VERISK SPECIALTY BUSINESS SOLUTIONS LIMITED

Staff Attendance Recording System (StARS)

StARS is an integrated personnel management system for fire and rescue services. The system manages staff data and appliance availability, rostering, sickness management and reporting. It provides key management information for strategic planning and decision making.

Features

• Integrated with mobilising systems (Vision, ProCAD)
• Integrated with HR systems (Cyborg, ResourceLink)
• Integrates with payroll systems via data extract
• Real time management reporting
• Recording of attendance, absence and sickness

Benefits

• Supports the front line whilst delivering back office savings
• Single point of data capture
• Elimination of dual data entry and paper processing
• Quicker and more effective deployment of resources
• Real time view of resource availability
• Provides key management information, allowing strategic planning and decision-making
• Improves resilience and efficiency for both support and operational staff
• Improved workforce strategic planning of staffing levels and shortfalls
• Streamlines the process of managing personnel and resources
• Self administration and configuration

£10,000 a licence a month

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at simon.lamb@verisk.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

236875541068782

Contact

Simon Lamb
020 7655 3000
simon.lamb@verisk.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: None
• System requirements: Gazetteer

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Responding to questions is on a best endeavours basis within a working day. For application issues and depending on severity but normally within two hours of a support log being raised.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Onsite support
• Support levels: Support is provided via a helpdesk between the hours of 9am-5pm Monday to Friday. The cost of this support is included in the product costs.; ; Application support outside of these hours can be provided at additional cost subject to mutual agreement. Outside of normal support hours our hosting team provides support service between 8am-6pm and outside of those hours we have critical infrastructure support for availability issues only.; ; Support issues can be raised via email, portal and phone and subsequently managed, monitored and tracked via the Zendesk support portal. The support portal is available 24x7 and is staffed from 9am – 5pm on working days. ; ; A client account manager, service delivery manager and support team are available as part of the service.; ; In addition, application hosting is 24x7x365 excluding planned maintenance windows, hosted services are covered for critical events outside standard support hours listed.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: We provide on-site and online training and documentation.; ; We include additional support known as ‘hyper care’ for an agreed amount of time following go live. This is in addition to the standard support and maintenance service. The objective of this additional support is to ensure a smooth transition from Implementation to Business as Usual, as Verisk recognise that during the period following go live, clients face a number of challenges such as an increased volume of requests for help and support from users becoming familiar with the platform.; During hyper care, the Verisk team would provide the following assistance:; • Supporting first line support activities such as responding to ad hoc questions and queries and general assistance of the business users; • Supporting the investigation and analysis of issues; • Carrying out analysis and developing solutions (data fixes, application changes) as required; • Supporting the platform and hosted services
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: An extract of the data will be provided in CSV format.
• End-of-contract process: Within 28 days of termination of a contract with a client or as otherwise agreed a chargeable Statement of Work to manage the exit of the Service would describe the appropriate handling of client data, including returning the data to the client and secure destruction of data.; Verisk follows a documented process to ensure all areas of the Verisk business are engaged to confirm complete and clean separation ensuring secure protection of:; • Client's data to be returned and/or destroyed - usually in the form of a widely used and accepted industry standard, e.g. MS SQL backup files, CSV or native file formats. Other formats can be requested but these would be subject to the agreed exit statement of works; • Client's IP is returned and purged from within Verisk; • Verisk's IP is returned and purged from Client; • Verisk's internal records and process manuals are updated accordingly.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Chrome
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The application is available to be used on any internet browser, however it is best viewed on desktop or tablet devices
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Desktop application surfaced via a browser.
• Accessibility standards: None or don’t know
• Description of accessibility: All of the functionality is available to users based upon individual roles and security.
• Accessibility testing: None.
• API: Yes
• What users can and can't do using the API: The API provides methods that provide the following functionality:; Booking Leave; Employee Details; Teams/Employees for Shifts and Stations; Appliance Details; Appliance Riders; ; The API is initiated upon request.; ; The API methods provide the full functionality required to complete those tasks and are available to be accessed/used whilst a subscription is held.
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: No
• Customisation available: No

Scaling

• Independence of resources: Verisk's standard (also referred to 'Tier 2') Managed Service utilises a shared AWS tenancy, however environments have dedicated infrastructure (not shared) so there are none of the concerns with shared resources associated with typical 'multi-tenant' offerings. Security perimeters are in place with virtual firewalling (in AWS).; ; AWS Managed Service environments are fully segregated by client, and by production and non-production purposes.

