CLIMB GLOBAL SOLUTIONS LTD

Microsoft 365

Microsoft 365 Enterprise is a complete, intelligent solution that empowers everyone to be creative and work together securely.

Microsoft 365 Enterprise consists of: Office 365 Enterprise; Windows 10 Enterprise; and Enterprise Mobility + Security (EMS).

There are three plans to choose from: E3, E5 and F1.

Features

• Identity & access management, protect users’ identities and control access
• Threat protection, protect against advanced threats
• Security management, gain visibility and control over security tools
• Ensure documents and emails are seen only by authorized people
• Email and calendar with Exchange
• Connect to people, content, and apps with SharePoint
• Voice, video, and chat with Skype and Microsoft Teams
• Office 365 ProPlus on up to 15 devices per user
• Broad support for PC, Mac, iOS, & Android platforms
• Auto-enrollment of Windows PCs and devices

Benefits

• Comprehensive management of your entire workforce
• Connect the experience across devices
• Minimize TCO across deployment, management, & servicing
• Visualize information in new ways
• Create compelling content with intelligent apps
• Detect and protect against external threats
• On-premises Client Access Licenses (CALs) to some Microsoft server products
• Access files and folders hosted in Microsoft's cloud securely anywhere
• Intelligently collaborate with users across your organization and externally
• Windows 10 deployment with upgrade in place and Autopilot

£3.80 to £15.10 a user a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at chrisc@greymatter.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

660676763043289

Contact

Chris Chandler
01364 654100
chrisc@greymatter.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Hybrid cloud
• Service constraints: Microsoft cloud services require an active internet connection, and can be accessed from a supported internet browser. For information on app-specific or service-specific constraints, we can provide specific information on request.
• System requirements: https://products.office.com/en-gb/office-system-requirements

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Standard level offers you a 2-hour response time for your business-critical issues and our team are available Monday to Friday (excluding bank holidays), 9 am to 5:30 pm.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: None, standard text-based web chat.
• Web chat accessibility testing: None, standard text-based web chat.
• Onsite support: Yes, at extra cost
• Support levels: Standard free support offers: - Unlimited remote break/fix support - 2-hour response SLA for business-critical issues (severity A) - Support incident escalation service - 24x7 access to our ServiceAide helpdesk portal to log support requests, knowledge base and FAQs - Service availability Monday to Friday (excluding bank holidays), 09:00 to 17:30 24x7 support offerings are available upon request.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Combination of onsite training, online training, and user documentation.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Upon request.
• End-of-contract process: Option to renew or cancel the contract. Data can be removed or migrated.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: Yes
• Compatible operating systems:
  • Linux or Unix
  • Windows
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Microsoft 365 includes various cloud services which offer mobile device capabilities. Most Microsoft cloud services such as Office 365, Teams, SharePoint, Power BI etc. have a mobile app which has reduced functionality. Where a native mobile app is not available, most commonly used browsers are supported. More details can be provided upon request.
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Microsoft 365 uses various web portals which allows users and administrators to administer, configure and manage its cloud services. One of the main portals that would be used is https://portal.office.com.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Microsoft performed these tests to achieve their WCAG certification. Because Microsoft is a major software and cloud-services provider to states and governments around the world, it is committed to complying with all relevant international standards and compliance controls. By adhering to these wide-ranging accessibility standards, Microsoft ensures that all customers—both inside and outside of government—can use Microsoft services and products.
• API: Yes
• What users can and can't do using the API: Microsoft Graph is a unified API endpoint for accessing data across Microsoft 365, which includes Office 365, Enterprise Mobility, and Security and Windows services. It provides a simplified developer experience, with one endpoint and a single authentication token that gives your app access to data across all these services.; ; Further reading can be found here: https://docs.microsoft.com/en-us/graph/overview; ; API documentation is publicly available and further information is available on request.
• API documentation: Yes
• API documentation formats:
  • HTML
  • ODF
  • PDF
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: Microsoft 365 cloud services can be configured and customised to conform to most business needs, even when they are complex. The customisation can be done by authorised users from within the portals available upon purchasing the product. End users can also customise the desktop applications such as Office apps and Teams, to fit their user preferences. If technical services are required, we can look at technical resource available and any associated costs.

