Protocol Policy Systems Ltd.

Protocol Policy Systems (Hosted)

Using international security standards or policy is the first step towards creating a secure electronic environment, helping to define the rules and guidelines for managing, operating and using corporate information systems. The policies are provided in a user-friendly web format that is easily deployed in any intranet/internet environment.

Features

  • ICT Security Policy Management
  • Standards compliance: PSN, PCI-DSS, PCI, ISO27001, ISO27002, ISO27017, ISO27018, ISO22313
  • Cyber Essentials Plus
  • Audit List
  • Compliance Index
  • Information Governance
  • Security Maturity
  • Regulatory updates
  • Industry standards and compliance cross-referencing and mapping
  • Operational processes and procedures referencing

Benefits

  • Help protect the assets of a business
  • Provide an organisation's computer security framework
  • Communicate security messages in a format that is easily available
  • Provide a uniform level of control and guidelines for management
  • Advise staff about their responsibilities to the policies
  • Endorse commitment of the SMT in protecting sensitive information
  • Set out by User, Manager or Technical member of staff
  • Yearly updates to maintain compliance standards and include new policy
  • Removes unpopular tasks and provides a skill set not commonly available
  • Communicate security messages in a format that is easily understood

Pricing

£12500 to £35000 per unit

Service documents

G-Cloud 9

411491275267342

Protocol Policy Systems Ltd.

Steve MacMillan

01604 762992

steve.macmillan@protocolpolicy.com

Service scope

Software add-on or extension: No
Cloud deployment model: Private cloud
Service constraints: Supported web browsers include:
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
System requirements:
  • Mainstream browsers, i.e. Internet Explorer, Edge, Safari, Chrome and Firefox
  • Internet server such as Microsoft's IIS with a minimum of 80Gb

User support

Email or online ticketing support: Email or online ticketing
Support response times: Email ticket acknowledgement within 1 business day, Monday to Friday, excluding Bank Holidays.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: No
Support levels: Our IT Policy Management system has one level of support, with direct access to your Account Manager and Technical Support contacts at no cost beyond your annual software maintenance charge.

Our Support and Maintenance Plan provides:
- Fixes for anything that is not functioning correctly within the Policy System.
- The ability to upgrade to the latest version of the IT Policy System when updates are released, at no cost. These updates deliver any new capabilities or new policies we have introduced during a 12 month period. On your anniversary we schedule an update to be delivered within the next six months if a new version has been created.
- Phone support for assistance with any queries or issues regarding the functioning of the software.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: We start the process with you completing a short questionnaire, providing us with any existing policy content that you wish to retain within your new system.

From your questionnaire responses we create an initial build of the Policy System to be used during the customer on-site review workshop process. The initial build version is sent prior to the workshop.

The on-site workshop review process takes three days.

Day 1: we review the technical policies. You may wish to include your systems administrator / network administrator during part of this session if there are specific technical questions to answer.

Days 2-3: we review the manager and user sections.

You may wish to involve a Human Resources representative for the personnel section.
If you have a Records/Information Manager within the organisation, their involvement may also be beneficial for the information management policy.

Included in the initial build are a number of forms designed to help with processes that should be established as part of the Policy System deployment. These need to be reviewed and agreed prior to the final build.

