CoSector Limited

Bloom

Bloom is a SaaS implementation of CoSector's Bloom Software. The Bloom Software is based on a recent, stable release of the open-source virtual learning environment software known as Moodle. UoL have extended the core Moodle product with additional tools to improve teaching, learning and administration.

Features

  • Built on Moodle's established VLE / LMS platform
  • Responsive UI
  • Customisation (via plugins) supported
  • Integration with popular student record systems
  • User and authentication with AD, LDAP, Shibboleth and more
  • Options for integration with BI systems

Benefits

  • Combine open-source flexibility with enterprise level assurance
  • Tailor the VLE / LMS to suit your organisational priorities
  • Access a thriving community of users and practitioners
  • A service that will grow as your organisational usage grows

Pricing

£11495 per instance per year

Service documents

Framework

G-Cloud 11

Service ID

9 5 0 9 7 0 7 6 6 7 4 6 2 9 9

Contact

CoSector Limited

James Silcock

020 7862 5838

james.silcock@cosector.com

Service scope

Software add-on or extension
No
Cloud deployment model
  • Private cloud
  • Hybrid cloud
Service constraints
We operate a weekly maintenance window (Tues 07:00-09:00) where service maintenance may involve downtime. All such planned maintenance will be notified with at least five (5) business days' notice.
System requirements
Browser: IE9+, Opera, Safari, Firefox

User support

Email or online ticketing support
Email or online ticketing
Support response times
Standard Monday to Friday 08:30 to 17:30; OOH is available at extra cost
P1 Showstopper, significant business or user impact 4 Hours
P2 High priority, impacting effective use of the service for a significant number of users 1 Business Day i.e. 9 hours
P3 Normal priority, service impaired for a small number of users 3 Business Days i.e. 27 hours
P4 Low priority, service not functioning as expected, but not significantly affecting use 5 Business Days i.e. 45 hours
P5 Very low impact on user and very little urgency 10 Business Days
i.e. 90 hours
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 A
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
In addition to support for incidents our support covers requests, advice, consultancy and development. This additional support is bounded by time. Our standard base service includes 3 x 8-hour days of such support. We offer four levels of additional 'Support+' packages which increase this allowance by 2, 5, 10 or 20 days. All customers will have at least annual meetings with a technical account manager
Support available to third parties
Yes

Onboarding and offboarding

Getting started
The Moodle platform that underpins the Bloom service has a significant amount of documentation online at docs.moodle.org. We offer customers an introductory webinar upon commencement of the service. We are able to offer onsite training (at additional cost)
Service documentation
Yes
Documentation formats
HTML
End-of-contract data extraction
We will provide, to the Customer: • The entire source code of the Bloom software at the time of termination • All Customer content stored within the Bloom Service • A Redacted Database dump where “Redacted” means the removal of any confidential Supplier data such as passwords. These items will be provided to the Customer on up to two (2) dates of his choosing with the last being no later than the Termination Date. These items will be provided via an sFTP location which the Customer will be able to access for ten (10) days after the content being added to the location. After this period, the sFTP location and access to it shall be removed and the data shall no longer be available. If further assistance with termination is required, this can be requested and any effort invested by we will be subtracted from the remaining Support Allowance or invoiced separately as appropriate.
End-of-contract process
We will provide, to the Customer: • The entire source code of the Bloom software at the time of termination • All Customer content stored within the Bloom Service • A Redacted Database dump where “Redacted” means the removal of any confidential Supplier data such as passwords. These items will be provided to the Customer on up to two (2) dates of his choosing with the last being no later than the Termination Date. These items will be provided via an sFTP location which the Customer will be able to access for ten (10) days after the content being added to the location. After this period, the sFTP location and access to it shall be removed and the data shall no longer be available. If further assistance with termination is required, this can be requested and any effort invested by we will be subtracted from the remaining Support Allowance or invoiced separately as appropriate.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The service is provided with a fully responsive UI so that all functionality is available via mobile devices
Service interface
No
API
Yes
What users can and can't do using the API
All functions of the Bloom platform are accesible via the API (AMF, REST, SOAP, XML-RPC)
API documentation
Yes
API documentation formats
HTML
API sandbox or test environment
No
Customisation available
Yes
Description of customisation
The Bloom platform is a plugin-based framework and there are thousands of plugins available to extend its capabilities. Our Bloom service is unique in the Moodle sector as it combines the ability to extend the platform via plugins whilst still providing enterprise-class service levels. Our Tailored service option enables Customers to install any plugins of their choosing without first requiring approval from us. The responsibilities for managing the effects of the resulting customized system is appropriately shared between us and the Customer.

