This G-Cloud 9 service is no longer available to buy.

The G-Cloud 9 framework expired on Monday 1 October 2018. Any existing contracts with S8080 Limited are still valid.
S8080 Limited

Bilingual open source content management system - CMS for Welsh / English website or web application

ISO/IEC27001 certified open source cloud hosted CMS for Welsh/English bilingual websites and web applications. S8080 can help solve complex integration, single sign-on, CRM, configuration and workflow problems. Open source content management system software is free, releasing budget for requirements gathering, user needs, technical and security architecture and content migration.

Features

  • Open source CMS installation, bilingual deployment and configuration
  • On-boarding advice and transition planning
  • Optimised performance and custom code development
  • Customisable templates that work across different browsers and mobile devices
  • Fully compliant and fully accessible to WCAG 2.0 triple AAA
  • Cross-browser and mobile device administrator access
  • Content versioning, audit and rollback
  • Workflow – simple and complex user matrices
  • Hosting on single tenant UKCloud, Azure or RackSpace Cloud VM's
  • Information security assured – ISO/IEC 27001:2013 certified

Benefits

  • 17 years Welsh public sector knowledge and experience
  • Wales based agency, Drupal team, UK hosting provision. No freelancers
  • Welsh Language Commissioner standards compliant
  • Help with your existing content audit, mapping and migration plan
  • 24/7/365 support with direct developer access
  • Modular systems - thousands of 3rd party extensions and plugins
  • Robust, proven functionality – tried and tested by governments worldwide
  • Clients include No.10, ministerial departments, emergency services, local authority, education
  • English/Welsh bilingual publishing experience for Welsh Government and NAfW
  • Anti DDOS measures and PEN testing

Pricing

£24,660.00 a unit

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at chris@s8080.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 9

Service ID

8 9 0 4 5 7 1 9 6 5 6 3 5 9 4

Contact

S8080 Limited Christopher Cowell
Telephone: 01792 398266
Email: chris@s8080.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
If you'd like us to migrate or support a CMS, website or online application that has been built by another provider, we will need to check a few things first - we may need to do a code review and validate various technical aspects including security, accessibility and usability.
System requirements
  • MS Server, CentOS, Red Hat Enterprise Linux or equivalent
  • Typical VM config: 8GB RAM / 320GB block storage
  • We offer the following hosting (see pricing document for details):
  • UKCloud Enterprise Compute Cloud Medium/POWER - Assured OFFICIAL
  • Rackspace fully managed single tenant cloud Virtual Machine
  • Microsoft Azure fully managed single tenant cloud Virtual Machine

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support availability is 24/7 - 365 days a year. Standard support response times within 30 minutes, normally a lot quicker.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.0 AA or EN 301 549
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), 7 days a week
Web chat support accessibility standard
WCAG 2.0 AA or EN 301 549 9: Web
Web chat accessibility testing
Validation from web chat SaaS provider.
Onsite support
Yes, at extra cost
Support levels
Together with a fully managed hosting provision, we offer two support options. Your S8080 Project manager will be your single point of contact for the duration of your support.

• Standard Support - available from half a day a month at £650 a day. Support will be provided during office hours, Monday to Friday, 8.00 to 5.30pm. For extended cover, see our 24/7/365 support below.
Our clients usually purchase a number of days that can be used for absolutely anything, it's very flexible. Work is billed to the nearest 10 minutes and charged at our standard rates with no surcharges.

• 24/7/365 Support - for clients who demand an extended level of service. It’s 24 hours a day, seven days a week, 365 days a year and available as a ‘bolt-on’ to our Standard Support. This level of support costs £650 a month.
How it works: if your website or application becomes unavailable at 1.30am on Christmas morning, our developers will be alerted and will investigate the issue with the hosting provider's engineers to get things working again soon as possible. It saves our clients from having to worry about their website being offline at 9.00am on a working day.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We have provided the top-level stages involved (and costs) for a typical CMS deployment and associated hosting in our pricing document. This information will help you decide what your organisation needs to implement a cloud hosted content management system.
The stages correspond to those in the Government Digital Service's Service Manual and Digital Service Standard.
During your shortlisting process, we will discuss your project in more detail and provide you with a very detailed method statement and more accurate costs tailored to your project's exact specification and hosting requirements.

