The BBC will normally host its own services and content.
Third party hosting will be considered only if it is not possible or desirable for the BBC to host the data. For example, if the BBC does not have the required software or facilities to complete the required service, then third party hosting may be allowed.
An example of a bbc.co.uk website that uses third party hosting is Fantasy Football.
This document provides an overview of security issues relevant for third party hosts and describes the level of service required from them.
For detailed policy documents see: BBC Delivering Quality – Third Parties. This page contains a link to the document which describes the application process for hosting BBC-owned data using an external internet service provider, including the following questionnaire you will need to complete:
To host bbc.co.uk content via a third party supplier, you MUST apply with a business case to the Information Security Manager.
The business case should include:
You SHOULD ensure that externally-hosted content still appears to come from the bbc.co.uk domain, by using one of the following techniques:
3.1 DPA/Information Security MUST be assessed before contracts are signed if users' personal data will be passing through a third party site or host.
3.2 The hosting company MUST complete the Hosting, Holding or Processing Information on Behalf of the BBC questionnaire (N.B. select the document listed under Hosting BBC data on an external ISP For BBC owned data) and return it to BBC Information Security.
3.3 In addition, a technical assessment SHOULD include confirmation that the hosting company:
3.4 All BBC branded content on third party servers MUST be subject to BBC editorial control and the service MUST be proxied from bbc.co.uk, and not on a third party URL (see section 2).
3.5 The BBC will commission a third party to perform a 'Penetration Test' on the service once it is available. Any issues reported from the test MUST be rectified before the service is allowed to go live.
bbc.co.uk is hosted outside the BBC firewall.
Should any party need to transfer information to locations inside the BBC firewall, the firewall policy will apply. For more information see BBC Delivering Quality – Firewalls.
4.1 The hosting company MUST agree service levels with the BBC site commissioners.
4.2 You should be aware that our minimum service levels are normally 99.55% service availability 24/7 (maximum 40 hours downtime p.a.).
4.3 Potential hosting companies MUST provide the following information:
4.4 Prior to entering any contract, the company MUST agree to the following:
Any third parties who wish to host BBC branded services or content MUST provide escalation procedures for any problems with service availability.
5.1 The BBC's requirements of the hosting company for load testing, capability and reporting will depend on the volume and type of data they are hosting. Capacity MUST be part of the requirements specification as this will be subject to load testing.
5.2.1 The hosting company MUST demonstrate load testing, with a BBC option to attend this testing (and/or to receive a copy of test results):
5.2.2 If service exceeds the agreed peak hit rate, the BBC SHOULD be able to accept degradation in service rather than incur additional costs, and MUST have the right to reduce/stop all promotion of the service.
The hosting company SHOULD agree to provide reporting as follows:
|04/03/2010||v1.2||Update to links to Third Party Hosting guidance and questionnaire.||Ed Lee|
|22/02/2007||v1.15||Minor amendment for Information Security, updating description and link to questionnaire in Section 1.||Tred Magill|
|16/03/2005||v1.14||Put in info on iFrames (after Tech Forum on 14/03/2005)||Jonathan Hassell|
|11/03/2005||v1.13||Put in info on firewalls||Jonathan Hassell|
|10/03/2005||v1.12||Minor typos corrected||Jonathan Hassell|
|08/03/2005||v1.11||Enabled change tracking and updated based on contracts||Mark Hewis|
|23/02/2005||v1.09||Added comments from Narinder Bains and Matthew Blakemore||Sally Underwood|
|22/10/2004||v1.08||Updated to include more info on other aspects of what you must do to do this (from Richard Cooper)||Jonathan Hassell|
|11/08/2004||v1.07||Updated Head of Information Security to Head of IT and Data Assurance; also updated document links||Jonathan Hassell|
|04/03/2003||v1.06||Added bookmarks to all headings for easier reference from browser||Jonathan Hassell|
|19/08/2002||v1.05||added audience into footer||Jonathan Hassell|
|17/08/2002||v1.04||checked all contacts are abstracted into contacts file||Jonathan Hassell|
|16/08/2002||v1.03||renamed as Appendix D. Check all inter-document links.||Jonathan Hassell|
|14/08/2002||v1.02||Done global search for MUST, SHOULD etc.||Jonathan Hassell|
|07/08/2002||v1.01||Added copyright information to footer||Jonathan Hassell|
|05/08/2002||v1.00||created document (spun off from App5)||Jonathan Hassell|
Like all other Future Media Standards & Guidelines, this page is updated on a regular basis, through the process described on About Standards & Guidelines.