S8080 Limited

Bilingual Drupal content management system - CMS for Welsh / English website or web application

ISO/IEC27001 certified Drupal 7 or Drupal 8 cloud hosted CMS for Welsh/English bilingual websites and web applications. S8080 help solve complex Drupal integration, single sign-on, CRM, configuration and workflow problems. Drupal content management system is open-source, freeing budget for requirements gathering, user needs, technical and security architecture and content migration.

Features

  • Drupal 7 and 8 installation, bilingual deployment and configuration
  • On-boarding advice and transition planning
  • Drupal optimised performance and custom code development
  • Customisable templates that work across different browsers and mobile devices
  • Fully compliant and fully accessible to WCAG 2.0 triple AAA
  • Cross-browser and mobile device Drupal administrator access
  • Content versioning, audit and rollback
  • Drupal workflow – simple and complex user matrices
  • Hosting on single tenant UKCloud or RackSpace Cloud VM's
  • Information security assured – ISO/IEC 27001:2013 certified

Benefits

  • 17 years Welsh public sector knowledge and experience
  • Wales based agency, Drupal team, UK hosting provision. No freelancers
  • Welsh Language Commissioner standards compliant
  • Help with your existing content audit, mapping and migration plan
  • 24/7/365 support with direct Drupal developer access
  • Modular systems - thousands of 3rd party Drupal extensions
  • Robust, proven functionality – tried and tested by governments worldwide
  • Clients include No.10, ministerial departments, emergency services, local authority, education
  • English/Welsh bilingual publishing experience for Welsh Government and NAfW
  • Anti DDOS measures and PEN testing

Pricing

£24660.00 per unit

  • Education pricing available

Service documents

G-Cloud 9

534138662618136

S8080 Limited

Christopher Cowell

01792 485566

chris@s8080.com

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints If you'd like us to migrate or support a CMS, website or online application that has been built by another provider, we will need to check a few things first - we may need to do a code review and validate various technical aspects including security, accessibility and usability.
System requirements
  • CentOS, Red Hat Enterprise Linux or equivalent
  • Typical VM config: 8GB RAM / 320GB block storage
  • We offer the following hosting (see pricing document for details):
  • UKCloud Enterprise Compute Cloud Medium/POWER - Assured OFFICIAL
  • Rackspace fully managed single tenant cloud Virtual Machine

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Support availability is 24/7 - 365 days a year. Standard support response times within 30 minutes, normally a lot quicker.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 AA or EN 301 549
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), 7 days a week
Web chat support accessibility standard WCAG 2.0 AA or EN 301 549 9: Web
Web chat accessibility testing Validation from web chat SaaS provider.
Onsite support Yes, at extra cost
Support levels Together with a fully managed hosting provision, we offer two support options. Your S8080 Project manager will be your single point of contact for the duration of your support.

• Standard Support - available from half a day a month at £650 a day. Support will be provided during office hours, Monday to Friday, 8.00 to 5.30pm. For extended cover, see our 24/7/365 support below.
Our clients usually purchase a number of days that can be used for absolutely anything, it's very flexible. Work is billed to the nearest 10 minutes and charged at our standard rates with no surcharges.

• 24/7/365 Support - for clients who demand an extended level of service. It’s 24 hours a day, seven days a week, 365 days a year and available as a ‘bolt-on’ to our Standard Support. This level of support costs £650 a month.
How it works: if your website or application becomes unavailable at 1.30am on Christmas morning, our developers will be alerted and will investigate the issue with the hosting provider's engineers to get things working again soon as possible. It saves our clients from having to worry about their website being offline at 9.00am on a working day.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We have provided the top-level stages involved (and costs) for a typical CMS deployment and associated hosting in our pricing document. This information will help you decide what your organisation needs to implement a cloud hosted content management system.
The stages correspond to those in the Government Digital Service's Service Manual and Digital Service Standard.
During your shortlisting process, we will discuss your project in more detail and provide you with a very detailed method statement and more accurate costs tailored to your project's exact specification and hosting requirements.

