Accreditation Guidelines for Locally Installed Products which call Web APIs
Objectives for Accreditation
This guidance applies to any product where the technical integrator uses SIMS web APIs to extract data from a locally installed product.
The objective of accreditation is to provide a secure choice for mutual customers when selecting products to augment their ESS products. This is a different process in the cloud compared to the code review that we undertake as part of the 'on premise' application accreditation.
Local applications have access to the secure APIs controlled via SIMS ID which:
- Provides secure access via an industry standard methodology
- Provides an informed, consent-based approval which allows a TI's application to access the agreed subset of data through the SIMS ID Tile Store.
- Provides a mechanism to stop the flow of data from the school to the TI's application 24x7x365 within the Tile Store.
The code that does this can only gain access to the API and the data that is granted to that company. Validating this code is therefore not necessary, and accreditation needs to consider wider quality issues. Local applications, however, will need to store keys and secrets in order to access data on the web.
Accreditation is annual, and technical integrators will be invited to renew approximately 1-2 months in advance of their expiry date.
So what does web accreditation check?
In common with SIMS 7, the first part of accreditation is the publication of the data and security policies via the SIMS ID Tile Store, which is similar in principle to the on premise model.
2. Standards (Optional)
Technical integrators may wish to share certifications from standards bodies, such as ISO27001.
3. Local Security
Software providers need to ensure that security-related data is not easily compromised, including by a local administrator, who would typically have access to any files / software on the machine. We would require that all credentials are securely stored, for example:
- Usernames, passwords, keys and secrets are not stored in clear
- TI to confirm that this is the case during accreditation.
So that the joint customer is assured that support is in place for all elements of the service, there has to be a development support contract in place between ESS and the Technical Integrator. This ensures that there is access to assistance in the case of a problem with the integration of your products with ESS Services and/or Software.
5. Reference Sites
TIs are asked to provide contact details for 3 sites that are prepared to:
- Confirm that they are a SIMS customer*
- Confirm that they currently use the product under accreditation.
- Confirm that it brings a benefit to the school or service related to the school.
- Confirm that they have no current security concerns about the product. **
* In the first year of accreditation, non-SIMS customers may be considered.
** Technical integrators will be invited to address any security concerns with their reference site and accreditation can occur once this is resolved.