Future Media Standards & Guidelines

Third Party Hosting Requirements v1.2 (superseded)

1. Third party hosting and the BBC

The BBC will normally host its own services and content.

Third party hosting will be considered only if it is not possible or desirable for the BBC to host the data. For example, if the BBC does not have the required software or facilities to complete the required service, then third party hosting may be allowed.

An example of a bbc.co.uk website that uses third party hosting is Fantasy Football.

This document provides an overview of security issues relevant for third party hosts and describes the level of service required from them.

For detailed policy documents see: BBC Delivering Quality – Third Parties. This page contains a link to the document which describes the application process for hosting BBC-owned data using an external internet service provider, including the following questionnaire you will need to complete:

1.1 Summary of application procedure

To host bbc.co.uk content via a third party supplier, you MUST apply with a business case to the Information Security Manager.

The business case should include:

  • Reasons why it is not possible to host the content on BBC servers (infrastructure or costs)
  • How you plan to integrate the externally-hosted materials to look like they are a normal part of bbc.co.uk (see section 2).
  • Proof that the proposed third party supplier can provide the appropriate security, performance monitoring and statistical services (see sections 3 to 6 below) from pre-contract evaluation and/or trial testing period. Testing MUST be carried out before live launch of any bbc.co.uk content or service that is hosted via third party servers.


2. Integration of externally-hosted content with bbc.co.uk

You SHOULD ensure that externally-hosted content still appears to come from the bbc.co.uk domain, by using one of the following techniques:

  • A simple redirect. Users will see an initial bbc.co.uk URL, but then they are redirected to the external, non-bbc.co.uk address in an obvious way (the new address is displayed on the address line).
  • A feed to pull in external web content to template pages which are hosted on bbc.co.uk. This is the best solution, as it has no address line problems.
  • A Flash or client-based application making requests to a third party service (so calls are invisible to users).
  • An iframe, so that information hosted on another site can simply be pulled into a BBC hosted and branded page that has a bbc.co.uk address.


3. Security

3.1 DPA/Information Security MUST be assessed before contracts are signed if users' personal data will be passing through a third party site or host.

3.2 The hosting company MUST complete the Hosting, Holding or Processing Information on Behalf of the BBC questionnaire (N.B. select the document listed under Hosting BBC data on an external ISP For BBC owned data) and return it to BBC Information Security.

3.3 In addition, a technical assessment SHOULD include confirmation that the hosting company:

  • Has suitable hardware and software for the provision of the content/service;
  • Can provide adequate levels of connectivity to the BBC servers to meet agreed performance levels;
  • Will protect the integrity of data from viruses, malware and inappropriate content – protection tools to be approved by Siemens Internet Operations;
  • Has taken an appropriate level of care when it comes to protecting the BBC's data, brand, and reputation.

3.4 Vital information: All BBC branded content on third party servers MUST be subject to BBC editorial control and the service MUST be proxied from bbc.co.uk, and not on a third party URL (see section 2).

3.5 The BBC will commission a third party to perform a 'Penetration Test' on the service once it is available. Any issues reported from the test MUST be rectified before the service is allowed to go live.

3.6 Firewalls

bbc.co.uk is hosted outside the BBC firewall.

Should any party need to transfer information to locations inside the BBC firewall, the firewall policy will apply. For more information see BBC Delivering Quality – Firewalls.


4. Service Availability

4.1 The hosting company MUST agree service levels with the BBC site commissioners.

4.2 You should be aware that our minimum service levels are normally 99.55% service availability 24/7 (maximum 40 hours downtime p.a.).

4.3 Potential hosting companies MUST provide the following information:

  • Evidence of achievement of this level of service availability over the previous 12 months (where available for comparable service);
  • Maximum length of downtime over last 12 months (where available for comparable service).

4.4 Prior to entering any contract, the company MUST agree to the following:

  • Fault categories;
  • Meantime to repair faults – maximum of 2 hrs;
  • Between the hours of 12am and 6am, response to be during the next working day (dependent on the requirement);
  • 24/7 hotline number;
  • Failure masking (an agreed mechanism) in the event of unplanned/planned downtime;
  • Escalation procedures (see section 4.1);
  • Advance warning of scheduled downtime (minimum of 24 hrs notice by arrangement);
  • Non-urgent scheduled downtime to be held out of hours (between 12 am and 6am).

4.5 Escalation procedures

Any third-parties who wish to host BBC branded services or content MUST provide escalation procedures for any problems with service availability.


5. Load testing, capability and reporting requirements

5.1 The BBC's requirements of the hosting company for load testing, capability and reporting will depend on the volume and type of data they are hosting. Capacity MUST be part of the requirements specification as this will be subject to load testing.

5.2 Load testing

5.2.1 The hosting company MUST demonstrate load testing, with a BBC option to attend this testing (and/or to receive a copy of test results):

5.2.2 If service exceeds the agreed peak hit rate, the BBC SHOULD be able to accept degradation in service rather than incur additional costs, and MUST have the right to reduce/stop all promotion of the service.

5.3 Reporting requirements

The hosting company SHOULD agree to provide reporting as follows:

  • Usage stats on a rolling 24 hr basis.
  • Usage stats should show normal availability – target and actual.
  • Notification of fault to be within 15 minutes, or if automated monitoring, an email alert to be generated within 2 minutes.
  • Notification of restoration of service to be within a maximum of one hour, (or if not confirmed by automated email).
  • Fault log for review at performance review meetings – frequency to be as required by the BBC.
  • If the company is to manage the BBC's user emails, then this should be via a BBC email address, and responses should be routed through the BBC. The hosting company must agree to meet BBC email response time targets.


6. Document history

Date | Version | Change | Author
04/03/2010 | v1.2 | Update to links to Third Party Hosting guidance and questionnaire. | Ed Lee
22/02/2007 | v1.15 | Minor amendment for Information Security, updating description and link to questionnaire in Section 1. | Tred Magill
16/03/2005 | v1.14 | Put in info on iFrames (after Tech Forum on 14/03/2005) | Jonathan Hassell
11/03/2005 | v1.13 | Put in info on firewalls | Jonathan Hassell
10/03/2005 | v1.12 | Minor typos corrected | Jonathan Hassell
08/03/2005 | v1.11 | Enabled change tracking and updated based on contracts | Mark Hewis
23/02/2005 | v1.09 | Added comments from Narinder Bains and Matthew Blakemore | Sally Underwood
22/10/2004 | v1.08 | Updated to include more info on other aspects of what you must do to do this (from Richard Cooper) | Jonathan Hassell
11/08/2004 | v1.07 | Updated Head of Information Security to Head of IT and Data Assurance; also updated document links | Jonathan Hassell
04/03/2003 | v1.06 | Added bookmarks to all headings for easier reference from browser | Jonathan Hassell
19/08/2002 | v1.05 | Added audience into footer | Jonathan Hassell
17/08/2002 | v1.04 | Checked all contacts are abstracted into contacts file | Jonathan Hassell
16/08/2002 | v1.03 | Renamed as Appendix D. Check all inter-document links. | Jonathan Hassell
14/08/2002 | v1.02 | Done global search for MUST, SHOULD etc. | Jonathan Hassell
07/08/2002 | v1.01 | Added copyright information to footer | Jonathan Hassell
05/08/2002 | v1.00 | Created document (spun off from App5) | Jonathan Hassell

Document editor: Editor, Standards & Guidelines. If you have any comments, questions or requests relating to this document, please contact the Editor, Standards & Guidelines.

Like all other Future Media Standards & Guidelines, this page is updated on a regular basis, through the process described on About Standards & Guidelines.


BBC © 2014