OCLC (UK) Ltd

WorldShare Management Services

OCLC’s WorldShare® Management Services provide cloud-based library management and discovery applications in an integrated suite, offering librarians a comprehensive and cost-effective way to manage library workflows efficiently, and improve access to library collections and services.

Features

  • An integrated suite of cloud-based applications
  • Offers both discovery and management applications in a single suite
  • Draws on WorldCat for the data that powers its applications
  • Provides unified acquisitions for both physical and electronic collections
  • Data security, data backups and preservation are provided for you
  • All interfaces are optimised for mobile devices
  • Allows unprecedented opportunities for sharing routine workflow tasks
  • Provides what you require to create and share applications collectively

Benefits

  • Greater efficiencies in library management are delivered
  • No additional costs in having to acquire a discovery tool
  • Build better student experience and focus more resources on innovation
  • All of your acquisitions functions are available in one system
  • Draw on WorldCat® to power your workflows
  • Reduced IT maintenance meaning more time for strategic IT initiatives
  • Less need to spend time and money on security issues
  • Quick and efficient execution of work, saves time and money

Pricing

£10000 to £95000 per unit per year

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 10

161698208109904

OCLC (UK) Ltd

Andrew Evans

01142677500

andrew.evans@oclc.org

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Hybrid cloud
Service constraints OCLC will notify Institution promptly of any factor, occurrence, or event coming to its attention likely to affect OCLC's ability to meet the Uptime Commitment, or that is likely to cause any material interruption or disruption in the Hosted Services.
Maintenance may occur any Sunday during a 4 hour window and may occasionally be extended. Notice of scheduled maintenance will generally occur 3 days prior to scheduled downtime. In the event emergency maintenance is required, OCLC will make commercially reasonable efforts to notify Institution in advance.
System requirements Not Applicable

User support

User support
Email or online ticketing support Email or online ticketing
Support response times We respond to questions within four hours, within UK office hours (09:00 – 17:30 Monday-Friday, excluding English Bank Holidays)
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 AA or EN 301 549
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Support work to the following SLAs: * Level 1 Definition: An outage or an almost total loss of functionality, SLA Response time 2hrs SLA for time to fix / provide workaround 24 hours/ * Level 2 Definition: A significant proportion of the system loses functionality, SLA Response time 4hrs SLA for time to fix / provide workaround 7 days/ * Level 3 Definition: The system does not operate in accordance with the product description, but the Library is still able to use significant elements of the system, SLA Response time 4hrs SLA for time to fix / provide workaround 20 days. All customers receive the same level of support and support costs are included in the fee for providing and maintaining software. OCLC provides a Technical Services/Cloud support contact person
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started You will be assigned a designated, PRINCE2 qualified project manager to guide you through the entire implementation process. From the start, they will liaise closely with your key contact to maintain a detailed implementation plan with agreed milestones and timescales. They will arrange and conduct regular project meetings and reports, review and sign-off of key work stages, and maintain a log of any issues arising that require resolution.

The project manager will draw up a Project Initiation Document (PID) in consultation with you and this serves as a jointly owned project document. A full training programme will also be agreed with you as part of this planning process. A session for each module is generally covered. Additionally, the System Administrator will be offered System Configuration training so that proficiency is acquired within the project time-scale. Tailored training sessions are usually delivered online but some onsite training can be requested. Online sessions are recorded allowing you to extend training to absent staff, or use the playback facility for refresher sessions.

Beyond Implementation, OCLC customers are well supported by other trainings and documentation on the OCLC WorldShare Community Centre. These are extensive, freely available on a self service basis, and continually updated.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats Large Print
End-of-contract data extraction WMS allows for the migration of data on any change of supplier when the contract ends. Customers may extract data themselves. The following are typical formats for the various categories of data:
- Bibliographic data for print & e items (Marc21, MARCXML, Dublin Core, MODS or UNIMARC)
- User data (CSV format, tab-delimited)
- Circulation data (tab delimited or via XML API)
- Acquisitions (various, or XML API)
- License information (various, or via XML API)
- Collections data, print or subscribed titles (.mrc)
End-of-contract process In accordance with our General Terms and Conditions, either party may terminate the agreement without cause at the end of the initial term or any successive subscription year with at least three months’ prior notice. Notice to terminate shall be in writing, unless the agreement was concluded electronically, in which case the agreement may be cancelled electronically.

OCLC grants customers access to the Bibliographic Data and the Customer Data for 90 days after the end of the Agreement to export it in accordance with the applicable Terms and Conditions. OCLC for their part shall destroy the Internal Data or delete it from the OCLC Systems not more than 90 days after the end of the agreement.

