Provision of Orcuma's multi agency CRM and case management software. Implementation service includes project management, business analysis, software development, configuration, testing (including penetration testing), training, go live support. Post go-live services include support, maintenance, change management, incident management, hosting, data backups and disaster recovery service (IBM Softlayer).
- Self service configuration capability and workflow engine.
- Inbuilt map screen.
- Document storage and management.
- Mobile application for remote and agile access.
- Ease and speed of access and setup.
- Ease of data extraction and real time reporting capability.
- Role based access security configuration.
- Multi agency case access with manageable actions.
- Configurable APIs and Web services.
- Escalation management.
- Facilitate multi-agency data sharing / collaboration approach.
- Holistic view of the customer and their interactions.
- Reduce travelling costs and resource hours.
- Proactively monitor caseload and processing bottlenecks.
- Enables and supports a mobile, agile workforce.
- Secure, realtime access to case management data.
- Data lookups reduce keystrokes / duplication of data / effort.
- Hold multi-partner datasets for analysis / trend spotting.
- Manage / collaborate on cases effectively / efficiently 24/7.
- Maintain accurate overviews of all cases by whom and when.
£300 to £300 per licence per year
- Free trial available
|Software add-on or extension||No|
|Cloud deployment model||Private cloud|
|Service constraints||No constraints.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||We respond to incident management emails to a dedicated support email address within 1 working day from receipt (or the beginning of the next working day if received on a Saturday or Sunday).|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), 7 days a week|
|Web chat support||Web chat|
|Web chat support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support accessibility standard||None or don’t know|
|How the web chat support is accessible||This is either by Cisco Webex or MeetingBurner software, which allows us or the user to sign in and share their screen so we can see any software issues whilst they are working. We also use Skype to discuss any issues with a client, if they prefer to interact with us through that medium.|
|Web chat accessibility testing||None.|
|Onsite support||Yes, at extra cost|
The escalation of the incident will depend upon the priority/severity of an incident. We provide a standard Service Level Agreement.
Support provision is via a dedicated email address and telephone number.
1st Line support – Orcuma helpdesk staff receive the incident details. Resolution can be given here using resolutions to known faults from our Orcuma FIRsT application for recording incidents. If resolution cannot be given in the initial interaction, the incident will be routed to 2nd Line support.
2nd Line support is provided by one of Orcuma's implementation consultants for analysis and review. If resolution cannot be given to the incident, the incident will be routed to 3rd Line support, the technical team, for investigation. It will remain with them until a fix can be provided for the incident.
All support levels are included in costings. All support provided by Orcuma Ltd staff.
|Support available to third parties||No|
Onboarding and offboarding
Implementation workshops – Workshops held with key process owners. Orcuma configure a prototype FIRsT system from the output of these sessions.
Workshop 1 - Understanding “as is” and “to be” processes, interactions with DCC applications and aligning to how Orcuma’s FIRsT software will support processes e.g. reporting, workflows, security model and outputs e.g. emails, texts. Orcuma’s FIRsT software configured to meet “to be” processes.
Workshop 2 - Demonstration/discussion based on initial configuration of FIRsT (interfaces just to be discussed). Output - Agreed FIRsT application configuration documented. Agreed scope of functionality, data fields, data migration and reports/performance management.
Configuration of Orcuma’s FIRsT software – Software configured based on output from workshops. Released for review in Test environment for “sandpit” user testing.
Training is from the “to be” processes view so that staff know how to use FIRsT from the agreed operational processes. This is onsite training.
Orcuma will provide a generic user guide as a template - allowing for the creation of bespoke training documentation that can be used for the “train the trainer” sessions.
Orcuma will provide a generic system administrator user guide outlining the key functionality.
|End-of-contract data extraction||At contract end, authorisation to pass back client data must be received from a nominated client contact. The client's data entered in FIRsT would be extracted (into comma separated value format) and transferred back to them (by Orcuma staff) via an agreed method (secure export via FTP would be free but if Orcuma are required to migrate to another system, this would be chargeable). We would then expect written authorisation from the client that we are permitted to permanently destroy their data on FIRsT.|
Authorisation must be received from a nominated client contact that the contract is ending.
