Maximo Hosting and Managed Services
Maximo Hosting from Cohesive uses AWS as its infrastructure back-end to deliver a Virtual Private Cloud.
Client infrastructure is provisioned in an isolated, new account, never co-located with other clients' data or access, providing a logically-isolated area dedicated to secure operation of mission-critical Maximo Enterprise Asset and Work Management applications.
Features
- Single-Tenant, End-to-End turnkey Maximo Application Suite hosting and implementation offering.
- Covers the full lifecycle of MAS for all hosted components
- Flexible SaaS Model, scalable to any deployment size
- High Availability architecture using resilient, cloud-native services.
- Centralised infrastructure, namespace and application monitoring
- Infrastructure-as-code deployment approach, for standardised, consistent and repeatable deployments.
- Focus on industry-best security standards for all data at rest and data in transit
- Inclusive database administration, management, monitoring and tuning, including recurring tasks
- Regional, 24/7 infrastructure support from dedicated resources
- Real-time vulnerability and threat scanning agents on application server cluster
Benefits
- Clients can select hosting region, ensuring GDPR and data-protection compliance
- Secure IPSEC VPN integration with customer’s on-premises solutions.
- No restrictions on customisations and configurations.
- Support for Maximo Mobile and alternative 3rd party mobility products.
- Support for SAML/LDAPS-based authentication method against client’s personal IdP/Active Directory
- Support for additional services and 3rd party applications
- Supports various integrations, including MIF-based (REST, SOAP, iFace, File), reporting, ETL, etc.
- Flexible upgrade and maintenance schedule, suited to the client’s preferences
- Flexibility and control over data retention/access, on-premise reporting integration
- Flexible licensing; purchase through Cohesive, from IBM or Bring-Your-Own-License
Pricing
£2,866.33 a unit
Framework
G-Cloud 14
Service ID
5 8 3 3 8 6 7 3 1 8 5 5 9 4 9
Contact
COHESIVE UK GROUP LIMITED
Matt Blackwell
Telephone: +447717838847
Email: matt.blackwell@cohesivegroup.com
Service scope
- Service constraints
-
We confirm the monthly patching window with each customer in advance and only proceed once this is agreed. We also confirm with each customer that the patch has been successful or that the patch has been rolled-back.
The process for patches for Maximo Application Suite (MAS) is different to that of legacy Maximo version 7; patches will be provided for OpenShift (for minor version upgrades), Database and other cloud-native services.
- System requirements
-
- Requires a web browser to access the hosted service
- Requires MAS licenses, which Cohesive can provide
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- When a client raises a support issue, response times are measured from the moment the client submits a support request via the supplier’s online support system. Response times vary according to the priority and nature of the query. If the support relates to a Maximo system we are supporting:
  - P1 (Critical business impact): Within 2 hours (coverage 24x7x365)
  - P2 (Significant business impact): Within 4 hours (normal business working hours)
  - P3 (Some business impact): End of next working day (normal business working hours)
  - P4 (Minimal business impact): End of next working day (normal business working hours)
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- WCAG 2.1 AA or EN 301 549
- Phone support
- Yes
- Phone support availability
- 24 hours, 7 days a week
- Web chat support
- Yes, at an extra cost
- Web chat support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support accessibility standard
- None or don’t know
- How the web chat support is accessible
- -
- Web chat accessibility testing
- -
- Onsite support
- Yes, at extra cost
- Support levels
-
MAS Hosting includes Priority 1 (Critical) support.
Application support, offered under Lot 2 and 3, incurs additional cost.
Priority 2: Significant business impact
Priority 3: Some business impact
Priority 4: Minimal business impact
P1 is handled 24x7x365; P2 to P4 are handled 09.00 to 17.00, Monday to Friday UK time (excluding UK Bank Holidays).
There are various levels of support that are priced on an individual basis; please contact us for a separate quotation.
