
Protocol Policy Systems Ltd.

Policy Management as a Service

Policy Management as a Service makes developing, delivering and managing IT policies easy and puts in place the foundations for a secure computing environment. Policies are tailored to the client's business requirements and mapped to recognised standards and best practice. A range of functions assist with ongoing user and content management.

Features

  • Efficiently develop, deliver and maintain customised IT policies
  • All policies are mapped to recognised standards and best practice
  • Our subject matter experts keep your content up to date
  • Supporting resources include security awareness videos, template forms, compliance content
  • Manage user engagement - review reminder service and reporting
  • Manage content - stakeholder mode, policy review reminders, change-request function
  • Access made easy with SSO
  • Service is branded and customised for customer
  • Test user comprehension of policy content with Quiz mode
  • On screen user policy acceptance mode option available

Benefits

  • No requirement for in-house specialists focussed on writing policies
  • PPS ensure policies follow best practice
  • Subject matter experts provide guidance on policies when required
  • Manage and measure engagement with the policy content
  • Test user comprehension of the policy content
  • Manage user policy acceptances with the PMaaS onscreen acceptance option
  • Efficiently address audit, governance, regulatory requirements
  • Build organisational security awareness and maturity
  • Change Request function - our experts review your policy edits

Pricing

£5,000 to £27,500 a licence a year

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at steve.macmillan@protocolpolicy.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

485199337324640

Contact

Protocol Policy Systems Ltd. Steve Macmillan
Telephone: 0845 241 0099
Email: steve.macmillan@protocolpolicy.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
No constraints - service based on AWS
System requirements
  • Access to the service is from a browser
  • Microsoft Edge
  • Internet Explorer 10+
  • Firefox
  • Chrome
  • Safari

User support

Email or online ticketing support
Email or online ticketing
Support response times
Weekdays: <12hrs
Weekends: <24hrs
User can manage status and priority of support tickets
No
Phone support
No
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
PMaaS comes with one level of support. Assistance can be requested through the customer's own PMaaS admin menu or via email to support@protocolpolicy.com. Change requests can also be made via the customer PMaaS admin menu. Support and change requests received during business hours are responded to within 12hrs of receipt. There are no charges for support under our subscription model. Direct access to your Account Manager and Technical Support can be arranged should a customer request a phone-based support call, and this would not typically be chargeable.

