Microsoft Dynamics 365 (Official Sensitive)
Provides out of the box Microsoft Dynamics 365, securely hosted and managed within a UK-based, IL3 data centre. The SaaS offering has been accredited for Official Sensitive use by the Home Office, can process Official Sensitive data out-of-the-box and offers PSN-P connectivity.
- Accessibility: users can access the secure service
- Flexibility: add users as requirements change and the organisation grows
- Low cost: no fixed overheads, consumption based pricing
- Security Compliant: meets Cloud Security Principles for Official/Official Sensitive
- Securely Hosted
- Commonly used for secure Case Management and Grant Management
- Microsoft Dynamics 365 Service modules
- Microsoft Dynamics 365 Analytics and Reporting with key KPIs
- Integration with Outlook and the Microsoft Office Suite
- Based on entities and workflows with inbuilt workflow engine
- Out of the box Microsoft Dynamics 365 functionality
- License for Microsoft Dynamics 365 Service, SQL server and Windows
- Capability to customise solution to support requirements
- Securely hosted to IL3/Official Sensitive level if required
- Managed from UK SC cleared staff
- Underpinned by ISO27001, ISO9001 and ISO14001 processes
- Priced on a per user per month basis
- Option for 28 day back up
- 99.99% Availability, Test and Development (T&D) Environment available
- UK data sovereignty, Dynamics CRM 2016, 365
£66 per user per month
Civica UK Limited
Civica UK Limited
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||Our services are built upon Microsoft's Dynamics 365 platform.|
|Cloud deployment model||Private cloud|
|Email or online ticketing support||Email or online ticketing|
|Support response times||
Civica offers four levels of support ranging from working hours only to full 24x7 support. Our standard Silver service response times depend on the severity of the incident and are as follows:
•Severity Level 1 - Critical 10 mins to acknowledge, 1 hour to respond, 1 day to resolve;
•Severity Level 2 - Severe 10 mins to acknowledge, 1 hour to respond, 3 days to resolve;
•Severity Level 3 - Disruptive 10 mins to acknowledge, 2 hours to respond, reasonable 5 days to resolve;
•Severity Level 4- Minor 10 mins to acknowledge, 2 hours to respond, reasonable effort to resolve.
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Civica offers four levels of support:
•Platinum: Full 24*7 support service suitable for the most business critical applications
•Gold: On-call 24*7 support service appropriate for public facing applications that are utilized 24*7
•Silver: 8AM to 17:30PM Monday to Friday, excluding public holidays. This extended hours model is targeted at customers requiring cover for a flexible working day
•Bronze: 9AM to 5PM Monday to Friday excluding public holidays and period between Xmas day and New Year’s Day (inclusive).
The Civica Service Desk is contactable from 08.00 to 18.00 on UK working days.
The Service Desk responds to questions depending on the Severity Level of the call as follows;
•Severity Level 1- Critical- The reported problem causes a halt to the Client’s core business processes and no workaround is available.
•Severity Level 2- Major- The reported problem causes degradation of the Client’s core business processes and no reasonable work-around exists.
•Severity Level 3- Intermediate- The reported problem impacts the Client’s operational environment but does not affect core business processes. A work-around is available.
•Severity Level 4- Minor- A non-critical problem is causing some disruption but with little or no impact on the Client operation.
|Support available to third parties||Yes|
Onboarding and offboarding
During initiation the Civica Delivery Manager (DM) assesses what help, support and training users require to start using the service. The DM works closely with the customer to agree an on-boarding plan that ensures users are ready to start using the service, typically priced from the SFIA rate card. The on-boarding plan may incorporate the following:
Support Documentation – availability and access to online user support documentation and resources.
Cloud Induction Training for system administrators and online product help. Provides the skills to run cloud services.
Cloud Standard Training in the core system for system champions and end users. Covers system administration, security and cloud service monitoring/managing.
Cloud Specialist Training – advanced training for system champions. This may involve Accredited Courses from Civica Cloud delivery partners including Google, Amazon Web Services and Microsoft.
Cloud Training Packages, tailored package of training for specific business requirements for system administrators, business managers, and end users.
