Accreditation Guidelines for Cloud based products which use our Web APIs
Objectives for Accreditation
This guidance applies to any product where the technical integrator uses Capita / Capita SIMS web APIs to extract data, and to any of the data extracted from SIMS in the cloud.
The objective of accreditation is to provide a secure choice for mutual customers when selecting products to augment their Capita / Capita SIMS products. This is a different process in the cloud compared to the code review that we undertake as part of the 'on premise' application accreditation.
Web applications have access to the secure APIs controlled by Capita via SIMS ID which:
- Provides secure access via an industry standard methodology
- Provides an informed-consent-based approval which allows a TI's application to access the agreed subset of data through the SIMS ID Tile Store.
- Provides a mechanism to stop the flow of data from the school to the TI's application 24x7x365 within the Tile Store.
The code that does this can only gain access to the API and the data that is granted to that company. Validating this code is therefore not necessary, and accreditation needs to consider wider quality issues.
Accreditation is annual, and technical integrators will be invited to renew approximately 1-2 months in advance of their expiry date.
So what does web accreditation check?
In common with SIMS 7, the first part of accreditation is the publication of the data and security policies via the SIMS ID Tile Store, which is similar in principle to the on premise model.
2. Penetration Testing
The second part of the accreditation process is an initial and annual check that the application has undergone penetration testing in line with Government guidance and best industry practices. Accredited technical integrators need to demonstrate to Capita that their product has been tested within the past 12 months, and to state the quarter in which it is next due. They may also provide evidence of any certifications such as ISO27001 and/or Cyber Essentials certification.
So that the joint customer is assured that support is in place for all elements of the service, there has to be a development support contract in place between Capita and the Technical Integrator. This ensures that there is access to assistance in the case of a problem with the integration of your products with Capita Services and/or Software.
4. Reference Sites
TIs are asked to provide contact details for 3 sites who are prepared to:
- Confirm that they are a SIMS customer*
- Confirm that they currently use the product under accreditation.
- Confirm that it brings a benefit to the school or service related to the school.
- Confirm that they have no current security concerns about the product.**
* In the first year of accreditation, non-SIMS customers may be considered.
** Technical integrators will be invited to address any security concerns with their reference site and accreditation can occur once this is resolved.