
CALQRISK (UK) LIMITED

CalQRisk

CalQRisk is an online, modular, Governance, Risk and Compliance solution that can be tailored to suit your needs. CalQRisk brings consistency and completeness to your GRC efforts. It joins up your GRC processes in one platform, resulting in efficiencies across the organisation.

Features

  • Single platform for Governance, Risk, Compliance, Third Parties and Meetings.
  • Risk module to support all your risk management activity.
  • Tasks module to record, assign and manage all actions.
  • Incidents module to record and manage all incidents and accidents.
  • Audit module to record all Audit and Findings information.
  • Monitoring module to verify control effectiveness and ensure compliance.
  • Complaints module to capture and manage all complaints.
  • Third Parties module to record, classify and manage your third parties.
  • Process module to build maps and report on critical services.
  • Dashboards and custom reports giving an immediate overview of current status.

Benefits

  • Avoid duplication of effort with all information in one place.
  • Use pre-populated risk question sets to quickly assess your risks.
  • Maintain an overview of all open Actions in all areas.
  • Easily generate an Incident report including open Tasks.
  • Create Checklists once, use many times in multiple Audits.
  • Can easily record key information on an automatic basis.
  • Satisfy your regulatory requirements regarding complaint handling and resolution.
  • Be able to demonstrate you are in control of third parties.
  • Can create bespoke reports that combine activity from multiple modules.
  • Eliminate spreadsheet risk by storing all information in one database.

Pricing

£300 a licence a year

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at enquiries@calqrisk.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

103465795837135

Contact

CALQRISK (UK) LIMITED Chris Hanlon
Telephone: 02037698033
Email: enquiries@calqrisk.com

Service scope

Software add-on or extension
No
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints
The system is taken offline for maintenance, outside of business hours, once per quarter and whenever critical updates need to be applied (usually 1-2 hours).
System requirements
Users will need a browser to access the system.

User support

Email or online ticketing support
Email or online ticketing
Support response times
All Helpdesk emails are acknowledged and responded to within 4 working hours, calls are answered immediately.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
CalQRisk provides the following standard support to all clients (costs are included in the annual licence):
A named Key Account Manager for in-depth, tailored support during the onboarding process. They will also make contact at regular intervals across the course of the licence duration to enable the greatest use of the product.
Email Support: Available for all Users for technical issues or general queries.
Phone Support: 9am-5pm GMT Monday to Friday.
On-site support is charged depending on the client requirements.
We can offer facilitated, tailored training provided by Risk Management specialists for groups or individuals to enhance risk management practices and knowledge.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Depending on the needs of the client, it can be a mix of the below -
- New clients are provided with a key account manager, a named person to support them throughout their time with us
- Full import of historical data with data cleansed and tested for accuracy so the system holds all the information you need, from the moment you log on.
- Risk Management training for management teams/departments
- Onsite/online training on the solution which is tailored to the user
- Ongoing risk management/compliance advice
- Regular upgrades to the knowledge base within the system based on standards, compliance requirements and good practice.
- User Group Meetings
- Access to free policy templates, webinars on risk management and surrounding topics impacting the subject.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Users can do this at the click of a button in the solution. Alternatively, our Helpdesk team can extract the data. We typically provide the data in CSV or Excel format.
End-of-contract process
Where an organisation decides not to renew their contract with CalQRisk, the below usually occurs -
- notice shall be submitted within the agreed contractual timelines
- data extraction, either by CalQRisk or the client
- feedback/exit interview
- data deletion, usually 90 days after the contract expires

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
There are no differences between the mobile and desktop service.
Service interface
Yes
User support accessibility
None or don’t know
Description of service interface
The interface is browser-based. All the popular browsers are supported. The design is such that the interface will adapt to the device used (computer, tablet, mobile). Menus appear on the left and users quickly learn how to navigate. We do not fully meet the WCAG standard but we would score highly on key aspects.
Accessibility standards
None or don’t know
Description of accessibility
Using a mouse or the Tab key, users can select fields / buttons.
Forms do not have a specific input sequence, so users can click into each field in any order.
All screens have a title so the User always knows "where they are".
If a user makes an error or omits required data, the system responds with a clear message.
Users can increase the font size by pressing "Ctrl and +".
Users cannot change the colour palette used in the forms.
Accessibility testing
We engage an expert in User Interface design to advise on best practice.
API
Yes
What users can and can't do using the API
Currently our API allows users to access the information in the system using an external reporting tool (e.g. Power BI). It is not possible to enter information / make changes via this interface.
API documentation
Yes
API documentation formats
PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
CalQRisk is made up of a suite of modules. Organisations can license whatever modules they wish.

Each module contains dropdown menus, custom fields, etc. that appear in the various forms which can be specified / customised by each organisation. This enables the customer to tailor the application to their context / environment / needs.

Only a User with System Administration rights can set / change these items. Additional menu items are offered to those users with the appropriate Access rights.

Users can also tailor what information they would like to see on their personalised reporting dashboards using the drag and drop widgets. We also endeavour to train specific users on the custom report builder so they can create reports on any information held within the system in any format and style they find most user friendly and appealing.