Once we begin working together, we can assist with all aspects of planning for your new system, including:
• Technical alignment meetings with your other service providers and internal IT team
• Cloud strategy, business analysis and stakeholder requirements
• User needs and requirements gathering for your new CMS
• Content audit and inventory
• Content map and migration strategy
• Information architecture
• Technical and security architecture
• Hosting planning, server configuration and hardening
• Wireframe prototype, user journeys and solution design
• User testing planning
• Onsite training, user documentation and video 'reminders' of commonly used functionality
Service documentation Yes
Documentation formats
  • ODF
  • PDF
  • Other
Other documentation formats
  • Brief video tutorials for common tasks
  • Brief video tutorials for CMS tasks only performed occassionally
End-of-contract data extraction We will provide full access to CMS software code (stored in GitHub / TFS - Microsoft Team Foundation Server). We will also provide full access to the database and files on your server environment. We can also help with extracting this for you if required.
End-of-contract process If we have arranged hosting for you, you can arrange to continue the arrangement with the hosting provider or move to another hosting provider.
We will provide full access to CMS software code (stored in GitHub / TFS - Microsoft Team Foundation Server). We will also provide full access to the database and files on your server environment.
If you require us to help with migration to a new hosting environment or handover to a new agency, this is normally covered by your S8080 support contract, if you have one in place.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The published pages from your CMS are built to current web standards. They will display on any on modern mobile operating systems that run a full standards compliant browser.
We use Bootstrap, an open-source collection of front-end tools for creating adaptive websites and web applications. A modified version of Bootstrap has been used for parts of GOV.UK.
Accessibility standards WCAG 2.0 AAA
Accessibility testing Tested with Total Validator.
Also, if it's a requirement, we can help with online and lab-based user testing and pan-disability user testing with each testing team made up of individuals who have different types of disabilities and all of whom use assistive technology to access computers. We test to ensure accessibility for those people with:
- Low Vision
- Blind
- Colour Blindness
- Dyslexia
- Mobility impairments
- Learning difficulties
- Deaf
- Autistic Spectrum disorders
API Yes
What users can and can't do using the API Drupal has many available APIs and full details can be found at Drupal.org: https://www.drupal.org/docs/8/api
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • ODF
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The CMS's public-facing front end and administration screens can be customised almost without limit.

Depending on your CMS implementation, customisation can be achieved through:
• CMS software settings
• Coding using HTML and CSS (and CMS dependent configurations)
• Modules and Plug-ins

CMS software settings customisation would need to be undertaken by a trained user. Coding and module customisation would need to be undertaken by competent web developer familiar with the CMS platform.

Scaling

Scaling
Independence of resources The service is hosted on a single tenant cloud-based virtual machine.
Single-tenant hosting means you have your own instance of the CMS application and supporting infrastructure. You do not share resources or software with anyone else.

Analytics

Analytics
Service usage metrics Yes
Metrics types The full range of insights and analytics that Google Analytics provides in:
• Google Analytics 360 Suite
• Google Analytics
• Google Tag Manager
• Google Optimize

Or we can integrate other analytics packages that your organisation uses.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports

Resellers

Resellers
Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest Physical access control, complying with CSA CCM v3.0
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Depending on the type of data you need from the system, we can automate secure data exporting for you.
We can also provide full access to CMS software code (stored in GitHub / TFS - Microsoft Team Foundation Server) together with full access to the database and files on your server environment.
We can also help with extracting data for you as part of your support package.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability 1. UKCloud Enterprise Cloud Medium/POWER - Assured OFFICIAL: 99.99%
2. Rackspace fully managed single tenant cloud Virtual Machine: 99.99%
Approach to resilience Depending on your requirements, our service can be deployed across a number of sites, regions and zones. Each zone is designed to eliminate single points of failure (such as power, network and hardware) to ensure service continuity should a failure occur.
Outage reporting All outages will be reported via the service status pages on the UKCloud Portal dashboard and Rackspace System Status dashboard in real-time.

