ESS Accreditation Programme
Introduction
Our accreditation process supports our technical integrators by giving schools confidence in a secure integration.
Before we can accredit an integration, a Support Contract must be in place between ESS and the integrator. This ensures that you have access to assistance in the case of a problem with the integration of your product(s) with ESS services and/or software.
Accreditation consists of two aspects:
Technical Validation
In line with industry best practice and our extensive experience of integrations with SIMS, we require the following to grant accreditation.
For integrations with a local component (applications deployed to the school’s hardware)
- Year 1 of integration: A code review is required. TIs submit relevant source code to ESS for validation.
- Year 2+: TIs notify ESS of changes to their integration and provide changes for review by ESS upon request where appropriate.
- Every year: TIs confirm in writing that they do not and will not store credentials such as client secrets or passwords in clear text outside of recognised secure stores.
For integrations with a web-hosted element:
- TIs provide evidence of a suitable Penetration Test within the last 12 months.
- A Pentest should have been performed by a named and independent third-party.
- All Medium / High alerts must be addressed or be in the process of resolution.
- TIs must not share their ‘internal’ security issues with ESS because vulnerabilities should be on a need-to-know basis prior to resolution.
- TIs must warrant that all communications are via SSL or other industry-accredited secure transfer, e.g. SFTP.
For integrations that use ESS web access via SIMS ID, TIs must warrant that:
- They will secure any keys and secrets obtained from SIMS ID.
- They will update their application / online documents and information within 7 working days of any change
For backup and timetable providers ESS requires a list of:
- Claims for TI’s product capabilities
- Confirmation of technical mechanisms used.
Please check Backup Services Accreditation for more detail. Either ESS or reference sites will review claims annually.
Integration Efficiency Feedback:
Integrators who receive feedback from the SIMS Partner Team on ways to make their integration more efficient for schools, the TI, SIMS, or all three, are expected to engage with the SIMS Partner Team and make a good-faith effort to act on the feedback within 12 months. Failure to engage or act on the feedback will result in failure to pass (re)accreditation.
Customer Validation
- From the second year of integration, all integrators will need to undergo an annual Customer Validation consisting of three satisfactory customer references. The integrator supplies the customer names. SIMS Partner Support will send these customers a few questions to ascertain their satisfaction with the partner’s integration.
- In the first year of integration, non-SIMS customers may be considered as references.
Annual Customer Validation Process Outline
All integrators will need to undergo an annual Customer Validation consisting of three satisfactory customer references. The integrator supplies the customer names and contact details. In the first year of integration, non-SIMS customers may be considered as references if the integrator does not have three SIMS customers yet.
SIMS Partner Support will email the customers the following questions to ascertain their satisfaction with the partner’s integration:
- Does the partner’s application extract data correctly from SIMS?
- Does the partner’s application update SIMS correctly where required?
- For timetable apps only: “If you import a timetable, does the curriculum in SIMS .net look correct after import and can you work with it?”
- “On a scale of 0 to 10, how likely are you to recommend (insert TI name)’s product or service to another school?”
- Why have you given that score?
The scores on Question 4 will be used as follows:
Score Range 0-6:
ESS may decide to ask the integrator to follow up with the customer to resolve the issue. We cannot issue the (re-)accreditation until we have three satisfactory customer validations. The TI can choose to send ESS a contact for another school while they follow up on the concern raised, or the TI can ask ESS to resubmit the questions to the same school once the issue has been resolved.
Score Range 7-10:
The integrator has passed the Customer Validation. No follow up is required.