Scaling

Independence of resources
The application is hosted on Amazon's cloud platform (AWS). The configuration is such that, if the number of concurrent users were to increase, the computing resources required to support them and ensure no degradation in the service are available.
We monitor server performance and ensure that the processing power remains appropriate.

Analytics

Service usage metrics
Yes
Metrics types
This depends on the needs of the clients, and a lot of the information is available on a self-serve basis, e.g. clients can see how many tasks were closed in an x-day period, or how many tasks are overdue.

We also provide periodic reports on system uptime and other key metrics.
Reporting types
  • Real-time dashboards
  • Regular reports

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Information can be exported at the click of a button. All reports in the solution can be exported to multiple formats including Excel, PDF, PNG, etc.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
We guarantee availability / uptime of 99% within the hours of 08:00 - 18:00, Mon - Fri. No refund proposal. (Availability has never dropped below 99%.)
Approach to resilience
We host the application on Amazon's cloud platform. The application is available in 3 data centres in a cluster, such that if one or two were to fail the third would be able to continue to provide the service. More information can be provided on request.
Outage reporting
Via a public notice on the web and/or via email

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
At the system configuration level access is restricted by IP address and username and password. At account configuration/setup level access is restricted by 2-factor authentication.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
Other
Other security governance standards
- Cyber Essentials Plus
Information security policies and processes
We have a documented Information Security Policy that is aligned with the ISO 27001 standard. This determines the processes and procedures we follow in our own in-house environment.
From an application development point of view we follow the OWASP guidelines (Open Web Application Security Project).
Our CTO determines the policies and procedures. Our Head of Development is responsible for ensuring compliance with OWASP, which we test annually through third-party experts.
- All communications with the application are encrypted.
- All backup copies of data are encrypted.
- All User Passwords are encrypted.
- Backups are taken every 4 hours (with journaling in between).
- A backup copy is retained off the network.
- Access Rights are assigned on a "least privilege" basis.
- Access Rights are revoked when a person leaves the organisation.
- No data is stored on removable storage devices.
- An inventory of all IT assets is maintained.
- Employees are regularly reminded of cybersecurity threats / risks via awareness training.
- Access to critical functionality / system level always requires 2-factor authentication.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
The software application includes a table that holds all details about changes made to the code, with date/time etc.
Content (risk questionnaires) is managed by a separate team and all additions and changes are recorded in a Change control file.
All changes to the application are extensively tested in a Sandbox before they are moved to the "put live" process. All updates undergo a "dry run", whereby the new code is tested with live data, before being put live.
All changes must comply with the OWASP application security guidelines.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We receive threat information from multiple sources. The application is deployed on the Amazon platform (AWS) and we receive notifications of potential threats from Amazon. We have tools deployed to identify active threats / attacks and alert as appropriate (when over certain thresholds).
We also receive regular updates from Microsoft and deploy these within 48 hours if they are tagged as "critical" (the application is developed and hosted in a Microsoft environment). We are also members of ISACA and receive threat information from them.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We have intrusion detection tools deployed in the hosting environment that generate alerts whenever suspicious activity is detected. If a customer reports an unusual event this gets escalated to determine if the cause is customer account specific or a failing of the system.
Response is generally less than 15 minutes and, depending on the analysis and severity, the resolution could take from 1 hour to 1 day.
Incident management type
Supplier-defined controls
Incident management approach
We have a documented Incident Response Plan (IRP) that includes an "Analysis" step to determine the nature of the incident. Depending on the outcome of the analysis, the following steps vary; e.g. the response to a potential data breach is different from that to a system failure.
Users either call or email the helpdesk.
If the incident has impacted just one customer, then our communication is primarily by telephone with a final update by email. If the incident affects all customers, then we put a notice on the login screen of the application.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

Social Value

  • Tackling economic inequality
  • Equal opportunity

Tackling economic inequality

Increase supply chain resilience and capacity.
The solution has a knowledgebase of identified cybersecurity risks. This knowledgebase can be used by the client and / or in the supply chain. It can also be applied to the process of achieving identified national and international standards such as ISO 27001, NIST2 and Cyber Essentials. As part of any contract, where our client is supporting small/minority organisations in its supply chain who are anxious to achieve Cyber Essentials Plus certification, on request they can give them access through the solution to an initial gap analysis / question set.

Create new businesses, new jobs and new skills.
We support and encourage interest in the general topic of Governance, Risk and Compliance and offer regular, free webinars on related topics. These are information sessions and are never used for marketing; they are recorded and available from our website / social media. We encourage professionals in the sector, and students, to join and contribute to increase general knowledge and awareness of efficient and effective management of risk.

Separately to the above, as our business grows, we continue to create new roles. For example, we’ve almost tripled our headcount over the last two years and have employed people from the local economy.

Equal opportunity

Tackle workforce inequality
The solution can be used to get attestation and confirmation regarding modern slavery obligations, both internally and in the supply chain.

Pricing

Price
£300 a licence a year
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
Hands-on walkthrough of the solution including a high-level gap analysis against a standard, framework, etc. of the client's choice