TRILATERAL RESEARCH LTD

STRIAD® Solutions - Cloud software for data-driven decision making for complex social challenges

STRIAD® solutions combine Trilateral’s socio-technical approach to cloud software and artificial intelligence to support data-driven decision making around complex social challenges (e.g., human security & crisis, child exploitation, organised crime, social care). They are complemented by our associate services for premium support, data protection, cyber security, interdisciplinary analysis and training.

Features

  • Collecting, storing, querying, visualising and geo-mapping structured and unstructured data
  • Machine learning architecture for modelling, predictive, descriptive analytics, patterns, trends
  • Text classifier builder for natural language processing of unstructured data
  • Document analyser for network analysis, entity recognition and searching
  • Human security data layers, maps, text classifiers for planning
  • Human security document and news media analysis, incident database
  • Child exploitation algorithms for risk assessment - victimisation and offending
  • Algorithms for recognising exploitation themes in text and network analysis
  • Crime dashboard and case management reporting & safeguarding
  • Secure identity access management and user permission controls

Benefits

  • Application specialising in enabling human security & conflict analysis
  • Application specialising in conflict analysis and safeguarding children from exploitation
  • Natural language processing and network analysis quicker than human analysis
  • Solutions designed around usability, cyber security, GDPR and ethics
  • Solutions reduce time, resources required for data preparation and analysis
  • Solutions designed for quick, actionable intelligence, situational awareness and planning
  • API interface for data ingestion and interoperability with external systems
  • Supports dynamic operational planning in a changing complex environment
  • Common operating picture for decision making via visualisations in briefings
  • Solutions enable inter and cross organisation analysis and collaboration

Pricing

£40,000 a unit

Framework

G-Cloud 12

Service ID

245377093549605

Contact

TRILATERAL RESEARCH LTD

Kush Wadhwa

02070528285

striad@trilateralresearch.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
A web browser is required to use the service but no hardware is required.
System requirements
Internet Access.

User support

Email or online ticketing support
Email or online ticketing
Support response times
An email reply will be sent within 24 hours, Monday to Friday.
Weekend coverage is available on customer request.
Priority support is offered to our Premium Support customers.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
A cloud solution architect is available for call-outs at a day rate (in line with our SFIA rate card). A Product Manager is available at a day rate (in line with our SFIA rate card). Analysts are available at a day rate (in line with our SFIA rate card). Data Protection and Ethics experts are available at a day rate (in line with our SFIA rate card).
Support available to third parties
No

Onboarding and offboarding

Getting started
Once we have received an order from you through G-Cloud, Trilateral Research will work with you to ensure the service fits your requirements. To do so we take the following steps:
• Planning: scoping requirements and developing an implementation plan.
• Implementation according to the implementation plan (see below) via remote set-up and on-site or virtual meetings.
• Support: We will support you throughout the duration of the contract and alert you to any maintenance windows.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Arrangements and any associate services required to ensure exporting of latest versions of data in CSV and/or JSON format.
Additional bespoke migration services available on request and at additional cost (see SFIA rate card and service definition document).
End-of-contract process
Upon conclusion of the service:
Termination notice as agreed in the contract.
Arrangements and any associate services required to ensure exporting of latest versions of data in CSV and/or JSON format.
Additional bespoke migration services available on request and at additional cost.
Deletion of user accounts and data as appropriate and specified by the customer.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The service is intended to have limited features via mobile/tablets e.g. basic form filling. Additional features are being added on a rolling basis to support mobile and tablet use.
Service interface
Yes
Description of service interface
Browser
Accessibility standards
None or don’t know
Description of accessibility
All images/graphs used contain alt-text and colour is not used as exclusive means to differentiate. A minimum font size of 12 points is used with sentence case, high contrast is used throughout, and form fields are clearly labelled.
Accessibility testing
The interface has been tested by people with colour blindness. Further testing is planned for 2021.
API
Yes
What users can and can't do using the API
Users can query the databases to get and post data, and they can call algorithm endpoints to get predictions.
API documentation
Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
No
Customisation available
Yes
Description of customisation
Plots, forms and databases can be customised and permissions for customisation can be controlled by admins.

Scaling

Independence of resources
The service is built in a public cloud that uses state-of-the-art databases and micro-services built to scale, and it scales automatically on demand.

Analytics

Service usage metrics
Yes
Metrics types
Number of users, dashboards, databases, and API calls. Amount of data stored.
Reporting types
  • API access
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
In-house
Protecting data at rest
Other
Other data at rest protection approach
STRIAD runs on Amazon Web Services (AWS). AWS adheres to independently validated privacy, data protection, security protections and control processes.
AWS is responsible for the security of the cloud; customers are responsible for security in the cloud. AWS enables customers to control their content (where it will be stored, how it will be secured in transit or at rest, how access to their AWS environment will be managed).
Wherever appropriate, AWS offers customers options to add additional security layers to data at rest, via scalable, efficient encryption features. AWS offers flexible key management options and dedicated hardware-based cryptographic key storage.
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Arrangements and any associate services required to ensure exporting of latest versions of data in CSV and/or JSON format.
Data export formats
  • CSV
  • Other
Other data export formats
  • JSON
  • GeoJSON
Data import formats
  • CSV
  • Other
Other data import formats
  • JSON
  • GeoJSON
  • PDF

