The following is a list of frequently asked questions about the company and its product: Open eLMS.

FAQs Open eLMS

tenders > company facts > procedures > accessibility > independent audits

Question

Does Open eLMS undergo independent accessibility audit reporting?

Answer

The Open eLMS system undertakes an accessibility audit annually for computers and mobile devices (provided by Ten10).

tenders > company facts > procedures > account management > weekly meetings

Question

What is the nature of Open eLMS’ account manager meetings?

Answer

Following Go Live the account manager, as is standard, arranges weekly meetings for the first 3 months after implementation, extending to monthly thereafter. These can be extended to 3 months at the client’s behest.

Meetings will address, as a minimum, the following areas:

System Performance

Helpdesk Performance

System Roadmap and opportunities for improvements

Advice is also given on how to get the best out of Open eLMS from the client’s perspective.

The account manager is also on hand at any time during business hours to offer just-in-time training and advice.

tenders > company facts > procedures > auditing > internal audit

Question

How do you conduct internal audits (audits led by your personnel) of the service?

Answer

Open eLMS is ISO 27001 certified; part of this process requires an annual independent application security audit of the Open eLMS system.

Open eLMS is also ISO 20000 and ISO 9001 certified; the audit also reviews the controls and procedures taken to ensure these certifications are kept up to date.

The audit takes place annually in December.

tenders > company facts > procedures > business continuity > annual testing

Question

Is the Business Continuity Plan (BCP) tested annually?

Answer

A recovery test report for will be supplied annually with details of recovery times, etc. These tests are run on Sundays around 3pm.

Please note that Open eLMS tests the Business Continuity Plan (BCP) annually, which involves the recovery of all Open eLMS client systems. A copy of the latest BCP plan with the latest test carried out on the 20/05/2021 (see section 4.4) is included as part of this tender (https://docs.google.com/document/d/1uGwhwf_PlFy2FsK1mxfdO4Zab6YfbIWmg5lhSO_tNQ8/edit?usp=sharing).

tenders > company facts > procedures > business continuity > backup process

Question

How are offsite backups secured?

Answer

All backups are created using Microsoft Azure backup which encrypts data and stores the data off-site.

Open eLMS uses geo-redundant storage (GRS) which replicates your data to a secondary region (hundreds of miles away from the primary location of the source data). This provides a higher level of durability for client’s data, even if there’s a regional outage.

tenders > company facts > procedures > business continuity > backup process

Question

How do offsite backups occur and how are they secured?

Answer

Backups (all files and database) are taken daily and by default a rolling schedule is taken daily, weekly, monthly, 3 monthly, and 6 monthly (this schedule can be adjusted to suit client requirements). These backups are saved for 2 weeks after deletion.

These backups include the entire installation, namely:

– database

– database transaction logs

– application configurations

– customer-specific customisations

– uploaded learner files

tenders > company facts > procedures > business continuity > BCP arrangements

Question

Does Open eLMS Ltd. have BCP/DR arrangements within the UK (including management)?

Answer

Open eLMS uses geo-redundant storage (GRS) replication. GRS replicates data and the system to a secondary region within the UK (hundreds of miles away from the primary location of the source data). This provides a high level of durability for your data, even if there’s a regional outage. Both the server and Senior Management Team are located within the UK.

Note that the company relies on cloud computing, a paperless office and remote working, which provide a very resilient infrastructure in the face of various disasters. A copy of the Open eLMS BCP can be provided upon request. This is tested on an annual basis.

tenders > company facts > procedures > business continuity > failure test

Question

Does Open eLMS Ltd. perform a full systems failure test and ‘fall over to back up’ on an annual basis?

Answer

The solution will perform a full system failure test 12 months following Milestone 11. Reference to the company BCP can be provided for details of a full system failure test. This will include a fall over to backup test.

tenders > company facts > procedures > business continuity > RTO process

Question

What is the recovery time objective (RTO) following a disaster recovery event?

Answer

If there is an outage, then the server switches to the secondary server. The Recovery Time Objective is 10 minutes for primary servers to switch over to the secondary server. The Recovery Point Objective is at the same point as from when the primary site fails.

tenders > company facts > procedures > business continuity > summary

Question

How is the Business Continuity Plan (BCP) recorded?

Answer

The BCP is a tracked document in line with ISO 9001 document management procedures and makes up a core part of the company’s ‘ISO 27001 certification’.

tenders > company facts > procedures > business continuity > system restore

Question

Can Open eLMS perform a full system restore in an emergency?

Answer

GRS replication allows for this.

tenders > company facts > procedures > business continuity > timings

Question

What are the details of the Disaster Recovery Timings?

Answer

If there is an outage, then the server switches to the secondary server. The Recovery Time Objective is 10 minutes for primary servers to switch over to the secondary server. The Recovery Point Objective is at the same point as from when the primary site fails.

tenders > company facts > procedures > change management > summary

Question

How does Open eLMS record its Change Management Procedures?

Answer

Change Management details are laid out in the provided ‘Change Management Policy’ – https://docs.google.com/document/d/1mnVG8LCNaG5aj6L7clvfCKTovksxRhdenn6xV1Vd0Hs/edit?usp=sharing.

tenders > company facts > procedures > complaints resolution > complaints handling

Question

Outline Open eLMS’ complaints and dispute resolution procedure, including detail of timescales and the escalation process.

Answer

The following is in accordance with Open eLMS’s Complaints Handling Policy:

Upon receipt of a complaint the following must be undertaken:

Inform Compliance and input the complaint into the JIRA incident log.

Compliance will create a record of the complaint in the central Incidents Register.

Dispatch an acknowledgment and initial response in writing within 4 hours. The acknowledgment should, when possible, include the priority with an expected timescale for resolution.

Complaints must be promptly, thoroughly, and consistently investigated, where practical by an independent person.

A final response email must be sent as soon as possible but no later than within 3 months of the client having lodged a complaint.

The client must be advised that PIL considers the complaint closed and they can refer the matter back to compliance if not satisfied with the resolution of the complaint.

In circumstances where it is not possible to resolve the complaint within the 3-month timescale, an email must be sent explaining the reasons, detailing the progress to date, and telling the client when it is expected that the complaint will be resolved.

Ensure that all correspondence and other pertinent information, including how the complaint was resolved, are retained as a full record of the complaint.

tenders > company facts > procedures > continuous improvement > staff development

Question

What measures are in place to ensure good staff development?

Answer

Open eLMS nurtures an environment of continuous improvement to enable staff development through its internal training system at https://openelms.e-learningwmb.co.uk/internaltraining/login.

tenders > company facts > procedures > health and safety > policy statement

Question

How is safety and wellbeing maintained when exiting or decommissioning the system?

Answer

Open eLMS supports its clients to exit the contract in a manner which ensures the safety and wellbeing of those that are accessing the tendered service.

The company’s ‘Health and Safety Policy Statement’ is here https://docs.google.com/document/d/1PsTonPUAC3xbTtPCRtnh5sYEwyo3oqs-/edit?usp=sharing&ouid=100178995435061976528&rtpof=true&sd=true

tenders > company facts > procedures > implementation > team availability

Question

Describe the contact and teamwork approach, including the extent to which the Open eLMS implementation team will be regularly available.

Answer

Open eLMS hands responsibility for the project to the Project Manager during the implementation of Open eLMS. The Project Manager as standard will set up weekly project meetings with your organisation to offer updates on the project schedule and coordinate tasks carried out by both organisations.

