible for presenting services advertised by other systems. Service Providers must comply with the service presentation requirements encompassed within Web Services to ensure their services can be discovered, accessed and used through the BBC’s Service Directory.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)


5.1.4 Services are Autonomous; implementing a complete business task, process or function.

Services presented by a system must perform a complete business task, function or process. The unit of work performed by the service interface depends on various factors, but the requirement and principle remain the same: data and process must be in a stable state once the function or transaction is completed, and the service must be consumable in parallel, or reusable in another context, if required and not prohibited by any policies associated with the service.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

5.1.5 Service supports human and system interaction alike where appropriate; to aid the automation of the service or its participation in an orchestrated composite service

Service Providers must ensure, whenever possible, that a service caters for human consumption as well as consumption by another system. This is because as processes transition through different states of maturity and change, it cannot be guaranteed that the entity at the other end is another system or user. Some services may be delivered to a user through a document interface that mimics the characteristics of being another system. Or, a service may be delivered to a portal environment through a web interface. In both cases supporting this requirement gives the BBC the flexibility and agility to present the service as it sees fit, and based on its requirements.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)


5.1.6 Service interfaces are decoupled from service implementation

The BBC requires that where services are presented by systems, they are presented through service interfaces that are decoupled from the service implementation. By this we mean that changes to the implementation or configuration of the system that supports the services should not result in the service consumer having to make a corresponding change. This design principle is vital in managing the cost of change over the lifetime of the service engagement, and is currently seen as best practice in system architecture, development and design.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

5.1.7 Services are reusable and leverage existing business and technology services to allow the delivery of new composite services required to meet anticipated threats and opportunities

The main benefit of adopting the architecture and design principles of SOA is that, through the consistent and uniform presentation of services via interfaces that are decoupled from the service implementation, these interfaces can be reused to deliver other services in support of other processes. These services can then be used as the building blocks in delivering a business process, and by changing the order in which these services are executed, other new processes can be supported in anticipation of emerging business opportunities and threats.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)


5.1.8 Services are self describing

Services must be self describing through their interface, or contain a reference to a web-based information source that specifies the following as a minimum:

• Service owner contact details – Email and/or phone number for the individual or group responsible for the service

• Service Support contact details – Email and/or phone number for service support queries

• Service version – The version number of the service

• Service Description – A description of the service

• Service Policy – Information, or a reference to information, on what assertions, assumptions and constraints bound service use.

When a machine readable description is implemented, Service Providers must use one of the following standards: UDDI/WSDL 1.2 or later, or W3C XML Schema.

It is the responsibility of the Service Providers to ensure this information is accurate and timely.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

5.1.9 Service data formats are XML based

Data or information resources presented as services must be XML based with valid W3C schema.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)


Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

5.1.10 Service Invocation

Services must support invocation through one of the following service protocols: XML, SOAP 1.1 or later, HTTP 1.1 (REST model) or WebSphere MQ.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

5.1.11 Service Transports

Services must support one of the following service transport standards: HTTP, HTTPS, JMS or WebSphere MQ.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)


5.1.12 Standards

The BBC requires that system-to-system interfaces must be based on open standards; by this we mean the implementation must utilise internet standards. The following types of web services interfaces are considered compliant:

• WS-I Web Services (http://www.ws-i.org/)

• REST model Web Services based on HTTP 1.1 or later

• Business Semantics: these standards cover specific sectors and support integration by specifying a common language that can be used across business transactions.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

5.1.13 Policies

Service policies around quality of service, security and other areas will be discussed and agreed through the service definition activities. However, the agreed policies governing the services must be provided in the service description to ensure these are available at the point of use as per the service requirements specified above, and other SSF requirements.

All other BBC Information and Technology policies apply.

Compliant? Yes (Y), No (N), Partial(P)

T1 T2 T3

Service Provider Statement Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)

Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)


Will this service be measured (Y/N)?

How will the service be measured? How frequently will the service be measured?

Notes (BBC use only)


6 High-level service provision roadmap

Summary: The Service Provider must supply a high level view of planned changes based on timed states. The BBC requires this information in both a tabular and diagrammatical format.