We also offer 24/7/365 support for clients who demand an extended level of service. It’s 24 hours a day, seven days a week, 365 days a year and available as a ‘bolt-on’ to our Standard Support. This level of support costs £650 a month.

How it works: if your website or application becomes unavailable at 1.30am on Christmas morning, our developers will be alerted and will investigate the issue with the hosting provider's engineers to get things working again soon as possible. It saves our clients from having to worry about their website being offline at 9.00am on a working day.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels To access CMS administration interface, all users are required to have a unique username, password (and memorable information if required). You may also use 2-factor authentication.
• Passwords must be a minimum of 10 (ten) characters long.
• They must contain all of the following FOUR types:
- One upper case letter,
- One lower case letter
- One number (0-9)
- One non-alpha-numeric character (!,*,£,%,* etc.)

Support is available to named individuals only who are verified via support portal login or via telephone or email requests.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Lloyd's Register Quality Assurance (LRQA)
ISO/IEC 27001 accreditation date 05/05/2016
What the ISO/IEC 27001 doesn’t cover Our whole service provision is covered by ISO/IEC 27001 certification.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations Yes
Any other security accreditations
  • Cyber Essentials
  • ISO 9001:2008

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards Cyber Essentials
Information security policies and processes Our ISO/IEC 27001 statement of applicability (SOA) outlines 114 Annex A objectives and controls, of which 112 are applicable to our scope: "The protection of client and company sensitive data, network & it management, products and services used in the delivery of web-based services including development, consultancy and hosting".

Each applicable control defines an information security policy or procedure that is externally audited every 12 months by Lloyd's Register LRQA.

As part of our IMS system, we have defined roles and responsibilities for information security, with overall responsibility being held by an S8080 Director.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach S8080 has documented change management policies and processes, which have been implemented, maintained and externally audited by Lloyd's Register LRQA in accordance our ISO/IEC 27001 certification. Formal configuration management activities, including record management and asset reporting, are logged, monitored and validated, and any discrepancies investigated using our Corrective Action Reporting (C.A.R.) procedures. A process for formal change requests is managed by our project management team in accordance with our ISO 9001 Quality management system.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach S8080's ISO/IEC 27001 approach is based on Cloud Security Principle 5:

• If evidence suggests a vulnerability is being actively exploited, we mitigate immediately
If not, the following timescales apply:
• ‘Critical’ patches deployed within hours
• ‘Important’ patches deployed within 2 weeks (if not sooner)
• ‘Other’ patches deployed within 8 weeks (if not sooner)

We use GFI LanGuard to monitor and manage our local network vulnerability and patch management.

Drupal and Umbraco send 'active exploitation' and 'regular' vulnerability notifications for core software and modules/plugins.

We also use automated software to check for module/security patch releases on our deployments.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Following best practice from the National Cyber Security Centre, S8080 protects its platforms with enhanced protective monitoring services (SIEM), at the hypervisor level and below. This approach to protective monitoring continues to align with the Protective Monitoring Controls (PMC 1-12) outlined in CESG document GPG13 (Protective Monitoring for HMG ICT Systems). It includes checks on time sources, cross-boundary traffic, suspicious activities at a boundary, network connections and the status of backups, amongst many others. All alerts are immediately notified to our 24/7/365 developers for prompt investigation.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach S8080 has a documented incident management policy and process, which have been implemented, maintained and assessed in accordance our ISO/IEC 27001 information security certification. This activity is responsible for the progression of alerts generated by automated monitoring systems, issues identified by S8080 personnel, and incidents identified and reported to by its customers and hosting partners. All incidents are promptly reported to our 24/7/365 development team, which ensures that each is promptly assigned to an appropriate resource, and its progress tracked (and escalated, as required) to resolution, and if appropriate, documented using our Corrective Action Reporting (C.A.R.) procedures.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No

Pricing

Pricing
Price £24660.00 per unit
Discount for educational organisations Yes
Free trial available No

Documents

Documents
Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