ONCOREIT LIMITED

Microsoft 365 Services

Microsoft 365 is a cloud-based IT Solution providing email, file, collaboration, productivity, mobility and security with Office Applications.
Oncore IT provide consultancy, licensing, design, implementation and ongoing support.

Features

  • Microsoft Office Applications - Desktop and Web
  • File storage, management and Sharing
  • Email, calendaring and archiving
  • Online Meetings, Video calls and Chat
  • Team Sites for Information sharing
  • Security and Compliance
  • PC and Mobile Device Management

Benefits

  • Work from anywhere
  • Access to the latest versions of applications throughout the subscription
  • Modern Working - Team work and Collaboration
  • Increase company security posture - platform and endpoints
  • Increased productivity - mobility and security, AI services
  • Reduce IT Maintenance costs - Cloud platform managed by Microsoft
  • Data Protection with privacy and compliance tools

Pricing

£3.80 a user a month

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@oncoreit.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

4 4 9 8 4 2 2 7 8 7 2 1 5 0 8

Contact

ONCOREIT LIMITED Sales Team
Telephone: 02038183411
Email: sales@oncoreit.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
None
System requirements
Dependent on each deployment

User support

Email or online ticketing support
Email or online ticketing
Support response times
Dependent on the level of support required from Oncore IT. These will be defined as part of the Project.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Onsite support
Support levels
Oncore IT can provide 24x7x365, Business Hours or Bespoke hours support in accordance with the Clients requirements.
Support Levels will be agreed with the client as part of the Project.
Each client will be assigned an Account Manager and Technical Lead.
Please also refer to our Infrastructure and Desktop Support Services on G-Cloud.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Oncore IT Account Manager, Technical consultant and Project Manager will be assigned to the account. These will provide consultancy to assess requirements for a M365 solution, including a review of current IT Infrastructure, Network and Endpoints for suitability and recommendations for change. Training requirements will be identified and training provided.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Please refer to Microsoft published information,
https://docs.microsoft.com/en-us/openspecs/data_portability/ms-dataportlp/a2bc1311-e0e7-4808-970a-4dc0a100f708
End-of-contract process
It will be discussed with the Client prior to renewal whether they wish to continue the contract with Oncore IT. If the contracted is not renewed then Oncore IT can assist with an Offboarding process, this will be managed as a separate project at additional cost.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Yes
Compatible operating systems
  • Android
  • IOS
  • MacOS
  • Windows
  • Windows Phone
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Mobile Office apps included in subscription. These are specifically designed for mobiles and link in with the Cloud solution and desktop applications.
Service interface
Yes
Description of service interface
Admin Center
Security & Compliance Center
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
Microsoft have a strong Accessibility approach. Please refer to https://www.microsoft.com/en-us/accessibility/approach
API
Yes
What users can and can't do using the API
See,
Office 365 APIs https://docs.microsoft.com/en-us/previous-versions/office/office-365-api/
Office 365 Management APIs https://docs.microsoft.com/en-us/office/office-365-management-api/get-started-with-office-365-management-apis
API documentation
Yes
API documentation formats
HTML
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Admin and users can customise the Microsoft 365 Experience.
See,
https://support.microsoft.com/en-us/office/personalize-your-office-365-experience-eb34a21b-52fa-4fbf-a8d5-146132242985
Choice of various plans depending on business requirements + add on applications

Scaling

Independence of resources
Platform and Virtual Infrastructure is actively monitored
Platform is designed for mass scalability on a global and regional level

Analytics

Service usage metrics
Yes
Metrics types
Built in usage reports
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Microsoft

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach
There are multiple tools within Microsoft Azure to safeguard data according to the security and compliance needs of the Client. These are many and numerous.
Information Protection - set policies
Secure Score - measure protection
Security & Compliance Center - Management
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
See Microsoft Published information on data portability,
https://docs.microsoft.com/en-us/openspecs/data_portability/ms-dataportlp/a2bc1311-e0e7-4808-970a-4dc0a100f708
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
Refer to Microsoft Data Portability published documents
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • See Microsoft Fastrack - https://www.microsoft.com/en-gb/fasttrack/microsoft-365/office-365
  • .txt

