ECMS - Service Level Agreement (SLA)
This document shows the Enterprise Content Management Service's Service Level Agreement (SLA).
This document describes the responsibilities and service levels for the Division of Information Technology (DoIT) and the customers of the ECM/Imaging Service.
Part One: Service Operations
- Server - All servers will be hosted on the DoIT Platform and will be fully supported by the DoIT Systems Engineering Department.
- Software - Perceptive Content from Lexmark International, Inc. is the application that delivers the ECM/Imaging Service. This application is fully supported by the DoIT's Internet Infrastructure Applications Technology (IIAT) department.
- Availability - The service runs 24x7x365 with minimal downtime for scheduled and emergency maintenance (reboots and Windows Server Patching handled by DoIT's Systems Engineering). If problems arise, identified issues are addressed by system administrators during normal business hours 8x5 and off-hours on a best-effort basis.
- Maintenance and Upgrades - The service has a scheduled maintenance window on Friday evening from 20:00-22:00. The service may be taken down during this time for maintenance on the application, database or hardware. Change records, if necessary, will be submitted. Typically Perceptive releases 2-3 minor upgrades per year. We schedule major upgrades as they are released. We upgrade Test/Development servers first. Upgrades to Production are usually done on Friday nights. Department leads have access to the system on the day following the patching/upgrade for Production testing. Positive test results finalize the work or the patch/upgrade is rolled back.
- Change Management - DoIT is fully invested in Change Management and Continuity of Operations Planning best practices. The Imaging system customers will be notified of all planned outages in advance with a minimum 10-day notice for standard changes. See Continuity of Operations Planning, section 3.3.3 Change Records Classes & Types - Characteristics for more information on notification guidelines by change record classification.
- Emergency Changes - Customers will be notified when an emergency change is required. Due to the nature of emergencies, deploying a fix (reboot, etc.) for the problem that causes the emergency is the first step taken. Notification will be provided as possible via the change management system by email to the Department Leads with a 24-hour notice. Change management is integrated with DoIT's Outage page and updates will post here: http://outages.doit.wisc.edu/
- Backup - Incremental Backups are run nightly, saving 3 versions for 6 months. These backups are run only for disaster recovery purposes. Individual document restores will not be available. Once a week a journal-based backup is run for anything that has changed since the last reboot. The journal rebuild is done at the same time.
- Database - Oracle is the database that is being used for the Perceptive Content application. All files are stored on the DoIT Enterprise Storage Service.
- External System Integration - Work to integrate additional applications (i.e. PeopleSoft, WISDM).
- Authentication - ImageNow uses LDAP for credential authentication. Authentication against external customer identity management systems is handled via SSH tunnel. Integration with external systems, if required, is the joint responsibility of the appropriate individuals (system administrators and middleware technologists). The Perceptive Experience client uses Shibboleth-protected University of Wisconsin System federated login with scoped UIDs.
- Security
- Client
- All data is encrypted in transfer.
- Triple DES is used for communication between desktop client and imaging system.
- SSL/TLS COMODO certificates are configured in the webserver to which Perceptive Experience connects.
- System
- Both hardware and software firewalls are implemented and supported by DoIT Systems Engineering and Networking. Application servers and the database server firewalls are IP restricted and are not open to the world.
- Imaging system servers are housed on a restricted data network.
- The eForms server is open to the world, but there is no way to access the primary imaging system from this host.
- Systems are regularly monitored and events are managed from the server.
- Account provisioning/deprovisioning and system activity are regularly monitored.
- Tripwire: a filesystem integrity checker is installed.
- Document uploads to the Imaging system require SSH-enabled FTP (SFTP).
- Department Leads - Each Imaging departmental customer/group will have a Department Lead designated by the customer. Department Leads are the primary contact that the DoIT Imaging team will use for communications. A full list of Department Lead responsibilities is included in the Customer Responsibilities section of this document.
- Restricted Data - Restricted data must be maintained with the highest level of security. Restricted data includes:
- Social security number
- Driver's license number or state identification number
- Financial account number (including credit/debit card) or any security code, access code or password that would permit access to an individual's financial account
- Deoxyribonucleic acid profile as defined in S. 939.74 (2d) (a)
- Unique biometric data, including fingerprint, voice print, retina or iris image or any other unique physical representation
- HIPAA-Protected health information (any information about health status, provision of health care, or payment of health care). Security measures are reviewed and implemented to ensure all Restricted Data is secure and appropriately handled. Deviations from Restricted Data policy require approval from DoIT Security and the Department dean/director. Restricted Data Security Standards can be reviewed at: Policy: Restricted Data Security Management.
- HIPAA - Partners must notify the ECM/Imaging Service Team leader if HIPAA data is stored in the Imaging System so that appropriate procedures are implemented.
- PCI Data - Financial data (cp. Sec. 12.C. above) must not be scanned into or stored in the Imaging System. Contact DoIT Security at PCI-help@bussvc.wisc.edu if there is a need to store PCI or Restricted data.
Part Two: Responsibilities
Service Provider Responsibilities
- Server Support - Provide support for hardware and operating systems, including patching, hardware and software updates, firewalls, and secure access to file systems. DoIT purchases appropriate maintenance agreements for the hardware and software.
- Application Support
- Provide support for Perceptive Content, including patching, upgrades, vendor interactions, secure access to the application, problem troubleshooting and issue resolution (may require work with the vendor).
- Working support cases with the vendor may require that we provide them with material to enable case resolution. The following statement taken from the contract between the UW-Madison and Lexmark governs use of such material: "General Data Protection - The CONTRACTOR agrees that data provided to them during the provision of service shall be used only and exclusively to support the service and service execution and not for any other purpose."