After the project has launched, the account manager will take over responsibility for the project (he will attend all meetings up to that point). It is standard practice for those meetings to be held weekly and then extend to monthly intervals at the behest of the client.

All members of the project team will be available via phone and email to answer questions at any time.

tenders > company facts > procedures > incident management > summary

Question

What incident/complaint management procedures are in place?

Answer

See the company’s ‘Complaints Handling policy’ utilizing the Jira incident log.

Incidents which affect security are governed by the ‘Security Incidents Management Policy’ (‘https://docs.google.com/document/d/1jRIW1HzzAw0Q0RWXALH7t165ol838E1X/edit?usp=sharing&ouid=100178995435061976528&rtpof=true&sd=true’).

tenders > company facts > procedures > ISO 20000 > release remediation

Question

Describe the release management process.

Answer

The entire testing process is described in the ISO 20000 process document concerning the Product Release Management Process (see: ‘https://docs.google.com/document/d/1hTA8F3OvWJeUjbZqlhckFZOHGmL_nC2ojKnQOp7hz9U/edit?usp=sharing’)

Vulnerability testing issues which are identified in this process are entered into the Jira issue tracking system and processed to completion before a formal release can be issued.

tenders > company facts > procedures > ISO 20000 > support tickets

Question

What is the resolution management system for Open eLMS?

Answer

Open eLMS utilises the Jira Service Management software to accelerate the flow of information between operations and development teams to respond and restore systems when incidents occur.

Any incident entered into the communication channels is automatically fed into the company’s Jira issue management system and all support staff are alerted. Often the issue can be explained via a support call from the account manager, but if it is a technical issue (aka a ‘bug’) then it escalates rapidly to 3rd line support.

tenders > company facts > procedures > order management > summary

Question

What Order Management Procedures are in place?

Answer

There is a structured ordering process through each stage from:

Placement

Legals

Fulfillment

Invoicing

and Payment

This is documented in Open eLMS’ ‘Order Management Policy’ – available upon demand.

tenders > company facts > procedures > project management > account management

Question

Can you describe the company’s account management process?

Answer

Account management takes over after the site has been released to the client. This will usually be handled by Open eLMS directly, unless the company is working with one of its global partners, who will manage the relationship with the Open eLMS account manager.

tenders > company facts > procedures > project management > client duties

Question

What are the roles and responsibilities of the client?

Answer

The client shall cooperate with Open eLMS Ltd. in any manner reasonably required to carry out the Support Services, including:

Provision of reasonably requested information and data.

Making available suitably qualified employees and contractors of the client (at least one person available on a daily basis during the implementation stage of the project).

Report any issues to the support help desk via email, telephone to the appointed account manager, or the help desk directly in a timely manner.

Comply with Open eLMS’s standard procedures with regards to the handling of Personally Identifiable Information (PII) in accordance with the company’s ISO 27001 certification (a copy of the company’s Data Protection & Information Security Management System Policy

tenders > company facts > procedures > project management > client resources

Question

What client resources are required for an Open eLMS project?

Answer

For a typical implementation, it is strongly recommended that the client supply at a minimum a single point of contact to coordinate activities from technical and design staff.

The client’s representative will call upon additional project team members as and when required. It is envisaged that such resources will call upon one or more of the following:

IT Services representative

HR representative (with knowledge of any third party HR system)

L&D representative (with knowledge of training needs)

* Design lead for the in-house production of learning content

Project manager/manager to coordinate timely deliverables from your organisation.

* The number of designers under the design lead would depend upon the amount of content required. Open eLMS would be happy to scale this work and offer predictions of resources needed once a needs analysis is complete.

tenders > company facts > procedures > project management > client resources

Question

What client-side System Admin/Support resources are needed to run the Open eLMS system(s)?

Answer

A client staff member with technical experience should be available to deal with:

Interrogation of exported data.

Importing exports from Open eLMS (via interrogated data or export reports directly from Open eLMS) into the new system.

tenders > company facts > procedures > project management > client resources

Question

What input dependencies are on the client, including resources, to deliver a successful Implementation?

Answer

It is usually recommended that your organisation supply at a minimum a single point of contact to coordinate activities from technical and design staff.

Your organisation’s representative will call upon additional project team members as and when required. It is envisaged that such resources will call upon one or more of the following:

IT Services representative

HR representative (with knowledge of third party HR system(s))

L&D representative (with knowledge of training needs)

Design lead for the in-house production of learning content

Project manager/manager to coordinate timely deliverables from your organisation.

The number of designers under the design lead would depend upon the amount of content required. Open eLMS would be happy to scale this work and offer predictions of resources needed once a needs analysis is complete.

tenders > company facts > procedures > project management > dual running

Question

Is dual running usually adopted during system launch?

Answer

This is perfectly OK and highly recommended. Synchronisation between the two systems can be handled by data import or live synchronisation when opening/closing learning via the legacy LMS.

Setting this up is an additional cost and will be included and itemised in any proposal.

tenders > company facts > procedures > project management > implementation risks

Question

What are the 5 main risks when implementing Open eLMS?

Answer

Risk 1: Poor Communication and Solution:

The primary conduit of communication will be the account manager. The client will be assigned Andrew Howie, director of the company, as the account manager. Andrew will liaise with the Open eLMS team.

The account manager will conduct weekly meetings during the implementation phase (later extended to monthly).

Risk 2: Data Security and Solution:

Open eLMS ensures a safe data transition as they are ISO 27001 and Cyber Essentials Plus certified and as such have detailed procedures in place to ensure the security of PII. Measures include, but are not limited to:

Limiting access to PII and passwords

Use of the Zoho password vault to secure password use

All staff undergo ISO 27001, GDPR and Data Protection training

All staff and equipment undergo Cyber Essentials Plus audits.

Use anonymised data for testing purposes

All passwords are encrypted as is data at rest and in transit.

Risk 3: Time Overrun and Solution:

No programming is needed to deliver this project which will assist with a smooth implementation of the Open eLMS system. This will allow ample time for intensive user testing to ensure that the information architecture and user experience match the client’s expectations.

Risk 4: Business Continuity and Solution:

Open eLMS has a business continuity plan which ensures the fulfilment of support and services to the client. There is global redundancy to the Open eLMS servers and support services. All support services can be run independently of a physical office location, whilst the Cloud based Azure installation hosts the system on two sites over 200 miles from each other which switch in the case of a failover – the system creates a crash-consistent recovery point every 5 minutes.

The business continuity plan is tested and independently audited annually as part of ISO 27001 certification.

For the longer term continuity of the business, Open eLMS would be happy to hold the uncompiled code within an ESCROW agreement so that the client can further develop and support the system should Open eLMS cease trading. Note all technologies used are open source and would not require the use of any Open eLMS suite to maintain or extend should the ESCROW come into force.

Risk 5: The product becomes obsolete and Solution:

Open eLMS relies on feedback from its users for new ideas and ways to innovate. This is fostered through initially weekly and then monthly meetings between the Open eLMS account manager and the client’s representatives.

Open eLMS also has quarterly user group meetings where new versions are discussed, training is given on configuration options and feedback is received for new features.

tenders > company facts > procedures > project management > internal resources

Question

What Open eLMS Ltd. resources are required for an Open eLMS project?

Answer

Open eLMS will supply a Project Manager who will be the project lead from Open eLMS during the implementation stage of the project (Planning/Information Gathering to Rollout).

The ongoing responsibility and main point of contact after this period will be the Account Manager.

tenders > company facts > procedures > project management > IT Director

Question

Who is Open eLMS’ IT Director?

