Storm ID

Events Management Service

Cloud hosted event management system with admin interface and customer facing front-end

Features

• Events admin system tailore to event types
• Customer front-end tailored to event types
• Supports multiple event types
• Search and discovery of events
• Event booking
• Cloud hosting

Benefits

• Resilient, scalable and cost effective fully managed hosting service
• Eliminates need to develop events system
• Mobile responsive interface offering intuitive experience
• Higher customer satisfaction
• Streamline events management process
• Syndicate events across other websites

£515 a person a day

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Framework

G-Cloud 12

Service ID

928209635686689

Contact

Craig Turpie
0131 561 1250
craig.turpie@stormid.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: None
• System requirements: No specific requirements

User support

• Email or online ticketing support: Yes, at extra cost
• Support response times: Response times are categorised by service request priority: Urgent: 1 hour; High: 4 hours; Medium: 8 hours; Low: 16 hours.; ; Response times at weekends, public and bank holidays are negotiated separately.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Our WebOps Support Desk provides your first line response to support requests. The Events Management Service is backed by Microsoft Azure services 24x7, 99.99% availability.; ; Response times are categorised by service request priority: Urgent: 1 hour; High: 4 hours; Medium: 8 hours; Low: 16 hours. P1 - Urgent: Complete loss of an entire service for all users or severe degradation resulting in inability to function; P2 - High: Service functioning improperly resulting in some loss of service/system failure removing service from a number of users; P3 - Medium: Service functioning at less than optimal performance/system problem impacting but not removing service, resolve minor bugs/site errors; P4 - Low: Change requests.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: To support customers we offer tailored training for the Events Management Service which can be delivered remotely or on premise.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Approach can be designed to suit customer requirements.
• End-of-contract process: Approach can be designed to suit customer requirements. There may be additional costs.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Mobile experience is fully featured but interfaces are optimised for smaller form factor.
• Service interface: Yes
• Description of service interface: A secure service interface is provided for personnel involved in administering the Events Management Service.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Manual and automated interface accessibility testing has been undertaken but not specifically for users of assistive technologies.
• API: Yes
• What users can and can't do using the API: Users can use the API to syndicate events to other websites
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Almost any element of the Events Management Service can be customised to meet specific customer needs. Customisation is available to support the need to scale, to support specific security standards, monitoring and reporting or to provide extended help desk cover.; ; Customisation requirements are typically informed through early stage work in determining user needs and organisational goals. For a live service, further customisations can be considered in response to analytics, user feedback and product enhancements.

Scaling

• Independence of resources: Virtualisation technology is used to ensure applications and users sharing the same infrastructure are kept apart.

Analytics

• Service usage metrics: Yes
• Metrics types: Using tools such as web analytics and other data sources we monitor service usage and performance and recommend where service improvements could be made.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2012
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Approach can be designed to suit customer requirements.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

• Guaranteed availability: Storm guarantee that our hosted Events service will be available 99.95% of the time. We guarantee at least 99.99% of the time customers will have connectivity between Microsoft Azure SQL Database and the Internet gateway. ; ; We acknowledge that if the service levels fall below the quality we commit to then penalties will be incurred to compensate clients and drive service improvement. ; ; Financial penalties and service credits and their calculation will be agreed as part of the call-off agreement with the specific customer together with the terms and conditions and KPIs for the service.
• Approach to resilience: Available on request.
• Outage reporting: Email alerts.

Identity and authentication

• User authentication needed: Yes
• User authentication: Limited access network (for example PSN)
• Access restrictions in management interfaces and support channels: Available on request
• Access restriction testing frequency: At least every 6 months
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: Users receive audit information on a regular basis
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: Yes
• Any other security certifications: Cyber Essentials Plus

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: Storm ID is working towards ISO/IEC 27001:2013 (ISO 27001).
• Information security policies and processes: Information is an asset that Storm ID has a duty and responsibility to protect.; ; Our information security management system (ISMS) sets our approach to managing information security and is approved by top management and communicated to employees, contractual third parties and agents.; ; Top management are committed to protecting the information that we store and process though good information security practices. To achieve this, and comply with regulations, we have established: ; ; an information security policy; a commitment to customer focus and applicable regulatory requirements ; information security objectives that are measurable and consistent with the information security policy ; an ISMS describing our approach to information security; responsibilities, authorities and communication processes ; a management review process; a process to ensure availability of resources ; data access and security processes ; a business continuity / incident management procedure; ; Top management believe that a commitment to information security is important in order to: ; ; encourage information and cyber security awareness amongst employees, to develop and a ‘secure by design’ mindset; increase customer confidence, which helps build relationships with and retain customers ; reduce our exposure to risk ; effectively utilise our resources ; ; Storm ID have Cyber Essentials Plus accreditation and are in the process of achieving compliance with ISO27001.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Change management is employed to evaluate, control and minimise risk and cost, and maintain the established standards and quality criteria. Our change management process is incorporated into our ITIL-based continual improvement process, that encompasses business objectives, creates baselines, defines measurements, and plans and implements improvements. Our change controls:; ; establish the purpose, category and nature changes; determine the potential consequences of changes; assess resource requirements for the changes; ; We use configuration management to establish and maintain consistency in our software’s performance. This includes configuration management for:; ; Project/work management; Source control; Build/release pipelines; Packages and artefacts; Azure CSP tenancies, subscriptions and Infrastructure
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Storm ID apply our ISO13485 accredited Quality Management System processes, and Cyber Essentials Plus backed security best practices to the information and IT assets we handle, reducing risk associated with vulnerabilities by being able to identify, classify, prioritise, remediate and mitigate vulnerabilities. Vulnerability scans are run regularly to identify weaknesses in the configuration of systems and to determine if any are missing important patches or software. Remediation or mitigation is undertaken on any vulnerabilities identified according to the class and priority of the vulnerability.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We use ‘always-on’ proactive and protective monitoring to:; ; monitor the software performance; systematically identify risks; detect software faults when they occur; quickly initiate necessary corrective actions; ; Our proactive monitoring involves collecting meaningful and practical information. To do this we use tools such as:; ; Azure App Insights; Azure Log Analytics; StatusCake; Performance analytics; Service reports; Helpdesk calls and tickets; Customer complaints and positive feedback
• Incident management type: Supplier-defined controls
• Incident management approach: Storm ID’s incident management process requires that all events and suspect events that could result in the actual or potential loss of data, breaches of confidentiality, unauthorised access or changes to systems, must be reported immediately to top management by email, telephone or in person.; ; Incidents are centrally recorded, and appropriate management measures, including escalation and notification procedures are in place.; ; Incident reporting procedures are included in employee training.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £515 a person a day
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF