FCS SOFTWARE SOLUTIONS LIMITED

CommitteesPro

CommitteesPro is a cloud-based committee management system which has been designed from the ground up to manage the day to day activities involved in a busy democratic services team. From report writing, to Councillor profile management and the publication of agendas and plans all designed in our secure web-based environment.

Features

• Web based
• Fully hosted
• Workflow automation
• Real-time data
• Real-time reporting
• Email and SMS integration
• Third-party integration
• Multi-tenancy software architecture
• Single sign-on
• Full auditing

Benefits

• Quick to deploy and access
• Zero infrastructure required
• Seamlessly deliver updates
• Guaranteed levels of service
• Automated backups without user intervention
• Works from anywhere
• Increased security through geographically separated data centres
• Scalable through flexible subscriptions
• Lower up-front costs
• Process data on multiple devices

£15,000 to £40,000 a unit a year

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at jamied@fcssoftware.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

101728891821770

Contact

Jamie Doig
07764971166
jamied@fcssoftware.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: An internet connection is required at all time in order to access the software.
• System requirements:
  • Ability to connect to the Internet
  • Ability to access to a supported Internet Browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Business as usual email support is provided Monday to Friday between the hours of 9am to 5pm where we aim to respond within 2 working hours.; ; During busy periods the business will default to our standard SLA response times of Critical (1 hour), High (2 hours), Medium (4 hours), Low (8 hours).
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Business as usual: Telephone and email support is provided Monday to Friday between the hours of 9am to 5pm. We aim to respond within 2 working hours but will default to our standard SLA response times of Critical (1 hour), High (2 hours), Medium (4 hours), Low (8 hours) during busy periods.; ; An email support service for Critical support is available at all other times where we will make best endeavours to respond within 1 hour.; ; We provide General, Application and Technical Support as standard and all support levels are included within the set support and maintenance fee.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: The client is provided with access to a Training instance of the application, prior to Go Live, which can be used at any time and primarily provided to be used in conjunction with the onboarding training services.; ; Training is delivered remotely as standard, although onsite training can be provided at an additional cost. ; ; Training is delivered in a train the trainer style and comprehensive training guides and user documentation is provided to support the training and delivery of the live system.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: An end of contract scenario (termination or otherwise) will trigger our Data Extraction Plan. This plan assumes a 'big bang' approach, meaning that everything happens in a one-time boxed event.; ; This approach acknowledges the restricted timescales that the user is typically bound by and so allows them to migrate their data to another supplier in the most practical, timely and efficient manner possible.; ; An overview of the process is as follows;; ; Step one: the suppliers appointed 'contract transition manager' will liaise with the user and agree the data extraction plan, timescales and then communicate this to all stakeholders involved in the data extraction process.; ; Step two: the contract transition manager will ensure that detailed supporting documentation is provided to assist the users incumbent supplier in auditing the data, in readiness for the migration, by identifying the following;; ; 1. What the data fields are; 2. What does and doesn't need to be mapped; 3. Any missing data; 5. Any inaccuracies; ; Step three: Extract the data and deposit it in a secure location (as agreed and provided by the user i.e. a secure FTP).; ; Step four: Provide a consultative service to assist the user during their migration process.
• End-of-contract process: At the end of contract, in conjunction with the data extraction service, the following process will be implemented, all of which is included in the price of the contract.; ; 1. Internally appoint one of our product delivery specialists to the role of Contract Transition Manager; 2. The Contract Transition Manager will be the single point of contact for the user and any incumbent supplier, in all matters relating to the end of contract; 3. The end of contract process includes the data extraction and migration assistance service (both in a physical and consultative capacity); 4. At the point of successfully extracting the data, securely delivering it to the user and receiving confirmation from the user that the data has been successfully extracted and delivered, we will commence our 'folding up' service; 5. The folding up service includes the following;; a. the removal of any and all user data backups; b. Redaction and service archiving of any related information or documentation that we are legally bound to retain (for any set period of time); c. Revoking of any and all user access to our software and services

