CoSector Limited

CoSector Managed Applications

CoSector - University of London's Managed Applications service is based on stable releases of popular digital learning and research applications. CoSector offers support and management for services that support teaching, learning, administration and assessment, also services that support custody and discovery of research outputs.

Features

• Moodle's established VLE / LMS platform
• Mahara's established ePortolio platform
• Digital Assessment via Janison (including remote proctored exams)
• Student/Tutor Business Intelligence via IntelliBoard
• Secure E-Mail Data Protection via Zivver
• Hosted on Microsoft Azure or our private cloud
• Full customisation (via plugins) supported
• Integration with popular student record systems
• Data safe-guarding and preservation via Arkivum
• Repositories via Cayuse, EPrints or Samvera

Benefits

• Combine open-source flexibility with enterprise level assurances
• Tailor the VLE / LMS to suit your institutional priorities
• Access a thriving community of users and practitioners
• A service that can grow as your institutional usage grows
• Runs on Public Cloud to support user needs
• Accessible from any device
• 24/7 Enhanced support option available

£7,000 an instance a year

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@cosector.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

877320251875935

Contact

Dave Kenworthy
020 78631300
info@cosector.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
• Service constraints: None
• System requirements: None

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within 2 Business Days. Within 30 minutes for critical incdents (24/7/365)
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 A
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: A Technical Account Manager is provided for all services. Support levels can be tailored to support different institutional needs but all services benefit from 24/7/365 Incident Support combined with optional additional time (with SLA) for guidance, assistance, customisation and any other support required.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Online training and user documentation provided
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Data is readily extractable in open formats. Assistance can be provided for more complex data transfer needs (at extra cost)
• End-of-contract process: As data is readily extractable by users, all additional assistance with data extraction and transfer is at additional cost

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: None
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: HTML interface accessed via web browser
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: All managed applications have been tested with both automated accessibility testing tools and users of assistive technology
• API: Yes
• What users can and can't do using the API: All application functionality is available via the API
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: Where the application is open source, users may work with us to extended or customise the application itself. Our support levels, volume and SLAs can be customised.

Scaling

• Independence of resources: CoSector - University of London's overall acrchitecture is a hub and spoke where each customer resides in a separate and segregated spoke, underpinned by independent cloud infrastructure. Communication between the hub and spokes is managed by resilient firewall devices that prevent any intra-spoke traffic.

Analytics

• Service usage metrics: Yes
• Metrics types: Hosting usage (CPU, RAM, Storage etc.) Support Time Consumption
• Reporting types: Regular reports

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Janison, Zivver, IntelliBoard, Microsoft, Brickfield Labs

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users can export their data through the main service interface.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: 99.9% (24/7/365). Users are provided support hours credits if guaranteed levels are not met.
• Approach to resilience: Available upon request
• Outage reporting: Email alerts ; Support portal alerts

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: All management interfaces are protected with multi-factor authentication. Support channels are only accessible to known users and can be optionally linked to institutional identity/authentication.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Bsi
• ISO/IEC 27001 accreditation date: 18/03/2022
• What the ISO/IEC 27001 doesn’t cover: No exclusions
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Es IMS Overview IMS Objective Tracker IMS Internal Audit Procedure IMS Internal Audit Plan IMS Improvement Procedure IMS Management Review Agenda & Minutes Template Enterprise Risk Log & Information Asset Register Information Security Risk Assessment Process Information Security Policy IMS Communication Policy Asset Management Procedure Document Control and Records Management Procedure Supplier Management and Supplier Information Security policies (with supporting procedures) Laptop & Mobile Device Policy Teleworking Policy Acceptable Use Policy Information Classification Policy Media Handling, Disposal & Transfer Policy Logical Access Control Policy Password Policy Cryptography Policy Physical & Environmental Security Policy Clear Desk & Screen Policy Backup & Restore Policy Vulnerability Management Policy Secure Development Policy Secure Engineering Principles Information Security Incident Management Process Project IS Considerations Checklist Patching Policy BIA, BCP & DR Plan Review Process BCP Test Schedule Change Management Policy & Procedure Application Services on Public Networks Policy Register of Legislation Capacity Management Process Record of Processing Activities (ROPA) Privacy Notice/Policies (for Data Subjects) Subject Access Response (SAR) Procedure Subject Access Response (SAR) Register Privacy Complaint Procedure Data Protection Impact Assessment (DPIA) Register DPIA Template Controller/Processor Legal Agreement/Contract Template(s) Our Managing Director is responsible for Information Security and ensuring policies are followed.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: CoSector operates ISO27001 accredited Asset Management Procedures and Change Management Policy and Procedures.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: All systems are scanned with a reputable vulnerability scanning tool at least monthly and classified according to their severity. Any Critical or High vulnerabilities shall be assessed and one or more of the following shall take place: - Vulnerability marked as a false positive - Implement mitigating protection against the vulnerability - Identify and take appropriate corrective action(s) – rescanning where possible to confirm resolution. Where we become aware of a vulnerability through any other channel, we log the vulnerability, assess the severity and if considered comparable to a Critical/High vulnerability from the tool, take one of the above actions.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: CoSector operates monitoring, logging and analysis of events across its systems. If potential compromises are detected, operational support teams are notified 24/7/365, enabling a response within minutes for the most critical incidents.
• Incident management type: Supplier-defined controls
• Incident management approach: CoSector operates a ISO9001 and ISO27001 approved Incident Management procedures including standard operating processes for common events. Most incidents are detected by monitoring systems but users can also report incidents via email, web portal or telephone (24/7/365) Our ticket systems enables root cause analysis reports to be promptly provided in written form.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: Yes
• Connected networks: Joint Academic Network (JANET)

Social Value

• Social Value:

  Social Value

  • Covid-19 recovery
  • Tackling economic inequality

  Covid-19 recovery

  CoSector's focus and expertise in digital forms of education and research continues to be instrumental in helping institutions navigate the post-pandemic world.

  Tackling economic inequality

  CoSector and University of London's core mission to improve educational standards around the world is fundamental and drives every part of our activities.

Pricing

• Price: £7,000 an instance a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@cosector.com. Tell them what format you need. It will help if you say what assistive technology you use.