Umbraco CMS Deployment and Development
Our service provides the delivery of a modern, responsive website underpinned by the powerful and flexible Umbraco content management system (CMS).
This CMS enables rapid content generation, is scalable and is always focused on the end user and content manager to provide the best possible viewing and editing experience.
Features
- User-centred strategy on design
- Customer-friendly, attractive and easy to use
- Supports book/apply/report/pay functionality for all relevant services
- Fully conforms with W3C Web Accessibility Initiative (WAI) standards.
- Wide experience of designing around the user experience and journey
- Popular WYSIWYG editor and easy to navigate, intuitive menu structure
- Templates and pages can be previewed on different viewports
Benefits
- Content can be easily uploaded and updated
- Supports self-service and integrates with our other digital solutions
- Follows Government Digital Service design principles
- Level AA Conformance to Web Content Accessibility Guidelines 2.0
- Helps join up systems across organisation
- Fast access to information saves time and money
- Customer experience enhanced considerably
Pricing
£700 to £900 a person a day
Service documents
Request an accessible format
Framework
G-Cloud 13
Service ID
757870406156425
Contact
Factory73 Ltd
Graeme McClurkin
Telephone: 0141 416 0733
Email: business@factory73.com
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Private cloud
- Service constraints
- Factory73 will perform non-essential updates on a defined schedule, normally outside of standard working hours. Customers will be given at least 2 weeks’ notice where possible of scheduled maintenance tasks. Essential updates, e.g. security patches, would be installed at the first available opportunity, to be agreed with the customer.
- System requirements
- No specific requirements
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
-
Support response times:
Priority level/ Response Time - 1) 30 minutes 2) 1 hour 3) 4 hours 4) 1 day. By agreement for weekends and bank holidays.
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- WCAG 2.1 AA or EN 301 549
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
-
• Standard support level per SLA included in service cost
• Alternative levels of support by agreement
• A service manager is part of our standard service
- Support available to third parties
- No
Onboarding and offboarding
- Getting started
- A set-up facility and full user documentation are provided. Training (including online training) is available.
- Service documentation
- Yes
- Documentation formats
- End-of-contract data extraction
- A wide variety of formats and platforms are supported for secure export. Factory73 can provide a "data out" policy if required.
- End-of-contract process
-
• All client data returned to client
• All client access deactivated
• Relevant secure processes fully applied
• Above at standard cost
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Microsoft Edge
- Firefox
- Chrome
- Safari
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
-
All of the projects we develop are designed to perform brilliantly on devices of all sizes as we adopt User Experience and accessibility best practice whilst ensuring the designs are responsive.
The content editing experience is also responsive, although, as is the case with all Content Management Systems, the editing experience can be somewhat cramped on a mobile device.
- Service interface
- No
- User support accessibility
- WCAG 2.1 AA or EN 301 549
- API
- Yes
- What users can and can't do using the API
- Core functions through web services. User authentication. Document upload. Key metrics retrieval. Service requests cannot be configured directly through the API but can be called via the API once configured on the platform. Changes can be made through the API via web-service calls. Configured service requests can be called via the API but not setup via it.
- API documentation
- Yes
- API documentation formats
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
-
• Scope for localisation of software
• Customers can use configuration tools
• Users can customise
Scaling
- Independence of resources
- We ensure a fully scalable, yet cost effective, service exists through auto-scaling of cloud services both horizontally and vertically, utilising scalable cloud databases, use of Content Delivery Networks and enhanced service monitoring. Most importantly however, we demand highly efficient code within our products, so the core platform performs well under load in the first instance.
Analytics
- Service usage metrics
- Yes
- Metrics types
-
• System availability
• Response times
• Unscheduled outages
• Incident response times
• Incident resolution times
- Reporting types
- Regular reports
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Staff screening not performed
- Government security clearance
- None
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Supplier-defined controls
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a CHECK service provider
- Protecting data at rest
- Encryption of all physical media
- Data sanitisation process
- Yes
- Data sanitisation type
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- A wide variety of formats and platforms are supported for secure data export
- Data export formats
-
- CSV
- Other
- Other data export formats
-
- CSV
- Other
- Data import formats
- CSV
Data-in-transit protection
- Data protection between buyer and supplier networks
- Private network or public sector network
- Data protection within supplier network
- IPsec or TLS VPN gateway
Availability and resilience
- Guaranteed availability
-
• Service Availability 99.5% (uptime) per month
• Service Availability Window 7*24 hours (all days) – 24 hours a day
• Response time for accessing screens - Should be within 3 seconds (at a minimum) 99% of the time
• Response time for searches - Basic system searches for information and return of results should be within 5 seconds 97% of the time
Factory73 will work with each of our customers on an individual basis to determine if a recompense model is required to meet the needs of the specific council or public department/ organisation.