Analytics

• Service usage metrics: Yes
• Metrics types: We are able to show activity monitoring and access, however, in the project it is important to explicitly define the requirement and test the outputs meet the business need.; ; Service metrics include:; ; - Concurrent connections to the service; - Application activity
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: The Encryption Policy requires that all encryption should use common, well-understood ciphers that follow the standards outlined in the Federal Information Processing Standard (FIPS) Publication 140-2, including: AES 256, and TLS 1.2, and that encryption is automated where possible.
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Data can be exported upon request.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: The Verisk AWS managed service offering has an SLA of 99.5% uptime for 'Standard' (Tier 2) or 99.9% for Bespoke/Tier 1.; ; Verisk does not apply a methodology of penalties/service performance credits as standard as part of our contracts with clients. As such, this would need to be discussed as part of any further commercial negotiations.
• Approach to resilience: AWS provides identified critical system components required to maintain the availability of our system and recover service in the event of outage. Critical system components are backed up across multiple, isolated locations known as Availability Zones.; Each Availability Zone is engineered to operate independently with high reliability. Availability Zones are connected to enable you to easily architect applications that automatically fail-over between Availability Zones without interruption. Highly resilient systems, and therefore service availability, is a function of the system design.
• Outage reporting: Verisk will predominantly utilise email communication, via Verisk's Service Management toolset 'Zendesk'. This is in line with our Core Service Guide that can be provided on request.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
• Other user authentication: Verisk support SSO with MFA via customer-federated authentication, where we can utilise either Okta, Microsoft Entra Id (Azure AD) and; JumpCloud.
• Access restrictions in management interfaces and support channels: Claim and Role based authorisation.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: Less than 1 month

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: LRQA
• ISO/IEC 27001 accreditation date: 23/11/2023 with annual inspection
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • ISO 27001
  • SOC1 Type II
  • SOC2 Type II

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: SOC2 Type I; SOC2 Type II
• Information security policies and processes: Verisk has implemented an Information Security Management System (ISMS) based on ISO/IEC 27001, and used this International; Standard, together with ISO 27002 (Code of Practice), as a reference for selecting controls and managing security risks.; Verisk’s ISMS aims to take a holistic and coordinated view of the organisation’s information security risks in order to implement a comprehensive suite of information security controls under the overall framework of a coherent management system.; Through the implementation of the ISMS, Verisk has gained ISO27001 accreditation and follows a strict InfoSec policy to maintain such.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Verisk’s approach to managing IT infrastructure changes aligns with ITIL principles. Change roles, types of change and the process for creating and managing change are clearly defined. Their objectives include maintaining integrity, security, performance, and availability of existing systems, ensuring compliance with standards, delivering efficient changes, and allowing retrospective analysis of failed changes. Each IT Operational change requires both Technical approval and Business approval, with change history being logged and maintained, to support these objectives. Visual Studio Team Services to track changesets on code base. Impact assessment with regards to overall solution and design. Security assessment when changing API methods.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Verisk operate documented Patching, Vulnerability Management, Scanning and Remediation procedures. Services are scanned by a range of tools, findings are categorised and defined to a CVSS score. Tracked vulnerabilities are addressed according to an agreed action plan. External, internet facing, IP addresses, owned by Verisk, all production and non-production internet facing URLs/fully qualified domains names, hosting Verisk products are scanned on a daily basis based on Tenable IO. Internal IP address scans are performed on all servers, desktops, laptops, appliances and networking devices, using enable IO. Vulnerabilities are escalated, addressed based on severity and reported to the Executive Team monthly.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: The following logs are captured to facilitate security event analysis, diagnosis and evidence. These logs are secured in a tamperproof format:; •Active Directory security logs; •EC2 Configuration; •AWS Cloudwatch events; •AWS EC2 / Microsoft Server / Verisk Product Security Logs; •AWS S3 and EBS Storage Security Logs; •Shared VPC tooling security logs; •Imperva DAM and Crowdstrike; Additional application logs (native to operating systems and Verisk products) are captured for troubleshooting purposed, not in tamperproof format, but access is audited. Systems are synchronised to a regional Domain Controllers, via group policy to ensure logging has the correct timestamp.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Our Information Security Incident Management Procedure includes Roles and Responsibilities, procedures for reporting incidents and Management and Communication plans. Formal awareness training is provided to all staff which inform them of the need to report incidents or weaknesses. All reported incidents are immediately communicated to Verisk’s Information Security and Compliance Function, where they are analysed to determine whether a risk, nonconformity, incident or opportunity for improvement has been reported. The Information Security Function operates a formal incident log (referred to as the Information Security Improvement Plan), that captures events, incidents and non-conformities, along corrective actions and improvements.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Wellbeing

  Fighting climate change

  The replacement of paper based systems contributes to climate protection, and towards minimising climate change through minimising deforestation.

  Wellbeing

  This system directly addresses the protection of the public through more streamlined and efficient mobilisation to incidents.

Pricing

• Price: £10,000 a licence a month
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at simon.lamb@verisk.com. Tell them what format you need. It will help if you say what assistive technology you use.