Resolution Targets: These are handled on a Severity basis. For incidents classed as severity 1 (highest) our incident handling window covers all days, 24 hours a day, 7 days a week. For incidents of severity 2 to 4, our incident handling is covered during normal business hours.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- After the cloud service is enabled we will engage with the users (stakeholders, representatives from various departments) to define configuration details to meet the client's requirements. We can also provide data migration services and standard or custom training, on or off site. We can also provide early life support once the system goes live. We can provide a tailored deployment based upon the client's specific requirements, all based upon the SFIA rate card.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- End-of-contract data extraction
- Cohesive will work with the client to export their data in an agreed format. This is typically in the form of a database export of transactional data, but other methods are available. If a client is migrating to another Maximo environment, Cohesive can assist with the transition.
- End-of-contract process
- Cohesive require 6 months’ notice of termination of a Cloud-Hosted Solution agreement. Upon termination of the Service, Cohesive will deactivate any accounts and upon request provide an export of the Maximo Manage data in a standard, generally accepted electronic form (database export) within ten (10) business days. If a client is migrating to another Maximo environment, Cohesive can assist with the transition. If the client wishes to renew the service for a further term, we can review and provide a commercial proposal.
Using the service
- Web browser interface
- Yes
- Using the web interface
- There are 3 interfaces that a user can interact with: 1) MAS Home interface (a "launch-pad" for other applications a user can interact with), 2) Admin portal, for use only by Administrators; includes catalogue of deployed applications, license information, user management, etc. 3) Maximo Manage - the web interface accessible via a web browser for the primary EAM solution.
- Web interface accessibility standard
- WCAG 2.1 A
- Web interface accessibility testing
- Maximo uses the latest W3C Standard, WAI-ARIA 1.0 to ensure compliance to US Section 508, and Web Content Accessibility Guidelines (WCAG).
- API
- Yes
- What users can and can't do using the API
-
Standard – Maximo Integration Framework (MIF). Includes: REST Services via TLS/SSL over the Internet or VPN Tunnel; Web/SOAP Services via TLS/SSL over the Internet or VPN Tunnel; Interface Table Integration via VPN Tunnel; File-based Integration via VPN Tunnel.
Standard – Enterprise Reporting. Includes: Maximo BIRT Reporting; On-premise Enterprise Reporting integration via VPN Tunnel.
Standard – Kafka. Includes: Brokers to store and deliver data as streams (asynchronous); Hosted in OCP (included – perfect for small to medium integration workloads) or in AWS MSK (at additional cost – for complex, demanding workloads).
ETL / Data Loading - ETL is supported via MIF (see above).
- API automation tools
-
- Ansible
- Terraform
- API documentation
- Yes
- API documentation formats
- Open API (also known as Swagger)
- Command line interface
- Yes
- Command line interface compatibility
-
- Linux or Unix
- Windows
- MacOS
- Using the command line interface
- Command Line Interface (CLI) is restricted to Administrators only. There is a CLI for the OpenShift Container Platform (OCP) and Maximo Application Suite.
Scaling
- Scaling available
- No
- Independence of resources
- Client infrastructure is provisioned in an isolated, single-tenant account; never co-located with other users’ data. We provide a logically-isolated area dedicated to enabling secure operation of mission-critical Maximo Enterprise Asset and Work Management applications. Each VPC hosts production and non-production networks, divided into dedicated subnets & subnet types, to ensure isolation of environments. All application and database servers are located in private subnets, with no route to an internet gateway, and cannot be reached by external sources. This is crucial to a secure infrastructure topology. Cohesive utilize NAT gateways in public subnets to enable access to services outside the VPC.
- Usage notifications
- Yes
- Usage reporting
Analytics
- Infrastructure or application metrics
- Yes
- Metrics types
-
- CPU
- Disk
- HTTP request and response status
- Memory
- Network
- Number of active instances
- Reporting types
- Reports on request
Resellers
- Supplier type
- Reseller providing extra support
- Organisation whose services are being resold
- IBM
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
-
- United Kingdom
- European Economic Area (EEA)
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Managed by a third party
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
-
- Physical access control, complying with CSA CCM v3.0
- Physical access control, complying with SSAE-16 / ISAE 3402
- Physical access control, complying with another standard
- Encryption of all physical media
- Scale, obfuscating techniques, or data storage sharding
- Data sanitisation process
- Yes
- Data sanitisation type
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Backup and recovery
- Backup and recovery
- Yes
- What’s backed up
-
- Daily backups of all application server volumes
- Daily snapshots of all database instances
- Daily configuration backups in OpenShift
- Daily backups of EFS storage
- On-demand backups for patching and changes
- Backup controls
- Cohesive Cloud Standard RPO is 24 hours. This is recommended for performance, as taking backups too frequently can affect application performance; however, Cohesive can reduce the RPO in collaboration with the client if required. Users can request manual backups ahead of any scheduled changes.
