Marston Holdings Ltd

Apply

Apply is a web-based permit/licensing solution that has been designed for Clients to self-serve and reduce client administrative costs. It is highly configurable, caters for virtual and/or paper permits, is accessibility compliant and has features like - Emissions based permits/pricing, Pre-Pay/Pay as you go, Visitor sessions and Tiered pricing.

Features

• Web based customer portal compliant to WCAG 2.1 AA
• Single screen, user centric UI for permit management
• Modern Intuitive User Interface leading giving an excellent UX
• Ability to export data as CSV for external analysis
• Highly resilient, secure and PCI Compliant payments
• Emissions based pricing is available
• Integrated Experian option to minimise backoffice document approval
• Automated customer reminders
• Mobile responsive User Interface (UI)
• Clients can self serve, setup up Zones and permit types

Benefits

• Streamlining Permit Management processes for Local Authorities
• Simplifies the application/ issuance and management of permits, creating efficiencies
• Designed with both customers/end users experience at its centre
• Delivers virtual and/or paper-based permits with ease
• Automates complex pricing models
• 24/7 web access allowing customers to purchase permits any time
• Allows customers to apply for, renew, manage their permits online
• Automates processes, permit reminders, application approvals, change of vehicles
• Ensures the highest standards of data security and privacy compliance
• Improve reporting functionality to provide more granular data

£1.50 to £2.15 a unit

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at warren.mcadam@marstonholdings.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

517659037381540

Contact

Warren McAdam
03333203355
warren.mcadam@marstonholdings.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: As this permits solution is built around a PCIDSS compliant payment platform, we must adhere to PCI governance rules.
• System requirements: Apply is accessed via a browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: P1: 15 minute resolution response time, Incident frequency update every 30 minutes, 4 hour incident resolution time.; P2: 30 minute resolution response time, Incident frequency update every 60 minutes, 8 hour incident resolution time.; P3: 180 minute resolution response time, Incident frequency update daily, 48 hour incident resolution time.; P4:360 minute resolution response time, Incident frequency update daily, 120 hour incident resolution time.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: Escalation to tech teams is available in and out of core hours.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: As part of the implementation we would provide a mix of virtual and onsite training to user groups. We would also provide training manuals and videos where appropriate.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: As part of the contract exit commitments we will agree to give them their extracted data in a format and a frequency that is agreeable to all parties
• End-of-contract process: We will support the data migration and shut down services and decommission environments and finally delete any clients specific data as agreed with the buyer.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: For Apply, The Customer Portal and the Backoffice Portal are mobile responsive browser based solutions.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Apply is made up of 2 parts - the Customer Facing account and permit management portal and the back office web based portal where by approved users that the Client allows access can manage the lifecycle of a permit.
• Accessibility standards: None or don’t know
• Description of accessibility: You can:; change colours, contrast levels, fonts; zoom up to 300% without text spilling off screen; navigate most of website using keyboard and/or speech recognition software; listen to most of the website using a screen reader (including uptodate versions of JAWS, NVDA and VoiceOver); Website text is as simple as possible.; Some parts of website are not fully accessible:; The website colour button overlaps on the account home page if you enlarge font size; An aria link broken on the page and a missing form label affecting people using assistive technology like screen reader
• Accessibility testing: Apply has been externally tested by a qualified testing company to ensure that we meet WCAG 2.1AA Accessibility including testing using Assistive technologies.
• API: No
• Customisation available: Yes
• Description of customisation: This is a SaaS based product so buyers can influence the roadmap and pipeline of features but can configure their system in terms of data and workflow.

Scaling

• Independence of resources: We proactively monitor the system to ensure we can scale up or down to meet demand but also ensure that we performance test all functionality to meet our non-functional requirements.

Analytics

• Service usage metrics: Yes
• Metrics types: We can create data views and extract data as CSV for the clients on the required metrics.
• Reporting types: Regular reports

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Physical access control, complying with CSA CCM v3.0
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: We would extract the required data for the clients. Some users may be able to extract data from the reports, but we think there would be more fields required so would do this for them.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • PDF
  • JPEG
• Data import formats: Other
• Other data import formats:
  • JPG
  • PNG
  • PDF
  • BMP

Data-in-transit protection

• Data protection between buyer and supplier networks: Other
• Other protection between networks: The application is only accessed via the internet
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We agree the service credit regime with the buyer before contract sign.
• Approach to resilience: 99.70%
• Outage reporting: We proactively monitor the system and have automated email alerts that can raise incidents in our ITSM. We can add the clients into a group to receive these if required

