Core Systems

Prisoner Messaging, Secure Video Visits and Money Deposits Solution – Direct2inmate

Prisoners are able to securely communicate with family, friends and legal teams via prisoner messaging and video visits. Over 24,5 million messages were sent by the end of 2018 using the prisoner messaging solution. Direct2inmate’s money deposits portal allows friends and family to securely deposit funds to a prisoner’s account.

Features

  • Secure prison lockdown operating system with access management controls
  • Secure prison email - watch words are automatically flagged
  • Browser based (multi-device) solution – including mobile device management
  • Full audit trail of all prisoner communication through the system
  • Optional push notifications for prison video visits
  • Investigative and analysis tools for prison staff
  • All prisoner video calls can be live monitored and downloaded
  • External portal has real time integration with prisoner account
  • Secure prisoner / staff login (biometric option)
  • Notifications to confirm successful deposit in prisoner account

Benefits

  • Prisoner messaging is less resource intensive than physical post
  • Prisoner messaging lowers the risk of contraband entering prison
  • More privacy with prisoner messaging
  • Aids normalisation – prisoner messaging is similar to e-mail
  • Video visits encourage productive in-cell time
  • Lawyers and legal counsel can avail of video visits
  • Video visits with family encourage reduction in recidivism
  • Quick and efficient way of transferring money to prisoner account
  • Peace of mind that prisoner has sufficient funds
  • Potential revenue stream for facility

Pricing

£0.10 to £0.55 per unit

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 11

456281816468286

Core Systems

Diana Atchison

02890 722044

sales@coresystems.biz

Service scope

Service scope
Software add-on or extension No
Cloud deployment model
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
Service constraints No
System requirements
  • Windows Server 2012 R2 Standard
  • Microsoft SQL Server 2012 R2
  • SQL Server Reporting Services
  • IIS 8
  • SMTP Server

User support

User support
Email or online ticketing support Yes, at extra cost
Support response times This is scoped out on a per job bases to meet the needs of the customer.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Core provide a technical account manager and a cloud support engineer. A typical support scenario with a customer will be as follows:

Once it has been determined that the fault is a software issue relating to Core, Core will provide First-Level Support. Core will provide a Help desk Service which will provide for the recording and escalation of issues.

Second-Level Support - Core will further investigate the issue following the steps outlined in the documentation. This may include resolutions or temporary workarounds for complex issues.

Third-level Support – Core Systems shall provide resolutions for reported errors or issues. Core Systems shall make, and provide Customer with, revisions and enhancements to the Code.

The cost of 1st, 2nd and 3rd level support is included in SaaS pricing document. This is based on remote software support, 9 am – 5 pm, Monday – Friday, excluding bank holidays. Any additional support required for customers specific SLAs will be negotiated and costed separately.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started To help users to get starting using software solutions Core Systems provide training and assistance with go live on site. We also provide training videos and manuals to support training sessions.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction All data will be managed to ensure availability at contract end. At end of contract we will make consumers archived data available. The consumer will provide instructions of where the data is to be transferred. Core confirm that we will purge and destroy consumer data from any computers, storage devices and storage media that are to be retained by the Supplier after the end of the subscription period and the subsequent extraction of consumer data (if requested by the consumer)
End-of-contract process All data is stored within a SQL database. Data may be archived off the database onto another storage device or exported from the database using a .csv file. In the same way data can be imported using a csv file. Note the import / export of data can be automated as a scheduled task. Core will provide a “simple” and “quick” exit process to enable consumers to move to a different supplier for each of their G-Cloud Services and/or retrieve their data. Core commit to returning all consumer generated data (e.g. content, metadata, structure, configuration etc.) and a list of the data that will be available for extraction.Data that will not be available for later extraction will also be published.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Opera
Application to install Yes
Compatible operating systems
  • Android
  • Windows
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Inmate portal is designed for tablets and desktop.
Officer portal is designed for desktop only.
Friends & Family portal is designed for mobile, tablet and desktop.
Accessibility standards None or don’t know
Description of accessibility The solution has not been tested to meet these requirements. Core Systems will work with the customer to satisfy all the accessibility needs raised.
Accessibility testing We have designed the system to make it easy and intuitive to use. We conducted a number of User Experience (UX) tests on the interface of our system with a group of young offenders and women offenders. We also tested the system with primary school students. We implemented all suggested changes to the system. Both of the tests proved that our system is simple to use.
API Yes
What users can and can't do using the API There is an API for importing and updating end users into the system and setting up locations. Limitations based on validation of business rules are set up to protect the integrity of the data. Other functionality that is required to be exposed through an API can be created as a bespoke piece of work for a customer to meet their needs at an additional cost.
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Branding on the officer and inmate login page can be customised to be the customer’s logo and product name – carried out by Core Systems.

Customisable permissions on the officer website so that functionality can be separated to authorised user groups – configurable on the officer website.

Access to modules on the inmate website can be switched on/off for different user groups – configurable on the officer website.

Timed access can be set up for the inmate website e.g. can only access the site for 15 minutes in a 2-hour period - configurable on the officer website.