We allow 14 days from completing the workshop before we produce the final system, to allow for any additional information needed.
Service documentation: Yes
Documentation formats: Other
Other documentation formats: On-line user system navigation information within the service provision
End-of-contract data extraction: This is a content-based IT Policy Management system customised specifically for each client for information governance. We are providing policy management subject matter expertise only. There are no end-user transactions or data as part of the service for customers to extract when the contract ends.
Policy information is cross-referenced and mapped to industry standards, with the added benefit of a search facility for users.
At the end of a contract we would delete the website and customer access. There would be no data to extract.
End-of-contract process: This is a content-based IT Policy Management system customised specifically for each client for information governance. We are providing a policy management subject matter expertise solution only.
This is provided on a 1st year licence agreement plus annual maintenance charges.
At the end of a contract we would delete the website and customer access. There would be no data to extract.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: There is text scalability on mobile devices so that policy content can be accessed and viewed. This does not affect the functionality.
Accessibility standards: None or don't know
Description of accessibility: The text can currently be magnified without affecting functionality.
Accessibility testing: The text can currently be magnified without affecting functionality.
API: No
Customisation available: Yes
Description of customisation: Customisation options are available from Protocol Policy Systems to modify the standard IT Policy System as follows:
- Change "Policy" to "Standard"
- Wording of the policy system statements and explanations
- Changes to job roles, titles, organisation structure references etc.
- Names of the policy documents
- Topbar titles such as User, Manager etc.
- Additional policy statements or policy documents
- Removal of content from within a policy document, or removal of the entire policy
- The site header/banner, which we create
- The colour of the menu and menu text, footer, hyperlinks, headings, tabs and Topbar
- Adding/removal of forms, guidelines, logs, procedures and processes from the Forms, Logs and Guidelines and Procedures and Processes pages
- Inclusion of compliance options, limited to those we have cross-referenced to the policy system
- Font style and sizes within the HTML pages
- What is included in the topic index
- Changes/additions to Top Security Tips on the User page
- Purpose and Scope for each policy
- What appears in the Acceptable Use Policy
- Explanation graphic

Scaling

Independence of resources: This is a content-based IT Policy Management system customised specifically for each client for information governance. We are providing policy management subject matter content only. There are no end-user transactions within the service that create a demand on the service.
Policy information is cross-referenced and mapped to industry standards, with the added benefit of a search facility for users.
Our hosted service is with UK Cloud Limited, who use resource reservations and shares such as internet bandwidth shaping. Their capacity planning team ensures that usage of all resources is constantly monitored and capacity is increased in line with user demand.

Analytics

Service usage metrics: No

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: Yes
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least every 6 months
Penetration testing approach: 'IT Health Check' performed by a CHECK service provider
Protecting data at rest: Physical access control, complying with CSA CCM v3.0
Data sanitisation process: Yes
Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can't be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: This is a content-based IT Policy Management system customised specifically for each client for information governance. We are providing policy management subject matter expertise only. There are no end-user transactions or data as part of the service that are available for export.
Policy information is cross-referenced and mapped to industry standards, with the added benefit of a search facility for users.
Data export formats: Other
Other data export formats: PDF of policies and forms
Data import formats: Other
Other data import formats:
  • PDF
  • HTML links to existing document store

Data-in-transit protection

Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
  • Other
Other protection between networks: Our hosting provider UK Cloud Ltd offers the choice of connecting:
  • Via the internet using additional encryption such as TLS 1.2
  • Via IPsec VPN tunnels
  • Via private networks such as leased lines or MPLS
  • Via public sector networks such as PSN, N3 or Janet
Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: As this is a content-based IT Policy Management system customised specifically for each client for information governance, our availability is guaranteed based on the customer's own access to their internet/intranet services.
We are providing policy management subject matter expert content only.
Our hosted service offers 99.95% to 99.99% availability, depending on the Service Level chosen.
Approach to resilience: UK Cloud provides our hosted service, which is deployed across a number of sites, regions and zones. Each zone is designed to eliminate single points of failure (such as power, network and hardware). Customers are encouraged to ensure their solution spans multiple sites, regions or zones to ensure service continuity should a failure occur.
Outage reporting: All hosted service outages are reported via the Service Status page and the notifications service within the UKCloud Portal. Outages are identified as planned maintenance, emergency maintenance or platform issues. In addition, a designated Technical Account Manager will contact customers as appropriate.