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Other user authentication: Multipe types of authentication are used across the solutions and infrastrucure based on the security classifciation of the solution for data, the autenticiation types used are as follows; ; - All users will be issued with a unique account ; - Access levels are always set using a least priveledge methodolgy ; - Authentciation using a unique usernam and password; - Authentciation against an active directory environment with Goup policy controls; - Single Sign on where avaliable ; - Multifactor authentication using a app based validation method
• Access restrictions in management interfaces and support channels: Access levels are defined for each user or user group; ; Access is provided using a least privilege approach with users only being provided with the necessary access level to undertaken their role
• Access restriction testing frequency: At least every 6 months
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 29/08/2019
• What the ISO/IEC 27001 doesn’t cover: The ISO 27001 scope excludes the following areas of the business ; - Sales Team ; - Marketing team ; and any other functions that are not linked to the production environment or team members.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Nettitude
• PCI DSS accreditation date: 02/06/2023
• What the PCI DSS doesn’t cover: The Areas not covered by the Pci Accreditation are as follows; - Anything outside of the production environment and team members; - Staging environment ; - Integration environment
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Cyber Essentials ; PCI DSS V4
• Information security policies and processes: Key IVR develop, support and host Apply for MHL. ; They have an inhouse ISMS which includes policies and procedures for all elements of security in line with ISO27001 and PCI DSS accreditation; To ensure compliance with these policies and procedures the following actions are undertaken. ; - Full security training is provided during employee induction. ; - Mandatory Quarterly security awareness training sessions held for all employees which is a refresher to induction training, introducing any new changes ; To monitor effectiveness of this training and adherence to policies, the following actions are taken ; - Completion of internal audits annually ; - Completion of external audits annually; - Monthly security steering group meetings held by the senior security team members ; - Ad hock checks completed on a weekly basis and testing of team members ; Where a non compliance is identified this is logged and an action plan assigned, monitoring is then implemented following the completion of the action plan to ensue its effectiveness of rectifying the non compliance.; ; The following documents are attached for Reference ; - ISMS-DOC-09-1 Process for Monitoring, Measurement, Analysis and Evaluation V5 Release; - ISMS-DOC-09-2 Procedure for Internal Audits V6 Release; - ISMS-DOC-09-4 Procedure for Management Reviews V6 Release

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Changes can originate from multiple sources, including the following ; ; - An incident issue; - New Hardware ; - New Software ; - New functionality ; - Infrastructre updates ; - Legislation changes ; - Security update ; - Business changes ; - Service retirement ; ; All changes are managed using the following methodology ; ; - Raising of a change case ; - Case validation and priorty assigment; - Risk Assessment and resource requirements for the change ; - Approval for the change; - Change Implementation; - Testing ; - Monitoring the change ; - Review the change process lessons learned ; - Case Closure; ; See attached for details ; ; ISMS-DOC-A12-2 Change Management Process V6 Release
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Key IVR Manage vulnerabilities inline with the following process which are included for reference ; ISMS-DOC-A12-8 Technical Vulnerability Management Policy V6 Release; ISMS-DOC-A12-9 Technical Vulnerability Assessment Procedure V5 Release; ; The following methods are utalised for the management of vulnerabilities ; - Hardening of all hardware and software to limit vulnerabilities ; - Deployment of vendor updates and patches within 30 days of being made available, typically these are deployed within 14 days ; - Security Awareness training for staff; ; When assessing vulnerabilities we review the following ; - Impact ; - Likelihood of occurrence ; - Risk Treatments
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: To effectively monitor the security and operation of the solution and its underlaying infrastructure the following are utilised ; ; - Firewall security appliances protect the perimeter of the network with the include of IPS and IDS with active alerting and blocking of IP addresses. ; - Full activity auditing to the central logging service ( Logins, changes ETC ) ; - Monthly Internal infrastructure and external infrastructure vulnerability scanning; - Full monitoring for the operation and health of all infrastructure and solutions; - Daily health check and audit log reviews ; - Automated alerting for defined events
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: The management of incidents Is undertaken in line with the following policies which are attached for reference ; - ISMS-DOC-A16-1 Information Security Event Assessment Procedure V5 Release; - ISMS-DOC-A16-2 Information Security Incident Response Procedure V6 Release; ; The highlevel process for managing an incident is as follows; - Incident raised or detected; - Incident response team assembled ; - Review the incident ; - Impact and risk assessment completed. ; - Communication strategy agreed; - Action plan defined and agreed ; - Action plan implemented ; - Effectiveness review and monitor ; - Post incident activities completed ; - Lesson Learned ; - Incident closed ; - Policy review

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  In the early stage of deploying the contract, a comprehensive life cycle analysis of the product can be undertaken. This analysis, employing a holistic life cycle approach, aims to delve into the emissions associated with the manufacturing process, transportation and distribution, and waste generation after the product has reached its end of life.; ; As part of our commitment to sustainability, we will assess the emissions generated by our office-based workforce. This will include emissions from advisory and support personnel involved in the contract deployment, ; ; Once a baseline is established through this thorough assessment, we are dedicated to writing a carbon reduction plan by Year one and offsetting any identified emissions in year 2. To achieve this, we have partnered with Ecologi, our offsetting partner. Through their robust and credible offset programs, we aim to halve contractual emissions starting from the second anniversary of the contract.

Pricing

• Price: £1.50 to £2.15 a unit
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at warren.mcadam@marstonholdings.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.