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The system is designed to automatically scale to the screen size accessing the application.; ; When accessing the system using a desktop, users can use keyboard shortcuts and/or the mouse to navigate around the application and process data.; ; Mobile device users can use touchscreen features such as touch, swipe and zoom to navigate around the system, with access to the touchscreen keyboard allowing them to process data.
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: Yes
• What users can and can't do using the API: All processes in our application use an API and the user (with the correct permissions) can call any of the same methods as the application through the API.; ; The user can use their own software to interact with the API or they can use a third-party to write methods that interact with the services the user uses.; ; All of our API documentation is documented as an Open API (Swagger) which provides a list of all of the end points.
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: The entire application can be fully customised.; ; 1. Increase and decrease the application (font size, icon size etc.) ; 2. Adjust the panel height and width; 3. Adjust the column and row height and width; 4. Group tables by applying a user defined row header; 5. Filter columns so that they display customised sets of data; 6. Applying a row sort in ascending and descending order

Scaling

• Independence of resources: Users are provided with independent databases and our services have automated scalability built-in. This prevents "other users" demand from affecting the service.; ; In addition, FCS continually monitor the application and API for high usage and tier up when capacity nears the pre-set threshold. The process to 'tier up' is virtually instantaneous, but to ensure that we have ample warning in advance of the service nearing a threshold, auto alerts are generated when the service hits 70% capacity.

Analytics

• Service usage metrics: Yes
• Metrics types: 1. Service availability; 2. Live service usage; 3. Applications breakdown (documents upload, downloaded from the IER Digital Service); 4. Staffing portal (number of logins, training courses attended, pass and fail rates etc)
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest: Other
• Other data at rest protection approach: We use tools to safeguard data, applying symmetric encryption to encrypt and decrypt large amounts of data quickly.; ; Data encryption at rest provides defence-in-depth protection using the following conceptual model: ; ; A symmetric encryption key is used to encrypt data as it is written to storage.; ; The same encryption key is used to decrypt that data as it is readied for use in memory.; ; Data may be partitioned, and different keys may be used for each partition.
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users can export their data using a variety of methods. The base standard is for the user to use the export option which exports all on-screen data into an Excel spreadsheet.; ; Alternatively the user can use the proprietary reporting tool to export specific sets of data, applying user defined reporting parameters and exporting data in a range of formats i.e. csv, tsv, Excel, PDF.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • Excel
  • Doc
  • PDF
  • CSV
  • TSV
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • Excel
  • Word Doc
  • PDF
  • CSV
  • TSV
  • Any image format

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We provide an SLA with guaranteed levels of availability of 99.5%. The user can apply for a 10% credit or 25% credit if the guaranteed level of availability falls below 99.5% or 95% respectively.; ; Service credits are the sole remedy for any performance or availability issues for any service provided under the agreement.; ; The service credit percentage is calculated per month and based on the following formula;; ; Annual fee ÷ 12 (months) ÷ 100 x 10 or 25 (percentage amount dependant on the downtime); ; Service Levels do not apply to any performance or availability related to:; ; 1. Factors outside our control i.e. natural disasters, acts of terrorism; 2. Use of software or services not provided by us i.e. inadequate bandwidth; 3. Failure by the user to modify their use of service after being advised to modify their use of service; 4. During pre-release, beta or trial versions; 5. Unauthorised or lack of action when required resulting in failure to follow appropriate security practices; 6. Faulty input i.e. accessing files that do not exist; ; Service credits claims will need to detail the incident, specify the time and duration of downtime and a describe what attempts were made to resolve the incident.
• Approach to resilience: Available on request.
• Outage reporting: We provide users with access to a service page that references the outage and navigates them to the email alert service. The service page is is a fall back solution that isn't hosted in any of the locations that the outed services are located.; ; The email alert service is triggered automatically when an outage occurs and notifies the user of the outage, detailing the following:; ; 1. The outage (time etc.); 2. The current estimated time of resolution; 3. Any mitigation steps that are being taken; ; While any outage would be a major country level event (given the size and use of Microsoft Azure), as with the delivery of the service page, fail safes have been added to ensure the user user notified accordingly i.e. the email alert service would continue to work as Office 365 is a global service, so would remain unaffected by a nationwide outage to the hosted service.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Username or password
• Access restrictions in management interfaces and support channels: As part of the installation we create an Admin account and provide the (administrative) user with access to our Users and Groups modules.; ; The administrator is able to use these functions to create new/edit and delete Users, create user groups i.e. Admin, Power User, Read-only User etc. and then assign permissions with different levels of access to each of these groups.; ; The permission and level settings within this account management module are extensive and allow the admin user to define and configure almost any combination of system access to suit any user.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Socotec
• ISO/IEC 27001 accreditation date: 11 June 2021
• What the ISO/IEC 27001 doesn’t cover: None.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: In line with our ISO 27001 certification, our policies are created, reviewed and maintained by the Managing Director and monitored and enforced by the Technical Director. All staff report through their line manager who in turn reports directly to the Directors. ; ; Confidential Data Policy:; Details how we abide by the Data Protection Laws; ; Device Security Policy:; Details how we ensure the security of information on the workstation; ; File Sharing Policy:; Details how we share, transmit, view and publish sensitive, protected or confidential data or content; ; GDPR Policy:; Details how we process data in accordance our responsibilities under GDPR; ; Incidence Response Policy:; Details how we respond to breaches, Cyber security attacks and Disaster Incidents; ; Password Protection Policy:; Details the standard for creating passwords, its protection and frequency of change; ; Physical Security Policy:; Details the security controls in place to meet all legal, regulatory, contractual and standards; ; Security Awareness Policy:; Details our response to virus hoaxes, social engineering, malware, spyware and phishing; ; System Hardening Standards:; Details our standards for installations and configuring software; ; Wireless Policy; Details requirements that wireless infrastructure devices connect to our network