Answer

Lauris Mikulans has been with Open eLMS for nearly 10 years and has led the work on Open eLMS since version 3 of the software.

Lauris will be responsible for technical tasks such as exporting data and setting up FTP downloads.

tenders > company facts > procedures > project management > key stages

Question

What are the Key Stages of an Open eLMS project?

Answer

The key stages are listed below:

Planning/Information Gathering

Build/Configuration

Deployment

Review

Rollout

Monitoring/Maintenance

tenders > company facts > procedures > project management > milestones

Question

What milestones for payment are usually employed for an Open eLMS implementation project?

Answer

Milestones are inserted into the project plan in agreement with each client. Typical milestones which initiate payments are as follows:

Initiation Meeting

Alpha system launched

Beta system approved

System Launched

The initial payment will be agreed and then further payments will be proportional to the work undertaken in the project implementation.

Milestones are inserted into the project plan in order to release payments to Open eLMS.

Open eLMS will monitor performance against this plan and provide reports as to progress against this plan at weekly project meetings. Any variations to this plan will be notified to the client as soon as possible and no later than the next working day.

tenders > company facts > procedures > project management > procedures

Question

What is Open eLMS’ project management process?

Answer

The Project Management Process is used for managing system implementations such as the one proposed. This process is as outlined in the company’s ISO 9001 and ISO 20000 certified procedures.

tenders > company facts > procedures > project management > product director

Question

Who is the product director at Open eLMS Ltd.?

Answer

Emil has been project managing e-learning projects since the early 90s. Emil has worked with some of the largest PLCs in the FTSE 100 as well as local and national government.

Should any project work be required outside the parameters of the standard export procedures, then responsibilities for the relationship with your organisation will be passed over to the Project Manager.

tenders > company facts > procedures > project management > project risks

Question

What specific project risks are there involved with customising the Open eLMS system?

Answer

As with any large system implementation there are always issues in bringing people together and changing existing work practices. There are, however, a number of issues which are more specific to this project. Although none of these issues will prevent the rollout of the system, it is worth highlighting them at this stage to ensure your organisation gets the most out of Open eLMS.

Form Creation

Should the Open eLMS Forms option be taken, resources need to be provided to ensure that any forms associated with personnel development and review (360 feedback, quarterly reviews etc.) are provided to Open eLMS in a timely manner so these can be created.

eLearning Authoring

Personnel and time will need to be set aside for any authoring of training using the Open eLMS Creator authoring system. Should resources to do this be unavailable, Open eLMS can offer the Open eLMS Bespoke service at an additional cost, but adequate notice would need to be given.

Creation of H5P Content

Again, use of this add-on gamification authoring system will need personnel and resources to create the microlearning modules needed prior to launch.

Curation of content

There are nearly 250 courses in the Open eLMS Catalogue library of courses. Selecting the appropriate learning (including the selection of content for H&S purposes) will take time. In addition to this, the setting of course properties (enrollable, mandatory, repeated, locked – require management approval, etc.) will take careful consideration to ensure that the training works in the right way to meet organisational needs.

Modules, pathways, queries, etc.

How the learning is collated and what determines pathways of learning will need to be carefully considered. The more work done ahead of the launch will mean that there is less administration needed to set up learners going forward.

Email customisation

Email notifications (default and custom) need to have the messages checked and edited to meet your organisation’s requirements.

Third party integration

Talent and management development tools from third-party suppliers need to be integrated into Open eLMS. Access to third-party APIs will be needed; care should be taken to notify all suppliers ahead of time to avoid development delays.

Reports

Custom reports should be set up ahead of launch to ensure that managers have the correct information. If setting up a live link to Microsoft Power BI (Business Information System Dashboard), then this should be organised ahead of time. Open eLMS has created elearning resources to help with this if needed.

Updates

Resources will need to be committed for an ongoing dialogue with the assigned account manager. This relationship ensures that the product is further developed to your organisation’s (and other clients’) needs and your organisation gets the most from any latest developments initiated by others.

tenders > company facts > procedures > project management > RACI

Question

What RACI measures are in place on any Open eLMS project?

Answer

A RACI chart can be drawn up in advance of any project and added to the statement of work as required.

A RACI chart (sometimes called a Responsibility Assignment Matrix) is a way to identify your project teams’ roles and responsibilities for any task, milestone, or project deliverable. By following the RACI acronym, you can clarify responsibility and reduce confusion. RACI stands for:

Responsible. This person is directly in charge of the work. There should only ever be one Responsible role per task so you know who to go to with questions or updates. If a task has more than one Responsible person, you can lose clarity and cause confusion. Instead, aim to add additional collaborators as some of the other RACI roles, which can have more than one person.

Accountable. The Accountable person is responsible for overseeing overall task completion, though they may not be the person actually doing the work. There are two ways to assign an Accountable role. Sometimes, the Accountable is the project manager (or even the Responsible, though in that case the person is taking on two different roles during the task workflow). In these cases, the Accountable is responsible for making sure all of the work gets done. In other cases, the Accountable is a senior leader or executive who is responsible for approving the work before it’s considered complete. Like the Responsible role, there should only ever be one Accountable.

Consulted. This will be the person or people who should review and sign off on the work before it’s delivered. There may be multiple Consulted roles for each task, project milestone, or deliverable.

Informed. This is the person or group of people who are informed about the progress and completion of work. They probably are not involved in any other aspect of the deliverable.

tenders > company facts > procedures > project management > risk identification

Question

What risk identification and management measures are in place on a typical development or implementation project?

Answer

Upon request, Open eLMS will work closely with designated members of the client’s HR and ICT departments to produce a weekly project overview and risk log (outlining progress and highlighting areas of concern), to ensure all actions agreed within this implementation plan are delivered on schedule. The approach Open eLMS takes to hazard identification and the quantification and management of risks is outlined in the company’s supplied Risk Assessment Manual – https://docs.google.com/document/d/1h59waru22f635RUHoTjYGkx90cIOdvGALUMwpqgZaXg/edit?usp=sharing.

The major risk to the rollout of a project, which is common to all clients, is server failure which could cause a loss of service. To this end, Open eLMS uses geo-redundant storage (GRS) replication. GRS replicates data and the system to a secondary region (+100 miles away from the primary location of the source data). This provides a high level of durability for your data, even if there’s a regional outage.

If there is an outage, then the server switches to the secondary server. The Recovery Time Objective is 10 minutes for primary servers to switch over to the secondary server. The Recovery Point Objective is at the same point as from when the primary site fails.

tenders > company facts > procedures > project management > sandbox

Question

How does data migration typically take place?

Answer

Open eLMS will build a sandbox environment (e.g. https://lms.e-learningwmb.co.uk/CLIENTDOMAIN) which is used for testing during the deployment phase of the project. The sandbox environment is used to:

Migrate data from existing systems

Set up CRON (server side) tasks for the importing/synchronisation of data

Create learning resources (elearning/microlearning)

Curate the learning library

And test the ‘going live’ procedure *

* This ‘going-live’ procedure involves the migration of data from the existing systems using existing migration interfaces for the importing of HR Data, learning resources and learning resource data.

When the system is ready to launch:

The database is cleared of user and test data

The old site is taken down

The migration process is run so a fresh copy of HR data and imported learning is completed

A redirect is set up to the new Open eLMS system

This process is conducted outside office hours to ensure a minimum of down time. The process should take 15-30 minutes to complete.

tenders > company facts > procedures > project management > software/hardware

Question

What software/hardware resources are required for an Open eLMS project?

