Enterprise Cloud Oversight Service (ECOS) provides oversight and management of cloud-based services, specifically software as a service (SaaS). The service assures compliance and improved security by providing transparency through VITA oversight.
The service assures consistent supplier performance through service level and performance monitoring. Agencies gain flexibility to meet growing business demands while adequate security controls are in place for the protection of data, proper utilization of resources, compliance with regulations and laws, and timely resolution of audit recommendations.
ECOS minimizes the need for exceptions in obtaining external SaaS services. ECOS provides a flexible and custom option for obtaining SaaS services which meet the specific needs of the agency. The service offers guidance and oversight activities for agencies in the following areas:
- Assisting agencies in meeting commonwealth requirements, such as SEC 525 for hosted systems
- Incorporating appropriate contract terms and conditions to mitigate risk
- Completing Annual SOC2 Type II assessment reviews
- Ensuring vulnerability scans and intrusion detection are conducted
- Patching compliance of the supplier's environment
- Ensuring architectural standards are met
- Monitoring performance against Service Level Agreements (SLAs)
ECOS is a service specifically created for third party vendors offering software as a service (SaaS) applications.
SaaS is the capability to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The provider manages or controls the underlying cloud infrastructure, including network, servers, operating systems, storage, and even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
SaaS characteristics include:
- Network-based access to, and management of, commercially available software
- Access to the provider's services through an internet connection to a third-party hosted facility
- A one-to-many model (single instance, multi-tenant architecture) for service delivery
- A common architecture for all tenants, usage based pricing, and scalable management
- Third-party management of the service, including functions such as patching, upgrades and platform management
- A multi-tenant architecture with a single, centrally maintained, common infrastructure and code base shared by all users and applications
- Subscriber/user managed access for the application
- Provider-based data custodianship and server administration for the service
ECOS applies when:
- The services under procurement meet the above definition and/or characteristics of a SaaS provider.
- An agency is requesting the provider to act on behalf of a Commonwealth entity and/or to accept commonwealth data, and/or to serve as the data custodian and/or system administrator of that data for the purpose of making it available back to the Commonwealth via an interface for a fee.
There are three distinct components of the ECOS offering:
The assessment component is a pre-procurement questionnaire that is completed by the proposed supplier(s) and reviewed by the Enterprise Services Director and the Security Architect. The assessment allows VITA to verify the supplier's ability to meet the commonwealth security and governance requirements for off-premises services.
Note: The Assessment Review service is engaged independently of the other two service components. Once a supplier's solution has been assessed and approved by VITA, the assessment is valid for 12 months from the approval date. An Assessment Review fee or associated fees will not be incurred by agencies seeking use of a previously approved supplier solution.
The SCM component includes consulting services that offer guidance and oversight to agencies for delegated cloud procurements, including contract language, contract terms and conditions, support during negotiations, and SCM final contract review. The SCM Consulting Service assures that the contract language embedded in cloud contracts enables VITA oversight. The amount of VITA staff time will vary based on the level of assistance needed as well as supplier responsiveness.
The oversight component provides monthly performance monitoring (PM), Service Level Agreement (SLA) management, operational oversight and security conformance of SaaS services through analysis and review of data and artifacts provided by the SaaS supplier. The service assures compliance with regulations, laws and annual audit recommendations. Oversight also includes both an annual and an end-of-service contract review. Resources engaged in these activities are the Technical Services Lead, IT Security Auditor, IT Security Architect (as required) and Enterprise Services Director.
Who are the suppliers and applications that have assessments approved?
The Approved Application List and ECOS Metrics page lists the requesting agency, the supplier and the supplier product name for each approved assessment.
Frequently Asked Questions (FAQs)
FAQs and the top 10 questions related to the ECOS assessment process are available to answer the most common questions.