National Infrastructure Group. Paul McLaren (Updated by Russell Fleming and Stuart Graham)

Transcription

1 Document Control Document Title Infrastructure Standard Version 2.0 Owner Authors National Infrastructure Group Paul McLaren (Updated by Russell Fleming and Stuart Graham) Created date 5 th August 2013 Compliance See guidance in section 2 Reviewers Distribution and National Infrastructure Group, National Application Group, ehealth Leads, ehealth Architecture and Design Version Control Date Version Author Changes 05/08/ Paul McLaren Initial draft 26/08/ Paul McLaren Comments from John Light, NHS GGC 16/09/ Paul McLaren Updated following review by National Infrastructure Group on 30/08/ /09/ Paul McLaren Minor updates to wording in section /11/ Paul McLaren Update following review by National Applications Group 13/01/ Paul McLaren Update to Infrastructure Management section. 03/02/ Paul McLaren Sign off by ehealth Leads Group 02/05/ Paul McLaren Amend regarding version of Win 7 to include both 32 and 64 bit. 12/08/ Russell Fleming & Stuart Graham Major revision to ensure versioning complies with product support lifecycles. 07/02/ Russell Fleming Added a specific green ICT & environmental regulations section to make them clearer. 20/02/ Russell Fleming Added exception governance statement Page 1 of 13

2 06/03/ Russell Fleming Sign off by ehealth Leads Group Page 2 of 13

3 Infrastructure Management (within local Boards) Governance (supported by National Infrastructure Group) 1. Overview This standard describes the hardware and software specifications for infrastructure in NHSScotland. It aims to benefit a number of audiences to ensure they are making informed decisions based on the actual availability of IT infrastructure. The standard replaces the NHS Scotland Personal Computer Standard to provide wider coverage of the infrastructure stack, covering the following infrastructure elements and describing the specification for each: User directory services, authentication by single sign on Applications browsers, productivity, and core business functionality (excludes line of business and clinical) Client hardware, operating systems for PCs, laptop, tablet and mobile devices Server hardware, storage, operating systems, databases and web hosting Hosting data centres and computer rooms within Boards and beyond Network connectivity within premises, between locations and to other networks Adherence to the standard will support Boards in local planning, aid procurements by providing specifications and assist suppliers to provide solutions that can integrate with the NHSScotland infrastructure, therefore leading to more effective solution delivery. It should also be noted that NHSScotland seeks to ensure that single supplier dependencies are minimised and that lock-in to additional products is avoided to limit exposure to hidden TCO increases. The standard is also supported by roadmaps documenting the lifecycles of each of the elements within the standard, supporting transition and providing advance notification of product end of life. 2. Compliance For Boards: The standard provides Boards with a specification to which infrastructure within their Board should comply. For Suppliers: The standard provides suppliers with a specification to which their solutions must comply. Suppliers should ensure their solutions can be deployed, function and integrate where required with all the relevant specifications detailed in the standard. Page 3 of 13

4 For non-compliant solutions which require specifications out-with those in the standard then appropriate consultation should be undertaken with infrastructure teams at a local, regional or national level to consider the implications of the increased support and both cost and risk implications the non-standard product(s) introduce. Page 4 of 13

5 3. Specification The following tables detail the specification for each section of the infrastructure stack. Where a product is specified it should be assumed that product or equivalent is acceptable for Boards to have available. User Recommended specifications for directory services and authentication. Type Directory Services Authentication Single Sign On Specification Detail Minimum: Microsoft Active Directory managed by Health Board Desirable: Support for federated directory services Minimum: Microsoft Active Directory managed by Health Board Desirable: Support for claims aware federated directory support Minimum: Imprivata OneSign 4.x (latest major version -1). Desirable: Imprivata OneSign 5.x (latest major version) On Roadmap Applications Recommended specifications for browsers, productivity and core business functionality (excludes line of business and clinical). Type Application Delivery Specification Detail Methods of application delivery are, in order of preference: i. compliance with the Web Browser specification. ii. iii. packaged applications for deployment by Health Board client management tools delivery of application by desktop virtualisation or thin client technologies On Roadmap Installing or running of applications should not require elevated rights for the logged on user Page 5 of 13