Their data (residing in our software) would be extracted (to comma separated value format) and transferred back to them via an agreed method (secure export via FTP would be free but if Orcuma are required to migrate to another system, this would be chargeable).
We would then expect written authorisation from the client that we should permanently destroy all their data that is held by Orcuma.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||None|
|Accessibility standards||None or don’t know|
|Description of accessibility||
We are working towards making the web pages displayed by our system meet accessibility standards. The current situation is as follows:
* Text can be resized by users
* Colour is not used as the only visual means of conveying information or a meaning
* No audio is used on the system (other than audio files which may be uploaded by users)
* All user input controls have names which describe their purpose
* Navigation and menus are consistent throughout the system
|Accessibility testing||None to date.|
|What users can and can't do using the API||Orcuma enable integration to FIRsT using APIs and Web Services. These are developed as and when needed by customers, and currently include functionality to create case and client records, retrieve statuses and create notes for cases. Each user would be given a unique API token and username/password to authenticate against the API or Web Service.|
|API documentation formats|
|API sandbox or test environment||Yes|
|Description of customisation||
Customisation is in the form of different software configuration settings on our software or different reporting outputs/layouts, which may be required in order to support the client's specific operational processes. These will be discussed with the client prior to any implementation and will be tested in the Test environment to ensure they are appropriate to the requirements and have no impact across the software.
There may be a need to customise an element of the existing software code but this is controlled through our change control process and can only be requested and approved by the client's nominated key contact.
Only Orcuma staff or the client's system administrators can apply software configuration settings. Only applicable Orcuma staff can amend any coding / software forms / database elements.
|Independence of resources||
We only use Orcuma staff. This means that we are in control of their annual leave, their work load and their work load scheduling.
Using project planning during an implementation, we can schedule work packages for staff so we know their availability for that work plus capacity for any unscheduled work in that time.
This allows us to be able to react and assign appropriate resources to any unscheduled events, incidents or change request received by clients. Work is not assigned to any staff without checking their existing work packages first and the expected completion date of these.
|Service usage metrics||Yes|
Uptime percentage over the previous calendar month and then over the previous 12 months.
Number of Incidents received (date received) and its category.
Number of Incidents closed (date closed) and its category.
|Reporting types||Reports on request|
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Baseline Personnel Security Standard (BPSS)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Other data at rest protection approach||
Users are required to login with a username and a "strong" password.
“2 factor” authentication over an SSL secure connection can be employed.
Three unsuccessful login attempts and the user’s account will be locked.
No caching of any passwords. Passwords are "masked" and encrypted by a secure hashing algorithm which is unique to each user.
Auto “timeout” if inactive for 30 min.
Forced password reset every 60 calendar days.
Our servers are protected by Anti-Virus and malware software.
For day-to-day access by users, the user’s browser session is encrypted using an extended-validation Symantec SSL certificate.
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||
Users can export data sets from our software into comma separated value files. This is standard functionality.
Alternatively, we can extract their data, specific to their requirements, by using an appropriate SQL script.
|Data export formats||CSV|
|Data import formats||CSV|
|Data protection between buyer and supplier networks||
|Data protection within supplier network||
Availability and resilience
|Guaranteed availability||In our Service Level Agreement, we endeavour to provide a 99.7% uptime. There is no refund provision if this is not met.|
|Approach to resilience||This is information available on request.|
Email alerts are sent to our Technical Services Director with the outage time, description and estimated restoration time.
Emails are sent during the outage to ensure that we are aware of all actions being taken to resolve the outage.
We will email a notification to key client contacts/users where any unplanned outage occurs during normal business hours as soon as we are made aware of it.
Identity and authentication
|User authentication needed||Yes|
|Other user authentication||
The user’s browser session is encrypted using an extended-validation Symantec SSL certificate.
