One Education and Children Services
Our One Education SaaS helps teams work more efficiently, allowing authorities to invest their time and resources in improving the lives of children and families. It provides a clear picture of a child or family’s circumstances, giving authorities the information required to intervene early and improve outcomes.
- Capita One provided as a complete SaaS package.
- Availability, capacity, security, performance managed by Capita underpinned by Azure.
- All software updates, technology refreshes, patches and continuous improvements included.
- Comprehensive monitoring of school data including attendance, attainment and exclusions.
- Capita One: a single comprehensive record of children and families.
- Online portals for parents, professionals and providers.
- Large number of integrated modules available to enrich the dataset.
- Flexible pricing models available with several optional modules.
- Supports effective administration of services.
- All software updates, technology refreshes, patches and continuous improvements.
- Migration to Cloud service (onboarding) included within pricing.
- One price for complete service providing budget certainty.
- Immunity from technology changes allowing peace of mind.
- Can focus on improving lives of children and families.
- Supports safeguarding of children across the Authority.
- Ability to upload the latest school data using Capita SIMS.
- 99.5% uptime with 24/7 availability.
- Can monitor the performance and outcomes for vulnerable children.
- Supports efficient team working with time-saving solutions.
- Supports early intervention and improved outcomes in the Authority.
£14666 per instance per month
410931630123998
Capita Business Services Limited
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||Capita One Education forms part of the Capita One portfolio of software services, delivering comprehensive solutions across the Public Sector and Housing Association marketplace.|
|Cloud deployment model||Public cloud|
Not all maintenance requires downtime and we will schedule downtime to be outside of core business hours wherever possible. The scheduled maintenance covers tasks including, but not limited to:
• New releases (software upgrades) and server patching.
• Monthly schedules of planned downtime published in advance.
In cases of unscheduled downtime for emergency changes, we will endeavour to complete work outside normal office hours.
|Email or online ticketing support||Email or online ticketing|
|Support response times||
Most communication from us will be in the form of updates added to our 24/7 online ticketing system called My Account. For Priority 2 or higher priority incidents, we will aim to call customers in the first instance. We aim to make our initial response to cases based on their priority:
Response times are based on working hours: Monday–Thursday 08:00 to 17:30 (UK time), Friday 08:00 to 17:00 (UK time), excluding bank holidays.
High Severity (must be logged by telephone): Response within one working hour.
Medium Severity: Response within two working hours.
Low Severity: Response within 1-2 working days.
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Help Desk requests are logged on a call tracking system and dealt with in priority and severity order. The Help Desk is operated Monday–Friday, 08:00 – 18:00.
Requests are logged online, by email or telephone.
24/7 Platform Availability Monitoring and fix of ‘site down’ P1 incidents.
High Severity: day-to-day work cannot be continued, or assistance needed to meet business-critical deadlines. We aim to respond within one hour. Resolution: continuous monitoring and customer updating until the fault is resolved, which we aim to be within four hours.
Medium Severity: day-to-day work can be continued but there is a requirement for speedy resolution. We aim to respond within four working hours. Resolution: whenever possible, a solution will be given, or we will advise how quickly a solution will be available, within eight hours.
Low Severity: day-to-day work can be continued, and the problem is minor. We aim to respond within two working days. Resolution: whenever possible, a solution will be given, or we will advise how quickly a solution will be available, within five working days.
A Technical Account Manager is available via standard escalation procedures within our Service Charter.
The standard level of support is included with the monthly service charge.
|Support available to third parties||Yes|
Onboarding and offboarding
Capita recognises that transition of a service to and from a new solution presents potential business risks. To reduce risk, a Technical Project Manager will help customers assess their business needs and provide an overall solution design before onboarding takes place.
This process will provide a transition plan for setting up the services, reducing risk, ensuring clarity of tasking and maximising uptime. Capita will work to support the applications and database installation.
For end users of the service there are options for on-site training, online training (often via webinars) and extensive online user documentation.
|Other documentation formats||
|End-of-contract data extraction||
The offboarding process is intended to provide a complete set of data back to the Customer and the eventual closing down of the hosted infrastructure. The One data will be transferred in standard Oracle Database format and standard SQL Server database format following secure file transfer protocol within 14 days of the termination of this hosting agreement.
The process to prepare the data is essentially the same as that of the onboarding process, where all the data and associated files will be provided to the Customer. Infrastructure components will not be provided as part of the process.
|End-of-contract process||All customer data is managed in clearly segregated data stores. Upon withdrawal from our cloud service, all data will be securely deleted from our infrastructure. This includes all secondary data sources, such as backups. The deletion is enforced by the Microsoft Azure Cloud Platform. Microsoft implements security controls which ensure no unauthorised access to deleted data and, ultimately, secure wiping or physical destruction of the storage hardware when it is de-commissioned from service.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||No|
|What users can and can't do using the API||One Education is seen as the main children and young person’s database within a local authority, holding the most up-to-date information which often covers 95%+ of the cohort. As such, APIs are available to feed third party systems with One Education data. The APIs have been specifically designed to be read-only to protect the large volumes of data held spanning across all areas of a local authority.|
|API documentation formats||
|API sandbox or test environment||Yes|
|Description of customisation||
The service itself may be customised in various ways by the inclusion of optional services and software.