Answer

Open eLMS supplies services using a SaaS model; as such, all server space (Azure Server) and software (Open eLMS) will be supplied by Open eLMS.

tenders > company facts > procedures > project management > supplier duties

Question

What are the roles and responsibilities of the supplier?

Answer

Open eLMS attests to the following duties in the company’s standard EULA:

Hosting provided in the UK by Microsoft Azure.

Backups (all files and database) taken daily and by default a rolling schedule taken daily, weekly, monthly, 3 monthly, and 6 monthly (can be flexible to suit client requirements).

Acceptance testing agreed no later than 30 days from installation.

Support from 0800 to 1800; includes access to the knowledgebase and support helpdesk.

Response/resolution times will be proportionate to the seriousness of the event:

Critical Event: Critical Impact/System Down. Open eLMS in its entirety is non-functioning.

Response time 1 working hour, resolution target 2 working hours.

Major Event: Significant Impact. A number of key components are not working which seriously impacts use of the service.

Response time 1 working hour, resolution target 4 working hours.

Minor Event: An individual feature of Open eLMS is not working, workarounds are not possible.

Response time 2 working hours, resolution target 2 working days.

Trivial Event: A problem with Open eLMS for which a work around is possible.

Response time 1 working day, resolution target 4 working weeks.

The expected uptime for the Open eLMS service is 99.9% of the time.

Standard Open eLMS users will have assistance with the following data processing tasks at no additional cost:

Importing HR Data from a provided template

Setting up SSO

Enterprise users will have assistance with the following data processing tasks at no additional cost:

Importing course data from a provided template

Setting up CRON tasks to automate these imports

Intellectual property rights are protected for both parties.

Data protection is assured.

New releases will not affect the performance of Open eLMS – they can be switched on/off in consultation with the client.

All software will be tested for viruses.

Liability is limited to the total subscription fees paid by the client to the Supplier in the 12 months preceding the date of the incident giving rise to the claim or series of claims.

Meetings for Enterprise clients include weekly account management meetings for the first 3 months after implementation, extending to monthly thereafter and weekly project management meetings (during implementation).

tenders > company facts > procedures > project management >

Question

Describe the intensive support post go live?

Answer

Open eLMS as standard offers 3 months of weekly meetings, extending to monthly meetings after this period of time. The account manager will be on hand via the usual channels to offer advice and any issues can be reported via the company’s helpdesk at any time.

tenders > company facts > procedures > purchasing policy > ethical policy

Question

What is Open eLMS’ purchasing strategy?

Answer

Open eLMS considers all commercial and technological aspects (financial stability, open platforms/integration, accessibility etc.) prior to making any purchase. Any contractual arrangement with a supplier must include attesting to Open eLMS’s ‘ethical purchasing policy’ ( https://docs.google.com/document/d/1oIe3lfsjo371rtdHHOCHsc_T0TR-R6ZutA-9o4vGNiM/edit?usp=sharing ) and code of conduct.

tenders > company facts > procedures > quality assurance > ISO 9001

Question

Does Open eLMS Ltd and the Open eLMS LXP comply with ISO 9001:2015 Quality Management Systems standards?

Answer

Open eLMS (business and products/services) is ISO 9001 compliant (ISO 9001 Certificate No:002213: Expiry Date: 18/01/2023).

tenders > company facts > procedures > release management process > overview

Question

Describe in full the Open eLMS release management process with emphasis on the testing phases.

Answer

The systems will go through Open eLMS’s ISO 20000 release management process and undergo an automated and manual testing process which will follow scripts approved by the client.

The holistic testing process consists of:

Developer testing – the developer tests the issue prior to moving the issue to a ‘Done’ state.

Product Management testing – this is done in moving the issue to the ‘Closed’ state. The product manager tests the issue in the test build prior to changing the status.

IT Director testing – this test is done prior to moving the issue from the staging build to the production build. This is a test of the code merging process and acts as a secondary test of the Product Management testing phase. The IT Director will review the code to check for formatting, conflicts, quality and consistency issues as part of an overall SAST (Static Application Security Test) of the added code.

The testing is controlled and documented in the SCORMDATA project in Jira. The SCORMDATA project consists of a Kanban system where issues are moved from a state of Backlog > In Progress > Done > Closed > Autotested. Once the issue is “Closed”, the process of getting the issue ready for publishing can be initiated. This is managed by the IT Director, and the issue is published in the sequence described (development server > testing build > staging build > production build > release).

The IT Director will ensure that all test server dependencies and security updates are applied to the latest versions and tested as part of the release process (as well as daily automated testing).

The individuals responsible for testing the change must be identified and fully briefed.

The Product Manager and IT Director must accept the changes at the designated stages prior to completion of testing.

Once the change is proved to be effective (working in line with the test criteria) the IT Director authorises its transfer to the operational environment, ensuring that business processes are not disturbed and that business continuity plans are updated.

Versioning of Open eLMS updates is managed through the Jira/Bitbucket coding system. Named releases are controlled through a publishing process which goes from development server > testing build > staging build > production build > release. All named releases (as of 01 November 2020) are documented on the Open eLMS website.

Autotesting – The system is auto tested using Test Project; Test Project is an automation platform for web, mobile and API testing (effectively a wrapper for Selenium and Appium). Open eLMS coders create test scripts which are run daily. These scripts simulate major operations of the software; the desired outcome is a 100% pass rate for all scripts.

Manual testing – A manual ‘script’ is created in Jira based on the User Test Cases which are documented in the Jira project: Manual Test. The test cases in the project are run periodically (as dictated by the asset register timings) and in addition prior to a named formal release to ensure that the system is working as intended. These scripts are not operationally prescriptive so as to allow a number of routes to the desired outcome; the purpose of this is to test non-standard operations.

Accessibility Testing – The internal accessibility test is run using the Axe accessibility checker against WCAG 2.1 at conformance level A. These reports are produced every 6 months at a minimum (or prior to a named version release) to ensure compliance. The external accessibility audit provided by Ten10 is independent of the release process.

Internal Vulnerability Testing – This testing is carried out by the IT Director using the previous external vulnerability audit and OWASP Top Ten as an updated guide to the most significant vulnerabilities.

External Vulnerability Testing – The ‘production’ release is tested monthly and prior to every release via the automated reporting tool at defense.com. These audits issue recommendations which are acted upon by the program team.

Documentation – Operating procedures and documentation are updated for the changes to the software. These are listed in the Knowledgebase and online manual at https://www.e-learningwmb.com/support/.

The custom documentation in line with the client requirements will be provided in the format of the client’s choosing.

tenders > company facts > procedures > risk > RAID log

Question

Will Open eLMS contribute to risk logs?

Answer

Open eLMS will contribute to the RAID log and manage any implementation risks requested by the client in line with the agreed terms of the contract. The log will be reviewed at the weekly project meetings.

tenders > company facts > procedures > security > acceptable use

Question

Are all Open eLMS personnel required to sign an Acceptable Use Policy?

Answer

Yes, all personnel are required to sign an ‘Acceptable Use Policy’ (https://docs.google.com/document/d/1MotxsKCtEifhj66zkaBwELoVD_IotWQZHFlNUIHLBnY/edit?usp=sharing).

tenders > company facts > procedures > security > awareness programme

Question

Describe Open eLMS’ security awareness program for personnel?