The Delivery Manager also facilitates skills transfer throughout the project and provides access to Civica Knowledge Sharing activities including supplier briefings, Webinars.
|End-of-contract data extraction||
Termination period depends on the payment model. When paying per user per month, customers may terminate their G-Cloud service with 30 days’ notice. When buying an enterprise licence, the minimum term is a year. Customers can terminate their service by contacting Civica in writing.
Customers may request all associated data is extracted and provided securely to a destination of their choice (see pricing for charges associated with data extraction). If no data extraction is requested, then the associated data will be deleted within 5 working days of service termination. The three step off-boarding process is: 1. Termination Notification – one month termination notice sent; 2. Data Extraction – Optimal Data Extraction for Test Migration; 3. Service Termination – All Data Wiped.
|End-of-contract process||For monthly contracts, Civica require 30 days’ notice to terminate a G-Cloud service. When buying an enterprise annual licence, the minimum term is a year and 3 months’ written notice must be provided. At the end of the contract, the service will be turned off unless the customer decides to extract their data as per the extraction process detailed above. Customers will be credited for any amount that has been paid beyond the termination date once the service has been terminated subject to minimum terms.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||Civica Services recognise that digital services are accessed “anytime, anywhere, any device”. Therefore, Civica has utilised a responsive design approach to ensure a common user experience that is browser based and platform independent. The interface is optimised to run on either a mobile device or tablet depending on the size of the screen with certain elements, like menus, collapsing to take up minimal screen space as the available space reduces.|
|Description of service interface||Full SDK is available from Microsoft.|
|Accessibility standards||None or don’t know|
|Description of accessibility||Supports screen readers and has a high contrast mode.|
|Accessibility testing||Please contact Civica for details.|
|What users can and can't do using the API||
The Web API provides a development experience that can be used across a wide variety of programming languages, platforms, and devices. The Web API implements the OData (Open Data Protocol), version 4.0, an OASIS standard for building and consuming RESTful APIs over rich data sources. (Further details can be found here -https://msdn.microsoft.com/en-gb/library/mt593051.aspx). The web API is part of the Dynamics 365 Software Development Kit (SDK). The SDK contains a wealth of resources, including code samples, which are designed allow powerful vertical applications to be built using the Microsoft Dynamics 365 platform. It is a guide for developers writing solutions, server-side code, client applications and extensions, custom business logic, plug-ins, integration modules and custom workflow modules.
As a secure platform consideration will need to each and every integration with the system.
|API documentation formats||HTML|
|API sandbox or test environment||No|
|Description of customisation||The services and solutions that we provide within Dynamics 365 provide our clients with significant flexibility for customisation and configuration. Dynamics 365 is one of the most extensible platforms available, enabling users with sufficient permissions the ability to have a bespoke customised experience across different sections of the tenancy. Configuration can easily be applied directly within Dynamics 365’s user interface. More involved customisation is typically undertaken via use of Dynamics 365’s APIs. This empowers users with the ability to introduce customisation that allow different types of content to be viewed, created, edited or even deleted. Permissions can be set to ensure that only required users have the ability to apply customisation.|
|Independence of resources||The solution is designed to operate and optimum level and system performance is reviewed to ensure the correct allocation of resources are applied.|
|Service usage metrics||Yes|
|Metrics types||Metrics are provided based on the active number of users, in addition auditing metrics are provided related to; last logon, account lockout, password resets.|
|Supplier type||Reseller providing extra features and support|
|Organisation whose services are being resold||Microsoft|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||There are a large number of different export paths provided within Dynamics 365; these depend upon the nature of the data that users wish to export. There are also a large range of 3rd party tools which enable bulk import and export, which make the process of overseeing large-scale data export far simpler.|
|Data export formats||
|Data import formats||
|Data protection between buyer and supplier networks||
|Data protection within supplier network||
Availability and resilience
|Guaranteed availability||The Microsoft Dynamics CRM 365 IL3/Official Assured platform is delivered upon the UKCloud cloud platform. The guaranteed availability is 99.9% based on 24 x 7 availability. Civica’s service desk is available 09:00am – 5:30pm UK Working Days. If you would like service levels to apply outside of normal service hours, then please contact us with your requirements. Civica will act as the customer’s agent to liaise with UKCloud to resolve issues. UKCloud pay service credits directly if the cloud platform does not meet pre-defined service levels. Civica will pass onto the customer any service credits received from UKCloud.|
