Link Maker – Children’s Social Care Placement Platform
Link Maker joins-up children’s social care nationally to increase placement choice, and to improve use of data between local authorities and providers. Across adoption, fostering, residential care and placement commissioning, and at any scale, it ensures all parties have the tools and information to make the best decisions for children.
- Care placement covers adoption, fostering, residential care and SEN
- Search and filter placements by location, provider and needs.
- Instant identification of placements by both authorities and providers.
- Provider collaboration and group support - frameworks, tiers, lots, consortia.
- Child and family case sharing across teams.
- User-level secure messaging and document sharing.
- Advanced reporting and monitoring tools.
- Consortium and regional collaboration support.
- 9-5 telephone and online user-support.
- ISO 27001 accreditation.
- Find the widest range of placements for children without delay.
- Source and arrange placements efficiently and securely.
- Search in-house, framework, regional or national placements.
- Collaborate with providers and other authorities seamlessly.
- Access rich, real-time intelligence to inform practice and policy.
- Extract data instantly for FOI or statutory information requests.
- Align processes with nationally developed templates.
- Stay current with regularly updated national infrastructure.
- Provide safe, online support and resources to staff and families.
- Meet all security, support, hosting and development needs.
|Software add-on or extension||No|
|Cloud deployment model||Community cloud|
|Service constraints||Planned system upgrades will result in a service outage.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||
For licenced users during 'phone support' hours notification that a support issue has been raised should be received within 2 hours. Please see the SLA for the priority levels below;
1 Security issue where there was a report of a potential risk to data integrity or security 4 hours
2 Core functionally required to find a suitable placement 4 hours
3 Functionality relating to communication and sharing information and generating a profile 4 hours
4 Functionality relating to the management of the placement finding process 8 hours
5 Functionality relating to the Agency Portals, or Community Areas. 24 hours
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Access control policies are governed by ISO27001 and adhere to best practice. Access is role based, and follows principles of least privilege.
LMS do not have support levels as we provide support to all users as follows:
There is user access to the LMS support desk which covers all areas of support including licencing issues, bugs/errors, technical help, enhancement requests and advice. They can be contacted via;
• Telephone on 0843 886 0040
• The contact form on the web site
• Email email@example.com
SLA's are set for licenced users.
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||Users just need to register on the site and create login information. Additional help/advice can be obtained from the support desk or video tutorials available online. Additional training or onsite courses can be tailored for an individual organisation for an additional fee and can be requested through the support desk.|
|End-of-contract data extraction||Users can export individual profile and discussion information via PDF download. Activity case reports for cases are also available to download. An anonymised data extract can be run by those with management permissions.|
Removal of data can be instigated by the user, or by LMS.
LMS use a manual support process to confirm that the data is no longer required.
Inactive cases will be removed three months after an adoption or full commissioning licences has expired.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||Functionality remains the same.|
|Description of service interface||Service interface is accessed via an internet browser|
|Accessibility standards||WCAG 2.1 AA or EN 301 549|
|Accessibility testing||Our most recent independent web accessibility audit for this website was in April 2019, where they use both automated evaluation tools and manual testing with assistive technologies.|
|Description of customisation||
A licenced organisation is able to customise their portal. The portal can be customised with their own branding i.e. logo, text and background colour, with the option of a branded login page. The customisation is implemented by LMS administrators on behalf of the organisation at request of a user with the relevant authority level.
The organisation can manage the content of the portal through the use of forums, where read/write access can be restricted by user type. Forums are defined by LMS staff on behalf of the organisation.
|Independence of resources||Performance and capacity is monitored 24/7, by our infrastructure management company and the infrastructure is such that remedial action can be taken instantly.|
|Service usage metrics||Yes|
Management dashboard provides an overview of all cases.
For Adoption there are, court reports, family-finding activity reports, system usage and matching reporting available. There is also a raw data extract available for system usage and matching. There is also data available for adoption to help inform the sector about placement sufficiency and practice trends.
For Placement commissioning, availability history reports, incoming referrals report, and there are raw data extracts for system usage and placement information.