Answer

Open eLMS nurtures an environment of continuous improvement to enable staff development through its internal training system at https://openelms.e-learningwmb.co.uk/internaltraining/login. This includes training on the security of personal data, including:

GDPR Awareness

IT Security

IS 27001 Awareness

The system also allows all employees to attest to the Data Protection and Information Security Policy.

This process is refreshed annually.

tenders > company facts > procedures > security > breach detection

Question

Does Open eLMS have operational breach detection systems, deception solutions and/or anomaly detection with alerting?

Answer

Open eLMS typically utilises Azure Monitor, Microsoft Defender and Microsoft Sentinel for this purpose.

tenders > company facts > procedures > security > client notifications

Question

Do you have formally defined criteria for notifying a client during an incident that might impact the security of their data or systems?

Answer

Any security breach is automatically classified as a critical event. SLAs dictate that for such events there should be a response time of 1 working hour, in which the client is notified, and a resolution target of 2 working hours.

Any suspected reportable breach of data to the ICO will cause Open eLMS to phone the ICO and clarify if it is reportable before reporting the breach.

This is the responsibility of Open eLMS’s data controller (as outlined in 7.1 and 27.4 of the Data Protection and IS Policy) and must be carried out within 72 hours.

tenders > company facts > procedures > security > confidentiality agreement

Question

Are all personnel required to sign Confidentiality Agreements to protect customer information, as a condition of employment?

Answer

Yes, all Open eLMS personnel are required to sign a Confidentiality Agreement to protect company and customer information as a condition of employment.

tenders > company facts > procedures > security > cryptographic measures

Question

What cryptographic frameworks are used to secure a) data in transit over public networks, b) passwords, c) data at rest? d) Protocols used HTTPS, TLS 1.2 and TLS 1.3

Answer

Cryptographic measures include encryption of data at rest using Azure’s standard Disk Encryption (https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption).

Open eLMS also adopts encryption of data in transit utilising an EV SSL certificate. The EV SSL certificate displays the name of the company when viewing the certificate information.

tenders > company facts > procedures > security > customer data

Question

Does Open eLMS seek a right to use or own customer derived data for your own purposes?

Answer

No

tenders > company facts > procedures > security > developer training

Question

How do you train developers in Secure Software Development Life Cycle/ Secure Coding Practices?

Answer

All developers attest to the Secure Engineering Policy. The IT Director is responsible for training coders in secure coding practices. Note that code is developed using Bitbucket, which allows the secure release of code only once coding standards have been met.

tenders > company facts > procedures > security > device security

Question

Describe both standard employee issued device security configuration/features and required BYOD configurations. (Login Password, antimalware, Full Disk Encryption, Administrative Privileges, Firewall, Auto-lock, etc.)

Answer

Login Password:

All passwords comply with the company’s Password Policy, namely:

Passwords must have at least 8 characters. They can be any combination of letters, numbers, and symbols (ASCII-standard characters only). Accents and accented characters aren’t supported.

Password controls prevent a password that …

Is particularly weak. Example: “password123”

You’ve used before on your account

Starts or ends with a blank space

Users are also advised not to select personal information (birthdays etc.) which could be easily guessed. Training is given to users about how to select passwords and remember them afterwards.

Anti-Malware:

Windows Defender installed on all PCs offers threat intelligence. The system Endpoint generates alerts when it identifies attacker tools, techniques, and procedures. It uses data generated by Microsoft threat hunters and security teams, augmented by intelligence provided by partners.

Defender quickly adapts to changing threats via advanced analytics and big data. It’s amplified by the power of the Intelligent Security Graph with signals across Windows, Azure, and Office to detect unknown threats. It provides actionable alerts to all users and enables Open eLMS to respond quickly as an organisation.

Encryption:

Open eLMS uses standard Windows Device encryption. AES-128 bit encryption is used.

Administrative Privileges

Admin privileges are managed by Google Workspace Administration. Please note that company files are not stored on local machines, but instead in the Workspace Cloud where administrator control is managed.

All endpoint devices are listed on the company’s asset register and are audited twice annually (internally and as part of Cyber Essentials Plus Certification.)

Firewall:

Windows Defender Firewall is used on all end point computers.

Auto-lock:

All computers must auto lock after 15 minutes of inactivity.

tenders > company facts > procedures > security > disciplinary policy

Question

Is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures?

Answer

Yes, in Open eLMS Data Protection Policy it is clearly stated that breach of the policy may result in disciplinary action, including dismissal and all significant breaches of the policy will be handled under Open eLMS’s Disciplinary Procedures.

tenders > company facts > procedures > security > endpoint management

Question

Are all endpoint laptops that connect directly to production networks centrally managed?

Answer

Yes, all endpoints are added to the company’s asset register and managed. All such laptops are annually audited for vulnerabilities as part of the company’s Cyber Essentials Plus Certification.

tenders > company facts > procedures > security > group access

Question

Which groups of staff (individual contractors and full-time) have access to customer personal and sensitive data?

Answer

Open eLMS takes measures to store data electronically which is marked at Official/Official Sensitive under the GSC at the ‘Confidential’ level which is the highest information security category in the company. Such data is only accessible by named senior managers (in practice this is the account managers, project managers and IT Director.)

All data provided in writing is immediately digitised and then shredded in line with Open eLMS’s paperless office policy. Any electronic data for the client will typically have an assumed ‘Confidential’ classification and handled accordingly. Access to all project documentation and any other data associated with the client will be limited to senior named members of the project team and access controlled using the Zoho password vault.

tenders > company facts > procedures > security > independent audits

Question

What Independent Accessibility Audit reports does Open eLMS undertake?

Answer

The Open eLMS system undertakes an accessibility audit annually for computers and mobile devices (provided by Ten10).

tenders > company facts > procedures > security > InfoSec RMP

Question

Please describe your Information security risk management program (InfoSec RMP)?

Answer

Open eLMS has an ISO 27001 audited Information Security Management System (ISMS) which ensures the implementation of secure user management policies and procedures. The company’s asset register is the foundation of all policies and procedures in the organisation; in addition to procedures, all people and technologies are entered into this register so that they can be managed by the organisation’s ISMS. This involves periodic checks on the controls applied to each and assessments of the residual risk to see if further controls are needed to protect Personal Identification Information (PII) in line with GDPR requirements, ISO 27001 standards and Cyber Essentials Plus security controls.

The list of documentation and policies related to security and recorded on this register are:

‘Scope’

‘Data Protection & Information Security Policy’

‘Risk Assessment Manual’

‘Project Management Procedures’

‘ISO 27001 Register’

‘Teleworking Policy’

‘Standard Employment Contract’

‘Learning Management System’

‘Information Classification Policy’

‘Disposal and Destruction Policy’

‘Access Control Policy’

‘Secure Engineering Principles Policy’

‘Business Continuity Plan’

‘Main Lease 14 09 2016’

‘Operating Procedures’

‘Change Management Policy’

‘Supplier Security Policy’

‘Security Incident Management Policy’

‘Application Security Assessment Report 2019’

‘Application Security Assessment Report Details 2019’

‘Non Disclosure Agreement’

‘Test Cases User Stories’

‘Acceptable Use Policy’

‘EULA’

‘Password Policy’

‘Document Control Procedure’

‘Monitoring, Measurement, Analysis & Evaluation’

‘Internal Audit Procedure’

‘Internal Audit 2019’

‘Management Review 2019’

‘Annex A Statement of Applicability’

‘Internal Manual for Operating Openelms Server’

‘Internal Audit 2020’

‘Information Management System Manual’

‘Application Security Assessment Report 2020’

‘Application Security Assessment Report Details 2020’

‘Information Security Objectives’

‘Employee Security Policy’

‘Management Review 2020’

‘Data Protection Impact Assessment (Open eLMS)’

‘Application Security Assessment Report 2021’

‘NCSC Security Principle Governance Framework’

‘ISO 27001 Mandatory Clauses’

tenders > company facts > procedures > security > InfoSec SP

Question

Does Open eLMS have a formal Information Security Program (InfoSec SP) in place?