Scaling

• Independence of resources: Microsoft works continuously to ensure that the multi-tenant architectures of our cloud services support enterprise-level security, confidentiality, privacy, integrity, and availability standards. Microsoft continue to monitor their service available and health and will continue to invest in their data centers which have been designed to support massive multi-tenant enterprise scale.; ; For more information on their service health and continuity guarantees with Office 365 which is a service that is part of Microsoft 365, please see the following website:; ; https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/service-health-and-continuity

Analytics

• Service usage metrics: Yes
• Metrics types: Microsoft provide service health, service availability, usage metrics, workspace analytics, and many other forms of service metrics as part of your cloud services subscription. Some plans also include Power BI which enables you to create your own dashboards and reports and collaborate intelligently across your organization.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Microsoft

Staff security

• Staff security clearance: Staff screening not performed
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Data exporting capabilities are available within the Microsoft 365 portals and what can be exported varies by service. For example you can export a list of users and groups from your Office 365 tenant directory, but you cannot export your mailbox data from the Office 365 portal, as Microsoft host the data in their own servers, however mailbox data is cached locally on PST Files and they can be retrieved locally with technical migration tools if required.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Microsoft's 365 service level agreements vary by service. Microsoft provide financial backing to our commitment to achieve and maintain the service levels for each service. If they do not achieve and maintain the service levels for each service as described in the Service Level Agreement, then you might be eligible for a credit towards a portion of your monthly service fees.; ; The latest SLA document can be downloaded here:; ; https://go.microsoft.com/fwlink/?linkid=272026; ; Further information can be provided upon request.
• Approach to resilience: Information is available on request.
• Outage reporting: There is a publicly available dashboard which includes service health informtion. Email alerts can be configured, and the API can also be used.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Other user authentication: Office 365 uses the cloud-based user identity and authentication service Azure Active Directory (Azure AD) to manage users. You can choose from two main authentication models in Office 365 to set up and manage user accounts; cloud authentication and federated authentication.
• Access restrictions in management interfaces and support channels: Microsoft 365 can designate separate administrators to serve different functions. These administrators will have access to features in the Office admin portal and, depending on their role, will be able to create or edit users, assign administrative roles to others, reset user passwords, manage user-licenses, and manage domains, among other things.; ; A user who is assigned an admin role will have the same permissions across all of the cloud services that your organization has subscribed to, regardless of whether you assign the role in the Office 365 portal, or in the Azure portal.; ; https://docs.microsoft.com/en-us/office365/admin/admin-overview/about-the-admin-center?view=o365-worldwide
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: Security governance is standardised via internal policies and procedures. The Microsoft platform complies to all standards detailed within the Microsoft Security and Compliance Centre.
• Information security policies and processes: Director level ownership, all processes are tracked and audited and there are additional requirements around change management. Accountability at all levels.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Microsoft have developed formal standard operating procedures (SOPs) governing the change management process. These SOPs cover both software development and hardware change and release management, and are consistent with established regulatory guidelines including ISO 27001, SOC 1 / SOC 2, NIST 800-53, and others.; ; Microsoft also uses Operational Security Assurance (OSA), a framework that incorporates the knowledge gained through a variety of capabilities that are unique to Microsoft including the Microsoft Security Development Lifecycle (SDL), the Microsoft Security Response Center program, and deep awareness of the cybersecurity threat landscape.; ; Please see: https://www.microsoft.com/en-us/SDL/OperationalSecurityAssurance and https://www.microsoft.com/en-us/sdl
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Vulnerability scans are performed on a quarterly basis at a minimum.; ; Microsoft contracts with independent assessors to perform penetration testing of their datacenters.; ; Microsoft implement many vulnerability management processes, one of which being their edge router security which provides the ability to detect intrusions and signs of vulnerability at the network layer.; ; Further information on other processes are available on request.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Microsoft employs sophisticated software-defined service instrumentation and monitoring that integrates at the component or server level, the datacenter edge, their network backbone, Internet exchange sites, and at the real or simulated user level, providing visibility when a service disruption is occurring and pinpointing its cause.; ; Proactive monitoring continuously measures the performance of key subsystems of the Microsoft cloud services platform against the established boundaries for acceptable service performance and availability. When a threshold is reached or an irregular event occurs, the monitoring system generates warnings so that operations staff can address the threshold or event.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Microsoft has developed robust processes to facilitate a coordinated response to incidents. ; ; • Identification – System and security alerts may be harvested, correlated, and analyzed. ; • Containment – The escalation team evaluates the scope and impact of an incident. ; • Eradication – The escalation team eradicates any damage caused by the security breach, identifies root cause for why the security issue occurred. ; • Recovery – During recovery, software or configuration updates are applied to the system and services are returned to a full working capacity.; • Lessons Learned – Each security incident is analyzed to protect against future re-occurrence.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Wellbeing:

  Wellbeing

  Further information on Grey Matter’s culture and corporate responsibility can be found here: https://greymatter.com/about/#culture

Pricing

• Price: £3.80 to £15.10 a user a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: We offer a 25 user 30-day trial for all Microsoft 365 cloud services including Office 365, Enterprise Mobility + Security, and Windows 10.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at chrisc@greymatter.com. Tell them what format you need. It will help if you say what assistive technology you use.