|Reporting types||Real-time dashboards|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||None|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||No|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||
|Other data at rest protection approach||Our datacentre operators are a member of The Green Grid industry body, comply with the European Code of Conduct for Datacentre Operators best practice guidelines, and have been externally audited and certified to ISO 9001 (Quality Management), ISO 14001 (Environmental Management) and ISO 27001 (Information Security) standards.|
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||Users can export individual profile and discussion information via PDF download. Activity case reports for cases are also available to download. An anonymised data extract can be run by those with management permissions.|
|Data export formats||
|Other data export formats||
|Data import formats||Other|
|Other data import formats||
|Data protection between buyer and supplier networks||
|Other protection between networks||In addition to the above we use CSRF and XSS protection.|
|Data protection within supplier network||Other|
|Other protection within supplier network||LMS have a private LAN with restricted service/ports between servers, allowing non-web traffic only via hardened bastion server.|
Availability and resilience
|Guaranteed availability||The LMS hosting provider has an average availability time of over 99.99%.|
|Approach to resilience||The infrastructure is virtualised with load balanced components. The server cluster is hosted by Equnix with high level of physical security, fire suppression and power redundancy.|
|Outage reporting||For any planned down time that exceeds 1 hour, users will be emailed 3 days in advance to advise of the outage. For any planned downtime less than an hour, an announcement is posted on the site for all users. All planned downtime is scheduled out of hours to minimise the impact on users.|
Identity and authentication
|User authentication needed||Yes|
|Other user authentication||
Users are authenticated using a username, strong password and PIN.
It is possible for individual licenced organisations to instigate two factor authentication for their own individual users.
|Access restrictions in management interfaces and support channels||
Access control policies are governed by ISO27001 and adhere to best practice. Access is role based, and follows principles of least privilege.
LMS administrators can only access the site via a VPN, with a VPN username and strong password. They then need to enter a unique username, strong password and PIN for access to the web site.
Users can be granted management functionality either by other users in their organisation who already have that functionality, or by LMS administrators with the approval of an authorised representative.
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
|Description of management access authentication||For the web site, administrators can only access the site via a VPN, with a VPN username and strong password. They then need to enter a unique username, strong password and PIN for access to the web site.|
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||Between 1 month and 6 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||Between 1 month and 6 months|
|How long system logs are stored for||Between 1 month and 6 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||Alcumus ISOQAR|
|ISO/IEC 27001 accreditation date||12/11/2015|
|What the ISO/IEC 27001 doesn’t cover||LMS business operations that do not directly affect the online platform.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||No|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
COO of LMS is responsible for information assets and as such owns the information security policies and is the Senior Information Risk Owner (SIRO). Together with the LMS Security Board, policies are reviewed on an annual basis to ensure it is accurate and reflects the risks to information and commitment by LMS to safeguard personal data.
LMS perform regular risk assessments. Risks are mitigated using appropriate controls and residual risks are monitored on an on-going basis.
To ensure LMS continue to implement, maintain and comply with their information security policies an annual internal audit is carried out, by an independent resource to ensure impartiality. An internal audit report will be generated together with a list of recommendations from the audit. The auditor can select a random set of controls that cover at least a third of ISMS.
On induction all staff are given formal training on Information Security and the LMS ISMS policies. Refreshers are repeated annually.
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||
LMS operate an infrastructure change control procedure and a development and release process. All changes to the LMS infrastructure or web site are logged, and monitored by the security officer through to completion.
Issues are reviewed against impact on data privacy the LMS security policies before being approved, and implemented.
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||LMS uses an external CHECK approved ITHC provider to perform network/application level vulnerability scans, annually.Vulnerability scans of application and infrastructure are carried monthly, or on each version release. The findings are interpreted in to a remediation plan, where each vulnerability is given a severity rating, and appropriate action taken. For issues with a severity rating of critical or High the issues are fixed immediately. LMS patch policy states that where CVSS is greater than 8.5 then patches are applied within 24 hours, where CVSS is greater than 7 then patches are applied within 1 week. Other patches are applied monthly.|
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||
Email alerts are generated for anti-virus issues. The application generates event logs which are reviewed on an ad-hoc basis for any potential security issues. LMS are currently reviewing its solution to event monitoring and is examining components to centralise accounting and audit. The LMS hosting provider actively monitor the servers and their integrity, alongside intrusion attempts via proprietary tools under SSH.
Reported/identified incidents are assessed by the security officer and assigned a security incident rating. An incident procedure is followed to ensure resolution with the target times are set per security rating. Upon being alerted, all issues are investigated immediately.
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||
LMS are committed to identify, managing and recording incidents so that the information assurance and business processes can be continually approved.
This policy and process applies to all individuals and business processes within LMS, as everyone has a responsibility to report suspicious or known malicious issues to senior stakeholders. Users can report incidents through the normal support channels. LMS Security officer will assign a severity level, and appropriate action taken. The size of the company enables LMS to have a flexible and agile approach to identifying, measuring and treating risk.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£103.41 per licence per year|
|Discount for educational organisations||No|
|Free trial available||Yes|
|Description of free trial||
There are elements of the site which users are able to access for free for an unlimited time period.
Adopters are able to list their profile and access the community network. Practitioners can search profiles and support adopters.
Staff can identify and arrange individual placements for children.
|Link to free trial||N/A|