Prisoner Messaging, Secure Video Visits and Money Deposits Solution – Direct2inmate
Prisoners are able to securely communicate with family, friends and legal teams via prisoner messaging and video visits. Over 24,5 million messages were sent by the end of 2018 using the prisoner messaging solution. Direct2inmate’s money deposits portal allows friends and family to securely deposit funds to a prisoner’s account.
- Secure prison lockdown operating system with access management controls
- Secure prison email - watch words are automatically flagged
- Browser based (multi-device) solution – including mobile device management
- Full audit trail of all prisoner communication through the system
- Optional push notifications for prison video visits
- Investigative and analysis tools for prison staff
- All prisoner video calls can be live monitored and downloaded
- External portal has real time integration with prisoner account
- Secure prisoner / staff login (biometric option)
- Notifications to confirm successful deposit in prisoner account
- Prisoner messaging is less resource intensive than physical post
- Prisoner messaging lowers the risk of contraband entering prison
- More privacy with prisoner messaging
- Aids normalisation – prisoner messaging is similar to e-mail
- Video visits encourage productive in-cell time
- Lawyers and legal counsel can avail of video visits
- Video visits with family encourage reduction in recidivism
- Quick and efficient way of transferring money to prisoner account
- Peace of mind that prisoner has sufficient funds
- Potential revenue stream for facility
£0.10 to £0.55 per unit
- Education pricing available
- Free trial available
- Pricing document
- Skills Framework for the Information Age rate card
- Service definition document
- Terms and conditions
|Software add-on or extension||No|
|Cloud deployment model||
|Email or online ticketing support||Yes, at extra cost|
|Support response times||This is scoped out on a per job bases to meet the needs of the customer.|
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Core provide a technical account manager and a cloud support engineer. A typical support scenario with a customer will be as follows:
Once it has been determined that the fault is a software issue relating to Core, Core will provide First-Level Support. Core will provide a Help desk Service which will provide for the recording and escalation of issues.
Second-Level Support - Core will further investigate the issue following the steps outlined in the documentation. This may include resolutions or temporary workarounds for complex issues.
Third-level Support – Core Systems shall provide resolutions for reported errors or issues. Core Systems shall make, and provide Customer with, revisions and enhancements to the Code.
The cost of 1st, 2nd and 3rd level support is included in SaaS pricing document. This is based on remote software support, 9 am – 5 pm, Monday – Friday, excluding bank holidays. Any additional support required for customers specific SLAs will be negotiated and costed separately.
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||To help users to get starting using software solutions Core Systems provide training and assistance with go live on site. We also provide training videos and manuals to support training sessions.|
|End-of-contract data extraction||All data will be managed to ensure availability at contract end. At end of contract we will make consumers archived data available. The consumer will provide instructions of where the data is to be transferred. Core confirm that we will purge and destroy consumer data from any computers, storage devices and storage media that are to be retained by the Supplier after the end of the subscription period and the subsequent extraction of consumer data (if requested by the consumer)|
|End-of-contract process||All data is stored within a SQL database. Data may be archived off the database onto another storage device or exported from the database using a .csv file. In the same way data can be imported using a csv file. Note the import / export of data can be automated as a scheduled task. Core will provide a “simple” and “quick” exit process to enable consumers to move to a different supplier for each of their G-Cloud Services and/or retrieve their data. Core commit to returning all consumer generated data (e.g. content, metadata, structure, configuration etc.) and a list of the data that will be available for extraction.Data that will not be available for later extraction will also be published.|
Using the service
|Web browser interface||Yes|
|Application to install||Yes|
|Compatible operating systems||
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||
Inmate portal is designed for tablets and desktop.
Officer portal is designed for desktop only.
Friends & Family portal is designed for mobile, tablet and desktop.
|Accessibility standards||None or don’t know|
|Description of accessibility||The solution has not been tested to meet these requirements. Core Systems will work with the customer to satisfy all the accessibility needs raised.|
|Accessibility testing||We have designed the system to make it easy and intuitive to use. We conducted a number of User Experience (UX) tests on the interface of our system with a group of young offenders and women offenders. We also tested the system with primary school students. We implemented all suggested changes to the system. Both of the tests proved that our system is simple to use.|
|What users can and can't do using the API||There is an API for importing and updating end users into the system and setting up locations. Limitations based on validation of business rules are set up to protect the integrity of the data. Other functionality that is required to be exposed through an API can be created as a bespoke piece of work for a customer to meet their needs at an additional cost.|
|API documentation formats||
|API sandbox or test environment||Yes|
|Description of customisation||
Branding on the officer and inmate login page can be customised to be the customer’s logo and product name – carried out by Core Systems.
Customisable permissions on the officer website so that functionality can be separated to authorised user groups – configurable on the officer website.
Access to modules on the inmate website can be switched on/off for different user groups – configurable on the officer website.
Timed access can be set up for the inmate website e.g. can only access the site for 15 minutes in a 2-hour period - configurable on the officer website.
Content can be added and updated easily e.g. messaging watchwords etc. – configurable on the officer website.
