GISMO Managed Service Hosting
GISMO (GIS Mapping Online) is a GIS system hosted in the Cloud for use by clients who don't have an in-house GIS capability and wish to take advantage of the many benefits GIS offers. Clients are able to access the GIS to view their data spatially.
Features
- OS and Open data provided as web services for mapping
- Easy access to large volumes of data of geographical features
- Fast and reliable, easy to deploy service
- Virtual Desktop Hosting services
- Supported by specialist GIS professionals with dedicated project delivery
- Cartographic styling included as standard
- Intuitive interface for ease of use
- GIS tools for both GIS Officers and novices
- Analysis, measuring, print and data export tools available
- Social housing knowledge base, training and on-boarding support available
Benefits
- Promote collaborative teamwork throughout your organisation
- Accessible on desktop, mobile or tablet device
- Cost savings resulting from greater efficiency
- Cost savings of 10%-15% on grounds maintenance contracts
- Query data to get the location information you need
- Managed and monitored by UK workforce with UK based datacentre
- Improved communication between departments and with tenants
- Use the latest technologies without the need for capital expenditure
- Forward thinking and innovative team providing GIS Expertise in housing
- Flexible contracts with resources on demand when required
Pricing
£250.00 a licence a year
Framework
G-Cloud 14
Service ID
229155833199419
Contact
Oxford Data Consultancy (ODCGIS LIMITED)
Alan Smith
Telephone: +447957806497
Email: alan@odc.co.uk
Service scope
- Service constraints
- GISMO Feature Storage set at 1,400,000 (more can be purchased in the unlikely event it is required)
- System requirements
- Concurrent Viewer licences required to View GIS
- Concurrent Contributor licences required to add limited data
- Concurrent Mobile licences required to View GIS in the field
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Response time is generally within 2 hours during normal working hours. Support is not available at weekends
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
- Support is at one level through a Managed Service which comes at 4 levels: Bronze; Silver; Gold & Platinum. Each level has an increasing number of days, the number is set dependent on the size of the organisation. Pricing varies and is agreed after discussion with the buyer. More information in the Pricing Document. We have a team of experienced GIS Officers who are contactable during normal working hours. In addition the buyer will have an experienced Account Manager who is contactable through Mobile or Email.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- Training in the past was always onsite but since Covid this has switched to Online. Onsite training can still be offered if required. There is no limit to how many are involved in training. With larger numbers the training could be split into departments so elements of training are focussed on specific needs. Documentation is supplied as part of the training.
- Service documentation
- Yes
- Documentation formats
- End-of-contract data extraction
- Any data captured or created during the contract belongs to the client and will be supplied free of charge in whatever format is required.
- End-of-contract process
- There are no additional costs at the end of the contract. The client's data will be batched and sent to the client or a new supplier (if that is the situation) by secure connection agreed between all parties.
Using the service
- Web browser interface
- Yes
- Using the web interface
- The user interface is the Web browser and the Web page it downloads and renders. Users are given Login and Password details to access their GIS mapping. Users are able to analyse their data, export it if required, print copies, measure objects etc. To protect the integrity of the GIS data, users are unable to edit or delete data.
- Web interface accessibility standard
- None or don’t know
- How the web interface is accessible
- An accessible interface design is one that is accessible to all users, including those with low vision, hearing impairments, or any other impairment. Accessibility allows all people to interact with and use interfaces.
