QOREX LTD

QOREX Business Management Software

QOREX maximises organisations performance. It does this by removing unnecessary complexity, simplifying operations and aligning investment with results. Enabling a systematic approach to business management, it delivers a single point of truth, bringing together data and information from across the organisation(s) including Planning, Benefits, Operations and Project Delivery.

Features

  • Translate strategy into action, leveraging capabilities to optimise organisation potential.
  • Holistic Portfolio, Programme and Project prioritisation, management, delivery and reporting
  • Encourages operational focus on value adding products, services and capabilities
  • Executive dashboards provide insight into performance e.g. most accretive projects
  • Benefits are quantified, prioritised and delivered to sustain over time
  • Business Maps highlighting interdependencies support transparency and risk management interventions
  • Supports performance appraisal by associating results with assigned staff records
  • Revolutionises routine reporting, eliminating wasted effort and boosting morale
  • Document repository and distribution management system with full audit trail
  • Geographic mapping can be used to create organisation services heat-maps

Benefits

  • Establishes a clear line of sight between strategy and delivery
  • Displays organisation scope and RAG-rated performance using simple graphics
  • Eliminates complexity to structure streamlined data and support effective governance
  • Improves collaboration, co-operation, productivity, information accessibility, employee engagement
  • Enables evidence based leadership and timely fact based decision making
  • Integrated data repository creates transparency and eliminates data reconciliation activities
  • Maps and rates interdependencies, creating a delivery risk early-warning system
  • Systemised management approach reduces administration and encourages adoption
  • Clear accountability and responsibility for results increases likelihood of success
  • Role based access control ensures appropriate levels of security

Pricing

£97.00 per person per month

Service documents

G-Cloud 11

681238869121631

QOREX LTD

Philip Trickey

07834 800416

phil.trickey@qorex.co.uk

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints Any service constraints wil be agreed with the client and documented as part of the initial proposal phase so that all parties are aware of any such constraints prior to the start of on-boarding.
System requirements
  • Appropriate equipment and technology to access QOREX servers
  • Appropriate Internet connectivity and bandwidth
  • Adequate browsers are installed on end user computers
  • Ensure that firewalls configured to allow access to QOREX servers
  • Whitelisting QOREX domain so that QOREX emails can be received

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Severity 1 = 2 Business Hours Response time; 1 Business Day Resolution Time
Severity 2 = 4 Business Hours Response Time; 2 Business Days Resolution Time
Severity 3 = 1 Business Day Response Time; 5 Business Days Resolution Time
Severity 4 = 2 Business Days Response Time; Resolution is next major release of Software subject to the enhancements or additional modules being agreed by the Company.
User can manage status and priority of support tickets No
Phone support No
Web chat support No
Onsite support Yes, at extra cost
Support levels Level 0 support – Self-service solutions that users can access themselves include automated password resets, soft copy user guides.

Level 1 support – Filters all reported incidents and provides basic support and troubleshooting and escalation to Level 2 and Level 3 support.

Level 2 Support - Investigates and resolves incidents and observations.

Level 3 Support – Troubleshoot and repair more complex issues. Level 3 support is carried out by technology specialists with the ability to deploy solutions to problems.

A QOREX Account Manager is assigned to each customer and has responsibility for ownership of usability, training and implementation questions raised. They act as a single point of escalation, keeping users informed of the status of their enquiry and ensuring responses are within agreed service levels.