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication
Access restrictions in management interfaces and support channels: We deliver the policy system in the cloud by setting up a single instance of the web application per customer. All access restrictions to the application are then determined by our customers in conjunction with the hosting provider (UKCloud).
Customers have the option to raise a support request via telephone or email. UKCloud will authenticate the identity of the user by validating selected details. The management interfaces are only available on the UKCloud network.
Access restriction testing frequency: At least every 6 months
Management access authentication: 2-factor authentication

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: Between 1 month and 6 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: Between 1 month and 6 months
How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: LRQA
ISO/IEC 27001 accreditation date: 8th May 2012
What the ISO/IEC 27001 doesn't cover: For hosting provider
ISO 28000:2007 certification: No
CSA STAR certification: Yes
CSA STAR accreditation date: 28th October 2016
CSA STAR certification level: Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn't cover: For hosting provider
PCI certification: No
Other security accreditations: Yes
Any other security accreditations:
  • ISO27018 - hosting provider
  • Cyber Essentials - hosting provider
  • Cyber Essentials Plus - hosting provider
  • PSN - hosting provider
  • ISO20000 - hosting provider

Security governance

Named board-level person responsible for service security: Yes
Security governance accreditation: Yes
Security governance standards:
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
Other security governance standards: In addition to CSA STAR, ISO27001, ISO27018 and ISO20000, our hosting provider UK Cloud Ltd's service has been formally accredited by a National Cyber Security Centre (NCSC) Pan Government Accreditor (PGA) for the services provided to the Department for Work and Pensions (DWP).
Information security policies and processes: Protocol Policy Systems UK has a suite of policies that are mapped to the ISO27002 standard and the PSN requirements.

We also have a library of 28 process and procedural flowcharts that relate to the policies.

All staff are expected to sign a document acknowledging that they have read and will comply with the company policies. Controls are applied to enforce compliance.

Our hosting provider UK Cloud has a number of inter-connected governance frameworks in place which control both how the Company operates and the manner in which it delivers cloud services to its customers. These have been independently assessed and certified against ISO20000, ISO27001 and ISO27018 by LRQA, a UKAS accredited audit body. The Company is governed by an integrated suite of information security policies. Under the top-level Information Security Policy itself are second-level documents with specific focus on Acceptable Use, Antivirus Protection, Asset Management, Business Continuity Management, Data Protection, Password Management, Personnel Management, Supply Chain Management and many others.

Operational security

Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach: All changes we make to our HTML-based application are recorded in our customer database.

If we apply HTML changes to our web-based system, we conduct testing in-house to verify that it displays as expected and then upload a new instance of the full system as a replacement.

UKCloud, our hosting provider, has documented configuration and change management policies and processes, which have been implemented, maintained and assessed in accordance with the guidance from ITIL v.3 and the current ISO20000 standard.
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach: Our vulnerability management process is:

Scanning done a minimum of once per month.

Patching:
  • critical - within 14 days
  • important - within 30 days
  • everything else - within 60 days

Information is obtained from a subscription service (e.g. SANS) and from a system vendor (e.g. Microsoft) who provides details of where to obtain an updated version, patch or fix.

Our hosting provider UKCloud has a documented vulnerability management policy and process, which have been implemented, maintained and assessed in accordance with the guidance from ITIL v.3 and the current ISO20000 and ISO27001 standards.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: Our hosted IT policy management solution is sub-contracted and hosted with UKCloud (formerly Skyscape) using Enterprise Cloud Assured Services.
Following best practice from the National Cyber Security Centre, UKCloud protects its Assured platforms with enhanced protective monitoring services (SIEM) at the hypervisor level and below. It continues to align with the Protective Monitoring Controls (PMC 1-12) outlined in CESG document GPG13 (Protective Monitoring for HMG ICT Systems). It includes checks on time sources, cross-boundary traffic, suspicious activities at a boundary, network connections and the status of backups, amongst many others. All alerts are immediately notified for prompt investigation.
Incident management type: Supplier-defined controls
Incident management approach: Our internal service desk is designed and implemented on the best practice service management principles of ITIL.
There are predefined processes for common events such as password resets, request and incident management such as new user/software requests, and system modifications via change management.
Incident reports are provided in PDF format.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks: Yes
Connected networks:
  • Public Services Network (PSN)
  • New NHS Network (N3)
  • Other

Pricing

Price: £12500 to £35000 per unit
Discount for educational organisations: No
Free trial available: No

Documents

  • Pricing document
  • Skills Framework for the Information Age rate card
  • Service definition document
  • Terms and conditions document