Mott MacDonald Limited

Merlin

Mott MacDonald’s Merlin is a flexible web browser-based incident, crisis and major event management tool enabling strategic collaboration between teams in coordinating city or event operations. Merlin provides the ability to quickly share knowledge, implement coordinated responses to incidents, and maintain cohesive and clear map-based and tabular views for relevant stakeholders.

Features

  • Incident management including capturing all relevant incident history.
  • Interactive mapping, supporting geospatial analysis.
  • Document storage, providing access to contingency plans.
  • Stakeholder dashboard, providing a shared status of all issues.
  • Planned event management, enabling impact assessment during crises.
  • Routine and ad-hoc reporting, encouraging information sharing.
  • Full audit trail, supporting post-incident analysis.
  • Secure role-based access from any standard web browser.

Benefits

  • Internal and external access allows information to be quickly shared.
  • All data stored centrally and safely, reducing administrative overhead.
  • Enables informed decision making and ensures teams are kept up-to-date.
  • Supports cross-organisational collaboration improving communication.
  • Supports rapid and appropriate response and recovery.
  • Fully accessible by desktop, tablet and mobile device.
  • Developed closely with clients and major recent events.
  • Advanced filtering and sorting to find incidents quickly and easily.

Pricing

£39900 per instance

Service documents

G-Cloud 9

829534602956585

Mott MacDonald Limited

Samantha Lottering-Geeson

+44 (0)141 222 3798

sam.lottering-geeson@mottmac.com

Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints None
System requirements Approved web browser version

User support

Email or online ticketing support Email or online ticketing
Support response times Response times:

GOLD Support: 1 support hour
SILVER Support: 4 support hours
BRONZE Support: 8 support hours
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Standard Support: 08:30-17:00 weekdays (excl. bank holidays)
Enhanced Support: 24x7 (by agreement)

Support costs and further details are included in our Service Description and Pricing documents

We will provide a technical project manager/account manager.
Support available to third parties No

Onboarding and offboarding

Getting started Following agreement of contract, the following on-boarding process will be undertaken:

● Initiation of project management methodology
● Clarification session on configuration requirements held on customer premises
● Templates provided for customer data inputs, such as user accounts, organisation names and map data
● Hosting setup and configuration
● Service configuration and commissioning
● Support setup

User training can be provided in the form of classroom-based, hands-on training. User training is provided as a half-day session at the buyer's premises. During such training, users are provided with instruction in using all aspects of the system as an end-user. Attendees are provided with electronic course materials.

Train-the-trainer training can be provided in the form of classroom-based, hands-on training. Train-the-trainer training is provided as a full-day session at the buyer's premises. During such training, trainers are provided with instruction in using all aspects of the system as an end-user, as well as in the underlying system principles, allowing them to confidently provide training and guidance to the ultimate end users. Attendees are provided with electronic course materials. Train-the-trainer training is priced as a unit of five attendees.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction As part of the off-boarding process, Mott MacDonald will provide the customer with an extract of all customer data stored in Merlin. This will be provided in Comma Separated Value files. All hosted data will then be securely deleted from the server prior to decommissioning of the service.
End-of-contract process The system will be decommissioned and an export of the data will be provided as part of the contract.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10+
  • Firefox
  • Chrome
Application to install No
Designed for use on mobile devices No
Accessibility standards None or don’t know
Description of accessibility Our service has been developed in close consultation with expert users throughout its lifecycle. This ensures it is easy to use and intuitive for the particular user community.
Accessibility testing No specific accessibility testing has been undertaken.
API No
Customisation available No

Scaling

Independence of resources Independent cloud infrastructure is supplied for each client instance to prevent one client service impacting another. Preventative health checks and network checks are undertaken daily for each system to ensure a high level of service at all times.

Analytics

Service usage metrics Yes
Metrics types Fully audited system recording user access and all changes to data.
Reporting types Reports on request

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency Less than once a year
Penetration testing approach In-house
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process No
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach The data stored in Merlin is accessible to users through the application at any time they require. If an export is required it can be provided by the support team. A full export of the data would be provided at the end of the contract as part of the off-boarding process.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability Service levels can be defined on a client by client basis as part of the call-off arrangements.
Approach to resilience Resilience level is dependent on host service support selected.
Outage reporting Outages are reported internally to our helpdesk, who coordinate and escalate to project managers as required to liaise with client representatives.

Identity and authentication

User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Limited access over dedicated link, enterprise or community network

Username and strong password/passphrase enforcement

The system supports different roles and responsibilities with respect to
access to data held within the system. Accounts and roles will be
assigned to individuals.
Access restriction testing frequency At least once a year
Management access authentication Username or password

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 DNV GL
ISO/IEC 27001 accreditation date 1/3/2016
What the ISO/IEC 27001 doesn’t cover N/A
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Our cloud services are managed under Mott MacDonald's Information Security Management System (ISMS) which is independently audited and certified under ISO27001:2013.

Project Managers are responsible for their Projects’ Security Incident Management for systems that are not connected to Group IT systems. All projects must complete an Information Security Risk Assessment (ISRA) as part of our Project Plan of Work (PPW), which must review risks and provide mitigation strategies.

All serious information security incidents (actual or perceived) must be immediately reported to the Director Business Management Systems and Risk who will form a Response Team and Plan to deal with the situation.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Our configuration and change management processes are documented as procedures complying with both ISO9001:2008 and TickITplus, with potential security impacts addressed through ISO27001:2013. TickITplus covers our expertise in project management, technical and advisory services in transport engineering, system integration and the development of associated software to Government, Local Authority and the Private Sector. Management and mitigation of risk is an integral part of our system and is monitored and reported through a set of mature project governance procedures designed to identify risks and mitigate them as soon as possible.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We maintain a broad awareness of cyber threats and techniques by:

• Subscribing to numerous vulnerability and security alert sources, e.g.
  ◦ Red Hat security advisories
  ◦ Microsoft security advisories
  ◦ Oracle Java advisories
  ◦ Cisco security advisories
  ◦ General alerts:
    ▪ CERT-UK alerts
    ▪ US CERT alerts
    ▪ News sites
    ▪ https://nvd.nist.gov/cvss.cfm
    ▪ NCSC threat reports

For specific platforms, we use analysis and reporting tools as one means of keeping track of implementation issues e.g.

• scap-workbench with various profiles.
• OpenVAS mailing list: https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
• NVT Feed: http://www.openvas.org/openvas-nvt-feed.html
Protective monitoring type Supplier-defined controls
Protective monitoring approach We use a number of tools and techniques to monitor systems for signs of compromise:
• Regular network penetration test scans to detect potential vulnerabilities;
• host-based intrusion detection;
• network firewall;
• Web application firewall where justified by the risk assessment; and
• comprehensive system and network monitoring using OpenNMS to detect log events and service issues.
We treat a potential compromise as an information security incident and respond using our Business Management System STEP procedure which details the process for dealing with an information security incident.
Incident management type Supplier-defined controls
Incident management approach External users can report incidents by contacting our Help Desk by phone or email. Internal users use our ServiceNOW system to report information security incidents.
We treat a potential compromise as an information security incident and respond using our BMS STEP procedure, complying with ISO 27001, which details the process for dealing with an information security incident.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No

Pricing

Price £39900 per instance
Discount for educational organisations No
Free trial available No

Documents

Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document