6.1 Table showing locations and staff

As part of a contract with the BBC, the Service Provider is likely to initiate new facilities and deploy new staff. They might also move existing BBC staff and facilities to new locations. The way that applications and services are delivered may also change over time (e.g. through integration with the portal or via Terminal Services).

In order to clarify the Service Provider’s planned deployment, they should complete a high-level table giving details of planned technology changes at each of the three states: State 1, State 2 and State 3 (see section 2.1). The table must enable the BBC to understand the technical and resource implications of technology change. Consequently, the BBC requires details about application and service provision (including logical and physical location, presentation and protocol) and people (including logical and physical location).

An example table is provided below using examples based on 76 staff (at the start of contract) and example systems called “TESTBED”, “PRODSYS”, “POSTDEV” and “SERVTRAK”:

“Location”: BBC premises and/or facilities
  Staff numbers: State 1 = 76; State 2 = 21; State 3 = 0
  Application or service (1) name, 2) presentation format and network protocol):
    TESTBED: State 1 = Proprietary protocol & presentation; State 2 = Proprietary presentation accessed via Terminal Services; State 3 = Secure web-services via the portal
    PRODSYS: State 1 = Web-based presentation; State 2 = N/A; State 3 = N/A

“Location”: De-Militarised Zone between the BBC and the Service Provider
  Application or service (1) name, 2) presentation format and network protocol):
    PRODSYS: State 1 = N/A; State 2 = Web-based presentation; State 3 = Web-based presentation via the portal

“Location”: Service Provider premises and/or facilities
  Staff numbers: State 1 = 0; State 2 = 22; State 3 = 45
  Application or service (1) name, 2) presentation format and network protocol):
    POSTDEV: State 1 = N/A; State 2 = Proprietary presentation accessed via Terminal Services; State 3 = Web-based presentation via the portal
    SERVTRAK: State 1 = N/A; State 2 = Web-based presentation via the portal; State 3 = Web-based presentation via the portal

6.2 Diagram showing locations

The Service Provider must also produce three simple, high level diagrams showing basic interconnections needed to achieve the service at each of the three States. Two typical examples (for States 1 and 2) are supplied here using examples based on 76 staff (at the start of contract) and example systems called “TESTBED”, “PRODSYS”, “POSTDEV”,“SERVTRAK” and “WEBFAC”:


6.3 Diagram showing interfaces

The Service Provider must include a set of diagrams showing circuit and firewall details to indicate how the connections to the BBC’s and SIS’s infrastructure will be achieved.


Document Control Page

1 Document Identification

Title: Technology Standards for Service Providers (2): Specific Obligations
Document Ref.:
CI Ref.:
Version: 1.6
Date: 18 Mar, 2008

2 Authorisation

Name: Keith Little
Position: Head of IT and Data Assurance
Date:
Signature:

3 History

Version Date Author Description

Draft01 24 Oct 2005 Paul Boyns Initial re-cut of Andy Leigh’s IS papers

Draft02 31 Oct 2005 Paul Boyns Inclusion of Presentation and draft Interoperability

Draft03 01 Nov 2005 Paul Boyns Including feedback from Nic Price and Dan Abunu

V1.0 02 Nov 2005 Paul Boyns Minor error corrections.

1.1 07 Nov 2005 Paul Boyns Renamed Document

1.2 16 Mar 2006 Andy Leigh Added response/state section (2.1) and roadmap section (6)

1.3 17 Mar 2006 Paul Boyns Minor amendments to 1.2 (states).

1.4 05 June 2006 Andy Leigh Clarifications to network connectivity

1.5.1 07 Aug 2007 Andy Leigh Embedding response section into main document (also copy part 1 version 1.5.2)

1.5.2 07 Aug 2007 Andy Leigh Added section on distributed ID & Auth

1.5.3 07 Aug 2007 Paul Boyns Updated Presentation section

1.5.4 - .7 08 Nov 2007 Andy Leigh Added Business Continuity and Service Measure

1.5.8 11 Nov 2007 Paul Boyns Inclusion of office productivity and hardware standards and minor updates.

1.5.9 12 Nov 2007 Andy Leigh Inclusion of corrections from Peter Brooks

1.6 18 Mar 2008 Andy Leigh Renumbering to align with DQ standards. Missing table added

Any comments, queries or change control requests about this document should be addressed to: Paul Boyns ([email protected])