Once we begin working together, we can assist with all aspects of planning for your new system, including:
• Technical alignment meetings with your other service providers and internal IT team
• Cloud strategy, business analysis and stakeholder requirements
• User needs and requirements gathering for your new CMS
• Content audit and inventory
• Content map and migration strategy
• Information architecture
• Technical and security architecture
• Hosting planning, server configuration and hardening
• Wireframe prototype, user journeys and solution design
• User testing planning
• Onsite training, user documentation and video 'reminders' of commonly used functionality
Service documentation
Yes
Documentation formats
  • ODF
  • PDF
  • Other
Other documentation formats
  • Brief video tutorials for common tasks
  • Brief video tutorials for CMS tasks only performed occassionally
End-of-contract data extraction
We will provide full access to CMS software code (stored in GitHub / TFS - Microsoft Team Foundation Server). We will also provide full access to the database and files on your server environment. We can also help with extracting this for you if required.
End-of-contract process
If we have arranged hosting for you, you can arrange to continue the arrangement with the hosting provider or move to another hosting provider.
We will provide full access to CMS software code (stored in GitHub / TFS - Microsoft Team Foundation Server). We will also provide full access to the database and files on your server environment.
If you require us to help with migration to a new hosting environment or handover to a new agency, this is normally covered by your S8080 support contract, if you have one in place.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The published pages from your CMS are built to current web standards. They will display on any on modern mobile operating systems that run a full standards compliant browser.
We use Bootstrap, an open-source collection of front-end tools for creating adaptive websites and web applications. A modified version of Bootstrap has been used for parts of GOV.UK.
Accessibility standards
WCAG 2.0 AAA
Accessibility testing
Tested with Total Validator.
Also, if it's a requirement, we can help with online and lab-based user testing and pan-disability user testing with each testing team made up of individuals who have different types of disabilities and all of whom use assistive technology to access computers. We test to ensure accessibility for those people with:
- Low Vision
- Blind
- Colour Blindness
- Dyslexia
- Mobility impairments
- Learning difficulties
- Deaf
- Autistic Spectrum disorders
API
Yes
What users can and can't do using the API
Drupal and Umbraco have many available APIs and full details can be found at: https://www.drupal.org/docs/8/api and https://our.umbraco.org/documentation/reference/
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • ODF
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
The CMS's public-facing front end and administration screens can be customised almost without limit.

Depending on your CMS implementation, customisation can be achieved through:
• CMS software settings
• Coding using HTML and CSS (and CMS dependent configurations)
• Modules and Plug-ins

CMS software settings customisation would need to be undertaken by a trained user. Coding and module customisation would need to be undertaken by competent web developer familiar with the CMS platform.

Scaling

Independence of resources
The service is hosted on a single tenant cloud-based virtual machine.
Single-tenant hosting means you have your own instance of the CMS application and supporting infrastructure. You do not share resources or software with anyone else.

Analytics

Service usage metrics
Yes
Metrics types
The full range of insights and analytics that Google Analytics provides in:
• Google Analytics 360 Suite
• Google Analytics
• Google Tag Manager
• Google Optimize

Or we can integrate other analytics packages that your organisation uses.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
Physical access control, complying with CSA CCM v3.0
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Depending on the type of data you need from the system, we can automate secure data exporting for you.
We can also provide full access to CMS software code (stored in GitHub / TFS - Microsoft Team Foundation Server) together with full access to the database and files on your server environment.
We can also help with extracting data for you as part of your support package.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
1. UKCloud Enterprise Cloud Medium/POWER - Assured OFFICIAL: 99.99%
2. Rackspace fully managed single tenant cloud Virtual Machine: 99.99%
3. Azure fully managed single tenant cloud Virtual Machine: 99.9%
Approach to resilience
Depending on your requirements, our service can be deployed across a number of sites, regions and zones. Each zone is designed to eliminate single points of failure (such as power, network and hardware) to ensure service continuity should a failure occur.
Outage reporting
All outages will be reported via the service status pages on the UKCloud Portal dashboard, Azure Status dashboard and Rackspace System Status dashboard in real-time.