- Datacentre setup
- Multiple datacentres with disaster recovery
- Scheduling backups
- Supplier controls the whole backup schedule
- Backup recovery
- Users contact the support team
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- Private network or public sector network
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
- Other
- Other protection between networks
-
- ECDSA P-256 (elliptic-curve) SSL.
- Strict security groups in place for all servers and load balancers.
- NAT gateways for traffic to sources outside the VPC.
- IPSEC VPN with AES-256 encryption algorithms for Phases 1/2, with IKEv2, and SHA2-512 integrity algorithms.
- DDoS protection on public DNS server (AWS Shield).
- WAF situated between public DNS server and load balancer to the OpenShift cluster applications with mitigations against known malicious IPs, crawler bots, known bad inputs and vulnerabilities described in OWASP publications.
- CloudFront provides in-built security functionality, e.g. geo-blocking, acting as a second layer of proxy to application servers (the first layer being elastic load-balancers).
- Data protection within supplier network
-
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
- Other
- Other protection within supplier network
-
- All utilized services within the solution can encrypt data at-rest.
- All data at rest encrypted with industry-standard AES-256 encryption.
- Data at rest encryption applies to OpenShift block storage, OpenShift shared storage, database storage, object storage, and backup storage.
- Document, backup and Maximo archive storage resides in AWS S3, which maintains compliance programs such as PCI-DSS, HIPAA/HITECH, FedRAMP, EU Data Protection Directive, and FISMA.
- Encryption and decryption is transparent, using highly secure AWS KMS keys.
Availability and resilience
- Guaranteed availability
- Our Service and Support is provided all days, 24 hours a day, seven days a week. With a multi-zone database option our system availability is 99.99%; without multi-zone our system availability is 99.9%.
- Approach to resilience
- All components within the solution stack are provisioned redundant and are configured to provide high availability. We deploy production and non-production instances in separate physical locations. More information is available upon request.
- Outage reporting
- Planned and unplanned outage notification emails are sent to registered users for affected systems. We offer comprehensive system monitoring and alerts, with capacity and service reviews performed at regular intervals. Monitoring and alerts include - 1) Infrastructure monitoring; 2) Network monitoring; 3) Event and Log monitoring; 4) Application monitoring (including availability) and 5) Database monitoring. For planned maintenance we confirm the monthly patching window with each customer in advance and only proceed once this is agreed.
Identity and authentication
- User authentication
-
- 2-factor authentication
- Identity federation with existing provider (for example Google apps)
- Dedicated link (for example VPN)
- Username or password
- Other
- Other user authentication
- SAML, LDAPS
- Access restrictions in management interfaces and support channels
- Maximo follows a role-based, modular approach to managing access to applications and data. Roles are managed in security groups which control user access and privileges associated with applications, screens, fields, table rows, etc. User privileges can be controlled at any level (module, application, screen, field, table row, etc.) and different access can be granted when certain conditions apply. The system is access-controlled through named users. The role-based security model allows for very granular access control of data which enables support for having both internal and external users with different access to data and functionality.
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
-
- Username or password
- Other
- Description of management access authentication
- Maximo Security features ensure that user access is controlled to only allow users to access data to which they have been assigned. This level of control can be at the application level or to row and column granularity. The data and application entitlements are powerful and set up by role-based access profiles. Users are granted access to a number of roles to build up their total access profile; Administrator is a profile type. This approach allows system administrators to rapidly set up new users and give them appropriate access to the areas of the system to which they require access.
