W.D.M.Limited

WDM Integrated Asset Management System (WDM IAMS)

WDM IAMS is a comprehensive Highways and Environmental Asset Management System that incorporates 30 years of experience of working in partnership with central and local government clients. The fully integrated mapping and mobile working tools make it a perfect and fully integrated solution for a modern Asset Management System.

Features

  • Fully integrated mapping tools
  • Fully configurable asset definitions
  • Works ordering and flexible work flows & financial/contract management
  • Management of scheduled and reactive maintenance programmes
  • Mobile Working (on-line and off-line features)
  • Public facing map based enquiry reporting and enquiry management
  • Flexible Document Management capability
  • Street Works Noticing/Permitting & NSG Maintenance functions
  • Comprehensive reporting, dashboard and query facilities
  • Interfacing capability to external corporate systems

Benefits

  • Fully integrated and centred around flexible network referencing system
  • Highly configurable-options to adapt workflow and logic from standard build
  • User Groups and highway authority partnerships influence system development
  • Core system includes integrated mapping and reporting tools
  • Combinations of modules/functions can be added to the core system
  • Modules include: Street Works, Public enquiries, Lighting, RMMS, Structures
  • Modules Include: UKPMS, WDM PMS, NSG management, Financial/Contract Management, Accidents
  • 12 other modules/functions available and priced in the Pricing Document
  • Mobile working supports multiple operations (inspection, defect repair, asset editing)
  • Comprehensive document management/reporting tools relevant to each function

Pricing

£200 to £400 a user a year

Service documents

Framework

G-Cloud 12

Service ID

3 6 8 0 7 1 1 9 2 5 2 3 7 0 7

Contact

W.D.M.Limited Graeme Paterson
Telephone: 07866463992
Email: graemep@wdm.co.uk

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
Updates and patching will be scheduled as required to ensure the system remains secure and reliable. This will generally be in out-of-hours periods. However, notice will be given where any planned maintenance may be necessary within the period from 8am to 6pm.
System requirements
  • Up to date Web Browser (supported versions supplied)
  • Valid email address for named users
  • Web Browser based Mobile Working (operates both offline and online)
  • All software, system and security is managed within hosted environment

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support provided between the hours of 08:00-18:00 Monday to Friday (excluding Bank Holidays). Emails populate the support ticketing system with telephone support backup for the purposes of assisting the Client with the proper use of the Software or the Service and/or determining the cause of any errors and using reasonable endeavours to fix errors in the Software or the Service.

Support system is monitored during these hours by 1st line support team and prioritisation is assessed for urgency. Auto-emailed responses as enquiry progresses to completion.

Priority 1: 4 working hours
Priority 2: 1 working day
Priority 3: agreed with client
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
There is one level of support: Help-desk and secure support site are the primary vehicles to manage that. An Account Manager will be assigned to each client and they will manage if any additional prioritisation is required, if any requests are change/control requests and whether charges are required and also any escalation that may be required.

There is availability for providing dedicated support resources through the service and prices are provided via the G-Cloud12 Rate Card pricing document.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Onboarding is achieved via a Requirements Capture Process. This is undertaken with the client on-site to: demonstrate the standard build of the system, determine any configuration requirements outside of the standard build and agree data migration, training requirements and procedures for User Acceptance Testing and Go-live. This process is led by the WDM Account Manager assigned to the project and they will project manage the delivery. The Account Manager will work with the Build Team assigned to the project to deliver the service and to liaise with the client's Project Team regarding progress and milestones.

Following Go-live, the day to day support will be passed to the Support Teams but the Account Manager will generally retain overall control of the project to retain continuity.

Training resources will be provided - More recently, this takes the form of training videos that are deployed via the software management console and this seems to work very well.

All charges associated with migration, configuration from the standard build and implementation will be agreed with client in advance.
Service documentation
Yes
Documentation formats
Other
Other documentation formats
  • Training Videos (mpeg4) deployed directly from the Software
  • Some documentation not appropriate for Video will still be PDF
End-of-contract data extraction
Client Admins can have any table or view of the data published with the ad-hoc query tool which in turn supports download in a number of formats (CSV, XML, Shape Files, Mapinfo, KML - the last three obviously only for Spatial datasets).

