Microsoft PPM / EPM (Microsoft Project Online) delivers flexible and easy to use PPM / EPM solutions covering full project lifecycles. It assists organisations in aligning budgets and resources to business objectives and enables them to initiate, prioritise, track and deliver project, programme and portfolio investments to realise business value.
- Project demand management identifies new ideas and projects-Idea Management
- Project portfolio definition and optimisation to drive best value selection
- Project resource management for managing demand and capacity/timesheets
- Project schedule management for improved tracking and delivery/timesheets
- Project financial management for budget, planned and actual costs
- Consolidated View of Projects, Programmes, and Portfolio
- Project team collaboration for improved working practices and understanding
- Business intelligence and reporting improves decision management/Management Information
- Securely hosted in UK datacentres with security cleared, permanent employees
- Standardisation of PPM Methodologies and Frameworks
- Consistent project management data and processes
- Low total cost of ownership
- Improved quality, timeliness and cost effectiveness
- Enterprise-wide governance with standard gateway management
- Improved project investment strategy aligned to business needs
- Built-in capabilities including project dashboards, planning, risk and issue tracking
- Microsoft Gold Partner with ISO27001 certification
- Keeps investment risk at a manageable level
- Ensures the most expensive asset (resources) is optimally utilised
£5.30 to £41.50 per user per month
- Free trial available
Program Planning Professionals Ltd (t/a Pcubed)
020 7462 0100
|Software add-on or extension||No|
|Cloud deployment model||Public cloud|
|Service constraints||There are no other foreseeable constraints to the Services (e.g. maintenance windows, level of customisation permitted, schedule for deprecation of functionality/features etc.)|
|Email or online ticketing support||Yes, at extra cost|
|Support response times||Dependent on the severity level. We can respond to a client within one hour, if the severity level is high|
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Support levels include Email, Phone, Service desk and Onsite assistance.
Each support request will receive a severity level which is tied to a service level metric. Service-level metrics specify the maximum amount of time to elapse before a customer, after opening an incident, the user will be contacted by a support representative. Initial response goals will be the same for all support package levels but will vary by severity. Initial technical response time is determined by the severity, as follows:
Severity 1; Urgent - A full system outage , the system is not working and this is affecting all users.
Severity 2; High - A major element of either the Microsoft PPM / EPM or Pcubed solution is not working at all and affecting all / nearly all users or the production of business critical reports.
Severity 3; Normal - A single or small element of the Microsoft PPM / EPM or Pcubed solution is not working and affecting a number of users or multiple teams.
Severity 4; Low -There is a problem which is affecting limited numbers of users or a less frequent part of the solution or regular reports.
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||Envisioning workshops, training , change management, providing a dedicated delivery team and support where necessary|
|End-of-contract data extraction||OData - extracting PO data to an excel spreadsheet and saving project plans in Microsoft Project|
Microsoft and Pcubed are certified in ISO 27001, this enables Pcubed to comply with high standards of all our customer’s data security and integrity. Upon exit, all customer information will be securely destroyed and confirmation will be provided.
Also, Microsoft implements destruction and confirmation of destruction of all data upon exit of contract.
If you terminate a cloud subscription or it expires (except for free trials), Microsoft will store your customer data in a limited-function account for 90 days (the retention period) to give you time to extract the data or renew your subscription. During this period, Microsoft provides multiple notices, so you will be amply forewarned of the upcoming deletion of data.
After this 90-day retention period, Microsoft will disable the account and delete the customer data, including any cached or backup copies. For in-scope services, that deletion will occur within 90 days after the end of the retention period. (In-scope services are defined in the Data Processing Terms section of Microsoft Online Services Terms.)
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||There are screen user interface differences, however, there are no limited functionality features|
|Accessibility standards||WCAG 2.0 AA or EN 301 549|
|Accessibility testing||Microsoft Project Online is an application and meets the published standards as an application. Microsoft accessibility statement on can be found on the Microsoft Accessibility website (http://microsoft.com/enable). Microsoft publishes Voluntary Product Accessibility Templates (VPAT).|
|What users can and can't do using the API||
Microsoft Project Online has an Open API that allows integration with other systems (uni and bi-directional).
The API access of the following types is available: REST, SOAP. For further information, please see: https://msdn.microsoft.com/en-us/library/azure/ee460799.aspx
|API documentation formats||HTML|
|API sandbox or test environment||Yes|
|Description of customisation||The solution allows reports, letters and other communications to be customised with logos, fonts, branding and colours. Advanced customisation using pages, events, web parts and configuration can be provided to meet further requirements (e.g. add extra fields, access to API to build your own interfaces, etc.).|
|Independence of resources||
Availability reports are available via the Admin Portal of Office 365, for the overall platform and by service.
There is a separation in services between consumers; users are not affected by the demand of other users.