Our Support and Maintenance Plan provides:
- Fixes for anything that is not functioning correctly within the service
- The ability to upgrade to the latest version of PMaaS when updates are released, at no cost. These updates deliver the new functionality and content PPS introduce during a 12 month period
- Phone and email support for assistance with any queries or issues regarding the functioning of the software
- Support assistance and change request functions provided within each customer's service administration portal
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Once an organisation has signed up for a subscription to Policy Management as a Service we provide them with access to a first draft suite of policies for review purposes and conduct a kick-off meeting. This meeting steps the customer through some of the key set-up processes: user enrolment, stakeholder engagement, admin functions etc. We also provide guides on the stakeholder role and the format of our policy workshop. The policy workshop is run by a Protocol Policy Systems consultant after a customer has completed their internal review of content with those engaged as stakeholders. The workshop is designed to step the customer through the policy wording so it can be customised to their business requirements. Within PMaaS we provide video and text content on how to navigate the service, plus a comprehensive administration guide, SAML/ADFS guide and API guide. Should a customer request bespoke training, this can be arranged at additional cost.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Data extraction is done using our output function in the Customer Administration Menu. Output is DOCx and/or ZIP file based.
PMaaS is a content based IT Policy Management system customised specifically to each client for information governance. The service provides for the delivery of the customised content, additional supporting content, policy management functions and subject matter expertise.
At the end of a contract term we would delete the website and customer access. Should a customer wish to output copies of their policies before the end of the contract term they can do so. There is no other data to extract.
End-of-contract process
Our subscription model provides customers with fully customised policy content for their business requirements, mapped to recognised standards and best practice. For the duration of a subscription term we assist our customers to keep the content up to date and fit for purpose. Should standards guidance change, Protocol Policy Systems are responsible for interpreting this detail and then guiding customers through any required or recommended policy changes. Aside from the policy and standards content we also provide supporting content such as security awareness videos, form templates, supporting guides and documentation. Customers can make ongoing changes to their policies under their subscription fees; there is no charge associated with these requests, and they have access to subject matter expertise to assist with the requests. From signing a subscription contract to the end of a 3 year subscription term there is no additional charge applicable to develop, deliver and maintain the contents of our service. Each year we deliver all customers two PMaaS enhancement releases that are designed to introduce new functionality or improve existing functionality.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The mobile app has a different menu layout to make navigation of the service easy on a smaller screen.
Service interface
Yes
User support accessibility
None or don’t know
Description of service interface
We provide each of our customers with access to a Client Menu which allows their Primary Users or System Administrators to manage a range of functions such as password resets, user enrolments, content visibility settings, usage reports and more.
Accessibility standards
None or don’t know
Description of accessibility
We have a WCAG audit booked for May 2024 so accessibility rating detail is therefore to be confirmed.
Accessibility testing
Minimal testing to date; however, it is a project for 2024 as we have existing customers who wish for us to introduce support for WCAG accessibility standards and assistive technology.
API
Yes
What users can and can't do using the API
Our API allows secured external access to client policy content. Policy content is stored in a database, and the API returns policy content from the database in response to a client request. The client must specify the data required and supply an authentication token. The API uses a Bearer Token. Bearer Tokens are both complex and secured by the HTTPS protocol. They can also be fine-tuned to limit their access, but in the case of PMaaS they are already limited to two functions: Policy and Statement. Both functions can return up to 6 fields of data as JSON.
API documentation
Yes
API documentation formats
PDF
API sandbox or test environment
No
Customisation available
Yes
Description of customisation
What can be customised?
• Wording of the policy content - statements and explanations
• Changes to job roles, titles, organisation structure references etc as detailed in the questionnaire or during the review workshop
• Names of the Policy documents
• Additional policy statements or policy documents if required
• Removal of content from within a policy document, including, if necessary, the removal of the entire policy
• The site header or banner - we can create or customer can provide
• The colour of the menu
• The addition and removal of forms, guidelines, logs, procedures and processes from the Forms, Logs and Guidelines, and Procedures and Processes pages
• The inclusion of compliance options as indicated on the questionnaire - these are limited to those that we have already cross referenced to within PMaaS
• What is included in the topic index
• Changes or additions to the Top Security Tips for Users page
• What appears in the Acceptable Use Policy.
How do we customise? Customisation options can be selected during the delivery process or via a change request after delivery. Protocol Policy Systems take care of the customisation work.

Scaling

Independence of resources
Our content-based Policy Management as a Service offering is customised specifically for each client for information governance. We provide policy development, delivery and management services, i.e. subject matter content only. As such there are no end-user transactions within the service that create a high demand on the service.
Our hosted service is with AWS EC2 service in the UK.

Analytics

Service usage metrics
Yes
Metrics types
We provide reports on user engagement with the service, most frequently visited content pages, policy compliance reporting based around our online user policy acceptance option, stakeholder activity.
Reporting types
  • API access
  • Regular reports

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
We provide a document output option that is DOCx or PDF based, depending on the document type.
There are several management reports that can be output in CSV format.
Data export formats
  • CSV
  • Other
Other data export formats
  • DOCx
  • PDF - specific documents
  • CSV
Data import formats
  • CSV
  • Other
Other data import formats
  • PDF
  • HTML links to existing document store

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
Authentication, Encryption

Availability and resilience

Guaranteed availability
The content provided within Policy Management as a Service is customised specifically for each client for information governance. Availability is guaranteed subject to the customer's own access to, and the availability of, their internet/intranet services.
We are providing policy management subject matter expert content only.
AWS, our hosting partner, will use commercially reasonable efforts to make the Included Services each available for each AWS region with a Monthly Uptime Percentage of at least 99.99%.
Approach to resilience
The AWS Business Continuity plan details the process that AWS follows in the case of an outage, from detection to deactivation. AWS has developed a three-phased approach: Activation and Notification Phase, Recovery Phase, and Reconstitution Phase. This approach ensures that AWS performs system recovery and reconstitution efforts in a methodical sequence, maximizing the effectiveness of the recovery and reconstitution efforts and minimizing system outage time due to errors and omissions.