Settings are available to turn pieces of functionality on/off e.g. enable Two Factor Authentication, enable draft messages to be saved by inmates, enable message templates to be used, scan messages for watchwords.
Settings to set values for particular areas e.g. change password label text to pin, screen one message in every x number of messages, max number of characters in a message, max number of lines in a message.
|Independence of resources||Web hosted solution on IIS, so can have unlimited concurrent users, the only limiting factor is the amount of available resources on the machine. The software is hosted in a cloud based environment, so resources can be scaled up as required. Hosting environment provides a dedicated resource that is not shared with other customers. The software has been hosted in a single datacentre before and has scaled up to handle a total of 166,000 users and counting.|
|Service usage metrics||Yes|
|Metrics types||Officer dashboard displaying numeric information on the tasks to be carried out, with links to the appropriate page in order to take these actions, e.g. number of messages to process, number of contacts to approve, number of visits to process. Reports available through the officer interface which displays usage metrics, access to these is configured through permissions in the officer website. e.g. number of logins in a time period, message summary report which contains the number of messages sent and received in a time period, number of visits in a time period, amount of money sent and received.|
|Supplier type||Not a reseller|
|Staff security clearance||Staff screening not performed|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Supplier-defined controls|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider|
|Protecting data at rest||Physical access control, complying with another standard|
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||
Standard reports which can be saved in multiple formats including Excel spreadsheet, Word document, XML file, PDF file, CSV file. These reports can also be set up to be scheduled and emailed to authorised users if required.
CSV files of the data from the database can be produced on request by Core Systems if required.
Core Systems could potentially create a bespoke API for required data if required at an additional cost.
|Data export formats||
|Other data export formats||
|Data import formats||CSV|
|Data protection between buyer and supplier networks||
|Other protection between networks||Can implement whitelist of IPs on the TLS solution so that a VPN does not need to be set up but still restrict access to the URLS so that only users from authorised networks can access the service. Can also work with a full VPN solution if required.|
|Data protection within supplier network||
Availability and resilience
|Guaranteed availability||Hosting environment 99.99% availability|
|Approach to resilience||Available on request|
Dashboard to monitor if all kiosks are up and running.
Email alerts if any of the websites are not accessible.
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||IP whitelisting for officer website along with permission groups to limit access to only authorised users. Support website requires username and password to be setup in order to manage the support issues. Only authorised users have access to the cloud environment and each user has their own account. Login access to the database is restricted to only authorised support users.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users receive audit information on a regular basis|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users have access to real-time audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||User-defined|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||SGS Ltd|
|ISO/IEC 27001 accreditation date||05/06/2014|
|What the ISO/IEC 27001 doesn’t cover||Certification covers all business functions within the company|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||Official Accreditation – received from Youth Justice Board|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||We have a well established security information management system and related policies in place which adhere to ISO 27001 international standards. We have held ISO 27001 certification which is AKAS accredited since 2014. We have regular internal audits and review meetings to ensure that our processes and practices adhere to our information management policies and that these are in line with the ISO 27001 standard.|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
Core Systems have a dedicated change manager who will manage the paperwork and approvals. Changes required can be discussed and scoped out with the business team and they will be passed on to change manager.
• Changes agreed with business
• Change request completed
• Customer approver’s review and approve the change
• Core implement the change in development & QA environments and test thoroughly
• Core implement the change in production and test thoroughly. Changes can be rolled back if necessary
• Core notify customer of change completion
• Close the change – Post implementation report
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
Monthly patches are carried out on the OS and other 3rd party software installed.
Current and newly emerging vulnerabilities are monitored by subscriptions to email distribution groups, publications and relevant websites are reviewed regularly.
A list of 3rd party libraries used to build the software is maintained along with the current version number used, this is periodically reviewed to identify whether there are any security vulnerabilities and if a newer version is available. If an action is deemed pertinent and prudent then it will be handled through the Change Management Process.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
Antivirus, Malware, Intrusion Detection & Protection, threat detection, correlation analysis, stateful firewall, execution environment checks are all provided by a cloud based Protective Monitoring service. This provides real-time, contextual and predictive threat intelligence. This will identify potential software compromises.
The response process when we find a potential compromise is as follows:
• Ascertain the issue and impact
• Contingency plans put in place around potential risks e.g. snapshots and backups
• Resolution agreed with customer and implemented
A number of risk scenarios are automated and responded to immediately.
High impact incidents are escalated to high priority.
|Incident management type||Supplier-defined controls|
|Incident management approach||When a support issue is received by Core Systems a ticketing system will operate and once an issue has been logged a unique support reference number will be assigned to it and should be quoted in all future communications relating to the issue. Users must report as much information as possible to ensure faster diagnosis of the issue, examples of the information required will be provided. A common issue responsibility matrix will be provided along with the corresponding SLA level.|
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£0.10 to £0.55 per unit|
|Discount for educational organisations||Yes|
|Free trial available||Yes|
|Description of free trial||We offer a trial version of the software license. Hosting costs from 3rd party, support and installation are not included. There is a limited time period of 2 months.|