Future Media Standards & Guidelines

Third Party Hosting Requirements v1.3

1. Third party hosting and the BBC

The BBC will normally host its own services and content.

Third party hosting will be considered only if it is not possible or desirable for the BBC to host the data. For example, if the BBC does not have the required software or facilities to complete the required service, then third party hosting may be allowed.

An example of a bbc.co.uk website that uses third party hosting is Fantasy Football.

This document provides an overview of security issues relevant for third party hosts and describes the level of service required from them.

For detailed policy documents see: BBC Delivering Quality – Third Parties. This page contains a link to the document which describes the application process for hosting BBC-owned data using an external internet service provider, including the following questionnaire you will need to complete:

1.1 Summary of application procedure

To host bbc.co.uk content via a third party supplier, you MUST apply with a business case to the Information Security Manager.

The business case should include:

  • Reasons why it is not possible to host the content on BBC servers (infrastructure or costs)
  • How you plan to integrate the externally-hosted materials to look like they are a normal part of bbc.co.uk (see section 2).
  • Proof that the proposed third party supplier can provide the appropriate security, performance monitoring and statistical services (see sections 3 to 6 below) from pre-contract evaluation and/or trial testing period. Testing MUST be carried out before live launch of any bbc.co.uk content or service that is hosted via third party servers.


2. Integration of externally-hosted content with bbc.co.uk

You SHOULD ensure that externally-hosted content still appears to come from the bbc.co.uk domain, by using one of the following techniques:

  • A proxy. Users will see a bbc.co.uk URL, but behind the scenes they are proxied to mysite.external.bbc.co.uk, which is set up as a DNS CNAME to the third party's hostname (a DNS CNAME maps the mysite.external address to the third party server).
  • A feed to pull in external web content to template pages which are hosted on bbc.co.uk. This is the best solution, as it has no address line problems.
  • A Flash or client-based application making requests to a third party service (so the calls are invisible to users).
  • An iframe, so that information hosted on another site can simply be pulled into a BBC hosted and branded page that has a bbc.co.uk address.
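
A sketch of the proxy option above as a reverse-proxy configuration. This is an added example, not the BBC's configuration: the use of nginx, the /mysite/ path, the CA bundle path and the third party hostname are assumptions; only mysite.external.bbc.co.uk and the CNAME arrangement come from the text.

```nginx
# Added example: assumed nginx front end for bbc.co.uk (not the BBC's real config).
#
# DNS side, as described in the text (zone-file notation, target is a placeholder):
#   mysite.external.bbc.co.uk.  IN  CNAME  third-party-host.example.
#
# The location block below goes inside the existing server block for bbc.co.uk.

location /mysite/ {                      # hypothetical public path
    # Users keep a bbc.co.uk URL; nginx fetches from the CNAME'd name.
    proxy_pass https://mysite.external.bbc.co.uk/;

    # Present the external name to the third party host.
    proxy_set_header Host mysite.external.bbc.co.uk;
    proxy_ssl_server_name on;            # send SNI for the upstream name
    proxy_ssl_name mysite.external.bbc.co.uk;

    # Verify the upstream certificate, so whatever the CNAME points at must
    # hold a valid certificate for the BBC-owned name.
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # assumed path

    # Browsers attach bbc.co.uk cookies to these requests; do not pass them
    # on to the third party (assumes the hosted service needs none of them).
    proxy_set_header Cookie "";

    # Do not let the third party set cookies on the bbc.co.uk origin
    # (same assumption: the hosted service is cookie-less).
    proxy_hide_header Set-Cookie;

    # Rewrite upstream redirects so the external hostname never reaches
    # the user's address bar.
    proxy_redirect https://mysite.external.bbc.co.uk/ /mysite/;
    proxy_redirect http://mysite.external.bbc.co.uk/  /mysite/;

    # Give the third party the original client address and scheme for its logs.
    proxy_set_header X-Forwarded-For   $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```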


3. Security

3.1 DPA/Information Security MUST be assessed before contracts are signed if users' personal data will be passing through a third party site or host.

3.2 The hosting company MUST complete the Hosting, Holding or Processing Information on Behalf of the BBC questionnaire (N.B. select the document listed under Hosting BBC data on an external ISP For BBC owned data) and return it to BBC Information Security.

3.3 In addition, a technical assessment SHOULD include confirmation that the hosting company:

  • Has suitable hardware and software for the provision of the content/service;
  • Can provide adequate levels of connectivity to the BBC servers to meet agreed performance levels;
  • Will protect the integrity of data from viruses, malware and inappropriate content – protection tools to be approved by Siemens Internet Operations;
  • Has taken an appropriate level of care when it comes to protecting the BBC's data, brand, and reputation.

3.4 Vital information: All BBC branded content on third party servers MUST be subject to BBC editorial control and the service MUST be proxied from bbc.co.uk, and not on a third party URL (see section 2).

3.5 The BBC will commission a third party to perform a 'Penetration Test' on the service once it is available. Any issues reported from the test MUST be rectified before the service is allowed to go live.

3.6 Firewalls

bbc.co.uk is hosted outside the BBC firewall.

Should any party need to transfer information to locations inside the BBC firewall, the firewall policy will apply. For more information see BBC Delivering Quality – Firewalls.


4. Service Availability

4.1 The hosting company MUST agree service levels with the BBC site commissioners.

4.2 You should be aware that our minimum service levels are normally 99.55% service availability 24/7 (maximum 40 hours downtime p.a.).

4.3 Potential hosting companies MUST provide the following information:

  • Evidence of achievement of this level of service availability over the previous 12 months (where available for comparable service);
  • Maximum length of downtime over last 12 months (where available for comparable service).

4.4 Prior to entering any contract, the company MUST agree to the following:

  • Fault categories;
  • Mean time to repair faults – maximum of 2 hrs;
  • Between the hours of 12am and 6am, response to be during the next working day (dependent on the requirement);
  • 24/7 hotline number;
  • Failure masking (an agreed mechanism) in the event of unplanned/planned downtime;
  • Escalation procedures (see section 4.1);
  • Advance warning of scheduled downtime (minimum of 24 hrs notice by arrangement);
  • Non-urgent scheduled downtime to be held out of hours (between 12am and 6am).

4.5 Escalation procedures

Any third-parties who wish to host BBC branded services or content MUST provide escalation procedures for any problems with service availability.


5. Load testing, capability and reporting requirements

5.1 The BBC's requirements of the hosting company for load testing, capability and reporting will depend on the volume and type of data they are hosting. Capacity MUST be part of the requirements specification as this will be subject to load testing.

5.2 Load testing

5.2.1 The hosting company MUST demonstrate load testing, with a BBC option to attend this testing (and/or to receive a copy of test results):

5.2.2 If service exceeds the agreed peak hit rate, the BBC SHOULD be able to accept degradation in service rather than incur additional costs, and MUST have the right to reduce/stop all promotion of the service.

5.3 Reporting requirements

The hosting company SHOULD agree to provide reporting as follows:

  • Usage stats on a rolling 24 hr basis.
  • Usage stats should show normal availability – target and actual.
  • Notification of fault to be within 15 minutes, or if automated monitoring, an email alert to be generated within 2 minutes.
  • Notification of restoration of service to be within a maximum of one hour, (or if not confirmed by automated email).
  • Fault log for review at performance review meetings – frequency to be as required by the BBC.
  • If the company is to manage the BBC's user emails, then this should be via a BBC email address, and responses should be routed through the BBC. The hosting company must agree to meet BBC email response time targets.

BBC © 2014