
Security & Data Protection

 

Customer data is one of the most valuable assets an organisation has. That’s why our top priority is delivering a comprehensive, high-performance solution with a focus on keeping our customers’ data safe, their interactions secure, and their institution protected.

NETWORK REQUIREMENTS:

The solution must be able to integrate with Microsoft Server 2008 R2/2012 Active Directory authentication and authorisation or OpenAthens. 

Unitu can integrate with Windows Server 2008 R2/2012 Active Directory authentication.

The solution must support access and administration over secure protocols, using certificates.

Unitu supports access and administration over secure protocols: all access to the site, including administration, is over HTTPS (TLS) using a server certificate.

The tenderer should provide information on integrations with the University's systems.

 

We provide three different integrations:

  1. VLE integration (e.g. Blackboard, Moodle, Canvas) via LTI authentication
  2. Student record integration via SITS, or a custom integration through APIs or SFTP
  3. SSO integration with Shibboleth or Azure AD (Office 365)
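To make the first integration concrete, here is an added example (not Unitu's code, and not taken from any VLE) of how a tool provider verifies an LTI 1.1 launch, which is an HTTP POST signed with OAuth 1.0a HMAC-SHA1 using a secret shared with the VLE. The LTI version, the consumer key and secret, the launch URL, the parameter values and the 300-second clock window are all assumptions; the checks themselves (recomputing the signature over the tool's canonical URL, checking timestamp freshness, rejecting replayed nonces, comparing in constant time) are what any tool must do before trusting the user_id and roles the VLE asserts.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import quote

# Constructed values for this example; a real tool loads them from configuration.
LAUNCH_URL = "https://tool.example/lti/launch"          # the tool's canonical launch URL
CONSUMER_SECRETS = {"moodle-demo": "shared-secret-from-the-vle-admin"}
MAX_CLOCK_SKEW = 300          # seconds; typical tool-provider window (assumption)
SEEN_NONCES = set()           # (consumer_key, nonce); production would use a store with expiry


def _enc(value) -> str:
    """Percent-encode per RFC 3986 as OAuth 1.0a requires (only A-Z a-z 0-9 - . _ ~ unescaped)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Build the OAuth 1.0a signature base string: METHOD & url & sorted-normalised-params."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalised)])


def sign_launch(method: str, url: str, params: dict, consumer_secret: str) -> str:
    """HMAC-SHA1 over the base string, keyed with secret&'' (LTI 1.1 has no token secret)."""
    key = (_enc(consumer_secret) + "&").encode("utf-8")
    mac = hmac.new(key, signature_base_string(method, url, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_launch(method: str, url: str, params: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Tool-side check of an incoming launch. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    consumer_key = params.get("oauth_consumer_key", "")
    secret = CONSUMER_SECRETS.get(consumer_key)
    if secret is None:
        return False, "unknown consumer key"
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False, "unsupported signature method"
    try:
        timestamp = int(params["oauth_timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return False, "timestamp outside allowed window"
    nonce_id = (consumer_key, params.get("oauth_nonce", ""))
    if nonce_id in SEEN_NONCES:
        return False, "nonce replayed"
    expected = sign_launch(method, url, params, secret)
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False, "bad signature"
    SEEN_NONCES.add(nonce_id)          # record only after every check passes
    return True, "ok"


def build_launch(now: float, nonce: str) -> dict:
    """VLE side: the parameters an LTI 1.1 launch POST carries, signed with the shared secret."""
    params = {
        "lti_message_type": "basic-lti-launch-request",
        "lti_version": "LTI-1p0",
        "resource_link_id": "course-42-feedback-board",
        "user_id": "student-1001",
        "roles": "Learner",
        "oauth_consumer_key": "moodle-demo",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(now)),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign_launch("POST", LAUNCH_URL, params, CONSUMER_SECRETS["moodle-demo"])
    return params


def demo() -> dict:
    """Exercise the verifier against a good launch, a replay, a tampered launch and a stale one."""
    now = 1_700_000_000.0
    good = build_launch(now, "nonce-1")
    results = {"first": verify_launch("POST", LAUNCH_URL, good, now)}
    results["replay"] = verify_launch("POST", LAUNCH_URL, good, now)       # same nonce again
    tampered = build_launch(now, "nonce-2")
    tampered["roles"] = "Instructor"                                         # changed after signing
    results["tampered"] = verify_launch("POST", LAUNCH_URL, tampered, now)
    stale = build_launch(now - 3600, "nonce-3")                              # signed an hour ago
    results["stale"] = verify_launch("POST", LAUNCH_URL, stale, now)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} accepted={ok!s:5s} reason={reason}")
```

Run it directly to see the good launch accepted and the replayed, tampered and stale launches rejected. Two design points worth copying: the base string is built over the tool's own canonical launch URL rather than whatever Host header arrived, and the nonce is recorded only after every other check passes, so a forged request that fails verification cannot be used to block a later legitimate launch carrying the same nonce.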

The proposed solution should support access via IPv6 (as well as IPv4), or support for IPv6 should be on a committed roadmap for delivery within 12 months of deployment. 

We host on Microsoft Azure. IPv6 support is under way; up-to-date details are available here: https://azure.microsoft.com/en-gb/pricing/faq/

INFORMATION SECURITY REQUIREMENTS

The supported system should support encryption standards AES 256 bit, FIPS 140-2 (cryptographic modules, software and hardware) and FIPS – 197 for data while it is in transit. 

All sensitive data is encrypted, and all communication with the service takes place over HTTPS (TLS).

The tenderer will provide details of whether, and to what extent, their system supports the Unicode standard for encoding, representation and handling of text.

We use UTF-8 encoding.

The tenderer's data centres must reside in the EU.

All data is stored in the UK (London).

The tenderer will provide details of their backup and recovery policies, including information on how frequently the policies are tested. 

Through Azure, the SQL Database automatically creates backups of every active database. A backup is taken every hour and geo-replicated, which gives a one-hour recovery point objective (RPO) for Geo-Restore. Additionally, transaction log backups are taken every 5 minutes to enable Point in Time Restore.

The tenderer will provide details of their standard data retention and removal policies including details on times and secure data removal procedures.

Unitu retains all information unless our customers ask us to do otherwise. The customer owns the data specific to their institution at all times and can have it removed from our database on request.

The tenderer will supply full details of their data security provisions and locations, including vetting of staff.

Unitu restricts access to personal information to Unitu employees, contractors and agents who need to know that information in order to process it on Unitu’s behalf. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.

The tenderer will provide details of encryption key management procedures.

Unitu’s encryption key management procedures can be provided on request.

The tenderer must provide details of what penetration tests are carried out and the frequency of such tests to ensure security compliance. 

Currently Unitu carries out manual penetration tests on a weekly basis to ensure security compliance.

The tenderer will confirm that sub processors will not be used to fulfil the contract.

Unitu can confirm that sub-processors are not used to fulfil the contract. All engineers are full-time employees of Unitu.

The tenderer will provide evidence how data can be returned and destroyed if the contract is terminated and, if any charges apply, details of the current costs. 

We can delete all data relating to the university from our data services and provide a report confirming the deletion.

The tenderer should provide details of audit logging that can be provided by the solution.

We keep logs of all user actions and can provide specific details on request.

The solution should support search functionality to locate data according to specified criteria. If this functionality has additional charging, then these need to be provided. 

Unitu’s analytics service enables filtering functionality to locate data according to specified criteria.

Outline the current security model that protects data within the platform.

We use a number of methods that protect the data and ensure the process of uploading the data is secure:

  • Restriction to data: Unitu restricts access to personal information to Unitu employees who need to know that information in order to process it on Unitu’s behalf. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.

  • 2-step account creation/verification process: once the CSV file has been sent via SFTP, Unitu's CTO uses our account management control panel to activate all student accounts. This is a two-step process:

    1. All students are enrolled on to the platform.

    2. We assign students to their correct degree programme and department.

  • Azure cloud hosting: Unitu relies on Microsoft's continuously improving security-aware software development, operational management and threat mitigation practices, which are essential to strong protection of data in the cloud.

  • HTTPS & TLS: Hypertext Transfer Protocol Secure (HTTPS) protects the privacy and integrity of the data exchanged over the web. Any connection via unitu.co.uk is encrypted using an obsolete cipher suite.

  • Salted Password Hashing: Unitu employs salted password hashing to protect users’ passwords from being breached.
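As an added illustration of the salted hashing named in the last bullet (example code, not Unitu's implementation; the KDF, iteration count and record format are assumptions), the block below contrasts a bare SHA-256 hash with a per-user salted PBKDF2-HMAC-SHA256 record, verifies in constant time, and flags records that should be re-hashed when the iteration policy is raised:

```python
import hashlib
import hmac
import os

# Parameters are assumptions for this example, not Unitu's settings.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
DIGEST_BYTES = 32


def unsalted_sha256(password: str) -> str:
    """What NOT to do: equal passwords give equal hashes, so one rainbow table cracks every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as algorithm$iterations$salt$digest so the record is self-describing."""
    salt = os.urandom(SALT_BYTES)                      # fresh per user, from the OS CSPRNG
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, DIGEST_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse(stored: str):
    """Split a stored record; any malformed field raises ValueError."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported algorithm")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time. Malformed records never verify."""
    try:
        iterations, salt, digest = _parse(stored)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, len(digest))
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with fewer iterations than current policy; rehash at next login."""
    try:
        stored_iterations, _, _ = _parse(stored)
    except ValueError:
        return True
    return stored_iterations < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    # A second user with the same password gets a different record thanks to the salt.
    print("records equal for same password:", hash_password("correct horse battery staple") == record)
    print("login with right password:", verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("Tr0ub4dor&3", record))
```

The iteration count lives in the record rather than in code so that raising it later does not invalidate existing users; needs_rehash lets the login path upgrade old records transparently the next time the plaintext is available.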

BUSINESS CONTINUITY REQUIREMENTS:

The tenderer will provide evidence that they are able to provide business continuity in the event of an incident at their primary location.

We use Azure Cloud and our production instance is geo-replicated, so secondary locations are available in case of an incident.

The tenderer will demonstrate that an RTO (Recovery Time Objective) of 8 working hours can be expected.

Unitu provides technical support over the phone and by email. In case of any problem, our staff should respond within 8 working hours.

The tenderer will demonstrate that an RPO (Recovery Point Objective) of 30 minutes can be expected. 

Through Azure, the SQL Database automatically creates backups of every active database. A backup is taken every hour and geo-replicated, which gives a one-hour recovery point objective (RPO) for Geo-Restore. Additionally, transaction log backups are taken every 5 minutes to enable Point in Time Restore.

The tenderer will provide evidence that they are able to provide business continuity in the event of an incident at their primary location.

After the pilot programme we provide auto-recovery: if a service in one location fails, it is restored and continues to run as normal in a different location.

 

AVAILABILITY REQUIREMENTS:

The tenderer will be able to provide availability of 99.9%. 

Unitu uses Azure services, and Microsoft's Azure SLAs commit to at least 99.9% availability.

The tenderer will describe the process for planned downtime, including notification processes.

Through our staging and production provisioning process we expect no planned downtime.

The tenderer will provide information describing how service status can be monitored.

Service status can be monitored with any external monitoring tool, as Unitu is a web application whose production instance is reachable over the internet.

The tenderer will provide information about how the system can be integrated with Microsoft Systems Centre Operations Manager.

Information on how Unitu can be integrated with Microsoft System Center Operations Manager can be found at this link: https://technet.microsoft.com/en-gb/library/hh881882.aspx

BACKUPS REQUIREMENT:

The tenderer will provide details of their backup and recovery policies, including information on the frequency of backups and testing.

We take automatic data backups every night and keep point-in-time snapshots, with up-to-the-second granularity, for the last two weeks. For testing, we use a wide range of automated unit/integration tests in addition to manual testing; the automated tests run on every codebase change.

 

The tenderer will provide details of their standard data retention and removal policies including details on times and secure data removal procedures. 

We retain data as per the contract. If a university ends its agreement with Unitu, we work with the university in a formal process to close their account and remove all user data. This usually takes up to a week, as all students must be notified about the planned account closures.

CAPACITY AND PERFORMANCE:

The tenderer will provide details on included data storage for the solution. 

For data storage, Unitu uses Microsoft SQL Server, Azure Table Storage, Azure Blob Storage and Azure Service Bus.

The tenderer will provide details on procedures and costs of extending included storage. 

The procedures and costs of extending included storage can be found here: http://azure.microsoft.com/en-gb/pricing/details/storage/

The tenderer will provide details on any limitations regarding the data storage for the solution. 

The limit for data storage is 200+ GB per storage account.

The tenderer will provide documentary evidence regarding the measured performance metrics that can be expected, e.g. user expected response times under normal working conditions based on other customer sites. 

We will measure response times for different operations during the pilot programme and will define the expected response time under normal load after going university-wide.

The tenderer will be able to provide a baseline for page loading time

Unitu monitors page loading time on a daily basis and aims to achieve a consistent page loading time of 3 seconds or less for every page on the application.

 

WEB BROWSER REQUIREMENTS

If web based, the application must support the following browsers:

Browser                                   Supported by Unitu (y/n)
Microsoft Internet Explorer 10 and 11     Y
Mozilla Firefox 17+                       Y
Google Chrome 25+                         Y
Apple Safari 7 for Mac OS                 Y
Safari on iOS 7, 8.1 (iPhone 4, 5, 6)     Y
Safari on iOS 7, 8.1 (iPad 3)             Y
Default browser on Android 4.4            Y
Default browser on Windows Phone 8+       Y