We strive to exceed, wherever possible, our SLA targets for service levels. In the unlikely event of failure to meet our SLA targets we would invoke the agreed process which would award an appropriate level of service credits by way of compensation.
- Approach to resilience
- Available on request
- Outage reporting
- Email alerts
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Username or password
- Access restrictions in management interfaces and support channels
-
Access is managed via User Groups and Permissions roles. Only Factory73 Administrators can access systems to change user permissions, which are on the whole pre-defined and hard coded within our platforms. User Management can be delegated to client administrators; however, they must work within this pre-defined role and permissions structure.
All user passwords are hashed through many iterations to achieve a high work factor, making them very difficult or impractical to brute-force.
We require 2 Factor Authentication for any top-level administrator.
- Access restriction testing frequency
- Less than once a year
- Management access authentication
-
- 2-factor authentication
- Username or password
Audit information for users
- Access to user activity audit information
- Users contact the support team to get audit information
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- No
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- No
- Other security certifications
- Yes
- Any other security certifications
- Cyber Essentials
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- Other
- Other security governance standards
- Cyber Essentials
- Information security policies and processes
-
We have a full set of InfoSec policies in place which all staff, clients and partners are aware of and have signed up to. These include:
• IT Acceptable Use Policy
• Data Security Policy
• Data Protection Policy (GDPR aligned)
• Risk Assessment Policy
• Firewall Management Policy
• Anti-Malware Policy
• Change Management Policy
All technical team staff report to the Technical Director on all data security issues. Our Technical Director is our Data Protection Officer and takes a hands-on role in all security-related areas of the business.
Staff handling of data is managed through a variety of measures and processes:
• Personal data is not used in development of any services
• Personal data does not leave our production environment
• All data and backups are encrypted
• Staff access to systems and databases is provided based on direct need
• Spot-checks are carried out on development databases, company servers, and staff laptops
• Endpoint security is centrally managed, including anti-malware, patch management and laptop firewall
• All staff are aware that any breach of the above policies is a disciplinary issue
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
-
All code changes are tracked in our Source Control where we use the GitFlow process of branching and merging.
Use of Automation Pipelines tracks version numbers allowing us to run multiple releases side-by-side. This system also runs Continuous Integration build and automated testing, and releases are rolled back easily should an issue occur.
All releases are documented with a full changelog.
All development work is carried out to a high standard, by security-aware developers. Code is peer-reviewed prior to release, and we build on existing, secure frameworks. All our developers are aware of OWASP top threats and coding standards.
- Vulnerability management type
- Undisclosed
- Vulnerability management approach
-
Factory73:
• monitors information systems to detect attacks and/or signs of potential attacks, including unauthorised local, network or remote connections.
• deploys monitoring devices strategically within the information technology environment to collect information security events and associated information.
• protects information obtained from intrusion-monitoring tools from unauthorised access, modification, and deletion.
• monitors inbound and outbound communications traffic to/from the information system for unusual or unauthorised activities or conditions.
• heightens the level of information system monitoring activity whenever there is an indication of increased risk to Meritec operations, individuals and assets.
- Protective monitoring type
- Undisclosed
- Protective monitoring approach
- Our Protective Monitoring processes comprise a set of control alerts and reports that provide feedback to those with responsibility for monitoring and addressing compromises. This includes such information security control activities as inspecting firewall logs, investigating operating system security alerts and monitoring Intrusion Detection Systems (IDS). Our Protective Monitoring also includes putting in place mechanisms for collecting ICT log information and configuring ICT logs in order to provide an audit trail of security relevant events of interest. Compromises and incidents are immediately logged, analysed and rectified.
- Incident management type
- Undisclosed
- Incident management approach
- The Factory73 ITIL compliant support desk called ServicePoint is responsible for receiving requests and notifications regarding user help and support. Incidents are allocated unique identification and calls are monitored and if necessary escalated as appropriate. The output report(s) provide part of the preparations that the Service manager will use at the next Service Management meeting. Given due authorisation levels it is possible for client staff/management to access the calls database and enquire directly regarding status, progress, etc.
Secure development
- Approach to secure software development best practice
- Supplier-defined process
Public sector networks
- Connection to public sector networks
- Yes
- Connected networks
- Public Services Network (PSN)
Social Value
- Equal opportunity
-
Equal opportunity
Factory73 are committed to following Fair Work Practices that are based around:
• Providing an effective voice
• Opportunity
• Security
• Fulfilment
• Respect
Pricing
- Price
- £700 to £900 a person a day
- Discount for educational organisations
- No
- Free trial available
- No