The cost is dependent on the agreed implementation and ongoing support plan.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We typically use a three-phase approach. During the Discovery phase we work with the client to document the existing systems, processes, data (and migration requirements), technical architecture, security and systems integration requirements and the scope of the final audience, resulting in a detailed plan detailing of the new system requirements and how it is to be implemented, including any necessary bespoke development (and any associated additional costs). The Pilot phase involves setting up a new QOREX ‘instance’, working with the client to populate it with a subset of data, demonstrating the functionality to a small number of client users, including required amendments to the data-set along with the rollout and testing of any bespoke development and/or systems integration agreed. The Deployment phase commences when the client wishes to rollout the system to the entire agreed audience. On-site training will have been provided during the Pilot phase and additional on-site training may be delivered as required to a wider audience during the Deployment phase. The agreed support procedures and any further documentation required will also be rolled out at this point. User documentation is provided in the form of training and user manuals.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction In the event of termination of the Contract by either the Company or the client and on written request by the client, the Data within the Software will be provided to the client within 10 Business Days of termination of the Contract in Comma Separated Variable (CSV) format.
End-of-contract process At the end of each of the Discovery, Pilot and Deployment phases’ client approval is required before proceeding to the next stage. The Service shall be provided to the client for a period of twelve (12) months from the Contract Date and shall terminate immediately upon expiry of that period unless the client has paid the Annual Subscription Fee to renew the Service for a further twelve (12) month period. In the event of termination, the licence of intellectual property rights shall be revoked automatically. Data within the software can be provided on written request within 10 business days in CSV file format.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service QOREX has been designed and developed with responsive design in mind to maximise users’ experience, however, there exists common limitations with some mobile devices. The display on a very small mobile device (e.g. a phone) may be portrait-oriented, so scrolling and zooming may be required and hover may be unavailable; less processing power and bandwidth may be available on a mobile device which may result in pages rendering more slowly than desktop; browser features may be limited on a mobile device and the keyboard is typically smaller so data entry is less favourable on a mobile device than desktop.
API No
Customisation available Yes
Description of customisation Customisation includes local instance language, categories, types, tags and other site-wide settings like password strength, logo, colours, etc.

Customisation is carried out at the Site Administration Level and is available to those with the necessary level of Role Based Access Control.

More fundamental enhancements to the software functionality can be specified and agreed with QOREX in collaboration with the customer. Such work will be prioritised, scheduled and delivered by QOREX Ltd. All intellectual property rights associated with any software application enhancements remain with QOREX Ltd.

Scaling

Scaling
Independence of resources Each QOREX 'instance' has its own subdomain and its own independent database. The web and database servers are on separate physical servers with the database server only being accessible (either by QOREX staff or the QOREX application) over VPN.