By using Office 365 API, further monitoring is possible. The service is based on Microsoft architecture which is fully scalable.
|Service usage metrics||Yes|
|Metrics types||Please see the Business admins section found here https://support.office.com/en-gb/article/Activity-Reports-in-the-Office-365-admin-center-0d6dfb17-8582-4172-a9a9-aed798150263|
|Reporting types||Real-time dashboards|
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Other data at rest protection approach||For data at rest, the service deploys BitLocker with AES 256-bit encryption on servers that hold all messaging data, including email and IM conversations, as well as content stored in SharePoint Online and OneDrive for Business. BitLocker volume encryption addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers and disks. Your organization’s files are distributed across multiple Azure Storage containers, each with separate credentials, rather than storing them in a single database.|
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||Users can use OData to extract or import their data. Out of the box SharePoint allows export of all information to Excel. Pcubed could also develop specific reports relating to more detailed information and saving project plans in Microsoft Project|
|Data export formats||
|Other data export formats||
|Data import formats||CSV|
|Data protection between buyer and supplier networks||
|Other protection between networks||For data in transit, all customer-facing servers negotiate a secure session by using TLS/SSL with client machines to secure the customer data. This applies to protocols on any device used by clients, such as Skype for Business Online, Outlook, and Outlook on the web. See also http://aka.ms/Office365CE|
|Data protection within supplier network||
|Other protection within supplier network||
Microsoft supports versions 1.0, 1.1, and 1.2 of the Transport Layer Security (TLS) protocol. This protocol is an industry standard designed to protect the privacy of information communicated over the Internet. TLS assumes that a connection-oriented transport, typically TCP, is in use. The TLS protocol allows client/server applications to detect the following security risks:
• Message tampering
• Message interception
• Message forgery
For further information, please refer to: https://msdn.microsoft.com/en-us/library/windows/desktop/aa380516(v=vs.85).aspx
Availability and resilience
Microsoft provides a contractually backed SLA to a minimum of 99.9%.
Backup, disaster recovery and resilience plan in place
|Approach to resilience||
Office 365 services have been designed around five specific resiliency principles:
There is critical and non-critical data. Non-critical data can be dropped in rare failure scenarios. Critical data should be protected at extreme cost. As a design goal, delivered mail messages are always critical, and things like whether or not a message has been read is noncritical.
- Copies of customer data must be separated into different fault zones or as many fault domains as possible (e.g., datacentres, accessible by single credentials (process, server, or operator)) to provide failure isolation.
- Critical customer data must be monitored for failing any part of Atomicity, Consistency, Isolation, Durability (ACID).
- Customer data must be protected from corruption. It must be actively scanned or monitored, repairable, and recoverable.
- Most data loss results from customer actions, so allow customers to recover on their own using a GUI that enables them to restore accidentally deleted items.
- Backup, disaster recovery and resilience plan in place
Further info: http://aka.ms/Office365DR
|Outage reporting||Office 365 reports outages via the service status portal https://portal.office.com/servicestatus/servicestatus.aspx, Alert or Mobile Application|
Identity and authentication
|User authentication needed||Yes|
|Other user authentication||
User access to interfaces is made possible with a user account: O365 account.
Without having the O365 account, users cannot gain access to the service.
Access to the service is limited to authenticated and authorised users.
Usernames and password control remain under the buyers control.
|Access restrictions in management interfaces and support channels||
Access can be restricted based on the role of the user (administrator, team member with edit right, or only viewer).
In addition, if the user does not have a O365 licence, they are restricted from the service.
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||2-factor authentication|
Audit information for users
|Access to user activity audit information||No audit information available|
|Access to supplier activity audit information||No audit information available|
|How long system logs are stored for||Less than 1 month|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||BSI|
|ISO/IEC 27001 accreditation date||17/01/2017|
|What the ISO/IEC 27001 doesn’t cover||Control: The organisation shall supervise and monitor the activity of outsourced system development.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||Yes|
|CSA STAR accreditation date||29/04/2016|
|CSA STAR certification level||Level 1: CSA STAR Self-Assessment|
|What the CSA STAR doesn’t cover||None|
|Other security accreditations||Yes|
|Any other security accreditations||
|Named board-level person responsible for service security||Yes|
|Security governance accreditation||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
EU Model Clauses,
SASE16 SOC1 & SOC 2
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402.
The service has developed formal standard operating procedures (SOPs) governing the change management process. These SOPs cover both software development and hardware change and release management, and are consistent with established regulatory guidelines including ISO 27001, SOC 1/SOC 2, NIST 800-53, and others.
Microsoft also uses Operational Security Assurance (OSA), a framework that incorporates the knowledge gained through a variety of capabilities that are unique to Microsoft. OSA combines this knowledge with experience of running hundreds of thousands of servers in datacentres around the world.
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
Configuration, change management, incident response and protective monitoring are all demonstrated in Microsoft’s compliance with the ISO-27001 information security standard.
In addition to Microsoft’s ISO-27001 compliance, and their use of independent 3rd party penetration tests, they operate an assumed breach model and use active red-team penetration testing and vulnerability management as part of their Operational Security Assurance (OSA).
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||Configuration, change management, incident response and protective monitoring are all demonstrated in Microsoft’s compliance with the ISO-27001 information security standard.|
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||Configuration, incident response and protective monitoring are all demonstrated in Microsoft’s compliance with the ISO-27001 information security standard.|
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£5.30 to £41.50 per user per month|
|Discount for educational organisations||No|
|Free trial available||Yes|
|Description of free trial||30 Day Trial of Office 365|
|Pricing document||View uploaded document|
|Skills Framework for the Information Age rate card||View uploaded document|
|Service definition document||View uploaded document|
|Terms and conditions document||View uploaded document|