6 Web Browser Minimum: Solutions must be HTML5 compliant and should be tested on IE11 Desirable: Solution are also tested for compliance with latest versions of Chrome, Firefox and Safari, as well as leading mobile browser platforms (ios, Android, Windows 10) Web Components Productivity Security Client Management Minimum: Java SE 7.x Desirable: Java SE 8.x Microsoft Office: Minimum: Microsoft Office 2007 Standard Edition Desirable: Microsoft Office 2016 Aspirational: Microsoft Office 365 Open source alternative with Health Board agreement, however, the solution must be open standards compliant. Adobe Acrobat Reader: Minimum Version 11.x.x (latest available version -1) Desirable: Acrobat Reader DC (latest available version) Health Board specified solutions offering following: Anti-virus active and managed by local Health Board Client Firewall optional Anti-malware optional Encryption per the Mobile Data Protection Standard (ref 1) USB port control optional Preboot authentication - optional Faulty and end of life hard disks are to be shredded or securely wiped and a ful;l audit trail of the process is to be maintained by the Health Board. Health Boards specified solution offering following: Hardware asset management Imaging Endpoint location information Remote support Application deployment Operating system patch deployment Application patch deployment Software asset management and licence metering Local Session Data Session data created by applications should not retained on endpoint (e.g. local copies of databases and similar) Page 6 of 13

7 Screensaver NHSScotland approved security screensavers, in addition to any local images, with a screen locking function enabled. Client Recommended specifications for hardware, operating systems for PCs, laptop, tablet and mobile devices. Type Specification Detail On Roadmap Operating System: Minimum: Windows 7 32 bit and 64 bit Desirable: Windows bit and 64 bit Processor: Windows 7 compliant minimum Memory: Windows 7 compliant minimum+, recommended Desktop/Laptop 2Gb Disk: Minimum to meet local requirements, additional spare space varies locally Screen Resolution: native to monitor with minimum 1024x bit minimum up to 32 bit colour quality Tablet and Mobile Device Tablet and Mobile Device hardware should be bought from the National contract to ensure that it is the latest compliant model. Server Recommended specifications for hardware, storage, operating systems, databases and web hosting. Type Hardware Virtualisation Specification Detail As specified by Health Board, either physical or virtual instance VMWare: Minimum: vsphere 5.5 (latest major release -1) Describable: vsphere 6.0 (latest major release) Hyper-V: Minimum: latest major release -1 Desirable: latest major release On Roadmap Page 7 of 13

8 Storage Operating System Database Web Hosting Backup As specified by Health Board, either physically attached or SAN Windows Server: Minimum: 2008 R2 SP1 Desirable: 2012 R2 Red Hat Enterprise Linux Minimum: Latest major release -1 Desirable: Latest major release SQL Server Minimum: 2012 R2 Desirable: 2016 Oracle products per the NHS Scotland EWA (ref 4) IIS: Minimum: 7.x Desirable: 8.x Apache Tomcat: Minimum: 8.x Desirable: 9.x As specified by Health Board, in line with existing Health Board solution and backup policies. Hosting Recommended specifications for data centres and computer rooms within Health Boards and beyond. Type General Rack Environment Specification Detail As specified by Health Board but recommended TIA-942 / Uptime Institute Tier-2 availability minimum (with aspects of Tier-3 such as dual PSU s in all servers, storage and networking devices). Availability in agreement with local Health Board, specification to Electronic Industries Alliance standard 19 rack mount. As specified by local Health Board but recommended: N+1 cooling capacity, minimum dual units Hot/Cold aisle configuration, maximising power utilisation efficiency. Target PUE <1.5 On Roadmap Page 8 of 13

9 Power Access As specified by local Health Board but recommended: Dual incoming supplies N+N capacity Dual UPS N+N capacity Each supply has own distribution board Each rack is supplied with 32A Commando connection from each supply Desirable: Power Monitoring with separate monitoring for IT Infrastructure and Environmental controls Physical site and equipment access in line with Health Board arrangements Remote support in line with Health Board arrangements and security policies. Access control policies should be appropriate for each security level Network Recommended specifications for connectivity within premises, between locations and to other networks. Type Local Area Wireless Local Area Wide Area Security Video Services Specification Detail Minimum: 100Mb/s to wired client devices. Desirable: 1Gb/s to wired client devices. IEEE ac standard. Secure access to be provided for staff and option to allow guest access on a separate VLAN. NHSScotland sites are connected by SWAN and COINs. Site bandwidth varies from 512kb/s to 1Gb/s (10Gb/s for some COIN backbones) with QoS for selected national applications. Asynchronous and synchronous technologies are in use. Firewalls in place between internal networks and all external environments, including SWAN, direct ISP Internet, and partner organisations such as councils, and other public sector. Configurations changes in agreement with local Health Board. Compliance with NHSScotland Video Conferencing Standard (ref 2) On Roadmap Page 9 of 13