- Web interface accessibility testing
- Not applicable
- API
- No
- Command line interface
- No
Scaling
- Scaling available
- Yes
- Scaling type
- Manual
- Independence of resources
- Each user has its own area
- Usage notifications
- Yes
- Usage reporting
Analytics
- Infrastructure or application metrics
- No
Resellers
- Supplier type
- Reseller providing extra features and support
- Organisation whose services are being resold
- GIS Cloud
Staff security
- Staff security clearance
- Conforms to BS7858:2019
- Government security clearance
- Up to Baseline Personnel Security Standard (BPSS)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- No
- Datacentre security standards
- Managed by a third party
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
- Physical access control, complying with CSA CCM v3.0
- Physical access control, complying with SSAE-16 / ISAE 3402
- Data sanitisation process
- No
- Equipment disposal approach
- In-house destruction process
Backup and recovery
- Backup and recovery
- Yes
- What’s backed up
- PostGIS Database
- GISMO Maps
- Backup controls
- ODCGIS’s PostGIS database is used to store most of the client data that is generated or updated by ODCGIS officers. The database is hosted on ‘AWS RDS PostgreSQL 11’ (Amazon Web Server) which is located in London.
ODCGIS’s PostGIS is backed up according to the following schedule:
• 14 consecutive daily backups via RDS built-in automatic snapshots
• 2 monthly backups via AWS backup service (one of the quarterly backups will act as third month to ensure 3 months restoration)
• 4 quarterly backups via AWS backup service
Quarterly backups are retained for 1 year.
- Datacentre setup
- Single datacentre
- Scheduling backups
- Supplier controls the whole backup schedule
- Backup recovery
- Users contact the support team
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
- IPsec or TLS VPN gateway
Availability and resilience
- Guaranteed availability
- Our SLA can be supplied on request. We shall use reasonable efforts to cure the defect in the Software (or media), or re-perform the nonconforming Services, or reload back-up copies of the Software affected by the Harmful Code; or replace the Software (or media) with software that materially conforms to the specifications in the Documentation; or terminate the Software license and provide a pro rata refund of the fees that Customer has already paid relating to the defective Software or Services.
- Approach to resilience
- We have multiple instances of production servers running at all times. There is a hot-standby replica of the database, ready to take over if needed. Everything is backed up daily. Everything runs on AWS, including backups.
- Outage reporting
- Email alerts
Identity and authentication
- User authentication
- Username or password
- Access restrictions in management interfaces and support channels
- Set up password protected areas when requested by supplier
- Access restriction testing frequency
- At least once a year
- Management access authentication
- Username or password
- Devices users manage the service through
- Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
- Directly from any device which may also be used for normal business (for example web browsing or viewing external email)
Audit information for users
- Access to user activity audit information
- Users receive audit information on a regular basis
- How long user audit data is stored for
- At least 12 months
- Access to supplier activity audit information
- Users receive audit information on a regular basis
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- No
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- No
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- No
- Security governance approach
- We have an internal process for prioritising fixes related to security and have implemented QA measures before releasing new updates to minimise the chance of introducing new risks.
- Information security policies and processes
- Critical severity issues are handled by the incident response team, consisting of the Information Security Contact in concert with whomever management designates on a case-by-case basis (legal contact, specific developers, etc). The Information Security Contact will convene an incident response team meeting whose agenda will be: • Investigating and enumerating indicators of the security incident • Updating incident timeline • Impact assessment and mitigation actions • Root cause analysis. The Designated Information Security Contact will report these and any other relevant information to the management. The incident response team will reconvene at regular intervals, determined according to the urgency of the specific incident, until the incident is fully analyzed, assessed, mitigated, and resolved. If the incident impacts client data, contact with the impacted client is made as soon as practical through the designated contacts. Incident update timeframes to the client will be set in the first contact and aligned to the client requirements, severity, location/time zone and any other factors appropriate to either party.
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
- GIS Cloud developers run a virtual machine on the desktop, making it possible to run GIS Cloud in an environment resembling the production environment and ensuring there are minimal differences between development and production environments. The code versioning system in use is git. The git servers are located in GIS Cloud HQ, controlled by the frontend system “gitolite”, allowing hosting on a central server with fine-grained access control. Updates, new features, bug fixes or hotfixes are tested and verified before release by the QA team. The build and ticketing system allows for a streamlined, robust and secure process of testing product updates.