|Approach to resilience||The service is deployed across a number of sites, regions and zones. Each zone is designed to eliminate single points of failure (such as power, network and hardware). The platform has been configured to make use of the available resiliency within the cloud platform.|
|Outage reporting||All outages will be reported via the Service Desk and e-mail alerts to designated technical contacts.|
Identity and authentication
|User authentication needed||Yes|
|User authentication||Username or password|
|Access restrictions in management interfaces and support channels||Support is provided by bastion hosts. These are on dedicated VPNs connected to the environment at UKCloud. Certain individuals who have the appropriate security clearance have the physical access to the machines and are allocated a login to access the system. All support is performed from the UK.|
|Access restriction testing frequency||At least once a year|
|Management access authentication||Username or password|
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||Between 1 month and 6 months|
|Access to supplier activity audit information||Users have access to real-time audit information|
|How long supplier audit data is stored for||Between 1 month and 6 months|
|How long system logs are stored for||Between 1 month and 6 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||Alcumus ISOQAR Ltd|
|ISO/IEC 27001 accreditation date||4th May 2016|
|What the ISO/IEC 27001 doesn’t cover||Civica's ISO27001 certificate covers the full breadth of services that we deliver. The certificate does not extend to the inner workings of the Microsoft Data Centres but these are covered by Microsoft's ISO27001 certificate.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||Cyber Essentials Plus|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||Civica is ISO27001 accredited. It has decades of experience in delivering highly-secure, business critical services for public sector clients, including the development and management of several national critical systems. All of Civica’s activities are carried out under its ISO27001-compliant Information Security Management System (ISMS) which defines the secure operating procedures for every single aspect of Civica’s operational processes, including its engagement with partners such as Microsoft. Microsoft are themselves ISO27001 accredited and Civica has worked to ensure this service offers seamless operational security coverage. Ultimate responsibility for Civica’s security policies rests at board level; day-to-day operational responsibility is held by Civica’s Head of Security who manages a team of Security Administrators involved in supporting operations and technical owners. Operational security for this service is assured by the internal service owner, with the support of the security team.|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||Civica use a documented configuration and change management policy which is part of our ISO9001 and ISO27001 management systems. This is underpinned by the UKCloud documented configuration and change management policies and processes, which have been implemented, maintained and assessed in accordance with the guidance from ITIL v.3 and the current ISO20000 standard. A robust, established process for the formal submission of change requests is mandated prior to review and approval of the daily Change Advisory Board, which is attended by a quorum of operational and technical management personnel.|
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||The service is built upon UKCloud's platform, UKCloud has a documented vulnerability management policy and process, which have been implemented, maintained and assessed in accordance with the guidance from ITIL v.3 and the current ISO20000 and ISO27001 standards. Where technically possible, real-time updates and status reports are identified and sourced from credible vendor sources, which cover a significant proportion of UKCloud’s asset population. For other systems and software, assigned personnel have responsibility for regularly reviewing technical forums and specialist groups to promptly identify and evaluate any emerging patches or updates which require our attention.|
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||Following best practice from the National Cyber Security Centre, UKCloud protects both its Assured and Elevated platforms with enhanced protective monitoring services (SIEM), at the hypervisor level and below. Our approach to protective monitoring continues to align with the Protective Monitoring Controls (PMC 1-12) outlined in CESG document GPG13 (Protective Monitoring for HMG ICT Systems). It includes checks on time sources, cross-boundary traffic, suspicious activities at a boundary, network connections and the status of backups, amongst many others. All alerts are immediately notified to the UKCloud NOC for prompt investigation.|
|Incident management type||Supplier-defined controls|
|Incident management approach||Civica will provide service desk support to a designated customer administrator or IT Help Desk. End users of the service experiencing service issues contact their designated administrator or help desk who will then raise an incident either by phone, e-mail or online ticket. The incident will be managed by the service desk team who will assign a priority depending on severity. The engineers will then work to resolve the incidents and any underlying problems if present. Work is overseen by the Service Delivery Manager who works with the customer and will produce monthly incident management reports.|
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||Yes|
|Connected networks||Public Services Network (PSN)|
|Price||£66 per user per month|
|Discount for educational organisations||No|
|Free trial available||No|