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: As part of our ISO 27001 certification, FCS have a robust change management policy and process in place.; ; The Change Plan covers the following;; ; 1. Description (what will change); 2. Who will be involved in the change process; 3. Links to documentation (to determine the correctness of our actions); 4. Pre-installation (everything that needs to be done before change is planned); 5. Installation plan (all actions to be performed and when); 6. Post-installation (checks to the system); 7. Backout plan (action to be performed in the event of issues); 8. Applications (collation of reference information)
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We do not have a vulnerability management process in place as this is managed by Azure.; ; Our Technical Director has full access to Azure's Threat Management dashboards which include:; ; 1. Advanced Data Security; 2. Vulnerabilities assessments; 3. Advanced threat protection.; ; In regards to any other vulnerabilities, these are covered in the following policies:; ; 1. Confidential Data Policy; 2. Device Security Policy; 3.File Sharing Policy:; 4. GDPR Policy; 5. Incidence Response Policy; 6. Cyber security attacks and Disaster Incidents; 7. Password Protection Policy; 8. Physical Security Policy; 9. Security Awareness Policy; 10. System Hardening Standards; 11. Wireless Policy
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Potential comprises are identified through the use of Azures Advanced Threat Protection module.; ; We're alerted to suspicious events, i.e. a SQL injection attack and provided with links on how to remediate it. We identify that it is a genuine threat and (if required) take steps to remediate it.; ; Response to these incidents are based on the threat level provided, where we will mitigate the threat, prevent future attacks and/or trigger automated responses.; ; High: investigate and respond immediately; Medium: investigate immediately (then respond immediately or within two calendar days); Low: investigate within one working day and respond within five working days
• Incident management type: Supplier-defined controls
• Incident management approach: Our Incident Response Policy (which is applied in conjunction with our Confidentiality and Data and File Sharing policies) detail how we respond to incidents i.e. Breaches, Cyber Security Attacks, Business Continuity and Disaster Incidents.; ; Incidents (whether reported by the customers or discovered internally, are reported to an FCS Director who will carry out a review and categorise the incident by severity, i.e. threat of life, disruption of service.; ; Customers that are affected are contacted and provided with a report, which includes details of the incident, strategies to mitigate risk, and any actions that need to be taken by the customer.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: Yes
• Connected networks: Public Services Network (PSN)

Social Value

• Social Value:

  Social Value

  Covid-19 recovery

  Covid-19 recovery

  Our cloud-based solutions support local authorities recovering from the impacts of COVID-19 by supporting new ways of working, through the delivery of solutions that are accessible on any device that has an internet connection.; ; This flexibility improves workplace conditions that support the COVID-19 recovery by enabling office-based working, remote-based working, or a hybrid of the two.

Pricing

• Price: £15,000 to £40,000 a unit a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: 1. Conversion of data (or the provision of test data); 2. Installation (provision of application); 3. Configuration (user access controls); 4. Support services (telephone, email, online help); 5. Full access to all elements of the application; 6. Provided initially on a 3 month trial period
• Link to free trial: N/a

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at jamied@fcssoftware.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.