STC and Young Offenders Self-Service Youth Portal is a secure platform for children and young offenders in secure facilities to safely access information, make service requests and take part in education and other programmes for themselves. It provides tools for offenders to rehabilitate and successfully re-enter society through self-motivation.
- Real time reporting and audit trails
- Integration with third party software
- User friendly interface designed specifically for ease of use
- Supports multiple languages to accommodate nationalities of users
- Fast and secure delivery of messages and payments
- Secure login using username and password (biometric option)
- Browser based solution can work on any device
- Modular design to choose required applications
- Accredited to official level
- Privilege based platform to maintain security
- Paperless approach saves staff time usually spent on administration
- Browser based therefore can be launched on any connected device
- Enterprise solution provides centralised data management
- Engaged offenders are focused on independence and rehabilitation
- Reduces likelihood of contraband entering prison facility
- Young Offenders exposure to technology builds digital skills
- Increased accountability of interactions between offender and staff
- Accurate information reduces admin mistakes and wastage
- Platform flexibility meets diverse needs of the youth estate
£0.25 to £0.95 per person per day
- Education pricing available
- Free trial available
|Software add-on or extension||No|
|Cloud deployment model||Private cloud|
|Email or online ticketing support||Yes, at extra cost|
|Support response times||
Priority 1 - Major: 90 minutes for initial response.
Problems causing major disruption that prevent the user from providing a normal service.
Priority 2 - Intermediate: 90 minutes for initial response
Problems causing localised disruption that limit the ability of the user to provide a normal service.
Priority 3 - Minor: 2 hours for initial response
Problems which affect non-critical functions.
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Core provide a technical account manager and a cloud support engineer. A typical support scenario with a customer will be as follows:
Once it has been determined that the fault is a software issue relating to Core, Core will provide First-Level Support. Core will provide a Help desk Service which will provide for the recording and escalation of issues.
Second-Level Support - Core will further investigate the issue following the steps outlined in the documentation. This may include resolutions or temporary workarounds for complex issues.
Third-level Support – Core Systems shall provide resolutions for reported errors or issues. Core Systems shall make, and provide Customer with, revisions and enhancements to the Code.
The cost of 1st, 2nd and 3rd level support is included in the SaaS pricing document. This is based on remote software support, 9 am – 5 pm, Monday – Friday, excluding bank holidays. Any additional support required for customer-specific SLAs will be negotiated and costed separately.
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||To help users get started with the software solutions, Core Systems provide training and assistance with go-live on site. We also provide training videos and manuals to support training sessions.|
|End-of-contract data extraction||All data will be managed to ensure availability at contract end. At end of contract we will make consumers' archived data available. The consumer will provide instructions of where the data is to be transferred. Core confirm that we will purge and destroy consumer data from any computers, storage devices and storage media that are to be retained by the Supplier after the end of the subscription period and the subsequent extraction of consumer data (if requested by the consumer).|
|End-of-contract process||All data is stored within a SQL database. Data may be archived off the database onto another storage device or exported from the database using a .csv file. In the same way data can be imported using a .csv file. Note the import / export of data can be automated as a scheduled task. Core will provide a “simple” and “quick” exit process to enable consumers to move to a different supplier for each of their G-Cloud Services and/or retrieve their data. Core commit to returning all consumer generated data (e.g. content, metadata, structure, configuration etc.) and a list of the data that will be available for extraction. Data that will not be available for later extraction will also be published.|
Using the service
|Web browser interface||Yes|
|Application to install||Yes|
|Compatible operating systems||
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||
Youth portal is designed for tablets and desktop.
Officer portal is designed for desktop only.
Friends & Family portal is designed for mobile, tablet and desktop.
|Accessibility standards||None or don’t know|
|Description of accessibility||
• Enter in free text using an on-screen or a physical keyboard
• Read static text (in plain English)
• View static images
• No flickering or flashing images or text
• Click buttons to carry out actions
• View headings and labels
• View and use simple navigation
• View validation of forms.
• Access unauthorised materials/content
|What users can and can't do using the API||There is an API for importing and updating end users into the system and setting up locations. Limitations based on validation of business rules are set up to protect the integrity of the data. Other functionality that is required to be exposed through an API can be created as a bespoke piece of work for a customer to meet their needs at an additional cost.|
|API documentation formats||
|API sandbox or test environment||Yes|
|Description of customisation||
Branding on the officer and youth portal login page can be customised to be the customer’s logo and product name – carried out by Core Systems.
Customisable permissions on the officer website so that functionality can be separated to authorised user groups – configurable on the officer website.
Access to modules on the youth portal website can be switched on/off for different user groups – configurable on the officer website.
Timed access can be set up for the youth portal e.g. can only access the site for 15 minutes in a 2-hour period - configurable on the officer website.
Content can be added and updated easily e.g. FAQs, news items, PDFs uploaded, meals, tuckshop items, messaging watchwords etc. – configurable on the officer website.
Settings are available to turn pieces of functionality on/off e.g. enable Two Factor Authentication, enable draft messages to be saved by young people, enable message templates to be used, scan messages for watchwords.