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Please refer to the published 'Service Level Agreement for Microsoft Online Services'
Approach to resilience
Refer to published Microsoft document 'Resiliency/Reliability: Azure keeps your applications up and running and your data available'
Outage reporting
Microsoft 365 Service health status - web
API
Email alerts

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Active Directory
Role-based access control (RBAC)
Multi-Factor Authentication
Privileged Identity Management
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Oncore - Approachable Certification Ltd - Microsoft - see https://servicetrust.microsoft.com/
ISO/IEC 27001 accreditation date
Oncore IT - 26 April 2019 - Microsoft - see https://servicetrust.microsoft.com/
What the ISO/IEC 27001 doesn’t cover
Oncore IT - all operations
Microsoft - see https://servicetrust.microsoft.com/
ISO 28000:2007 certification
No
CSA STAR certification
Yes
CSA STAR accreditation date
Microsoft - https://servicetrust.microsoft.com/
CSA STAR certification level
Level 4: CSA C-STAR Assessment
What the CSA STAR doesn’t cover
See Microsoft Audit Reports in the Service Trust Portal
https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3?command=Download&downloadType=Document&downloadId=0acb4535-31f6-414a-b59a-ca431952e510&tab=7027ead0-3d6b-11e9-b9e1-290b1eb4cdeb&docTab=7027ead0-3d6b-11e9-b9e1-290b1eb4cdeb_ISO_Reports
PCI certification
Yes
Who accredited the PCI DSS certification
See https://servicetrust.microsoft.com/ - Audit Reports
PCI DSS accreditation date
Various - see Audit Reports (Link below)
What the PCI DSS doesn’t cover
See Microsoft Accreditation - https://servicetrust.microsoft.com/ViewPage/MSComplianceGuide?command=Download&downloadType=Document&downloadId=425af30f-1236-41bc-b45c-98a52ee84c28&docTab=4ce99610-c9c0-11e7-8c2c-f908a777fa4d_PCI_DSS
Other security certifications
Yes
Any other security certifications
See https://servicetrust.microsoft.com/ for a full list

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
Other security governance standards
Refer to https://servicetrust.microsoft.com/ViewPage/SCCIntroPage
Information security policies and processes
A number of teams across Microsoft contribute to identifying information security risks, developing policies to protect the infrastructure on which data is hosted and accessed, and revising policies and controls to address such risks.
See published document 'Information Security Management System
for Microsoft’s Cloud Infrastructure'

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
See Microsoft published information - https://docs.microsoft.com/en-us/deployoffice/change-management-for-office-365-clients
If Oncore IT are managing changes then we will follow out change control procedure, changes are agreed with the client, documented with risk assessment and electronically signed by both parties.
Other changes (standard) are given a unique reference, ticketed and stored in our PSA system.
The Service Level Agreement defines the various changes and process.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Microsoft platform conforms to a recognised standard
Vulnerability scanning, vulnerabilities tracked and verified for remediation.
Automated patching
Regular Penetration Testing
Please see the Microsoft Trust Centre for more information
Protective monitoring type
Undisclosed
Protective monitoring approach
Available on Request
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
ITIL based service desk operation
Dependent on the support Oncore IT is providing, will be defined as part of the process. Typically Incidents are classed based on impact and urgency - P1 to P4. This is all define in the Oncore IT Service Level Agreement, see Oncore Infrastructure and Desktop Support Services in G-Cloud.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Pricing

Price
£3.80 a user a month
Discount for educational organisations
Yes
Free trial available
No

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@oncoreit.com. Tell them what format you need. It will help if you say what assistive technology you use.