Analytics

Analytics
Service usage metrics No

Resellers

Resellers
Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency Less than once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Other
Other data at rest protection approach Dedicated Mechanical & Engineering corridors away from IT equipment. Biometric iris scan man-trap to gain access to data floor area. On-site human security presence 24x7. Proximity access locks on all external and internal doors. Interlocked man-traps on front entrance and goods in area. Perimeter fence with rota spikes, anti-ram raid barriers, blast-proof windows and steel security doors. External and internal digital IP ICCTV system with digitally controlled motion sensors and flood lighting.
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach QOREX provides a facility within the software to export data to either a Comma Separated Value (csv) or Excel (xlsx) file format.
Data export formats
  • CSV
  • Other
Other data export formats Excel (xlsx)
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks Legacy SSL and TLS (under version 1.2)
Data protection within supplier network IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability With the exception of planned downtime and events outside our control the QOREX BMS is planned to be available for 99.9% of available time. Any reduction on this availability will attract a refund as set out in our Terms and Conditions.
Approach to resilience The servers run the Trend Micro Deep Security IDS software to protect against attacks. The hardware is connected to redundant power supplies and our SLA has a 2 hour hardware replacement guarantee. Each instance database is backed up every 2 hours and stored on a separate (Centro -based) server.
Outage reporting The system is monitored every minute and any outages are reported to the development director and lead developer by SMS. Maintenance will be required on both a scheduled and ad hoc basis and some (but not all) maintenance activities will require system downtime. QOREX will use all reasonable efforts to keep maintenance related downtime to a minimum and wherever possible to undertake any such activities outside business days. QOREX will inform users of any necessary maintenance related downtime by giving at least 24 hours' notice and an indication of the expected downtime (if any) by email alert. Any significant planned maintenance activities that will result in extended downtime and will occur during business days will only be undertaken by QOREX in agreement with the customer at a mutually convenient time. Such activities include system migration, major software releases and hardware upgrades.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Client system administrators access their QOREX instance using an email address and password and are able to add new user accounts (up to their agreed limit) and manage existing accounts. They are empowered to create, manage and delete users accounts within their own instance and are able to dictate the screens and entities each user is able to access and the degree of control (RO/RW) over those screens and entities. Support requests to QOREX are logged within the application itself and any that are related to user account management would be referred back to the client system administrator to resolve.
Access restriction testing frequency Less than once a year
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach We ensure we react appropriately and in a timely fashion to any actual or suspected incidents relating to the security of our information systems. We have a clear incident reporting process in place which details the procedures for the identifying, reporting and recording of security incidents. This applies to all QOREX employees, contractors and partners who use QOREX facilities and equipment or have access to QOREX’s client data and all are responsible for ensuring the safety and security of QOREX’s systems and information. We foster a proactive incident reporting culture to help reduce and even prevent incidents from occurring.
Information security policies and processes Although QOREX does not yet have ISO27001 certification, an Interim Security Policy, Risk Register and Information Security Incident Management Policy is in place; enshrining the principles of confidentiality, integrity and availability of our own and client’s information; ensuring regulatory and legislative requirements are met and suspected breaches are reported and investigated. Phil Trickey, CEO, is the board representative with overall responsibility for security. An Incident Owner will be assigned for each Security Incident and is responsible for managing all aspects of the incident through to its resolution and subsequent reporting and feedback. As part of the cycle of continuous improvement, all staff are encouraged to contribute to the improvement of our information security procedures and techniques by being constantly aware of the risks associated with a breakdown in security procedures and submitting suggestions for improvement. All observations and suggestions for improvement are logged in the ticketing system and assigned to appropriate staff to review and action. Every quarter a Security Bulletin is issued to all staff in the form of an email in addition to ad-hoc security messages. Both the quarterly Security Bulletins and ad hoc updates are required reading for all staff.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All changes are carefully reviewed to ensure that they will not have a detrimental effect; are documented in the ticketing system; specified to be relevant to all clients (or markets); considered within the context of the existing security provisions to ensure that security is not compromised or new security provisions implemented; undergo a code review before they are submitted for local testing; documented, tested and approved by the Development Director before being released to the live system. Releases are performed, whenever possible, outside office hours. Appropriate tests are repeated on the live system once a change request has gone live.
Vulnerability management type Supplier-defined controls
Vulnerability management approach The QOREX system was last subjected to penetration testing by Portcullis (now part of Cisco) a CHECK service provider, in 2016 as part of our successful security assessment to become a SaaS supplier to the Student Loans Company. MalDet is currently run every 24 hours. However, we are currently evaluating a number of other automated vulnerability monitoring applications (such as OWASP ZAP, Nikto, etc) and will be implementing our preferred solution before the end of the year.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Potential compromises are detected from either a user or a monitoring system detecting an incident and triggering an alert. The servers run the Trend Micro Deep Security IDS software to protect against attacks. The incident is recorded and tracked, assigned an Incident Owner, allocated a severity of critical (reported immediately), significant (reported within 4 hours) or minor (reported within 1 day) and an Incident Resolution Plan is formulated. If the incident severity is Critical, the Incident Owner commences the assessment within 60 minutes of the incident being reported and informs the Security Manager of a Critical Security Incident.
Incident management type Supplier-defined controls
Incident management approach The Incident Management Process comprises four stages. Detection - an end user or employee reports a problem via a phone call or the reporting system in the QOREX platform or a monitoring system detects an incident. Assesment - the nature and severity of the Security Incident is assessed and a plan is formulated. Resolution - the Incident Owner will manage the resolution and ensure that all interested parties are informed of progress and closure through regular reporting. Review - the Incident Manager and Security Manager, will review and report the incident to see if any lessons can be learned.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No

Pricing

Pricing
Price £97.00 per person per month
Discount for educational organisations No
Free trial available No

Service documents

pdf document: Pricing document pdf document: Service definition document pdf document: Terms and conditions
Service documents
Return to top ↑