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
- Periodically we perform penetration and vulnerability scanning using Burp Suite by PortSwigger. Burp Suite is a Java based Web Penetration Testing framework, an industry standard suite of tools used by information security professionals to identify vulnerabilities and verify attack vectors for web-based applications. Individual HTTP requests can be paused, manipulated and replayed back to the web server for targeted analysis of parameter specific injection points. Injection points are specified for manual and automated fuzzing attacks to discover potentially unintended application behaviours, crashes and error messages. GIS Cloud has successfully undergone security review by 3rd party Vendors.
- Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
- AWS uses proprietary techniques to mitigate and contain DoS/DDoS attacks to the AWS platform. These are additional methods in use to defend the servers: OS-level firewall (iptables); ModSecurity - an open source, cross-platform web application firewall (WAF) module; Snort - Network Intrusion Detection System (NIDS). Wherever possible, protection systems are set up with monitoring and alert thresholds that immediately notify the GIS Cloud systems administrators of all critical incidents. Suspicious behaviour is logged and reported on a weekly basis.
- Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
- When a security breach or potential breach is uncovered, an email must be sent to abuse@giscloud.com to register the breach. Incidents are categorized thus: • Low severity: for suspicious behaviour that is not verified and which has not been deemed worthy of an emergency response. • High severity: for issues where the threat is real, but there is no record of it having been exploited by malicious actors. • Critical severity: for issues where there's record of active exploitation. Incident reports are supplied by email.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Separation between users
- Virtualisation technology used to keep applications and users sharing the same infrastructure apart
- Yes
- Who implements virtualisation
- Third-party
- Third-party virtualisation provider
- AWS
- How shared infrastructure is kept separate
- This is under jurisdiction of our server provider - AWS.
Energy efficiency
- Energy-efficient datacentres
- Yes
- Description of energy efficient datacentres
- Our services are hosted on AWS. We are not aware if they have signed the EU code of conduct, but they do take care about the energy efficiency of their data centres.
Social Value
- Social Value
- Fighting climate change
- Covid-19 recovery
- Tackling economic inequality
- Equal opportunity
- Wellbeing
Fighting climate change
Land use and grounds maintenance data captured into your GIS can be used to calculate your carbon consumption as part of your drive to achieve carbon net zero. The results can be used as part of your SHIFT response. The SHIFT Assessment is a sustainability standard specifically designed for the housing sector. It serves as an independent assessment and accreditation scheme that demonstrates organisations are delivering against challenging science based environmental targets.
We have taken the decision to encourage staff to work from home when at all possible to reduce carbon footprint. Clients using our service save travel time (and thus carbon emissions) as the number of site visits is reduced as information can be viewed through the GIS.
Covid-19 recovery
When the Coronavirus outbreak first started, it was clear that contingency plans should be put in place in the event of home working. This included mapping drive time areas from staff postcodes to assist with business planning. Since the lockdowns and the rise in home working, having spatial data accessible online has cut down on travelling, particularly on site visits enabling swifter responses to issues as they arise.
Initially, throughout the first 2 years of the COVID-19 crisis we published a daily map with data from ONS to track the level of outbreaks and offered it for free to all social housing organisations. They were able to plot all their properties along with staff residences to plan for business continuation.
Tackling economic inequality
Our pricing is competitively set by passing on savings to our social housing clients achieved by efficient working. We also have an active plan to ensure clients get the maximum ROI so they can pass on benefits to their tenants.
Equal opportunity
We have an Equal Opportunities Policy which we can share with any potential buyer.
Wellbeing
GIS allows staff to work in a less stressful environment as more information is available at their fingertips. They will be able to do their jobs quicker, for example being able to answer queries or complaints efficiently reducing potential animosity from tenants.
Pricing
- Price
- £250.00 a licence a year
- Discount for educational organisations
- No
- Free trial available
- Yes
- Description of free trial
- Hosting, loading of client's data and demonstration with some training. Usually limited to one month but can be extended.
- Link to free trial
- https://portal.giscloud.com/map/1939740/odc-gis-open-data