AWS maintains a ubiquitous security control environment across all regions. Each data centre is built to physical, environmental, and security standards in an active-active configuration, employing an n+1 redundancy model, ensuring system availability in the event of component failure. Components (N) have at least one independent backup component. All data centres are online and serving traffic. In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Customers are responsible for implementing contingency planning, training and testing for their systems hosted on AWS. AWS provides customers with the capability to implement a robust continuity plan, including the utilization of frequent server instance back-ups, data redundancy replication, and the flexibility to place instances and store data within multiple geographic regions across multiple Availability Zones.
Outage reporting
Public dashboard; personalised dashboard with API and events; configurable alerting (email / SMS / messaging).

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
PMaaS is delivered as a single instance of the web application per customer. All access restrictions are determined by our customers with our technical team. Each unique instance of PMaaS supports two factor authentication from any TOTP token and/or SAML 2.0 integration with Azure AD/ADFS for SSO. Access to each unique instance’s administration area is restricted only to that customer’s site users who have been authenticated and assigned with administrative privileges. Users with administrative privileges can raise support requests via the administrative area, telephone or email with PPS who will authenticate the identity of the user by validating selected details.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Between 1 month and 6 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 1 month and 6 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
EY CertifyPoint
ISO/IEC 27001 accreditation date
22/11/23
What the ISO/IEC 27001 doesn’t cover
N/A - hosting provider holds certification
ISO 28000:2007 certification
No
CSA STAR certification
Yes
CSA STAR accreditation date
22/11/23
CSA STAR certification level
Level 4: CSA C-STAR Assessment
What the CSA STAR doesn’t cover
N/A - hosting provider holds certification
PCI certification
Yes
Who accredited the PCI DSS certification
Coalfire Systems
PCI DSS accreditation date
18/12/23
What the PCI DSS doesn’t cover
N/A - hosting provider holds certification
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
  • 27018 - hosting provider
  • Cyber Essentials - hosting provider
  • Cyber Essentials Plus - hosting provider
  • PSN - hosting provider
  • ISO27017 - hosting provider
  • ISO27018 - hosting provider
  • SOC 1-3 - hosting provider
  • ISO9001 - hosting provider

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
PPS meet monthly to discuss Risk Management considerations, e.g. identification, assessment and prioritisation of risks to the organisation's information assets.
PPS enforce security policies, standards, and procedures that define acceptable behaviours and practices by team members.
Security Awareness and Training sessions are held every 6 months to assist employees to understand security risks.
An Incident Response Plan has been documented and is tested annually so PPS can detect, respond to, and recover from security incidents effectively.
Metrics are used to assess the effectiveness of security controls, processes, and strategies.
Continuous improvement and adaptation are applied to all of the above on an ongoing basis.
Information security policies and processes
PPS require all team members to comply with a range of policies. The policies are written for user, manager and technical roles and mapped to standards guidance such as ISO27002 and ISO27017. Policies are reviewed by management on an annual basis and signed by each team member. Compliance with policy is maintained through the use of technical controls and reporting, and user awareness training.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Changes to AWS services and features follow secure software development practices, including security risk reviews prior to launch. Developer access to production environments is via explicit access system requests, subject to owner review and authorisation.

Teams set bespoke change management standards per service, underpinned by standard AWS guidelines.

All production environment changes are reviewed, tested and approved. Stages include design, documentation, implementation (including rollback procedures), testing (non-production environment), peer to peer review (business impact/technical rigour/code), final approval by authorised party.