- Devices users manage the service through
- Directly from any device which may also be used for normal business (for example web browsing or viewing external email)
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users receive audit information on a regular basis
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- User-defined
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- BSI
- ISO/IEC 27001 accreditation date
- 10/02/2023
- What the ISO/IEC 27001 doesn’t cover
- N/A
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- No
- Cyber essentials plus
- No
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
-
- ISO/IEC 27001
- Other
- Other security governance standards
- AWS hosting complies with SOC2 and SOC3; a SOC3 report is publicly available.
- Information security policies and processes
- We are certified to ISO27001 (the ISO/IEC standard for information security management systems (ISMS), defining the requirements an ISMS must meet). Our internal Information Security Policies (approved by the board of directors and administered by our Information Security and Compliance teams) are communicated to colleagues through a compliance awareness and education programme. All colleagues must review and acknowledge the policies on an annual basis. Policies, including our Information Security manual and processes, Disaster Recovery Plan, and Business Recovery Plan are updated at least annually or when revisions or updates necessitate. Through existing processes and third-party security tools, we continually monitor our overall security programme.
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
- Configuration and Change Management follow the ITIL framework and policies and procedures are documented with various security standards. All SaaS offerings go through a cloud approval process and are scanned for vulnerabilities prior to production.
- Vulnerability management type
- Undisclosed
- Vulnerability management approach
- Vulnerability management is conducted through various technologies internal and external to our network. Real-time vulnerability scanning is performed within the application cluster and is up to date with audit requirements as per CIS Benchmarks, NIST, PCI and HIPAA. Threats are identified using industry standard listings and patches/updates are applied at least monthly, or as needed, based on criticality. We confirm the monthly patching window with each customer in advance and only proceed once this is agreed. We also confirm with each customer that the patch has been successful or that the patch has been rolled-back.
- Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
- Our monitoring services monitor health and service performance metrics. This includes:
  1) Infrastructure monitoring:
     • Centralised Infrastructure health
     • Monitors cloud environments through a single pane of glass
     • Capacity management and server performance monitoring
  2) Network monitoring:
     • Monitors process-specific network performance metrics to proactively identify connection issues
  3) Event and Log monitoring:
     • Automated collection of log and event data
  4) Application monitoring:
     • Centralized Infrastructure health
     • Performance, availability and user experience
     • Monitoring and optimisation of application transactions
  5) Database monitoring:
     • Track database performance and resources to maintain a high performing and available application infrastructure
- Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
- As a minimum, Cohesive implements a best-practice based backup/disaster recovery policy:
  • Daily backups of all databases and configuration
  • 30-day retention for Production
  • 7-day retention for Non-Production
  • On-demand backups for patching and changes
  Common events are handled dependent on severity, and users have multiple methods of reporting; reports are provided as part of our Incident Management procedure. Processes for common events include: Disaster Recovery/Failure Modes; System Compromise; Systemic Failure; Catastrophic Failure (including terrorist attacks, warfare, national disasters, etc.). Cohesive also have a validated cross-region DR approach, which is tested annually.
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Separation between users
- Virtualisation technology used to keep applications and users sharing the same infrastructure apart
- Yes
- Who implements virtualisation
- Third-party
- Third-party virtualisation provider
- Amazon Web Services (AWS)
- How shared infrastructure is kept separate
- All client accounts are single-tenant, meaning infrastructure is never shared between organisations.
Energy efficiency
- Energy-efficient datacentres
- Yes
- Description of energy efficient datacentres
-
Cohesive utilise AWS datacentres; for further information, please see the following link: https://sustainability.aboutamazon.com/products-services/the-cloud
AWS infrastructure is up to 5 times more energy efficient than typical European data centers; in 2022, 90% of the electricity consumed by Amazon was attributable to renewable energy sources.