We also offer 24/7/365 support for clients who demand an extended level of service. It’s 24 hours a day, seven days a week, 365 days a year and available as a ‘bolt-on’ to our Standard Support. This level of support costs £650 a month.

How it works: if your website or application becomes unavailable at 1.30am on Christmas morning, our developers will be alerted and will investigate the issue with the hosting provider's engineers to get things working again soon as possible. It saves our clients from having to worry about their website being offline at 9.00am on a working day.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
To access CMS administration interface, all users are required to have a unique username, password (and memorable information if required). You may also use 2-factor authentication.
• Passwords must be a minimum of 10 (ten) characters long.
• They must contain all of the following FOUR types:
- One upper case letter,
- One lower case letter
- One number (0-9)
- One non-alpha-numeric character (!,*,£,%,* etc.)

Support is available to named individuals only who are verified via support portal login or via telephone or email requests.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Lloyd's Register Quality Assurance (LRQA)
ISO/IEC 27001 accreditation date
05/05/2016
What the ISO/IEC 27001 doesn’t cover
Our whole service provision is covered by ISO/IEC 27001 certification.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security accreditations
Yes
Any other security accreditations
  • Cyber Essentials
  • ISO 9001:2008

Security governance

Named board-level person responsible for service security
Yes
Security governance accreditation
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials
Information security policies and processes
Our ISO/IEC 27001 statement of applicability (SOA) outlines 114 Annex A objectives and controls, of which 112 are applicable to our scope: "The protection of client and company sensitive data, network & it management, products and services used in the delivery of web-based services including development, consultancy and hosting".

Each applicable control defines an information security policy or procedure that is externally audited every 12 months by Lloyd's Register LRQA.

As part of our IMS system, we have defined roles and responsibilities for information security, with overall responsibility being held by an S8080 Director.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
S8080 has documented change management policies and processes, which have been implemented, maintained and externally audited by Lloyd's Register LRQA in accordance our ISO/IEC 27001 certification. Formal configuration management activities, including record management and asset reporting, are logged, monitored and validated, and any discrepancies investigated using our Corrective Action Reporting (C.A.R.) procedures. A process for formal change requests is managed by our project management team in accordance with our ISO 9001 Quality management system.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
S8080's ISO/IEC 27001 approach is based on Cloud Security Principle 5:

• If evidence suggests a vulnerability is being actively exploited, we mitigate immediately
If not, the following timescales apply:
• ‘Critical’ patches deployed within hours
• ‘Important’ patches deployed within 2 weeks (if not sooner)
• ‘Other’ patches deployed within 8 weeks (if not sooner)

We use GFI LanGuard to monitor and manage our local network vulnerability and patch management.

Drupal and Umbraco send 'active exploitation' and 'regular' vulnerability notifications for core software and modules/plugins.

We also use automated software to check for module/security patch releases on our deployments.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Following best practice from the National Cyber Security Centre, S8080 protects its platforms with enhanced protective monitoring services (SIEM), at the hypervisor level and below. This approach to protective monitoring continues to align with the Protective Monitoring Controls (PMC 1-12) outlined in CESG document GPG13 (Protective Monitoring for HMG ICT Systems). It includes checks on time sources, cross-boundary traffic, suspicious activities at a boundary, network connections and the status of backups, amongst many others. All alerts are immediately notified to our 24/7/365 developers for prompt investigation.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
S8080 has a documented incident management policy and process, which have been implemented, maintained and assessed in accordance our ISO/IEC 27001 information security certification. This activity is responsible for the progression of alerts generated by automated monitoring systems, issues identified by S8080 personnel, and incidents identified and reported to by its customers and hosting partners. All incidents are promptly reported to our 24/7/365 development team, which ensures that each is promptly assigned to an appropriate resource, and its progress tracked (and escalated, as required) to resolution, and if appropriate, documented using our Corrective Action Reporting (C.A.R.) procedures.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Pricing

Price
£24,660.00 a unit
Discount for educational organisations
Yes
Free trial available
No

Documents

Pricing document
Pricing document
Skills Framework for the Information Age rate card
Skills Framework for the Information Age rate card
Service definition document
Service definition document
Terms and conditions document
Terms and conditions document

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at chris@s8080.com. Tell them what format you need. It will help if you say what assistive technology you use.