The Capita One Education software itself can be customised by authorised users to adapt the operation of the software to the specific needs of an individual local authority.
|Independence of resources||
Each customer will have their own single tenant dedicated application instance, including isolated databases. We enforce segregation and prevent cross contamination using multiple layers of network segregation, including a dedicated subnet per customer, secure namespaces and encrypted overlay VXLAN-based virtual networks per customer. This means that other instances cannot have a negative impact on each other.
The solution has automatic elastic scalability built in – it scales resources responding to unforeseen spikes of usage to protect the customer user experience. Additionally, Capita will work with customers to predict and plan for known events that will require extra resources or capacity.
|Service usage metrics||Yes|
Monthly Client Reports
A monthly report will be provided detailing the status of the system against availability targets. This report will also include any corrective actions required by the Customer, together with any additional in scope information mutually agreed during the ongoing service review process.
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Baseline Personnel Security Standard (BPSS)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Other data at rest protection approach||
All customer data within the Secure Capita One Cloud is isolated and encrypted at rest through 256-bit AES encryption. Symmetric encryption using a multiple key hierarchy is used to encrypt and decrypt this data.
Access to customer data is restricted based on business need and by role-based access control, multifactor authentication and minimising standing access to data. Data encryption keys are created and controlled by Capita.
Microsoft cannot access customer data. Microsoft Azure is the hosting service which provides the underlying highly resilient and secure data centres, physical hardware, networks and services that underpin the Secure Capita One Cloud.
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||Users may export data in standard Oracle Database format and standard SQL Server database formats and via use of the relevant database or reporting toolsets.|
|Data export formats||Other|
|Other data export formats||Determined by the relevant database technology and associated reporting toolsets.|
|Data import formats||Other|
|Other data import formats||Determined by the relevant database technology and associated reporting toolsets.|
|Data protection between buyer and supplier networks||
|Other protection between networks||
All data in transit between the Customer and Secure Capita One Cloud is secured and encrypted.
Data in transit to/from our SaaS is secured by the following methods:
• Website traffic accessed via a browser is HTTPS only, encrypted and secured with SHA-2 X.509 certificates.
• Rich client application access via HTTPS and secure RDP encrypted to 128-bit.
• Restricted features for specific back office employees/roles can be secured to be only accessible via an Internet Protocol Security (IPsec) VPN tunnel meeting FIPS 140-2 standards.
• Secure integrations facilitated by an Internet Protocol Security (IPsec) VPN tunnel meeting FIPS 140-2 standards.
|Data protection within supplier network||
|Other protection within supplier network||The hosting platforms are designed to be compliant with the UK Government Cloud Security Principles and are tested annually for defects against this standard. We use TLS 1.2 or above for encrypted traffic and IPsec compliant VPNs with SHA-256 bit encryption. All backup data and secure keys backed up between the two Microsoft UK regions are secured and encrypted in transit.|
Availability and resilience
Capita One Education SaaS is built to run 24/7 but is optimised for high availability and performance during core hours.
For public-facing portals, the service provides at least 99.5% availability 24/7, excluding scheduled maintenance.
For the internal-facing application, the service shall provide at least 99.5% availability during supported office hours, which is defined as Monday – Thursday 08:00 to 17:30 (UK time), Friday 08:00 to 17:00 (UK time), excluding English public holidays and scheduled maintenance.
The scheduled maintenance will cover tasks including, but not limited to:
• New releases (software upgrades) and server patching. Not all maintenance will require downtime.
• In addition to any scheduled maintenance, there will be occasions where Capita is required to initiate unscheduled downtime for emergency changes. In exceptional cases when emergency changes are required, we will endeavour but cannot guarantee to complete this work outside of the core normal office hours.
• Monthly schedules of planned downtime are published in advance.
The standard service does not include payment of refunds for availability below target levels, although a service credit regime may be added to the service. Any pricing adjustments necessary would be determined by the precise service level and service measurement requirements.
|Approach to resilience||
One Education is made up of a set of virtualised, containerised components that rely on specific Infrastructure as a Service and Platform as a Service features of Microsoft Azure that have been configured and optimised to make up the Secure Capita One Cloud.
The Secure Capita One Cloud only uses resources that are a commodity, highly available and easy to bring up, scale and configure on-demand.
Each dedicated customer instance will live within the Secure Capita One Cloud within one of the two UK Microsoft Azure regions (UK South and UK West). Within each region we are using highly available and highly resilient services with no single points of failure.
• Automated backups of all databases, data and configuration to support RPO and RTO targets.
• Backups are written to disk immediately within region.
• Backups are automatically copied to the second region to protect from region-wide issues.
• Unique security keys for each customer are written into both regions to protect from region-wide issues.
• Data Recovery processes tested regularly.
• Complete Disaster Recovery testing performed regularly.
• Application components are built from golden images and can be spun up easily.