- Security - Provide Security Policies, Implementation, and Annual Audits for compliance. All users will be created and authorization verified via DoIT-maintained processes. User accounts require an HRS appointment.
- Multiple Environments - Create and maintain working development, test, and production environments for the ImageNow application for customer use.
- Development - The development environment allows customers to create and test folder structures, workflows and processes, user groups, iScript development, etc. in an environment that is not identical to the production environment.
- Test - The Test environment is a copy of production which will be refreshed on the first Friday of every month. Additional access may be given to developers as needed. Changes developed and tested in the Development environment move to Test where Test's similarity to Production allows additional testing and refinement.
- Production Moves - Finalized changes in Test move into the production environment.
- End-User Support - Second Level End User support will be provided by the DoIT Help Desk. Calls may be escalated to either DoIT Technologists or the customer depending on the nature of the issue (cp. item 8 under Customer/Partner Responsibilities).
- Request Forms - Respond to Support, New Work, and New Customer requests within a reasonable time period.
- Administrative Tasks
- Accounts - Adding new users and removing past users. User accounts require an HRS appointment.
- Groups - Adding/modifying groups and group privileges.
- Areas/Departments Management - Set up Test/Development servers so that users can test and experiment. Move the setup to production when testing is satisfactorily completed.
- Planning - Three groups are constituted through which various levels of interaction between the ECM/Imaging Service Team and its Partners are available.
- Imaging Customer Advisory Group (ICAG) - The ICAG is composed of designated individuals who have the authority to represent a local Imaging system constituency in on-going planning and advising of the ECM/Imaging Service.
- Imaging Administrator/Security Team (IAST) - The IAST is a forum through which local department representatives (administrators, key users, etc.) can meet to discuss system issues, planning, or other topics of concern that relate to departmental use of the ECM/Imaging Service.
- Imaging Customer User Group (ICUG) - The ICUG is a forum through which users can discuss issues, develop best practices, contribute to on-going Perceptive client development processes, or talk about any topic of concern that relates to use of the ECM/Imaging Service.
Customer/Partner Responsibilities
- Department Leads - All departments using the Imaging system will identify a Department Lead for the department to handle administrative tasks on the department's behalf. The Department Lead responsibilities are:
- Communication Contact - Communication point of contact for all users in the Department they represent.
- Imaging Administrator/Security Team Meetings - Participate in monthly Imaging Administrator/Security Team meetings.
- Testing Coordination - Coordinate all testing of patches and upgrades with their users.
- Local End-User Support - Provide local initial user support.
- Request Forms - Use provided Request Forms to initiate support and new work requests.
- User Account Management - Request for their department user account additions, changes, or deletions using the required Jira process.
- Retention Policy Implementation - "A basic preservation plan must be put into place before imaging can begin. The plan will identify the retention period for the records (taken from the RDA or GRS), how and when the digital files will be tested for errors, and when migration will be considered." (From: UW-System: Planning & Development of Imaging Process)
- Annual Audits - Coordinate and conduct an annual review of departmental users, drawers, doctypes, groups, workflows, retention implementation, and Imaging system processes for appropriate access control, use, and security vulnerability.
- Imaging Environment Management - Use the Development Environment to set up, maintain, and test their Imaging work for the following areas, which are then deployed to the Test Environment for testing prior to deployment to the Production Environment:
- Drawer setup and maintenance.
- Creation and Testing of Processes and workflows.
- Creation and testing of eForms.
- Creation and testing of Learnmodes.
- Adding/modifying/removing annotations.
- Adding/modifying/removing project types.
- Security - Document Security using access controls, printing policies and redaction of restricted data.
- All restricted (e.g., HIPAA-protected) data must be stored in drawers separate from non-sensitive data with appropriate auditing controls enabled.
- The University tightly controls authorization for access to protected data. Authorization will only be granted with the approval of the Department Dean/Director.
- Department Dean/Director accepts full responsibility for the emailing or printing of images that contain restricted data. Any use of restricted data must follow the established guidelines.
- Test Environment Use - Participate in the testing for all patches and upgrades prior to production deployment.
- Testing - Thorough testing of all features, functions, application integrations and processes in the test environment prior to system upgrades. Notify DoIT technologists of any issues that are identified during the testing period prior to the upgrade.
- Post Patching/Upgrade Updates - Update all processes, scripts and customizations as required by software patching and upgrades.
- Clients
- Client installation/upgrades are not managed centrally. Notice is sent to the Department Lead regarding when and where they can get the upgraded client versions.
- System Access
- Access to the Imaging system does not require VPN if the client used is within your office space (this includes ECM/Imaging Service Partners).
- Connections to the internet through an untrusted network, either wired or wireless, require the use of secure connections using the WiscVPN service (for UW-Madison users) or a VPN service provided by the partner campus (see https://kb.wisc.edu/90370 for more information).
- End-User Support - End User support will be provided by the customer or data custodian. Calls may be escalated to either DoIT Technologists or the customer depending on the nature of the issue (cp. item 5 under Service Provider Responsibilities for End-User Support).
- Scanner and CaptureNow - Purchase of scanner and CaptureNow licenses and maintenance or purchase of scanning outsourcing service. NOTE: the ECM/Imaging Service does not supply scanning hardware, contracts for such, or licensing.
- Document Scanning - Scanning of documents, including quality checking and linking to external applications as required.
- Terms of Use - Adhering to the ECM/Imaging Service Terms of Use.