ARX PARTNERS LIMITED

Citadel

Citadel, is a highly secure, customisable enterprise-wide Audit, Survey, Accreditation and Compliance tool that assesses and evidences any area of risk in a consistent and scalable manner. An integrated risk register enables risks to be monitored, tolerated or mitigated. Live threat or risk-related data can be integrated through APIs.

Features

• Role based access is strictly controlled.
• People, sites or functions can be assessed.
• Groups can be created according to the user's needs.
• Bespoke assessments, internal policies or regulatory/best practice frameworks used.
• Any data uploaded to evidence responses. AI can validate evidence.
• Report is automatically generated through integrated algorithms.
• Integrated Risk Register gives an enterprise wide overview of risk.
• Statistics package presents any and all data captured.
• APIs can import live risk/threat intelligence related data.
• Integrated Application for IoS/Android available for online/offline working.

Benefits

• Scalable and consistent approach to risk management/compliance assurance.
• Friendly user interface allows non-SMEs to conduct assessments.
• Multiple risks can be monitored creating an enterprise-wide risk picture.
• Evidence based risk reports signpost best-practice enabling enhanced decision making.
• The Integrated Risk Register prioritises and audits all decision making.
• Internal Audit team can prioritise where and what needs validating.
• Corporate risk management/performance can be tracked and measured.
• Real time situational awareness and understanding are generated.
• Significant savings in time and money generated.
• Enables blended and flexible approach to risk management/compliance assurance.

£3,125 a licence a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at andrew.wood@arxpartners.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

133289771883224

Contact

Andrew Wood
07818034934
andrew.wood@arxpartners.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
• Service constraints: This must be run in modern and secure environments and will not run on older, non-HTML5 browsers.
• System requirements: Docker is required to run the paltform On-premises.

User support

• Email or online ticketing support: Yes, at extra cost
• Support response times: 9 to 5 (UK time), Monday to Friday
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: A Major incident – loss of access to the system due to system error.; Response within 4 hours (in hrs of operation) and provide an estimated time to fix the issue in 4 hours.; ; High issues - System not performing correctly or user error causing disruption to more than one user (at a level that it will prevent business critical work). Response within 24 hours (in hrs of operation) and provide an estimated time to fix the issue in 24 hours.; ; Low issue - System not performing correctly or user error causing disruption to a single user (at a level that it will prevent business critical work). Response within 24 – 48 hours (in hrs of operation) and provide an estimated time to fix the issue in 24 – 48 hours.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: At an additional cost, we will provide training that is appropriate for the users' needs
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: The data will be exported in a csv format.
• End-of-contract process: At the end of the contract, all the data will either be securely deleted or returned to the client in a CSV format.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The platform is reactive and will work on mobiles. However, the UX will be affected by the amount of text in the assessment.
• Service interface: No
• User support accessibility: WCAG 2.1 AAA
• API: Yes
• What users can and can't do using the API: All aspects of the service can be run from the APIs. Access to the APIs will require authentication. Full documentation is available.
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Each individual deployment is bespoke to each user's needs. So, this might include branding, customisation of the user's nomenclature, any specific onboarding requirements and bespoke statistics and data analytics. All of which need to be set up before deployment.; ; Users can design their own risk audits, questionnaires, regulatory compliance frameworks and surveys.

Scaling

• Independence of resources: Auto scaling of the cloud kubernetes cluster will add more services as and when required ensuring that the demand is met.; ; If the platform is hosted onprem, it will be the responsibility of the client to ensure there are sufficent services to meet demand.

Analytics

• Service usage metrics: Yes
• Metrics types: There is a suite of diagnostic and analytical tools integrated into the software. All the data that is captured during the onboarding and assesment processes be can be interrogated and viewed in whatever format required by the client. Bar charts, Pie charts, Spider graphs.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: The data can be exported via API or via a csv file.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We have a 98% uptime guaranteed.
• Approach to resilience: Available on request
• Outage reporting: Available on request

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Citadel has its own integrated IAM module that supports the roles based access. This can be configured as required by the client. TFA can be configured for each user if required.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications: BSI Kitemark™ for Secure Digital Transactions.

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: BSI Kitemark™ for Secure Digital Transactions.
• Information security policies and processes: We follow the NCSC Cloud security guidance and this is audited during our bsi kitemark audits.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: The components of our service are tracked through their lifetime by automated tests that run on each new build.; When a new feature is introduced, FVT ensures the feature is fit for purpose and there has been no regression of any existing components.; We use GIThub and other relevant sources to identify new threats, vulnerabilities or exploitation techniques which could affect the Citadel Platform. And corrective action is taken, if required.; Our configuration and change management processes are fully audited by BSI on a regular basis for our KiteMark.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: We use GITHUB advanced checking of our codebase and outher relevant sources, including AWS and Google Cloud information serves, to get information relating to threat, vulnerability and exploitation techniques. Using our change management process, known vulnerabilities are tracked until mitigations have been deployed.; ‘Critical’ patches are deployed as soon as we are aware. ‘Important’ patches are deployed within 14 days of a patch becoming available and ‘Other’ patches deployed within 8 weeks of a patch becoming available.; This processes is fully audited by BSI on a regular basis to ensure we mainatin our KiteMark.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: We use GitHub security scans and Docker security scans to identify any potential compromises. We use Virtual Appliance Load Balancer to provide an Intrusion Prevention and Detection Service (IPS+IDS) with local and remote blacklists, DDoS protection, real-time blackhole lists (DNSBL) and Web Application Firewall.; In the event of a potential compromise, we would apply the remedial action recommended by the identifying authority.; We would respond as soon as an incident was identified.
• Incident management type: Undisclosed
• Incident management approach: We have predefined processes for common events, although these are limited in number as we don’t experience many issues with the Platform. Our users will report any incidents via email or phone and we will categorise the incident into either UX or Technical. We prioritise the incident into one of three levels: High, Medium or Low. The issues are dealt with in priority order and reports are generated in accordance with our SLAs.; Our processes are audited regularly as part of our BSI Kitemark accreditation.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  We are constantly looking at ways to make the software more efficient and deliver better performance therefore reducing server costa and greenhouse gas emissions.

  Equal opportunity

  We foster diversity and inclusion by offering training and career development opportunities to people from different backgrounds, including those from underrepresented groups.

  Wellbeing

  Our services improve the wellbeing of our clients and their employees by enhancing collaboration and productivity through advanced cloud solutions.

Pricing

• Price: £3,125 a licence a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: The free version of our service offers users full access to all features without restrictions for one month. During this period, users can enjoy unlimited data storage, full customisation options, and access to advanced collaboration and security tools.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at andrew.wood@arxpartners.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.