More information available on request.
|Outage reporting||Service outages are communicated in differing ways dependent on the magnitude of the service outage. For a multi-customer service outage, email communications will be sent out to all customers advising the status of outage with regular updates on progress as well as a status message being provided on the Home Page of the online ticketing system. A service outage that affects a single customer will be communicated both by email and by telephone. Historical outage reporting is provided as part of the quarterly service review pack as well as being available at an individual customer level via the online ticketing system which offers an on-demand view of this.|
Identity and authentication
|User authentication needed||Yes|
|Other user authentication||There are several options for authentication for the solution, including utilising customers’ own identity providers (subject to supported configurations) and as such MFA and other customer required security requirements may be supported.|
|Access restrictions in management interfaces and support channels||
Access to the System Administration functionality (where administrative functions are managed, including user maintenance and system configuration) is controlled by username and password.
Access to the My Account Portal is controlled by username and password. New customers with responsibility for contacting the Help Desk are encouraged to register on the support portal. If customers contact us by telephone or email, their details are matched to an existing registration.
The management control plane for the cloud service is locked down and not public. We use Azure AD and have role-based access by employees.
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
|Description of management access authentication||The management control plane for the cloud service is locked down and not public. We use Azure AD and have role-based access by employees. We have reduced risk by giving no data access via cloud service management. All access is audited and only granted on a need basis.|
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||Cloud service hosting certified by BSI.|
|ISO/IEC 27001 accreditation date||Microsoft recertification date: 20/06/2017.|
|What the ISO/IEC 27001 doesn’t cover||N/A.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||Yes|
|CSA STAR accreditation date||Microsoft recertification date: 20/06/2017.|
|CSA STAR certification level||Level 3: CSA STAR Certification|
|What the CSA STAR doesn’t cover||N/A.|
|Other security certifications||Yes|
|Any other security certifications||Cyber Security Essentials.|
|Named board-level person responsible for service security||No|
|Security governance certified||Yes|
|Security governance standards||
|Other security governance standards||
Our cloud service provider complies with many standards, including CSA CCM v3.0, ISO/IEC 27018, ISO/IEC 27001, UK Cyber Essentials PLUS.
Capita has several Information Security Policies and Standards that cover ISO 27001 clauses and controls. Capita has UK Cyber Essentials certification.
Further details are available upon request.
|Information security policies and processes||
As part of Capita Business Services, we work to policies and standards that are aligned with ISO 27001. These are agreed and signed off by the Group CEO and cascaded to the businesses via an internal intranet site and email communication. In addition, each year when employees complete their annual training they agree to comply with both Group and Business Unit Level policies.
Information Security employees as well as Capita Audit complete announced and unannounced checks to ensure that the policies and standards are being followed. Any non-conformities are reviewed and dealt with appropriately.
Information Security is dealt with at all levels of the business, including at the Business Unit, Divisional Unit and Capita Group.
The maintained ISMS Management Policies include:
• Acceptable Use Policy
• Access Control Policy
• Compliance Policy
• Data and Asset Management Policy
• Information Security Management Policy
• Mobile Working Policy
• Personnel Policy
• Physical Security Policy
• Risk Management Policy
• Systems Acquisition Development and Maintenance Security Policy.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||Capita maintains the assets which make up the solution using ITIL v3 incident, problem and change management processes which align to the ISO 27001 standard. No configuration items are added or changed without the appropriate review and backout planning to ensure that the risks and impact are appropriately managed prior to delivery of the change into live.|
|Vulnerability management type||Undisclosed|
|Vulnerability management approach||Capita has several Information Security Policies and Standards that cover ISO 27001 clauses and controls to triage vulnerabilities. Capita will monitor security alerts from various sources, such as Secunia, NIST or Gov Cert UK and will assess the patches that are released by operating systems suppliers and software vendors. All patches are graded Critical, Recommended or Low. The grade of the patch will determine the timescale in which a patch will be installed. Critical patches will be installed at the next available opportunity. Automated vulnerability and threat detection services will also be employed.|
|Protective monitoring type||Undisclosed|
|Protective monitoring approach||
Incident Response methodology:
• Monitoring, control, communication
Nominated stakeholders will perform communication and data gathering with users.
• Ensure the privacy of those affected.
• Report and document potential breaches of confidentiality to Governance and Compliance.
• Ensure integrity of data is maintained throughout the lifecycle.
• Maintain a full inventory of the data tracking additions and amendments.
• Encrypt and store data securely.
• Ticket with event description made for correspondence and reporting purposes.
• An Incident Manager will own an event through its lifecycle.
• ISO 27001 standards for accountability are reviewed for the lifecycle at each stage.
|Incident management type||Supplier-defined controls|
|Incident management approach||
We have a defined, approved and tested Incident Management process. The process has a list of example incidents that are designed to cover a wide range of scenarios. All employees are made aware of the incident reporting process and randomly tested for effectiveness.
Incident reports will be passed to relevant customers if there has been an impact to their environment or data.
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||No|
|Price||£14666 per instance per month|
|Discount for educational organisations||No|
|Free trial available||No|