Social Value
- Social Value
-
- Fighting climate change
- Covid-19 recovery
- Tackling economic inequality
- Equal opportunity
- Wellbeing
Fighting climate change
Bentley’s mission is to leverage our leading software and services to drive impact through the world’s infrastructure – advancing both the global economy and the environment for improved quality of life. As part of our Environmental, Social, & Governance (“ESG”) strategy, we are committed to managing our business in a way that enhances the environmental impacts of our products and mitigates environmental risks from our operations. Our Environmental Policy details our commitments to Environmental Responsibility and the ways in which we expect our colleagues to act to drive progress on our ESG strategy. Bentley expects all colleagues, visitors, vendors, and suppliers to follow the below practices in order to drive progress on Bentley’s ESG strategy. Bentley's Environmental Policy is here: https://prod-bentleycdn.azureedge.net/-/media/files/documents/miscellaneous/environmental_policy.pdf?la=en&modified=20211021075240
Covid-19 recovery
When the world locked down to combat the COVID-19 virus, we took immediate action to ensure our colleagues had the equipment and resources they needed to work from home, which also enabled success for our users. Our global task force provided continuous communication, education, and support services to our colleagues. Their wellbeing fueled our response plan, and we created learning resources to support them throughout the pandemic. These resources included guides and practices for managers to lead virtually with empathy, tips for maintaining team collaboration, and resources and support for colleagues to maintain a healthy work-life balance. As the pandemic continues, and work flexibility is seen as the key to success for the business and our colleagues’ wellbeing, we’ve introduced the Infrastructure Empowered Workforce Plan (IEWP). The IEWP is built on a solid foundation of trust. Colleagues are empowered to make responsible and effective choices on the right balance between working from the office and remotely. This plan does not require colleagues to come into the office at any specific frequency. Rather, it provides colleagues the flexibility to make these choices with their manager and within their teams to achieve business success and maintain a high level of productivity and engagement.
Tackling economic inequality
As a global company with colleagues of different cultures, backgrounds, and perspectives based in more than 40 countries worldwide, our diversity is what makes us successful. We have developed strategies and programs focused on increasing diversity and equity, as well as fostering a culture of inclusion and wellbeing in the workplace. These initiatives include building a pipeline of diverse candidates by recruiting at and partnering with Historically Black Colleges and Universities. We also partner with educational and professional organizations to provide internships, scholarships, grants, and projects that support groups underrepresented in technology. Bentley has active and engaged colleague resource groups within the Inclusion, Diversity, and Equity Alliance (IDEA) that have allowed colleagues, during this pandemic, to join their peers from all regions and departments with the goals of building community and fostering diversity and inclusion. IDEA currently has four focus groups open to all global colleagues: OpenPride, OpenAbilities, People of Color in the U.S., and Women at Bentley. IDEA has been a platform for education and a place to securely have difficult discussions about racism, discrimination, and bias through book clubs, panel discussion, speakers, and global awareness events. Members of executive management are key sponsors of each focus group and have been instrumental as sounding boards and in providing access to resources and the executive team. We have implemented robust training with topics focused on respect in the workplace, identifying and overcoming bias, and anti-discrimination. We have held interactive sessions with our executives, emerging leaders, and talent acquisition in fostering diversity, equity, and inclusion and eliminating unconscious bias, and have implemented training for hiring managers to ensure fairness in the interview process. 
You can find additional information, including our commitment to anti-slavery, on our ESG website: https://www.bentley.com/en/esg/data-center
Equal opportunity
Bentley is an equal opportunity employer and considers all qualified applicants for employment without regard to race, color, sex, sexual orientation, gender identity, disability, protected veteran status, religion, national origin, age, or any other protected characteristic. This commitment extends to all aspects of employment, including, but not limited to, hiring, placement, promotion, compensation, and training. EEO is the Law and EEO is the Law Supplement documents provide additional information about your rights as an applicant under the law.
Wellbeing
As a company, it is our goal to ensure our colleagues know they are supported and valued as the first order of business. Therefore, our Talent Management strategy puts colleagues at the centre of the workplace at Bentley. We focus on enriching colleague experience and creating memorable, meaningful, and purposeful connections. We invest in developing an impactful experience that reflects the company’s mission and values. We build practices and programmes that deliver on engagement, recognition, communication, and development while rewarding colleagues through our robust total rewards package.
Pricing
- Price
- £2,866.33 a unit
- Discount for educational organisations
- No
- Free trial available
- No