Merlin (strategic issue management service)
Mott MacDonald’s Merlin is a flexible web browser-based issue, crisis and major event management tool enabling strategic collaboration between teams in coordinating city or event operations. Merlin provides the ability to quickly share knowledge, implement coordinated responses to issues, maintain cohesive and clear map-based and tabular views for relevant stakeholders.
- Issue management including capturing all relevant history.
- Interactive mapping, supporting geospatial analysis.
- Document storage, providing access to contingency plans.
- Stakeholder dashboard, providing a shared status of all issues.
- Planned event management, enabling impact assessment during crises.
- Routine and ad-hoc reporting, encouraging information sharing.
- Full audit trail, supporting post-incident analysis.
- Secure role-based access from any standard web browser.
- Internal and external access allows information to be quickly shared.
- All data stored centrally and safely, reducing administrative overhead.
- Enables informed decision making and ensures teams are kept up-to-date.
- Supports cross-organisational collaboration improving communication.
- Supports rapid and appropriate response and recovery.
- Fully accessible by desktop, tablet and mobile device.
- Developed closely with clients and major recent events.
- Advanced filtering and sorting to find incidents quickly and easily.
£34200 per instance
- Pricing document
- Skills Framework for the Information Age rate card
- Service definition document
- Terms and conditions
- Modern Slavery statement
Mott MacDonald Limited
+44 (0)141 222 3798
|Software add-on or extension||No|
|Cloud deployment model||Private cloud|
|System requirements||Approved web browser version|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Response times: GOLD Support: 1 support hour | SILVER Support: 4 support hours | BRONZE Support: 8 support hours|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Standard Support: 08:30-17:00 weekdays (excl. bank holidays) | Enhanced Support: 24x7 (by agreement)
Support costs and further details are included in our Service Description and Pricing documents.
We will provide a technical project manager/account manager.
|Support available to third parties||No|
Onboarding and offboarding
Following agreement of contract, the following onboarding process will be undertaken:
● Initiation of project management methodology
● Clarification session on configuration requirements held on customer premises
● Templates provided for customer data inputs, such as user accounts, organisation names and map data
● Hosting setup and configuration
● Service configuration and commissioning
● Support setup
User training can be provided in the form of classroom-based, hands-on training. User training is provided as a half-day session at the buyer's premises. During such training, users are provided with instruction in using all aspects of the system as an end-user. Attendees are provided with electronic course materials.
Train-the-trainer training can be provided in the form of classroom-based, hands-on training. Train-the-trainer training is provided as a full-day session at the buyer's premises. During such training, trainers are provided with instruction in using all aspects of the system as an end-user, as well as in the underlying system principles, allowing them to confidently provide training and guidance to the ultimate end users. Attendees are provided with electronic course materials. Train-the-trainer training is priced as a unit of five attendees.
|End-of-contract data extraction||As part of the offboarding process, Mott MacDonald will provide the customer with an extract of all customer data stored in Merlin. This will be provided in Comma Separated Value files. All hosted data will then be securely deleted from the server prior to decommissioning of the service.|
|End-of-contract process||The system will be decommissioned and an export of the data will be provided as part of the contract.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||No|
|Independence of resources||Independent cloud infrastructure is supplied for each client instance to prevent one client service impacting another. Preventative health checks and network checks are undertaken daily for each system to ensure a high level of service at all times.|
|Service usage metrics||Yes|
|Metrics types||Fully audited system recording user access and all changes to data.|
|Reporting types||Reports on request|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||Less than once a year|
|Penetration testing approach||In-house|
|Protecting data at rest||Physical access control, complying with another standard|
|Data sanitisation process||No|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||The data stored in Merlin is accessible to users through the application at any time they require. If an export is required it can be provided by the support team. A full export of the data would be provided at the end of the contract as part of the offboarding process.|
|Data export formats||CSV|
|Data import formats||CSV|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
|Guaranteed availability||Service levels can be defined on a client by client basis as part of the call-off arrangements.|
|Approach to resilience||Resilience level is dependent on host service support selected.|
|Outage reporting||Outages are reported internally to our helpdesk, who coordinate and escalate to project managers as required to liaise with client representatives.|
Identity and authentication
|User authentication needed||Yes|
|User authentication||Username or password|
|Access restrictions in management interfaces and support channels||
Limited access over dedicated link, enterprise or community network.
Username and strong password/passphrase enforcement.
The system supports different roles and responsibilities with respect to access to data held within the system.
Accounts and roles will be assigned to individuals.
|Access restriction testing frequency||At least once a year|
|Management access authentication||Username or password|
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||DNV GL|
|ISO/IEC 27001 accreditation date||10/5/2019|
|What the ISO/IEC 27001 doesn’t cover||N/a|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
Our cloud services are managed under Mott MacDonald's Information Security Management System (ISMS) which is independently audited and certified under ISO27001:2013.
Project Managers are responsible for their Projects’ Security Incident Management for systems that are not connected to Group IT systems. All projects must complete an Information Security Risk Assessment (ISRA) as part of our Project Plan of Work (PPW), which must review risks and provide mitigation strategies.
All serious information security incidents (actual or perceived) must be immediately reported to the Director Business Management Systems and Risk who will form a Response Team and Plan to deal with the situation.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||Our configuration and change management processes are documented as procedures complying with both ISO9001:2015, TickITPlus and potential security impacts through ISO27001:2013. TickITplus covers our expertise in project management, technical and advisory services in transport engineering, system integration and the development of associated software to Government, Local Authority and the Private Sector. Management and mitigation of risk is an integral part of our system and is monitored and reported through a set of mature project governance procedures designed to identify risks and mitigate against them as soon as possible.|
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
We maintain a broad awareness of cyber threats and techniques by:
• Subscribing to numerous vulnerability and security alert sources e.g.
o Redhat security advisories
o Microsoft security advisories
o Oracle Java advisories
o Cisco security advisories
o General alerts:
US CERT alerts
NCSC threat reports
For specific platforms, we use analysis and reporting tools as one means of keeping track of implementation issues e.g.
• scap-workbench with various profiles.
• OpenVAS mailing list: https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
• NVT Feed: http://www.openvas.org/openvas-nvt-feed.html
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
We use a number of tools and techniques to monitor systems for signs of compromise:
• Regular network penetration test scans to detect potential vulnerabilities;
• host-based intrusion detection;
• network firewall;
• Web application firewall where justified by the risk assessment; and
• comprehensive system and network monitoring using OpenNMS to detect log events and service issues.
We treat a potential compromise as an information security incident and respond using our Business Management System STEP procedure which details the process for dealing with an information security incident.
|Incident management type||Supplier-defined controls|
|Incident management approach||
External users can report incidents by contacting our Help Desk by phone or email. Internal users use our ServiceNOW system to report information security incidents.
We treat a potential compromise as an information security incident and respond using our BMS STEP procedure, complying with ISO 27001, which details the process for dealing with an information security incident.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£34200 per instance|
|Discount for educational organisations||No|
|Free trial available||No|