GOV.UK
SAP Roadmap Planning
Review customer landscape requirements. Conduct a complete business and IT strategy assessment. Understand business requirement impacting IT for past, present and neat term future, Prepare 5-10 years SAP roadmap.
Features
- Helps the organization to match the business and technology strategy
Benefits
- Helps the organization to match the business and technology strategy
Pricing
£250 per person per day
Service documents
Framework
G-Cloud 11
Service ID
796928122524904
Contact
Service scope
| Software add-on or extension | No |
| Cloud deployment model | Public cloud |
| Service constraints | No Constraints |
| System requirements | Software Licenses |
User support
| Email or online ticketing support | Email or online ticketing |
| Support response times |
Support time responses are as follows: Critical fault response within 1 hour, Material Fault (Significant Impact) response within 2 hours, Cosmetic Fault (Low Priority) response within 1 day. Standard hours of Support are Monday to Friday, excluding national holidays, 9.00-17.30. |
| User can manage status and priority of support tickets | Yes |
| Online ticketing support accessibility | None or don’t know |
| Phone support | Yes |
| Phone support availability | 9 to 5 (UK time), Monday to Friday |
| Web chat support | No |
| Onsite support | Yes, at extra cost |
| Support levels |
We have 3 support levels - Silver, Gold and Platinum. Further details regarding the support plans can be decided based on the project requirements. |
| Support available to third parties | Yes |
Onboarding and offboarding
| Getting started | Every project has a different need and we can provide onsite, online and user documentation level trainings. |
| Service documentation | Yes |
| Documentation formats |
|
| End-of-contract data extraction | Depending on the services provided and in scope we guide on usage of standard tools for extraction of data if required. |
| End-of-contract process | We extend support for handing over to the new service provider |
Using the service
| Web browser interface | Yes |
| Supported browsers |
|
| Application to install | No |
| Designed for use on mobile devices | Yes |
| Differences between the mobile and desktop service | Our product allows access and functionality to be provided via mobile devices with via a web browser or mobile application. The solution supports a model that only requires configuration to be carried once regardless of how the solution is accessed. |
| Accessibility standards | None or don’t know |
| Description of accessibility | NA |
| Accessibility testing | NA |
| API | Yes |
| What users can and can't do using the API | Users can use the Storage Made Easy secure REST API to interact with the service. The REST API is documented and users can interact with the API based on the permissions they have been given or inherited. Certain API calls require Admin permissions. |
| API documentation | Yes |
| API documentation formats | HTML |
| API sandbox or test environment | Yes |
| Customisation available | Yes |
| Description of customisation | The look and feel of browser, desktop and mobile interfaces can be customised to match users branding. This can be performed to a high level of sophistication. |
Scaling
| Independence of resources | We insure through our process that continuous monitoring of applications is done (Wherever applicable). These processes are standardized hence users are not affected by the demand other users are placing on service, |
Analytics
| Service usage metrics | Yes |
| Metrics types |
File Stored Bandwidth usage Audit event Logs GEO Location data File location data Reporting types API access |
Resellers
| Supplier type | Not a reseller |
Staff security
| Staff security clearance | Other security clearance |
| Government security clearance | Up to Baseline Personnel Security Standard (BPSS) |
Asset protection
| Knowledge of data storage and processing locations | Yes |
| Data storage and processing locations | Other locations |
| User control over data storage and processing locations | Yes |
| Datacentre security standards | Supplier-defined controls |
| Penetration testing frequency | At least once a year |
| Penetration testing approach | Another external penetration testing organisation |
| Protecting data at rest | Physical access control, complying with CSA CCM v3.0 |
| Data sanitisation process | Yes |
| Data sanitisation type |
|
| Equipment disposal approach | A third-party destruction service |
Data importing and exporting
| Data export approach | Solution has in-built provision to export data. |
| Data export formats |
|
| Other data export formats |
|
| Data import formats |
|
| Other data import formats |
|
Data-in-transit protection
| Data protection between buyer and supplier networks | Legacy SSL and TLS (under version 1.2) |
| Data protection within supplier network | Legacy SSL and TLS (under version 1.2) |
Availability and resilience
| Guaranteed availability | 95% at application level.. It can be customized or modified as per customer requirements |
| Approach to resilience | Available on request |
| Outage reporting | Email alerts.We can provide APIs and public dashboards as well if required" |
Identity and authentication
| User authentication needed | Yes |
| User authentication |
|
| Access restrictions in management interfaces and support channels | Customers must raise a support request vial email or the support portal. User emails must belong to the customer domain and are validated as part of the support engagement process. |
| Access restriction testing frequency | At least once a year |
| Management access authentication | Username or password |
Audit information for users
| Access to user activity audit information | Users contact the support team to get audit information |
| How long user audit data is stored for | User-defined |
| Access to supplier activity audit information | Users contact the support team to get audit information |
| How long supplier audit data is stored for | User-defined |
| How long system logs are stored for | User-defined |
Standards and certifications
| ISO/IEC 27001 certification | Yes |
| Who accredited the ISO/IEC 27001 | NA |
| ISO/IEC 27001 accreditation date | NA |
| What the ISO/IEC 27001 doesn’t cover | NA |
| ISO 28000:2007 certification | No |
| CSA STAR certification | No |
| PCI certification | No |
| Other security certifications | No |
Security governance
| Named board-level person responsible for service security | Yes |
| Security governance certified | Yes |
| Security governance standards | ISO/IEC 27001 |
| Information security policies and processes | Yet to write |
Operational security
| Configuration and change management standard | Supplier-defined controls |
| Configuration and change management approach |
We use a third party application to track service and component changes. The change management workflow has been designed based on standard recommendations. It follows a standardized process to deal with change requests, which in turn reduces follow up incidents and minimizes negative business impact. The change review process encompasses: • Web vulnerabilities • Input/data validation / sanitisation • Authentication / Authorization data flows • Exception management • Variable Analysis • Unsafe and unmanaged code check • Configuration check • Threading analysis • API validation / Undocumented public interfaces |
| Vulnerability management type | Supplier-defined controls |
| Vulnerability management approach |
Vulnerability management process is defined by creating following : a. security page: Creation of security page for website (e.g. yoursite.com/security). security page is the first gateway of a website that our security researchers will reach out to report any kind of security bug. Responsible Disclosure policy: Provide guidelines for the security researchers to be followed for reporting vulnerabilities. We are compliant to top ten OWASP guidelines." |
| Protective monitoring type | Supplier-defined controls |
| Protective monitoring approach |
Our approach for Protective Monitoring include following areas: • Configuration and Deployment Misconfiguration • Application or Framework Specific Vulnerabilities • Business Logic Flaws • Shopping Cart & Payment Gateway Manipulation • Known Security Issues (CVEs) • Weak Identity Management • Broken Authentication • Improper Authorization • Broken Session Management • Weak Input Validation • Error Handling • SQL Injection • Weak or Broken Cryptography • Client Side Script Security • Cross-Site Request Forgery (CSRF) • Cross-Site Scripting (XSS) • Clickjacking • Unrestricted File Upload • Sensitive Data Exposure • Insufficient Attack Protection • Under-protected APIs • HTTP Security Header Information |
| Incident management type | Supplier-defined controls |
| Incident management approach | We have incident management approach which has been perfected over the years of experience. We provide incident management tool to the client for reporting incidents and our teams prvide support/ SLAs based on that |
Secure development
| Approach to secure software development best practice | Supplier-defined process |
Public sector networks
| Connection to public sector networks | No |
Pricing
| Price | £250 per person per day |
| Discount for educational organisations | No |
| Free trial available | No |