Content can be added and updated easily e.g. messaging watchwords etc. – configurable on the officer website.

Settings are available to turn pieces of functionality on/off e.g. enable Two Factor Authentication, enable draft messages to be saved by inmates, enable message templates to be used, scan messages for watchwords.

Settings to set values for particular areas e.g. change password label text to pin, screen one message in every x number of messages, max number of characters in a message, max number of lines in a message.

Scaling

Scaling
Independence of resources Web hosted solution on IIS, so can have unlimited concurrent users, the only limiting factor is the amount of available resources on the machine. The software is hosted in a cloud based environment, so resources can be scaled up as required. Hosting environment provides a dedicated resource that is not shared with other customers. The software has been hosted in a single datacentre before and has scaled up to handle a total of 166,000 users and counting.

Analytics

Analytics
Service usage metrics Yes
Metrics types Officer dashboard displaying numeric information on the tasks to be carried out, with links to the appropriate page in order to take these actions, e.g. number of messages to process, number of contacts to approve, number of visits to process. Reports available through the officer interface which displays usage metrics, access to these is configured through permissions in the officer website. e.g. number of logins in a time period, message summary report which contains the number of messages sent and received in a time period, number of visits in a time period, amount of money sent and received.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Resellers
Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Standard reports which can be saved in multiple formats including Excel spreadsheet, Word document, XML file, PDF file, CSV file. These reports can also be set up to be scheduled and emailed to authorised users if required.
CSV files of the data from the database can be produced on request by Core Systems if required.
Core Systems could potentially create a bespoke API for required data if required at an additional cost.
Data export formats
  • CSV
  • Other
Other data export formats
  • Excel spreadsheet
  • Word document
  • XML
  • PDF
  • JSON from API
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks Can implement whitelist of IPs on the TLS solution so that a VPN does not need to be set up but still restrict access to the URLS so that only users from authorised networks can access the service. Can also work with a full VPN solution if required.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability Hosting environment 99.99% availability
Approach to resilience Available on request
Outage reporting Dashboard to monitor if all kiosks are up and running.
Email alerts if any of the websites are not accessible.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels IP whitelisting for officer website along with permission groups to limit access to only authorised users. Support website requires username and password to be setup in order to manage the support issues. Only authorised users have access to the cloud environment and each user has their own account. Login access to the database is restricted to only authorised support users.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users receive audit information on a regular basis
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 SGS Ltd
ISO/IEC 27001 accreditation date 05/06/2014
What the ISO/IEC 27001 doesn’t cover Certification covers all business functions within the company
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Official Accreditation – received from Youth Justice Board

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We have a well established security information management system and related policies in place which adhere to ISO 27001 international standards. We have held ISO 27001 certification which is AKAS accredited since 2014. We have regular internal audits and review meetings to ensure that our processes and practices adhere to our information management policies and that these are in line with the ISO 27001 standard.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Core Systems have a dedicated change manager who will manage the paperwork and approvals. Changes required can be discussed and scoped out with the business team and they will be passed on to change manager.
Change Process:
• Changes agreed with business
• Change request completed
• Customer approver’s review and approve the change
• Core implement the change in development & QA environments and test thoroughly
• Core implement the change in production and test thoroughly. Changes can be rolled back if necessary
• Core notify customer of change completion
• Close the change – Post implementation report
Vulnerability management type Supplier-defined controls
Vulnerability management approach Monthly patches are carried out on the OS and other 3rd party software installed.
Current and newly emerging vulnerabilities are monitored by subscriptions to email distribution groups, publications and relevant websites are reviewed regularly.
A list of 3rd party libraries used to build the software is maintained along with the current version number used, this is periodically reviewed to identify whether there are any security vulnerabilities and if a newer version is available. If an action is deemed pertinent and prudent then it will be handled through the Change Management Process.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Antivirus, Malware, Intrusion Detection & Protection, threat detection, correlation analysis, stateful firewall, execution environment checks are all provided by a cloud based Protective Monitoring service. This provides real-time, contextual and predictive threat intelligence. This will identify potential software compromises.

The response process when we find a potential compromise is as follows:
• Ascertain the issue and impact
• Contingency plans put in place around potential risks e.g. snapshots and backups
• Resolution agreed with customer and implemented

A number of risk scenarios are automated and responded to immediately.
High impact incidents are escalated to high priority.
Incident management type Supplier-defined controls
Incident management approach When a support issue is received by Core Systems a ticketing system will operate and once an issue has been logged a unique support reference number will be assigned to it and should be quoted in all future communications relating to the issue. Users must report as much information as possible to ensure faster diagnosis of the issue, examples of the information required will be provided. A common issue responsibility matrix will be provided along with the corresponding SLA level.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No

Pricing

Pricing
Price £0.10 to £0.55 per unit
Discount for educational organisations Yes
Free trial available Yes
Description of free trial We offer a trial version of the software license. Hosting costs from 3rd party, support and installation are not included. There is a limited time period of 2 months.

Service documents

pdf document: Pricing document pdf document: Skills Framework for the Information Age rate card pdf document: Service definition document pdf document: Terms and conditions
Service documents
Return to top ↑