10 Green ICT compliance Recommended environmental specifications for data centres and computer rooms within Health Boards. Health Boards and suppliers should ensure compliance with the EU Code of Conduct for Data Centre Energy Efficiency (reference 3) and the Scottish Public Sector Green ICT Strategy (reference 5). Some high level guidance is provided below: Green ICT Summary of Legislation and Scottish Government Policy The Scottish Government Green ICT policy is not itself underpinned by legislation or mandation. It will, however, contribute to the mandatory and reporting elements established in other aspects of Scottish Government Legislation and policy initiatives. NHS Scotland Boards and Suppliers should comply with the following aspects of legislation: Procurement Reform (Scotland) Act, 2014 The sustainable procurement duty of The Procurement Reform (Scotland) Act, 2014 (reference 6) refers to the environment, and requires authorities to produce procurement strategies and annual reports. The key element pertinent to the Green ICT strategy is that before carrying out a regulated procurement initiative, public authorities should consider how in conducting the procurement process they can improve the economic, social, and environmental wellbeing of the authority s area. Climate Change (Scotland) Act, 2009 The Climate Change (Scotland) Act, 2009 (reference 7), sets out targets to reduce Scotland s greenhouse gas emissions by at least 42% by 2020 and 80% by 2050, compared to a baseline. The Act requires Scottish Ministers to set annual targets for Scottish emissions from 2010 to 2050, and publish a report on proposals and policies setting out how Scotland can deliver annual targets for reductions in emissions. Waste Electrical and Electronic Equipment (WEEE) The EC Directive on Waste Electrical and Electronic Equipment (2002/96/EC) was made law in the UK IN The WEEE regulations (reference 8) have interdependencies with the Scottish Landfill Tax (reference 9) which came into force in April 2015, and also with Scotland's Zero Waste Plan (reference 10). WEEE obligations do not cover all aspects of waste and asset disposal (e.g. data removal and destruction). The Green ICT Lifecycle: Green ICT aims at reducing emissions and other waste produced across the ICT lifecycle from procurement, to operational use, to disposal. Page 10 of 13

11 Procurement Dispopsal Operations Procurement Principles: Consider extending life of existing systems Go for services not assets: Cloud services, virtualise, consolidate Packaging reduction, re-use, repair and re-cycling methods Operations Principles Minimise Power consumption Follow data centre standards for efficient operations to help reduce power consumption. Develop a roadmap for the transition from hosting own data to hosting in cloud based services to further reduce power consumption Reduce paper consumption Embed green behaviours in operational practices and services Disposal Principles: Repair before disposal Re-use and refurbish Re-cycle in line with regulations Clean and re-sell/donate Dispose in line with regulations Environmental Standards and PUE - Energy use and environmental impact: It is well recognised that data centres are large consumers of energy, the main areas are IT power and ancillary/cooling power. The only credible and widely accepted energy performance rating system for data centres is the Power Usage Effectiveness (PUE) rating where the most efficient score is 1. Page 11 of 13

12 The rating is calculated by dividing the total data centre load by the IT load. PUE Rating Level of Efficiency >3 Very Inefficient 2.5 Inefficient 2 Average 1.5 Efficient 1.2 Very Efficient The Target for Data Centres hosted by NHSS Boards is <1.5 PUE Infrastructure Management The following should be noted: Health Boards manage and operate their ehealth infrastructure services locally to ITIL aligned processes. Suppliers and their service desks should equally be ITIL aligned. Change control or similar requests may require approval by a Board Design Authority or CAB. Suppliers should provide sufficient advance notice for planned works so Health Board approval can be agreed. Changes should be scheduled for an agreed time that causes least disruption to the business. Exceptions to the Standard Where there is a need to deviate from the Infrastructure Standard, then a request must be submitted in writing to the Chair of the National Infrastructure Group. All requests will be considered by the National Infrastructure Group and a written response will be provided outlining the decision. Governance Where there is a requirement for approval and sign off various groups and Management Boards exist within NHSScotland. The process to be followed for approval will vary dependent on the financial levels and operational impact of the request. ehealth Governance has the following structure for infrastructure decision making and sign off: ehealth Strategy Board ehealth Programme Board ehealth Leads Group Page 12 of 13

13 National Infrastructure Group (acting on behalf of the Infrastructure Portfolio Management Group) Health Board ehealth/infrastructure Management A number of other advisory groups exist (Information Governance, Security etc.) that may provide input if required. Review This standard will be reviewed every 6 months, indicated by the published date. Individual sections may be reviewed out of sequence as required. The next scheduled review date is: September References 1. Mobile Data Protection Standard: 3. EU Code of Conduct on Data Centre Energy Efficiency (2016 Best Practice Guidelines): /2016_best_practice_guidelines_v7.1.2.pdf 4. NHSScotland Oracle Enterprise Wide Agreement (EWA) products available on this agreement available on request. 5. The Scottish Public Sector Green IT Strategy (2015): 2. Video Conferencing Standard: The Procurement Reform (Scotland) Act, 2014: creformact 7. The Climate Change (Scotland) Act, 2009: 8. The EC Directive on Waste Electrical and Electronic Equipment (WEEE) (2002/96/EC): 9. The Scottish Landfill Tax: Scotland s Zero Waste Plan: Page 13 of 13