The following is a list of frequently asked questions about the company and its product: Open eLMS.
tenders > Open eLMS > data security > customisable parameters > configuration
Is there a capacity to delete data after a predefined period of time (i.e. set an expiry date for data)?
The LMS shall have the ability to flag data that reaches the 10-year mark and allow the user to decide whether to keep or delete it.
Parameters exist within the system to delete or disable data after a set amount of time. These time periods can vary for different types of data, as shown (useful for GDPR compliance across varying types of data).
The system can also be configured not to delete data while that user is still with the company.
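The retention behaviour described above (per-data-type expiry, delete or disable on expiry, an exception while the user is still with the company, and a review flag at the 10-year mark) as an added worked example; this is illustrative code written for this page, not Open eLMS's own configuration or code, and the data types, periods and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

DAYS_PER_YEAR = 365
REVIEW_AFTER_YEARS = 10   # the "10 year mark" at which data is flagged for a human decision


@dataclass(frozen=True)
class RetentionRule:
    years: Optional[int]          # None = no automatic expiry, only the 10-year review flag
    on_expiry: str = "delete"     # "delete" or "disable" once the period has passed
    keep_if_active: bool = False  # do not act while the user is still with the company


# Constructed per-data-type rules (an assumption, not the product's real parameters)
RULES = {
    "learning_record": RetentionRule(years=3, on_expiry="delete", keep_if_active=True),
    "login_audit": RetentionRule(years=1, on_expiry="disable"),
    "certificate": RetentionRule(years=None),
}


@dataclass(frozen=True)
class Record:
    data_type: str
    created: date
    user_active: bool  # True while the data subject is still with the company


def retention_action(record: Record, today: date) -> str:
    """Return 'keep', 'delete', 'disable' or 'review' for one record."""
    rule = RULES[record.data_type]
    age_days = (today - record.created).days
    expired = rule.years is not None and age_days >= rule.years * DAYS_PER_YEAR
    # Expired data is actioned unless the rule protects data of active users
    if expired and not (rule.keep_if_active and record.user_active):
        return rule.on_expiry
    # Anything still held at the 10-year mark is flagged for a keep/delete decision
    if age_days >= REVIEW_AFTER_YEARS * DAYS_PER_YEAR:
        return "review"
    return "keep"


def plan_sweep(records, today: date) -> dict:
    """Group records by the action a retention sweep would take on them."""
    plan = {"keep": [], "delete": [], "disable": [], "review": []}
    for rec in records:
        plan[retention_action(rec, today)].append(rec)
    return plan
```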
tenders > Open eLMS > data security > CSC framework > details
Does Open eLMS adhere to the CSC (National Cyber Security Centre) Security Principle – Governance Framework?
Details of this are provided as an attachment – https://docs.google.com/document/d/14cp_Ir_bowKQOPtZ5CzALpQrqGldeIlGTjZT6bBblVM/edit?usp=sharing
tenders > Open eLMS > data security > disposal and destruction > policy details
How long does Open eLMS keep data on its clients?
All company data is stored for 6 years prior to being destroyed. Open eLMS can keep client data for up to 3 years after the termination of a project upon request of the client (data is otherwise deleted 3 months after the termination date).
A copy of Open eLMS’s Disposal and Destruction Policy relating to data and the physical destruction of information has been included.
tenders > Open eLMS > data security > DPIA > summary
Is there a Data Protection Impact Assessment (DPIA) carried out for Open eLMS?
Open eLMS’s DPIA complies with GDPR and Privacy and Electronic Communications Regulations (PECR) requirements.
The generic DPIA for Open eLMS can be supplied.
In addition, security policies are aligned to the company’s ISO 27001 certification, safeguarding the privacy of PII in line with GDPR and PECR requirements.
tenders > Open eLMS > data security > GDPR > data portability
How does Open eLMS deal with the data retention and destruction requirements of data security legislation?
Open eLMS has functionality to follow best practice guidance for data retention and destruction for leavers. This includes the option to give portability of data to learners via the ‘pack and go’ functionality and the right to be forgotten with the importing of leaver lists which delete all associated data from the system.
tenders > Open eLMS > data security > GDPR > security by design
What GDPR measures does Open eLMS LXP contain?
Open eLMS has been designed to be compliant with the GDPR. Specific measures taken to ensure compliance include:
Keeping an audit trail of data exported from the system
Implementing ‘right to be forgotten’ functionality which removes persons and their data upon request as well as via an import of a leavers list
Standard registration interfaces (if used) are GDPR compliant
Students can take data with them using ‘Pack and go’ functionality
Open eLMS adopts a security by design approach to PII and data security in the implementation of the SaaS. Measures include, but are not limited to:
Limiting access to PII and passwords in accordance with Password Policy
ISO 27001 (Certificate No:372382021) certified Information Security Management System.
Independently audited Cyber Essentials Plus (Certificate No:372382021) security measures designed to protect against the snooping of PII.
Use of the Zoho password vault to secure password use
All staff undergo ISO 27001, GDPR, and Data Protection training
Use anonymised data for testing purposes
Technical measures include encryption of data at rest using Azure’s standard Disk Encryption https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption. Open eLMS uses SSE with PMK (server-side encryption with a platform-managed key), which is enabled by default on all managed disks. The data on the disks is encrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant.
In addition, Open eLMS encrypts data in transit utilising an EV SSL certificate; the EV certificate displays the name of the company when the certificate information is viewed.
tenders > Open eLMS > data security > ISO 27001 > asset register
Does Open eLMS Ltd. have an Information Security Management System (ISMS)?
All people, processes, and technologies are entered into the company’s asset register and are then managed by the organisation’s Information Security Management System. This involves periodic checks on the controls applied to each, and assessments of the residual risk to see if further controls are needed to protect Personally Identifiable Information (PII) in line with GDPR requirements, ISO 27001 standards and Cyber Essentials Plus security controls.
tenders > Open eLMS > data security > ISO 27001 > client data
What does Open eLMS Ltd. do to vet its staff?
All staff with access to data (i.e. PII) will be BPSS vetted prior to receiving client data for import tasks and going forward in BAU. Full candidate reports from Secure Screening Services will be made available upon request.
Access to client data is controlled and audited via the company’s Zoho vault password system.
tenders > Open eLMS > data security > ISO 27001 > documentation
Does Open eLMS Ltd. meet ISO standards 27001 (general IT security) and 27034 (application security)?
Open eLMS is ISO 27001 certified (Certificate No:372382021: Expiry Date: 13/05/2022). Part of this process requires an annual independent application security audit of the Open eLMS system, aligned to ISO 27034, from Defence.com. A copy of this report is available on demand.
tenders > Open eLMS > data security > ISO 27001 > PII protection
Does Open eLMS employ subcontractors?
Open eLMS employs one subcontractor (providing specialist programming knowledge) who is prevented from dealing with support tasks or accessing any client sites with PII. Nevertheless, all subcontractors are required to sign a Non-Disclosure Agreement and evidence that they meet the standards within the company’s Supplier Security Policy, namely:
Any third party contract must meet the following GDPR Article 28 requirements:
Process the personal data only on documented instructions from the controller.
Ensure that persons authorised to process the personal data have committed themselves to confidentiality.
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Ensure any subcontractors meet GDPR requirements for processors.
Assist the controller in fulfilling its obligation to respond to requests for exercising the data subject’s rights under GDPR.
Notify the controller of any personal data breach and assist the controller in fulfilling its own obligations regarding breaches.
Delete or return all personal data to the controller upon request.
Make available to the controller all information necessary to demonstrate compliance with GDPR obligations.
Complete and sign an Information Security Agreement and NDA.
Policies and procedures – ISO 27001 and/or Cyber Essentials.
tenders > Open eLMS > data security > ISO 27001 > security measures
Does Open eLMS Ltd follow development standards and ISO standards?
Open eLMS is ISO 27001 certified (Certificate No:372382021: Expiry Date: 13/05/2022).
Open eLMS undergoes an annual ISO 27001 audit and certification from an independent auditor, QMS. This is complemented by a software vulnerability assessment from Defence.com (available upon demand).
The Open eLMS API is a RESTful API and as such follows industry standards.
Open eLMS is also LTI Certified and as such can easily use webhooks to communicate with additional third party systems – https://site.imsglobal.org/certifications/e-learning-wmb/open-elms.
tenders > Open eLMS > data security > overview > data diagram
What technical considerations are made concerning the data flow from Open eLMS to client systems?
The following describes the flow of data across the platform. This technical diagram demonstrates connectivity, ports and traffic flows between Open eLMS and the client’s network.