Virtualstock Ltd

Framespan - Frameworks Directory

Framespan is a platform, that holds multiple procurement frameworks from a range of public sector framework providers.

Features

• All public sector frameworks on one platform
• Remote Access / cloud based
• Single, easily searchable directory of multiple framework providers data
• In built training resources
• Permission controlled framework views
• Framework search and filters tools
• Saved favourite frameworks

Benefits

• Reduce time searching for frameworks / increased efficiency
• Reduction in waivers / improve compliance
• Improved clinical outcomes through broadened framework search
• Save time by quickly assessing the whole market
• Broaden range of framework providers used

£2,500 a licence a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gareth.mcfarlane@virtualstock.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

588460564041502

Contact

Gareth McFarlane
07720898752
gareth.mcfarlane@virtualstock.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: N/A
• System requirements: Only requirement is a support Browser Type/Version

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: 72 hours
• User can manage status and priority of support tickets: No
• Phone support: No
• Web chat support: No
• Onsite support: No
• Support levels: The Framespan platform is a true SaaS model, and therefore does not have defined SLA’s regarding end- user support as all functions are self-service.; ; Virtualstock will use commercially reasonable endeavours to ensure the availability of the Framespan platform but does not commit to any other service levels. Virtualstock assumes no responsibility for any service.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Upon subscription, users can self register an account via web browser.; In system training tools are available to the users, including videos, documents and walk-through tutorials.; No additional setup is required
• Service documentation: No
• End-of-contract data extraction: The platform is a repository of framework data for users to search. No transactional information is recorded in the platform by buyers, and therefore there is no requirement for extracting data when contract ends.
• End-of-contract process: At the end of the contract, user access is removed for all users in the organisations. The platform is a search tool for frameworks, and does not require any end of contract activities to take place.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: All functionality is available on both mobile and desktop versions of the platform
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: No

Scaling

• Independence of resources: AWS EC2 Auto Scaling triggered by high system load

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: There is no data export feature in the platform.
• Data export formats: Other
• Other data export formats: Data export is not applicable
• Data import formats: Other
• Other data import formats: Data import is not applicable

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: SSH jump host or VPN

Availability and resilience

• Guaranteed availability: Platform Availability SLA - 99.99%
• Approach to resilience: Application servers in 2 availability zones + load balancing
• Outage reporting: Email Alerts

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Key developers can access servers using SSH via jump host or VPN. Only public key authentication is allowed. Limited permissions, only admins have root access.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: No audit information available
• Access to supplier activity audit information: No audit information available
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: DNV - Business Assurance
• ISO/IEC 27001 accreditation date: Initial Accreditation: 07/01/2019 Validity: 08/01/2022 - 07/01/2025 ISO/IEC 27001:2013
• What the ISO/IEC 27001 doesn’t cover: Support Utilities: Supporting utilities are provided by third party suppliers, including cloud service providers and building providers..; ; Cabling Security: Cables are managed by third party suppliers hosting infrastructure, cloud service providers. There is no corporate network for which Virtualstock is responsible for cabling.; ; Equipment Maintenance: Virtualstock are not responsible for the maintenance of equipment such as technical components of information processing facilities, uninterruptible power supply (UPS) and batteries, power generators, power alternators and converters, physical intrusion detection systems and alarms, smoke detectors, fire extinguishers, air conditioning and lifts.; ; Equipment Siting & Protection: Virtualstock do not host or manage on-premise equipment. Data centre siting and protection is managed by cloud platform providers.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Policies/Processes defined in line with ISO 27001:2022. All policies implemented with the exception of the following which are not applicable.; ; - Support Utilities: Supporting utilities are provided by third party suppliers, including cloud service providers and building providers..; ; - Cabling Security: Cables are managed by third party suppliers hosting infrastructure, cloud service providers. There is no corporate network for which Virtualstock is responsible for cabling.; ; - Equipment Maintenance: Virtualstock are not responsible for the maintenance of equipment such as technical components of information processing facilities, uninterruptible power supply (UPS) and batteries, power generators, power alternators and converters, physical intrusion detection systems and alarms, smoke detectors, fire extinguishers, air conditioning and lifts.; ; - Equipment Siting & Protection: Virtualstock do not host or manage on-premise equipment. Data centre siting and protection is managed by cloud platform providers.; ; The Senior Leadership Team will verify compliance to this policy and all other supporting policies through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner. ; ; All Virtualstock polices are reviewed under the terms of our Quality Management Systems (ISO 9001)