On termination of the Contract, WDM can also make the data available via their SFTP site for a period of three months following termination.
End-of-contract process
As explained above, the client will have access to download their own data free of charge. If WDM are extracting the data then only time will be charged at the hourly rates quoted in the G-Cloud12 Rate Card pricing document - This will vary depending on the extent of the system and can be agreed in advance of the Contract starting.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The back-office systems are on-line Web Browser based and so mobile devices can be used where Internet is available. Tablet modes are available for some tools where appropriate. The system is designed to generally be tablet friendly - e.g. using menus rather small icons etc.

Mobile Working tools are designed specifically for mobile devices and can work on-line and off-line
Service interface
Yes
Description of service interface
The service is accessed via a Web Browser url which opens a Management Console called "AppCentre" from which all Web Browser based application url's are launched (dependent on user security).
Accessibility standards
None or don’t know
Description of accessibility
We have worked with central government clients to ensure that software, where appropriate, particularly public facing apps, complied with their standards based on WCAG2.1A. In addition, the wide use of bootstrapping in developments ensures standardisation of tools for accessibility. Text is widely used in addition to graphics.
Accessibility testing
Development in conjunction with central government clients to ensure assistive technology is appropriate for purpose.
API
Yes
What users can and can't do using the API
Some parts of the service currently have an API but this is primarily relating to interfacing with external systems at present (e.g. FixMySteet, CMS interfacing etc.). API development is part of the WDM RoadMap and that project is well underway. Developments include creating defects & enquiries, asset viewing/editing, mapping links all with full audit trail. The intention would be for the whole service to be API based by 2022.
API documentation
No
API sandbox or test environment
No
Customisation available
Yes
Description of customisation
The service is highly configurable without requiring software development e.g. work flow, logic rules, screen layouts, grids, asset attributes/lookups, published map layers,

In general, customisation would be a client Admins role. Training can be provided. In practice, most clients use WDM Support to help with customisation. The time may be chargeable if a significant amount of work for the supplier at the rates supplied in the G-Cloud12 Rate Card Pricing document.

Scaling

Independence of resources
The cloud hosting service is scaled for more than the number of users specified and assuming they are all working concurrently. Sufficient redundancy is scaled as part of that initial system scaling.

The hosted system is continually monitored to ensure that capacity and speed remains fit for purpose and extra resources can be assigned as appropriate.

Analytics

Service usage metrics
Yes
Metrics types
Scheduled reporting can deliver metrics to reporting dashboard.
Charting application can provide real time user metrics.
Reporting types
  • Real-time dashboards
  • Regular reports

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with another standard
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
A number of tools are provided for export. All formatted reports are accessed on-line and are downloaded via the browser. Auto-emailing is supported for scheduled reports.