Emergency changes follow AWS incident response procedures. Exceptions to change management processes are documented and escalated to AWS management.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Scanning is done at least once per month.

Patching:
• critical - within 2 days
• important - within 7 days
• everything else - within 30 days

Threat and patch information is obtained from a subscription service (e.g. SANS) and from the system vendor (e.g. Microsoft), who provides details of where to obtain an updated version, patch or fix.

AWS Security performs vulnerability scans on the host operating system, web applications, and databases in the AWS environment. Approved 3rd party vendors conduct external assessments (minimum frequency: quarterly). Identified vulnerabilities are monitored and evaluated. Countermeasures are designed and implemented to neutralise known/newly identified vulnerabilities.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
AWS deploys (pan-environmental) monitoring devices to collect information on unauthorized intrusion attempts, usage abuse, and network/application bandwidth usage. Devices monitor:

• Port scanning attacks
• Usage (CPU, processes, disk utilization, swap rates, software-error generated losses)
• Application metrics
• Unauthorized connection attempts

Near real-time alerts flag potential incidents, based on AWS Service/Security Team-set thresholds.

Requests to AWS KMS are logged and visible via the account's AWS CloudTrail Amazon S3 bucket. Log entries record the request, the CMK under which it was made, and the AWS resource protected through use of that CMK. Log events are visible to the customer after turning on AWS CloudTrail in their account.
Incident management type
Supplier-defined controls
Incident management approach
Our internal service desk is designed and implemented on the best practice service management principles of ITIL.
There are predefined processes for common events such as password resets, request and incident management (such as new user/software requests), and system modifications via change management.
AWS adopts a three-phased approach to manage incidents:

1. Activation and Notification Phase
2. Recovery Phase
3. Reconstitution Phase
To ensure the effectiveness of the AWS Incident Management plan, AWS conducts incident response testing annually.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Social Value

  • Fighting climate change
  • Equal opportunity
  • Wellbeing

Fighting climate change

• Engineering our professional services to be delivered by remote mechanisms
• Adopting a cloud first approach to internal technologies, and reducing, consolidating, and removing hardware from on-premise
• Offering support and assistance for team members working from home
• Engaging with our customers and team members to identify any improvement areas

Equal opportunity

At PPS we uphold the principles of equality. We provide equality of opportunity in employment irrespective of a person's sex, gender, gender identity, marital status, religious belief, ethical belief, colour, race, ethnicity, disability, age, political opinion, employment status, family status or sexual orientation.
We believe it is important to identify and eliminate any barriers that would cause or perpetuate, or tend to cause or perpetuate, inequality in respect of the employment of any person or group of persons.
All PPS staff appointments are made solely on the basis of merit, and all promotions, advancements, salary reviews and professional/career development opportunities are based solely on merit.

Wellbeing

As an employer PPS use the following to maintain good wellbeing within the Team:
• Open communication – any team member can speak up about any concerns at any time and know they will be heard.
• Any team member should feel supported to seek help for any issues or distress.
• Clearly define what is expected of each person who works for the company – work tasks and acceptable behaviour.
• Check in with team members at agreed intervals to discuss workload management and any issues.
• Offer flexible work practices wherever possible.
• Support opportunities for professional skills development and growth.
• Employ and promote people based on their abilities, rather than any perceived disabilities.
• Zero tolerance for any bullying, harassment, or discriminatory behaviour.

Team members are expected to assist with ensuring we maintain a culture of wellbeing at work by:
• treating everyone with respect and civility
• speaking up if help or support is needed
• being supportive of other team members who have wellbeing issues
• speaking up about any bullying, harassment, or discriminatory behaviour observed in our workplace
• taking steps to stay mentally healthy at work
• asking about options (e.g. flexible working arrangements, special leave) if they feel they need time away from work to manage their mental health.

Pricing

Price
£5,000 to £27,500 a licence a year
Discount for educational organisations
Yes
Free trial available
No