Answer

Open eLMS is Cyber Essentials Plus certified (Certificate No: IASME-CEP-007941: Expiry Date: 17/02/2023).

Open eLMS has a formal Information Security program governed by the following procedures: ‘Data Protection & Information Security Management System Policy’, ‘Information Classification Policy’ and the ‘Security Incidents Management Policy’.

tenders > company facts > procedures > security > ISMS details

Question

What are the details of Open eLMS’ information security management system (ISMS) and Information Security Policies and Procedures?

To include:

i. Security administration, physical and technical security controls are defined and implemented.

ii. ISO 2700

Answer

All people, processes, and technologies are entered into the company’s asset register and are then managed by the organisation’s Information Security Management System. This involves periodic checks on the controls applied to each and assessments of the residual risk to see if further controls are needed to protect Personal Identification Information (PII) in line with GDPR requirements, ISO 27001 standards and Cyber Essentials Plus security controls. Open eLMS ISMS will continue to work effectively throughout the lifetime of the solution provided. ISO documentation and ISO 27001 certificate can be provided.

tenders > company facts > procedures > security > key management

Question

How are cryptographic keys (key management system, etc) managed within your system?

Answer

The IT Director or their alternative generates keys, keeps track of them and stores them in the Zoho Vault. These are regenerated every x(6) months, and issued securely to whomever needs them.

tenders > company facts > procedures > security > log events

Question

How do you log relevant security events? (this includes the network and application layer)

Answer

All staff should report any incidents or suspected incidents immediately via the Jira system and then, if it is a true security incident, in the Incidents Log.

tenders > company facts > procedures > security > logged attacks

Question

Which of the following attacks have you been exposed to in the last 48 months?

1- Denial of Service

2- Spoofing

3- Hacking

4- Keylogging

5- Packet Sniffing

6- Virus/Malware

7- OTHER (Please Specify)

Answer

24/03/2020 – Denial of Service. No remedial action was necessary, no down time, Open eLMS was automatically withdrawn from the hosting mitigation system.

14/04/2021 – Denial of Service. No remedial action was necessary, no down time, Open eLMS was automatically withdrawn from the hosting mitigation system.

tenders > company facts > procedures > security > logging events

Question

Are all security events (authentication events, SSH session commands, privilege elevations) in production logged?

Answer

Yes, any read/write events are logged by Open eLMS for auditing.

tenders > company facts > procedures > security > monitor vulnerabilities

Question

How do you monitor vulnerabilities in dependencies?

Answer

All dependencies are updated to the latest versions and tested as part of the release process (as well as daily automated testing).

tenders > company facts > procedures > security > NCSC Cloud

Question

Does Open eLMS provide a full formal statement of alignment against the 14 NCSC Cloud Security Principles to support Risk Assessment (https://www.ncsc.gov.uk/collection/cloud-security/implementing-the-cloud-security-principles)?

Answer

Open eLMS will adhere to the 14 principles as outlined in the NCSC Cloud security guidance (and upon demand provide evidence from its Information Security Management System) if required as part of any EULA, namely:

1. Data in transit protection – User data transiting networks are adequately protected against tampering and eavesdropping by the encryption of all data in transit utilizing an EV SSL certificate.

2. Asset protection and resilience – User data stored by Open eLMS is located on the MS Azure infrastructure which is protected against physical tampering, loss, damage and seizure. MS Azure is ISO 27001 certified and complies with SOC 2 Type 1 and SOC 2 Type 2. Details can be found here – System and Organization Controls (SOC) 2 Type 2 – Azure Compliance | Microsoft Docs.

3. Separation between users – Data is separated and password protected so that a malicious or compromised user of the service should not be able to affect the service or data of another. Measures have been taken to prevent injection attacks which could cause corruption or affect the security of the data. These measures are also subject to an annual audit (provided).

4. Governance framework – Open eLMS has a security governance framework governed by its ISO 27001 certification which coordinates and directs its management of the service and information within it. All technical controls are linked to the company’s asset register and as such are within this framework and subject to auditing and management controls.

5. Operational security – Open eLMS systems are operated and managed securely in order to impede, detect or prevent attacks. Access is limited to key security personnel and this is controlled by the Zoho Password vault in line with the company’s Access Control Policy (provided).

6. Personnel security – Open eLMS limits access to PII (client Open eLMS data) to key security personnel. This yields a high degree of confidence in their trustworthiness as all named personnel are senior staff with at least 5 years tenure with the company. All staff are screened and supported by adequate training via the company’s internal Open eLMS learning management system.

7. Secure development – Open eLMS has been built using a ‘Security by Design’ approach. This is documented in the company’s Secure Engineering Principles Policy which has been provided and to which all programming/support staff attest.

8. Supply chain security – Open eLMS are owner authors of the entire Open eLMS system which limits the use of suppliers. The exception to this is MS Azure which has satisfactorily implemented both physical and technical measures which are audited and certified to put trust in the hosting environment.

9. Secure user management – Open eLMS provides adequate security measures to ensure the privacy of data held within the system. Unauthorised access is secured by: complex passwording rules, forced password refreshing, SSO, 2 Factor Authentication options and IP blocking options.

10. Identity and authentication – Open eLMS has various access levels and associated interfaces which are limited to authenticated and authorised individuals.

11. External interface protection – Register and login for Open eLMS are identified (as identified in the annual report) and appropriately defended (injection attacks, snooping etc.).

12. Secure service administration – System administration access is securely defended through passwording or SSO authentication. Open eLMS have alerts on the system to monitor any excessive attempts to break into the system via password guessing etc.

13. Audit information for users – All user access involving the export or deletion of data is logged so that deliberate malicious actions can be traced and data can be selectively reverted to a state prior to the attack. The Authority will have instant access to this data in order to respond accordingly.

14. Secure use of the service – Open eLMS provides training in using the service to all administrators of the system. This training includes client responsibilities for adequately protecting the data and duties under the GDPR and Data Protection Act.

tenders > company facts > procedures > security > network configuration

Question

What is the process for making changes to the network configuration?

Answer

Changes to the network configuration are made using the Azure administration dashboard. Access to this is limited to the IT Director and their alternative.

tenders > company facts > procedures > security > network security

Question

How does Open eLMS test the security of its network and applications?

Answer

Please note that Open eLMS relies on cloud computing and applications, hence:

it has no network;

stores no files on local PCs or network servers (an exception are design files but these contain no PII);

it has no shared software applications;

Hence there is no internal network to carry out security testing on.

The process documentation surrounding the security testing of the Open eLMS cloud application can be found in the ISO 20000 process document concerning the Product Release Management Process.

The company relies on the previous external vulnerability audit and OWASP Top Ten as an updated guide to the most significant vulnerabilities.

An annual third party vulnerability test is also carried out on the Open eLMS system; a copy of the latest test is available upon request.

tenders > company facts > procedures > security > network vulnerability

Question

What network vulnerability management processes and procedures are in place?