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Virtualstock has a defined Change Management Procedure document in line with ISO 27001:2022. ; ; Tracking: Change/Configuration changes are requested via a Change Request and reviewed/approved/rejected via a CAB.; ; - Change Request Creation; including business impact assessment; - Development Phase; technology/security impact assessments and test/validation strategy.; - CAB Approval; including agreement on release timelines; - Monthly Change Reports; - Quarterly Change Compliance Review; ; A Security Review is undertaken as part of the Technical Impact Assessment Phase with review/approval/rejection from the Virtualstock ISM.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Covered in the "Virtualstock Vulnerability and Threat Management Policy". ; ; Information about emerging threats are obtained from appropriate sources and users alerted proactively of potential attacks, giving as much detail as possible to maximise the chance of recognition. ; ; Vulnerability Management at Virtualstock covers the full lifecycle of vulnerability identification, classification, prioritisation and mitigation.; ; Any vulnerabilities that have been identified are prioritised based on the risk to Virtualstock services and criticality (BIA rating). ; ; HIGH (CVE 7.0-10) < 14 Days, MEDIUM (4.0–6.9) <30 Days, LOW (0.1–3.9) <90 Days.; ; Sources: NCSC, NIST & GitHub/Dependabot
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: The process is defined in the Virtualstock "Incident Management Policy" in line with ISO 27001:2022. ; ; We have SIEM implemented that is used to identify potential compromises; as well as internal/external stakeholders reporting to the Virtualstock InfoSec team (security@virtualstock.com).; ; An incident response plan has been established following the incident response lifecycle:; ; - Triage; - Escalate; - Response; - Analyse; - Contain / Mitigate; - Remediate / Eradicate; - Recover; - Review/Close down; ; P1 15 Minutes Response / 4 Hours Recovery, P2 30 Mins / 2 Days, P3 1 hr / 1 week, P4 1 Day / 6 Months
• Incident management type: Supplier-defined controls
• Incident management approach: Virtualstock has a defined Incident Management process in accordance with ISO 27001:2022.; ; The reporting of incidents is achieved by sending an email to security@vitualstock.com. A Security ticket is automatically raised and the Information Security Manager is notified.; ; Incident communications are conducted in accordance with the Virtualstock Communication Plan. All communications are clearly and accurately recorded. Depending on the incident there are a variety of external parties that will be communicated with during the response. ; ; Information released to external parties is done in a timely manner, ensuring that the information is accurate.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Tackling economic inequality

  Tackling economic inequality

  Create new businesses, new jobs and new skills; The Framespan platform is a single database enabling all frameworks across the public sector to be published to buying organisations. The task of searching for frameworks is made easier to the buyer enabling them to compare a much larger range of frameworks.; By making all frameworks easily accessible, this opens up the number of suppliers a buyer can access. The buyer can make considerations when selecting a frameworks such as ‘which framework has the largest number of suppliers’. This creates more opportunity for the small and medium enterprises to be included in mini competitions.; The platform also supports the suppliers managing promotional content through a brochure page. This brochure page is structured and standardised across suppliers, so the small organisations have the same scale of promotion in the platform as the 'big budget' large suppliers. This also gives the small suppliers a promotional space within the buying community that is others difficult to access; ; Increase supply chain resilience and capacity; The Framespan platform opens up larger number of complaint routes to market for buyers. Where a buying organisation uses a limited number of their ‘traditional’ framework providers, through Framespan they now have quick and easy access to over 50 providers and 1500 frameworks. This gives the buyer greater choice to find frameworks that meet the best clinical or business outcomes.; Having access to a larger and more diverse range of frameworks ensures a route to purchase is found, avoiding the need to run resource intensive procurements, this enabling the procurement teams to reinvest that time in more value add procurement and supply chain initiatives

Pricing

• Price: £2,500 a licence a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gareth.mcfarlane@virtualstock.com. Tell them what format you need. It will help if you say what assistive technology you use.