The price of the contract covers a single Implementation fee in year 1. This includes data migration as defined in a scoping agreement, project management to support planning and progress for go-live, as well as to facilitate any 3rd party integrations, plus all relevant trainings. Thereafter, an annual subscription fee applies which covers hosted SaaS for all applications with ongoing enhancements, 24/7 365 Help Desk Support, and access to the resource-rich OCLC Community Centre for self-help updating, detailed release notes, and product development requests.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The mobile and the desktop services are the same, accessed via the same URL, with no separate mobile 'app'. The mobile version has a responsive design and automatically renders the screen to fit the device you are working on - meaning no awkward scrolling but instead - a clean looking, easy to use interface.
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing Recognizing that adherence to standards and guidelines may not ensure that a product is accessible, OCLC is also committed to doing usability evaluations with impaired users to gather accessibility feedback. The information we gather through our Usability Lab is combined into a single Voluntary Product Accessibility Template (VPAT) for each applicable product – these VPAT details are available on request.

We have fully and successfully tested both the WMS and WorldCat Discovery interfaces with screen reading software, and confirm if the user's device (and its browser) also supports such software, then text to speech functionality can be enabled. Microsoft’s JAWS for example, is compatible, as well as Texthelp Read and Write, plus Zoomtext.

OCLC recently launched an Accessibility Task Force, to focus on continuous accessibility improvements across all our processes: product design and development through to standards development, testing and education.
API Yes
What users can and can't do using the API OCLC offers approximately 25 APIs covering all aspects of WMS. Every WMS library has access to all APIs at no additional cost. A complete listing of APIs with documentation can be found at: http://oclc.org/developer/develop/web-services.en.html.

The pre-requisites for working with our APIs are detailed here:
http://www.oclc.org/developer/develop/worldshare-platform/support/prerequisites.en.html
At the application level, API users are required to be authenticated and then must submit a request for a developer WSkey. In addition, some OCLC web services perform verification at the user level (using either, principalID and principalIDNS values, or an Access Token).
We have a GitHub Repository to record changes, and user-created code libraries for handy shortcuts.

Our goal is to make APIs and Web services as broadly accessible as possible. However, given that data is linked to institutional, rather than individual criteria, eligibility rules vary for each Web service area. Please refer to the particular documentation for each service, which describes any specifics.
API documentation Yes
API documentation formats Open API (also known as Swagger)
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Intuitive and responsive design for end-users means minimal customisations by individuals are necessary. Options exist for switching language, formats for exporting or sharing references, creating and maintaining personal lists.
By contrast, several customisable elements exist in the user interface governed by Library staff:
Visually, the search interface may be branded with institution’s logo, strapline and colour. You can also choose whether to show enriched content such as dust jackets and Google previews.
Functionally, you may add custom quick links, embed the search box elsewhere (and create custom tabs to guide users), specify a default search scope, operate separate policies for branches, manage the order of your database listing, switch on an A-Z list of e-journals /ebooks, and control the display of fulfilment options based on local policies.
Major customisations in the staff interface include:
granular role based permissions so staff only need see modules and access functions which are central to their role, specific alerts for key events such as license renewals, a gear box to select preferred individual default settings, such as viewing text or MARC code cataloguing fields.
Customisations are controlled via the Admin or Configuration module, accessible to staff member(s) you allocate the role of ‘super-user’ to.

Scaling

Scaling
Independence of resources Our Webscale services are highly scalable, and can support any number of simultaneous users without negatively affecting system performance. Performance will be monitored to ensure that response time meets quality standards that have been set.
WMS achieves scale and robustness through horizontal partitioning. A partition is defined by the subset of institutions it serves.
For scale, we deploy multiple copies of each service, with each instance serving one or more partitions. As more institutions come online and load increases we add partitions and deploy additional service instances across additional hardware; therefore, each service, partition and institution is scaled independently .

Analytics

Analytics
Service usage metrics Yes
Metrics types We offer 100 inclusive, ready-to-use reports which do not require any additional software. Many modules enable staff to immediately generate and download relevant, real-time metrics, such as: Budget Summary (Acquisitions), Hold Shelf Lists (Circulation), Requests for non-stock items (Inter-Library Loans), or COUNTER statistics for e-resources (Licenses). Mixed presentation formats are used, typically tables and pie-charts.
In addition, the Analytics module provides access to data we have transferred to warehouse. The currency of these is variable due to our data normalisation processes (currently 1 day behind for Circulation metrics to 1 month behind for cataloguing - updating frequencies will increase).
Reporting types Regular reports

Resellers

Resellers
Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Other
Other data at rest protection approach Physical security within the data center allows only authorized staff to have access to the servers. This includes biometric mechanisms for staff identification. Logical access control allows only authorized staff or users to have appropriate access to data. Identity management data is encrypted at rest.
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Customers will be granted access to the relevant secure file areas to extract and export their data to their chosen destination. This does not require OCLC intervention. Please refer to the preceding answer for format options.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks Legacy SSL and TLS (under version 1.2)
Data protection within supplier network Other
Other protection within supplier network While we do not encrypt traffic within a data center, all traffic between data centers is encrypted using Legacy SSL and TLS (1.2). Robust perimeter controls ensure that no unencrypted private traffic flows across the internet. We employ state of the art Intrusion Detection Systems and user enterprise-grade anti virus protection on our Windows servers. Since our public APIs are exposed to the internet, client traffic to and from those APIs is encrypted.