Web Query Builder tools allow any dataset to be queried/filtered and downloaded in a number of formats (CSV, Excel, various spatial formats if appropriate etc). The queries can also be saved and scheduled to export to an Open Data Repository or Sharepoint. These can be made available via URL for access via external Analytical Tools. Configurable XML import/export software is available as part of the service. Time may be charged to support this aspect.
Data export formats
  • CSV
  • Other
Other data export formats
  • Excel
  • Shape File (if Spatial data)
  • MapInfo format (if spatial data)
  • KML (if spatial data)
  • Word (formatted reports)
  • PDF (formatted reports)
  • CSV
Data import formats
Other
Other data import formats
  • XML (using XML Importer) - configurable to suit data type
  • HMDIF for UKPMS datasets
  • MifMid for spatial data sets where appropriate
  • Document system to store main office formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
We currently achieve the following Service Levels and these are measured and reviewed as part of our ISO 27001 ISMS: Access and availability of the systems at least 98% per year. We actually achieve at least 99.9% to date (equates to 8.76 hours downtime per year). Access to Customer support 08:00 to 18:00, Monday to Friday 5 days a week, not including Bank Holidays at least 98% at all times. Any failures to meet these SLA's will be escalated to the Management Team and appropriate action taken to resolve in discussion with the client.
Approach to resilience
The primary cloud hosting environment is Amazon(UK) cloud services and resilience is well documented. Further details can be provided on request. Some existing clients are hosted via WDM's own data centre which may be continued where existing clients use G-cloud to continue their system supply.This WDM hosted system is operated across two redundant sites in Bristol. Each site has dedicated ISP circuits and all critical components are mirrored between the sites. Disaster recovery procedures are all tested annually for both options. Further details can be provided upon request.
Outage reporting
The hosted system provides an authenticated monitoring dashboard indicating service health. Email alerts can also be configured to alert for specific predefined conditions.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
The hosted system implements ISO 27001 controls and is certified by BSI. The hosted system is a discrete and separate system from the WDM corporate system. Administration of the hosted system is segregated from corporate accounts allowing for task specific authorisation and monitoring to be implemented. Logs are collected and protected within an intrusion detection system, providing monitoring and alerting for system changes and resource usage.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
BSI
ISO/IEC 27001 accreditation date
Initial accreditation 05/07/2017 (re-accreditation 05/07/2020 to 04/07/2023)
What the ISO/IEC 27001 doesn’t cover
Certification does NOT cover ICT equipment, hardware and software on the premises of the ICT System User. Nor does it cover ICT infrastructure such as internet or network connectivity or the third party suppliers of the ICT System User and its agents. Scope is limited to; The Information Security Management System in relation to the provision of Software as a Service and Ancillary Hosted Services. This is in accordance with the Statement of Applicability version 19.00 (June 2020). View only access to the SOA is available upon request.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
The management system supports how the company will achieve its business objectives and the requirements of management standards that the company adopts for business in the UK and overseas.

These include: ISO 9001 for quality; ISO 14001 for environment; ISO27001 for information security; and BS OHSAS 18001 for occupational health and safety and Cyber Essentials.

The managing director requires that the company follows management systems to ensure products and services meet customer determined requirements and satisfy regulatory bodies. The programme is directed from the top of the company, and all directors, sector heads, managers, supervisors and employees must make a full contribution to the implementation, development and maintenance of management systems.

The management system manual provides a framework for the establishment of leadership,responsibility, competence and the management of documented information.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
The hosted system is managed using WDM's ISO9001 and 27001 certified CRUMPET management system. All change management is booked, scheduled, and authorised via this system.

All WDM software updates are deployed using WDM's Hosting Hub platform to ensure an immutable installation process to guard against unintentional security properties being changed.

Hosting hub and Crumpet are integrated systems which provide full visibility of the change management process. Changes can be tracked and reviewed back to customer requirements and authorisations.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Software patching for security fixes are on an automated schedule which are deployed through the change management process. (Release candidate followed by A/B group releases).

WDM Operate an application security assurance programme and regularly scan and test the infrastructure for vulnerabilities. Vulnerabilities are risk assessed and prioritised for remediation. Remediation can be immediate, Overnight, or next available maintenance window dependent on the risk assessment.

We subscribe to vendor alerts and are members of the NCSC Information Sharing partnership.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The web applications are protected by a Web application firewall which scans the requests for malicious activity, blocking and alerting upon suspicious requests.

WDM Operate an intrusion detection suite which receives heterogeneous logs from across the infrastructure and provides insights, reporting and alerting to inform the security status of the system.

WDM Participate in the NSCS CiSP information sharing partnership and receive alerts and indicators of compromises which are loaded into the intrusion detection system.
Incident management type
Supplier-defined controls
Incident management approach
WDM, as part of the ISO 27001 certified ISMS, operate a security Incident and Investigation Process. This can be made available upon separate request to your account manager.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
No

Pricing

Price
£200 to £400 a user a year
Discount for educational organisations
No
Free trial available
No

Service documents