Username and "strong" password required. Two factor authentication can be employed.
We can also lock down access to the software by defined IP address(es).
|Access restrictions in management interfaces and support channels||
Users need to be properly authenticated before being allowed to perform management activities, report faults or request changes to the service.
We allow clients to manage their own user base.
Users can report faults directly to our support desk but they must include our nominated client super user.
All requests to Orcuma for any type of management activities or change request must come through email. We have a nominated client super user for every client. They are responsible for emailing the change request and approving them. All change request approvals must be via email.
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||User-defined|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security accreditations||Yes|
|Any other security accreditations||
|Named board-level person responsible for service security||Yes|
|Security governance accreditation||Yes|
|Security governance standards||Other|
|Other security governance standards||Cyber Essentials Plus and Information Assurance for Small and Medium Enterprises|
|Information security policies and processes||
We have a named company director who is responsible for our Information Security Management System as well as data protection. Information security is a standing agenda item at our board meetings as well as monthly director's meetings.
We have an up to date ISMS risk assessment (approved at board level along with all policies) and it has been reviewed in the last 12 months.
We also have policies for data protection, asset management register, access and physical management security, security incident management, disaster recovery and business continuity. These policies are distributed to all Orcuma employees on starting employment and again when updated. All staff are reminded verbally of their information security responsibilities on a weekly basis.
Our ISMS policies and data protection policy are all included in our employees' contracts and company disciplinary procedures.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
Orcuma will provide a standard change request template for completion.
We review the change request requirements and discuss potential configuration options with the client.
Change requests are logged and may have a system requirements document developed, outlining requirements, system areas affected, the procedure for backing out the change, development time and (potential) cost and penetration testing required. This goes back to the client for approval or rejection.
One month before implementation, an upgrade document will be issued detailing changes included in any upgrade and potential impact in the software. Orcuma may need to provide training sessions to key users.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
IBM Softlayer (ISO27001 accredited) provide our hosting facilities. They provide automatic hardware upgrades and software patches to their anti malware, anti virus and firewall software packages. We are notified of all changes to our servers. They provide our vulnerability management process on our hosted environment.
Our Technical Director gets regular weekly electronic (email/Twitter) security briefings (and news articles) and will act accordingly and immediately (same calendar day) if a threat is perceived to our software. We perform regular (6 and 12 month) penetration testing using IBM's Appscan programme and will act the same calendar day if a fix is required.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
Anti malware and anti virus software are installed on our servers. Our hosted environment resides in a “DMZ” and is controlled by firewalls to prevent intrusion.
Regular penetration testing also takes place.
There is a protective monitoring script that runs every 30 mins on the server identifying any changes to database structure or file system. We use NESSUS vulnerability scanner to identify any issues requiring attention on the server environment.
Three unsuccessful attempts to login to FIRsT and the user’s account will be locked. When users request a password, we are notified of this action to identify potential "brute-force" hacking attempts.
|Incident management type||Supplier-defined controls|
|Incident management approach||
We have an incident management SLA which stipulates response and resolution times and categorisation. We provide a support helpdesk via email, telephone or online medium to report incidents.
All incidents are logged and tracked. Incidents are routed to the relevant person(s). Once fixed, they record the process/change on our Orcuma FIRsT environment. The fix will then be applied and the user informed. The user will be asked to confirm that the incident is resolved. If yes, the incident is changed to reflect that the fix has been confirmed. If not, the case can be re-opened and updated.
|Approach to secure software development best practice||Supplier-defined process|
Public sector networks
|Connection to public sector networks||Yes|
|Connected networks||Public Services Network (PSN)|
|Price||£300 to £300 per licence per year|
|Discount for educational organisations||No|
|Free trial available||Yes|
|Description of free trial||
Organisations must sign our Non Disclosure Agreement before accessing our software.
All functionality is included and the trial lasts 30 calendar days. Then the trial accounts are made inactive and locked.
Trial extensions can be granted by discussing with our support team.