Scaling

Independence of resources
Customers service instances have dedicated virtualised resources across multiple physical hosts which can dynamically migrate instances to alternative physical hosts where necessary to maintain performance.

Analytics

Service usage metrics
No

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
No
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Users can extract data via industry standard APIs, built-in functions for content export and using our support services to perform custom extracts of low-level data.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
Our base Bloom service guarantees 99.9% availability (measured during Business Hours). Our OOH optional add-on service maintains the 99.9% guarantess but this is measured 24/7/365. In any calendar month where availability levels are not met, 5% of the following month's fee is credited.
Approach to resilience
Available on Request
Outage reporting
We have e-mail, SMS and Voice alerts which are also available to customers, upon request.

Identity and authentication

User authentication needed
Yes
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Support channels are restricted to specific named customer contacts. Access to support via our service portal is via credentials issued by us.
Access restriction testing frequency
At least once a year
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 1 month and 6 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
Responsibility for the production, maintenance and communication of this top-level policy document and all sub-policy documents lies with the University’s IT Security Manager. This top-level policy document has been approved by the Information Technology Governance Group. Substantive changes may only be made with the further approval of this group. Responsibilities for the approval of all sub-policy documents is delegated to the Information Security Group. Where necessary. each of the documents constituting the Information Security Policy will be reviewed annually. It is the responsibility of the IT Security Manager to ensure that these reviews take place. Annual trustee review.
Information security policies and processes
The organisation has a defined Information Security policy based upon industry best practice, it employs a full-time security manager whose primary function is to ensure that policies and process are followed. They are backed up by an information security board, that regularly review the policies and procedures as well as any potential breaches. There is mandatory staff training for information security which takes place during induction (over the past year all members of staff have been required to take the training and pass the exam at the end). The information Security policy is one of a group of interlinked policies that are regularly reviewed they are : Acceptable Use Business Continuity Disaster Recovery Incident Management User Account Management Mobile Device Network Configuration Physical Security Application Security System configuration and maintenance Penetration testing Any individual suspecting that the security of a computer system has been, or is likely to be, breached should inform the IT Service Desk immediately. In the event of a suspected or actual breach of information security, IT Security, with or without consultation with the relevant department, may require that any systems suspected of being compromised are made inaccessible. Full policies & processes available on request

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Change Management is by way of a change board Requests for change (RFC) are first reviewed by a technical expert (depending on speciality) before submission to the Change Board for approval. All non-standard changes must be approved before they are implemented all changes are reviewed by the security team for any potential security impacts before implementation. All RFCs are reviewed upon completion of the change The University maintains a Configuration Management database (CMDB) where all configuration items (CI) are maintained and tracked through their lifetime.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
The supplier uses advanced technologies to identify and address security weaknesses in web-orientated servers, applications and activities. The systems are also actively monitored for any potential security events and other vulnerabilities. In particular, all system access events are monitored and mailed on a daily basis to the sys-admin lists for assessment and action. The supplier's service platform is based on hardened, Linux and Microsoft systems which are automatically and non-destructively monitored daily by CoSector for susceptibility to known attacks. Operating System patches and updates are continuously monitored for security vulnerabilities. They are tested and installed as appropriate to ensure protection.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We run a Network Intrusion Detection System - SNORT at the entry point to our network. We have full Unified Threat Management capability on our main firewall equipment. Our Linux systems use a range of Host Intrusion Detection Systems such as tripwire All new web facing systems are put through our standard Penetration testing process. Response is measured against the issue identified and whether it is a confirmed compromise or not. We secure the system if an attack is currently underway. To do this we isolate the system from the internet to prevent further damaged/data loss. 15 minutes initial response
Incident management type
Supplier-defined controls
Incident management approach
ITIL v3 is the common standard for incident management used by the supplier. The reporting of an incident can be either by portal, email or telephone to the service desk, any of these methods will generate a unique incident identifier, initial triage will categorise and prioritise the incident, trigerring the appropriate SLA. The initial diagnosis will identify the appropriate team to respond and resolve the incident in line with the SLA. Typically resolution reports are provided within the incident record by the resolving engineer. P1 incidents are followed up by a formal report through the senior management team.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
Yes
Connected networks
Joint Academic Network (JANET)

Pricing

Price
£11495 per instance per year
Discount for educational organisations
No
Free trial available
No

Service documents

Return to top ↑