Settings to set values for particular areas e.g. change password label text to pin, screen one message in every x number of messages, max number of characters in a message, max number of lines in a message.
|Independence of resources||Web hosted solution on IIS, so can have unlimited concurrent users, the only limiting factor is the amount of available resources on the machine. The software is hosted in a cloud based environment, so resources can be scaled up as required. Hosting environment provides a dedicated resource that is not shared with other customers. The software has been hosted in a single datacentre before and has scaled up to handle a total of 166,000 users and counting.|
|Service usage metrics||Yes|
|Metrics types||Officer dashboard displaying numeric information on the tasks to be carried out, with links to the appropriate page in order to take these actions, e.g. number of messages to process, number of requests to process, number of weeks that need menus assigned. Reports available through the officer interface display usage metrics, e.g. number of logins in a time period, message summary report which contains the number of messages sent and received in a time period, number of requests sent in a time period, tuckshop sales report. Access to these reports is configured through permissions in the officer website.|
|Supplier type||Not a reseller|
|Staff security clearance||Staff screening not performed|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Supplier-defined controls|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider|
|Protecting data at rest||Physical access control, complying with another standard|
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||
Standard reports which can be saved in multiple formats including Excel spreadsheet, Word document, XML file, PDF file, CSV file. These reports can also be set up to be scheduled and emailed to authorised users if required.
CSV files of the data from the database can be produced on request by Core Systems if required.
Core Systems could potentially create a bespoke API for required data if required at an additional cost.
|Data export formats||
|Other data export formats||
|Data import formats||CSV|
|Data protection between buyer and supplier networks||
|Other protection between networks||Can implement a whitelist of IPs on the TLS solution so that a VPN does not need to be set up but access to the URLs is still restricted so that only users from authorised networks can access the service. Can also work with a full VPN solution if required.|
|Data protection within supplier network||
Availability and resilience
|Guaranteed availability||Hosting environment 99.99% availability|
|Approach to resilience||Available on request|
Dashboard to monitor if all kiosks are up and running.
Email alerts if any of the websites are not accessible.
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||IP whitelisting for officer website along with permission groups to limit access to only authorised users. Support website requires username and password to be setup in order to manage the support issues. Only authorised users have access to the cloud environment and each user has their own account. Login access to the database is restricted to only authorised support users.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users receive audit information on a regular basis|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users have access to real-time audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||User-defined|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||SGS Ltd|
|ISO/IEC 27001 accreditation date||05/06/2014|
|What the ISO/IEC 27001 doesn’t cover||Certification covers all business functions within the company|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security accreditations||Yes|
|Any other security accreditations||Official Accreditation – received from Youth Justice Board|
|Named board-level person responsible for service security||Yes|
|Security governance accreditation||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||We have a well-established security information management system and related policies in place which adhere to ISO 27001 international standards. We have held ISO 27001 certification, which is UKAS accredited, since 2014. We have regular internal audits and review meetings to ensure that our processes and practices adhere to our information management policies and that these are in line with the ISO 27001 standard.|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
Core Systems have a dedicated change manager who will manage the paperwork and approvals. Changes required can be discussed and scoped out with the business team and they will be passed on to change manager.
• Changes agreed with business
• Change request completed
• Customer approvers review and approve the change
• Core implement the change in development & QA environments and test thoroughly
• Core implement the change in production and test thoroughly. Changes can be rolled back if necessary
• Core notify customer of change completion
• Close the change – Post implementation report
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
Monthly patches are carried out on the OS and other 3rd party software installed.
Current and newly emerging vulnerabilities are monitored through subscriptions to email distribution groups; publications and relevant websites are reviewed regularly.
A list of 3rd party libraries used to build the software is maintained along with the current version number used; this is periodically reviewed to identify whether there are any security vulnerabilities and if a newer version is available. If an action is deemed pertinent and prudent then it will be handled through the Change Management Process.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
Antivirus, Malware, Intrusion Detection & Protection, threat detection, correlation analysis, stateful firewall, execution environment checks are all provided by a cloud based Protective Monitoring service. This provides real-time, contextual and predictive threat intelligence. This will identify potential software compromises.
The response process when we find a potential compromise is as follows:
• Ascertain the issue and impact
• Contingency plans put in place around potential risks e.g. snapshots and backups
• Resolution agreed with customer and implemented
A number of risk scenarios are automated and responded to immediately.
High impact incidents are escalated to high priority.
|Incident management type||Supplier-defined controls|
|Incident management approach||When a support issue is received by Core Systems a ticketing system will operate and once an issue has been logged a unique support reference number will be assigned to it and should be quoted in all future communications relating to the issue. Users must report as much information as possible to ensure faster diagnosis of the issue; examples of the information required will be provided. A common issue responsibility matrix will be provided along with the corresponding SLA level.|
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£0.25 to £0.95 per person per day|
|Discount for educational organisations||Yes|
|Free trial available||Yes|
|Description of free trial||We offer a free trial version of the software license. Hosting costs from 3rd party, support and installation are not included. There is a limited time period of 2 months.|
|Pricing document||View uploaded document|
|Skills Framework for the Information Age rate card||View uploaded document|
|Service definition document||View uploaded document|
|Terms and conditions document||View uploaded document|