Answer

The Open eLMS infrastructure undergoes monthly internal vulnerability testing via the company’s Cyber Security Essentials Plus Accreditation service provider – Defense.com.

Open eLMS also undergoes annual external vulnerability assessment which is CREST certified. This is available upon request.

User data stored by Open eLMS is located on the Microsoft Azure infrastructure which is protected against physical tampering, loss, damage and seizure. Microsoft Azure is ISO 27001 certified and complies with SOC 2 Type 1 and SOC 2 Type 2. Microsoft carries out a series of internal and third party audits in line with this certification.

tenders > company facts > procedures > security > outsource development

Question

Does Open eLMS outsource development?

Answer

No client integration of project implementation development work is outsourced. Occasional projects are outsourced where specialist skills are required (Artificial Intelligence, media population), but these contractors will not get access to client data or core software programming processes.

tenders > company facts > procedures > security > password access

Question

Does Open eLMS have data access restrictions?

Answer

Access to data is strictly protected. Internally to Open eLMS, password access is restricted to named Key Security Personnel who have access to client data. Access is controlled and monitored via the Zoho password system.

tenders > company facts > procedures > security > patch criticality

Question

How does the criticality of any software patch to Open eLMS (critical, high, medium, low) affect deployment guidelines?

Answer

If there is a critical patch that needs to be deployed, it is deployed to all instances immediately, provided that the patch will not cause downtime.

Patches that require downtime are deployed out of working hours, or during working hours if the client is OK with that.

tenders > company facts > procedures > security > patch evaluation

Question

How do you regularly evaluate patches and updates for your infrastructure?

Answer

Security updates, if they are needed and after they are tested, are deployed out of working hours. Release updates are rolled out in waves. Individual updates for clients, if they request them, are deployed to that specific client when they are ready and tested.

Any patches are tested in line with the formal application release process.

tenders > company facts > procedures > security > PCI compliance

Question

What PCI compliance measures are taken by Open eLMS?

Answer

Open eLMS does not hold card data (it integrates with third party payment engines which do.) To this end Open eLMS does not need to be PCI compliant.

Should PCI wish to Open eLMS to handle such secure data then this can be put in place.

tenders > company facts > procedures > security > PII protection

Question

What data security and privacy measures are in place?

Answer

During the execution of this strategy, Open eLMS will act in accordance with the company’s ISO 27001 certification (Certificate No:372382021: Expiry Date: 13/05/2022) and Data Protection and Information Security Policy (https://docs.google.com/document/d/1EllcGOiSlgBp0vIEZN8annsK-s2MN3XKSNWgM-VazVU/edit?usp=sharing), using independently audited IT precautions in line with the independently audited Cyber Essentials Plus (Certificate No:372382021) security measures. These processes involve controlling access to Personally Identifiable Information (PII) by taking a number of measures including:

Password security

Personnel training regarding the security of client data

Processes to control access

Deletion of PII when not needed

Technical measures (e.g. encryption of data at all times in transit and at rest).

tenders > company facts > procedures > security > privacy notice

Question

Is your Privacy Notice/ Privacy Policy externally available?

Answer

Yes

https://openelms.com/gdpr-privacy-notice/

tenders > company facts > procedures > security > proactively monitoring

Question

How are security threats proactively monitored?

Answer

This process is governed by the company’s Security Incident Management Policy – available upon request.

tenders > company facts > procedures > security > secrets management

Question

What is Open eLMS’ secrets management strategy (auth tokens, passwords, API credentials, certificates)?

Answer

Passwords:

All passwords, auth tokens and API credentials are stored in the company’s Zoho Vault password system.

Certificates:

TLS certificates that are used to encrypt web traffic are generated by https://letsencrypt.org/; the master certificate is stored there and needs renewing every 3 months.

To connect to the server SSL, a certificate is needed. The certificate is generated for those who have SSL access and is stored on that person’s computer, encrypted with a password. This is regenerated every x(6) months. As an additional measure, SSH connections are restricted by IP.

tenders > company facts > procedures > security > secure engineering

Question

How do you ensure code is being developed securely?

Please confirm your solutions software development follows a secure coding development, review, remediation processes.

Answer

All staff attest to following the Secure Engineering Policy. The IT Director has an overview of all code committed to the production environment to ensure code is developed securely.

This formal release process is documented in the following ISO 20000 Product Release Management Process (see: Open eLMS ITSMS_DOC_9.3.docm, https://docs.google.com/document/d/1hTA8F3OvWJeUjbZqlhckFZOHGmL_nC2ojKnQOp7hz9U/edit?usp=sharing).

Note that any production code is first tested via automated vulnerability testing as well as manual vulnerability analysis against the OWASP top 10 vulnerabilities.

tenders > company facts > procedures > security > security certifications

Question

Does Open eLMS have PCI AoC, SOC2 type II and ISO 27001 certification reports?

Answer

QMS Certification can be provided (see ‘https://openelms.com/easy-to-use-and-comprehensive-lms/elearning-wmb/accreditations/’). Further information on the QMS audit can be shared via the QMS’ online portal upon request.

MS Azure is ISO 27001 certified and complies with SOC 2 Type 1 and SOC 2 Type 2. Details can be found here – System and Organization Controls (SOC) 2 Type 2 – Azure Compliance | Microsoft Docs (https://docs.microsoft.com/en-us/azure/compliance/offerings/offering-soc-2)

tenders > company facts > procedures > security > standards and certification

Question

Which IT operational, security and privacy related standards, certifications and/or regulations do you comply with?

Answer

ISO 27001

Certificate No: 372382021: Expiry Date: 13/05/2025

Cyber Essentials Plus

Certificate No: IASME-CEP-007941: Expiry Date: 17/02/2023

tenders > company facts > procedures > security > user authentication

Question

How does Open eLMS authenticate user accounts?

Answer

Open eLMS can be authenticated via a number of different routes:

Passwords – complexity (length, different characters, upper case etc.) can be defined within the configuration settings. All internal passwords used are unique for separate applications and they are stored on Zoho Vault (i.e. there is no ‘master password’).

Two factor authentication can be enabled.

Passwords can be refreshed by a custom interval defined in the configuration (this forces a password revision).

SSO is supported. This is a standard option of configuration and no additional charge is made for this service. Open eLMS supports all standards of SSO – for more details, see the example Azure AD implementation instructions – https://emil-reisser-weston.atlassian.net/servicedesk/customer/portal/2/article/44761090?src=-1310758382

tenders > company facts > procedures > security > vulnerability management

Question

What vulnerability management processes and procedures are in place?

Answer

The Open eLMS application is subjected to a monthly internal security vulnerability scan via the Defense.com system.

Open eLMS also undergoes an internal annual audit of the company’s Information Security Management System, reviewing metrics such as risk and residual risk levels and performance in meeting the asset register requirements. This audit is a core part of the security governance framework governed by its ISO 27001 certification which coordinates and directs its management of the service and information within it.

tenders > company facts > procedures > security > web vulnerabilities

Question

What systems do you have in place that mitigate classes of web application vulnerabilities? (e.g.: WAF, proxies, etc)

Answer

Microsoft Defender mitigates web application vulnerabilities with features such as:

* Tagging alerts (e.g. zero-day vulnerabilities) to highlight high severity

* Risk-based vulnerability management and assessment

* Attack surface reduction

* Behavioral based and cloud-powered protection

* Endpoint detection and response (EDR)

* Automatic investigation and remediation

* Managed hunting services

tenders > company facts > procedures > security > zone segmentation

Question

Is the production network and environments segmented into different zones based on security levels?