Availability and resilience

Availability and resilience
Guaranteed availability Our SLA states an Uptime Commitment of 99.5%. All software applications are monitored 24x7x365 and alerts are captured in both log files and a centralized internal dashboard which is proactively managed by IT specialists. Customers may choose to sign up for global system alerts and associated updates about resolution.

With regard to the LMS performance, we aim for 95% of transactions to complete within three seconds across 10 minute reporting windows during office hours (measured from system ingress point to system egress point, thus excluding network transit time beyond OCLC data centres).

UK Helpdesk available 09:00 - 17:30 Monday – Friday. High priority calls are answered via the global support desks, available 24/7. The UK Support team is made up of nine analysts. Response times relate to the urgency rating of a call:
Critical – 2hrs response with a fix or work-around within 4 hrs [average resolution achieved 1hr, 55 mins)
High – 4 hrs response with a fix or work-around within 7 days [average resolution achieved 6 hrs]
Medium – 4 hrs response with a fix or work-around within 20 days [average resolution achieved 9 days]

We have no case of refunding for failure to meet these standards.
Approach to resilience Information on how our service is designed to be resilient is available on request.
Outage reporting Customers may sign up for global system alerts and any associated resolution updates. This can be via email or RSS feed.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Other user authentication A customer institution may choose identity federation with their existing IDP or we may provide an IDP (and thus username/password). OCLC will consider joining a regional identity federation to support authentication. We support existing IDPs running SAML2 SP initiated Web Browser SSO profile[1], Central Authentication System (CAS, version 2 & 3), and LDAP. OpenID Connect is planned.

[1] often referred to as shibboleth; see Section 4.1 http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf and https://en.wikipedia.org/wiki/Shibboleth_(Internet2)..
Access restrictions in management interfaces and support channels Customers authenticate to the management interface with their own or OCLC’s IDP. Customer administrators assign roles that authorize access to protected interfaces as needed by individual staff.

OCLC support staff use an OCLC IDP to be authenticated & roles to be authorized to access protected interfaces.
Access restriction testing frequency At least once a year
Management access authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 6 months and 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 6 months and 12 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Lloyd's Register Quality Assurance
ISO/IEC 27001 accreditation date 29/06/2016
What the ISO/IEC 27001 doesn’t cover We did not implement ISO 27001 control A.18.1.5 because because OCLC does not create, manage, or export cryptographic controlled items.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes The Head of Global Security is responsible for implementing the Information Security Policy, and this position reports to the Chief Information Officer (CIO). The CIO reports to the Chief Executive Officer (CEO). Our policies follow the ISO 27001:2013 standard, and we will be happy to review them with you on request. Yearly ISO 27001 audits ensure that we comply with our policies, and internal security staff routinely engages with other staff to ensure policies are considered and addressed during development and deployment.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Non-trivial changes are reviewed for potential security impact. Otherwise, the change management process implements the controls recommended in ISO 27001. Specifically, we implement strict segregation of duties by allowing only select staff to deploy changes, and only after the changes are reviewed by the Change Review Board. The CRB is made up of a diverse team tasks with ensuring changes are appropriate and correctly implemented. Software changes are versioned and can be rapidly rolled back. All changes are tracked through a central change management system subject to management oversight.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We conduct vulnerability scans monthly to identify potential threats. A team consisting of security and support staff review each vulnerability for its severity and potential impact the business. We deploy patches as needed based on our analysis, and we have a process for handling emergency/critical patches. We use vulnerability scans, vendor security bulletins, and trusted news sources to keep informed of potential threats. We also rely on the Common Vulnerability Enumeration and follow the principles of the Common Vulnerability Scoring System.
Protective monitoring type Supplier-defined controls
Protective monitoring approach We use an industry-leading IDS to monitor incoming and outgoing traffic. We closely monitor system performance for early indication of security issues. We preserve audit logs for at least six months and use those logs for diagnostic and forensic purposes. OCLC maintains a robust Incident Response process, and we conduct annual training on that process.
Incident management type Supplier-defined controls
Incident management approach Users can report events through the website or by calling the OCLC service desk. Operations has a full runbook detailing how to respond to common events. OCLC also maintains a full escalation matrix that defines critical staff to involve for each product and service. Should an incident require it, OCLC has a time-tested Computer Incident Response Procedure that is reviewed annually by the Director of Global Security. This procedures defines the team and the individual roles to handle an incident. We maintain a website for customers to monitor overall system health.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No

Pricing

Pricing
Price £10000 to £95000 per unit per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Upon request, OCLC may grant a temporary password to a demo version of WMS. This permits exploration of the various modules using existing test data.
A sandbox environment is provided for developers working with Platform APIs. This can be used to test applications before taking them into production.

Documents

Documents
Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