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Availability is that which is offered by Amazon Web Services and varies among different components of the STRIAD platform. AWS currently provides SLAs for several services which are available on the AWS website via the link below: https://aws.amazon.com/legal/service-level-agreements/
Approach to resilience
STRIAD is built on Amazon Web Services (AWS) and resilience is provided by the data replicas in different availability zones offered by AWS. The AWS Business Continuity plan details the process that AWS follows in the case of an outage, from detection to deactivation. AWS has developed a three-phased approach: Activation and Notification Phase, Recovery Phase, and Reconstitution Phase. This approach ensures that AWS performs system recovery and reconstitution efforts in a methodical sequence, maximising the effectiveness of the recovery and reconstitution efforts and minimising system outage time due to errors and omissions.

AWS maintains a ubiquitous security control environment across all regions. Each data centre is built to physical, environmental, and security standards in an active-active configuration, employing an n+1 redundancy model, ensuring system availability in the event of component failure. Components (N) have at least one independent backup component. All data centres are online and serving traffic. In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
Outage reporting
Public dashboard; personalised dashboard with API and events; configurable alerting (email / SMS / messaging).

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
Access restrictions in management interfaces and support channels
Access in management interfaces is restricted using user roles and user groups with clearly defined policies.
- Restricted to user accounts with relevant privileges
- Username and complex password
- Can be restricted to particular domains or IP addresses
- Separation of environment at Management/Network/Hypervisor/Storage layers
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
The technical lead is responsible for security policy. The Senior Data Protection Advisor and Data Protection Technical Advisor provide regular guidance on procedures. The team have qualifications in computer science, experience in IT and stay informed of best practice. Cyber security systems are tested internally by the technical team on a regular basis and annually by independent penetration tests. We are Cyber Essentials accredited. Staff have experience in applying Risk Management Frameworks such as ISO:27005 which incorporates applying information security management standards such as ISO:27001, NIST Risk Management Framework (NIST 800-37) and associated NIST Security Control frameworks - NIST 800-37.
Information security policies and processes
Trilateral’s Information Security Policy and Procedures cover the following domains:

- Access Control
- Information handling
- Physical & Environmental Security
- Operations Security (Software Usage, Backup, Disaster Recovery, Malware Protection, Vulnerability Management)
- Change Management
- Human Resource Security
- Incident Management
- Asset Management
- Cryptographic Controls
- Communications Security
- Data Protection Compliance
- System Acquisition
- Supplier Relationship Management
- Training and Awareness

Policy Governance:
Policies are implemented via technical and organisational structures, enumerated via procedures, and monitored via measurement of KPIs, self-assessment, auditing and evaluation. Monitoring, measurement, analysis, and evaluation methodologies align with the ISO 27004 standard. The board of directors has oversight of policy efficacy. Policy enforcement is provided for via defined roles and responsibilities, appropriate training and awareness programmes, and disciplinary review and corrective action procedures.

Reporting:
Reporting structures, enumerated via procedures, generally follow a sequence of: Employee -> Line Manager -> Practice Manager -> Information Security Director. The Information Security Director has direct access to Trilateral’s Board of Directors.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Configuration and Change Management processes are in place governing hardware, software, documentation and procedures related to running, support and maintenance of systems.

A CMDB is used to record information about hardware and software assets.

Proposed changes must be approved. The change management process includes the raising and recording of changes, assessing the impact, cost, benefit and risk assessment of proposed changes, applying security control mitigations, developing business justification, obtaining approval, managing and coordinating change implementation, monitoring and reporting on implementation, reviewing and closing change requests.

Change management is incorporated into the software development process. Project managers coordinate with Change Managers.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
We align with ISO:27001 Technical vulnerability management controls, informed by ISO:27002 guidance. There is a technical vulnerability management process in place. Vulnerability management tools are integrated with the CMDB. Identified vulnerabilities are responded to based on a timeline aligned to class of severity and risk. Changes are made under the Change Management process. Patches are tested prior to deployment.

Mitre CVE database is monitored for relevant items.

Procedures are in place to address situations where vulnerabilities are identified and no suitable countermeasures are available.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
We align with ISO:27001 / Monitoring, measurement, analysis and evaluation, informed by ISO:27002 implementation guidance. There is a defined process for identifying assets that need to be monitored. Appropriate roles and responsibilities are established. The protective monitoring process is incorporated into our risk management framework. Data points that require monitoring are determined, measurement and evaluation criteria are defined. Reporting tools are integrated into relevant OSI layers.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
We align with ISO:27035. Incident management responsibilities and procedures are established. An incident response team (IRT) exists to respond to incidents. The IRT is tasked with implementing the following facets of the incident response process:

- effective detection of information security events;
- appropriate assessment of events;
- ensure efficient incident response;
- minimise adverse effects of incidents on operations;
- support vulnerability management;
- incorporate learning from incidents into processes and procedures.

Common events have pre-defined processes in order to facilitate more efficient response.
Incident reports are compiled and provided to management. Learnings are incorporated into processes and procedures.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£40,000 a unit
Discount for educational organisations
No
Free trial available
No