Answer

The cloud-based Open eLMS production and development/testing environments are on different virtual machines. The production machine has elevated security monitoring as it holds PII.

tenders > company facts > procedures > service management > additional metrics

Question

What company metrics are Open eLMS happy to supply clients?

Answer

Workload:

The number of requests assigned to your agents i.e. Helpdesk faults logged by the client

Satisfaction:

The average customer satisfaction rating for your team

Article usage:

The number of times the client viewed knowledge base articles in the portal and found them helpful

Article effectiveness:

The number of requests resolved with and without knowledge base articles

Created vs resolved:

Compares the number of requests created and resolved over time

Time to resolution:

Compares the length of time taken to resolve requests of type or priority i.e. Timescales

SLA met v breached:

Compares the number of requests that have met or breached an SLA goal

Incidents reports by priority:

Compares the priority of incidents reported

These reports will be generated on a quarterly basis (one month prior to the account management meeting or with 1 week’s notice) and are supplied on request of the client and are attached to any Service Level Agreement on consultation with the client.

tenders > company facts > procedures > service management > SLA Measures

Question

What KPIs exist related to the support of Open eLMS?

Answer

Open eLMS attests to service levels in the Open eLMS EULA document. In summary they are in excess of the targets set, namely:

System Availability (target 99.9% on a monthly basis)

Fault Resolution (target 100%)

Complaints Handling (target 100%)

Open eLMS will be happy to provide reports from the Jira and Uptime Robot systems to enable the client to benchmark performance against other similar systems within the organisation’s IT infrastructure.

tenders > company facts > procedures > supplier > modern slavery

Question

What measures are in place with regards to Modern Slavery?

Answer

Open eLMS supports the ‘Modern Slavery Act (2015)’, regardless of its legal obligations (the company is not defined as a “relevant commercial organisation” under the act). A copy of the company’s ‘Modern Slavery Policy’ is provided (https://docs.google.com/document/d/1lpFZ4Kjk8l9dH73ZKlwRAVnksExVeFd9_AHwzXHSeSY/edit?usp=sharing ).

Open eLMS has a zero tolerance approach to any form of modern slavery. The company is committed to acting ethically and with integrity and transparency in all business dealings and to putting effective systems and controls in place to safeguard against any form of modern slavery taking place within the business or our supply chain.

Open eLMS has a responsibility to ensure, through our due diligence processes and so far as is possible, that workers are not being exploited, that they are safe and that relevant employment, health and safety, and human rights laws and standards are being adhered to, including freedom of movement and communication. If the company and its employees believe that these rules are not being adhered to, they will notify the relevant authorities.

All employees and suppliers (or products and services) must avoid any activity that may lead to a breach of this policy and should report any concerns immediately under the reporting procedure which is defined in the company policy. The prevention, detection and reporting of modern slavery in any part of Open eLMS’s business or supply chain, whether in the UK or abroad, is the responsibility of everyone working for Open eLMS. Any new supplier must be considered with regard to the qualifying questions on the Modern Slavery Checklist (provided as an addendum to the company’s ‘Modern Slavery Policy’). Should the supplier come from a location, engage in a business or provide certain raw materials, then a complete modern slavery response is required from the supplier.

tenders > company facts > procedures > support > metrics

Question

What standard support metrics reports are available and audited annually?

Answer

Open eLMS will provide management information (MI) reports to the client’s Contract Manager. These reports are generated by the Jira Helpdesk system and will include the desired information, namely:

Helpdesk faults logged

Helpdesk faults resolved

Timescales for responding to and resolving faults against agreed service response matrix

Additional reports from the project management capabilities of Jira will include performance against implementation plan for the implementation period only.

tenders > company facts > procedures > termination > client data

Question

Does Open eLMS support secure sanitisation or destruction of infrastructure components (physical or virtual) that have processed Buyer Data at the end of the Call-Off Contract?

Answer

The client instance is completely removed from the Azure Cloud Virtual Machine as part of the sanitization process and all application files and databases deleted.

All client data (both financial and within Open eLMS) are held on cloud systems – as such no physical storage destruction is carried out.

Open eLMS does not keep any client data on local machines and has a clear desk/computer policy to delete/destroy all local documents and data immediately after use.

A copy of the company’s ‘Disposal and Destruction Policy’ can be provided which explains when and how physical media is destroyed.

tenders > company facts > procedures > termination > continuing service

Question

What measures are in place for continuing service during migration away from Open eLMS?

Answer

Open eLMS can ensure the continuation of service during any migration process. The site can be live whilst the company assists with data migration. It is imperative that text outputs are provided to any third party before the transition of service, so imports can be tested and any migration queries can be created.

The account manager will remain in place and act as the Exit Manager as defined with Schedule 9. The Exit Manager assists with the termination process and continues to carry out any standard account manager operations to ensure the continuation of service prior to, and during, termination.

Open eLMS will also store data for an agreed period of time after migration should anything go wrong with the exit process. All data is usually stored on the servers for up to 3 months after the contract end date and backups are stored for 6 months after that. These time frames can be adapted to the client’s requirements.

tenders > company facts > procedures > termination > data migration

Question

What is the method of data migration to a new System?

Answer

A backup file of the MySQL database will be stored in a secure FTP location which will be sent via an end-to-end encrypted email service (Open eLMS uses Google Workspace servers and would require a similar setup).

Should your organisation not use Google Workspace, then the data can also be sent with end-to-end encryption via Keybase (or similar). The file will also be password-protected.

Sending the entire database will give your organisation the flexibility in what they want to bring forward with any third party supplier.

tenders > company facts > procedures > termination > incoming provider

Question

How will data be transferred to an incoming provider?

Answer

At the end of any contract, Open eLMS will make available a backup copy of the database (MySQL database) for data extraction. This will be sent via end-to-end encryption (e.g. Keybase) or via a secure FTP link. The new supplier will be provided with a report documenting the database and what configuration options have been selected in the client instance.

An alternative solution would be to provide exports directly from the system using the CSV export/reporting functionality. Custom exports can be created to migrate users and learning data from Open eLMS to any third party system. This functionality is self-service; however, support will be provided as needed to assist with this process.

A register of exportable learning resources will also be provided to the client for which the client owns the IP. An interface is provided for downloading the SCORM zip files on this register (necessary for setting up elearning on any new system). This includes any elearning (created using Open eLMS Creator or from third-parties).

Elearning courses provided from the Open eLMS Catalogue can be sold for transfer to any new system at the standard market rate in accordance with standard pricing.

Open eLMS will also assist the client in archiving learner files and utilising the pack and go functionality to equip users with uploaded data. It is a common approach of Open eLMS to build in exporting functionality into the system rather than relying on back-end queries which need to be customised by support staff.

Assistance will be given in the transfer of any licences from third party software vendors (licence keys, configuration information, etc.) to any new supplier (e.g. Anders Pink, H5P, etc.).

tenders > company facts > procedures > termination > testing strategy

Question

How is the company’s Exit Management Strategy tested and maintained throughout the life of the contract?

Answer

The processes within Open eLMS which determine the exit strategy (daily data backups, export of reports) are tested daily from all instances. Should any backup fail, the Open eLMS system administrator will be alerted.

The migration process to any new system can only be tested in its entirety once the new system has been selected. For this reason, it is important to start this process at least 3 months prior to the exit date of the contract, to ensure migration queries and data exports are working as expected.