Marston Holdings Ltd

Marston Notice Processing System

MNPS is web and Android based, used for on/off-street parking, camera enforcement of both static parking and moving traffic offences. It is a SaaS (Software as a Service) product and Marston will continuously develop the platform and releasing small features, but very frequently to keep it fresh and innovative.

Features

• Handheld App-Easy PCN issuance via improved process flow/ user experience
• Web based customer portal is compliant to WCAG 2.1 AA
• Single screen, user centric UI for the full PCN lifecycle
• Modern Intuitive User Interface leading giving an excellent UX
• KPI & SLA centric reporting- using Embedded Power BI
• Ability to generate monthly operation reports in one click
• Ability to export data as CSV or PDF
• Flexible advanced search criteria to extract data for FOI requests
• Highly resilient, secure and scalable built on Microsoft PaaS
• Proactive PCN process monitoring using App insights and Azure monitor

Benefits

• Improve the efficiency and effectiveness of notice issuance and processing
• Reduce the administrative costs and errors associated with manual processes
• Enhance the transparency and accountability of notice enforcement
• Improve reporting functionality to provide more granular data
• Provide a better customer experience and satisfaction for the public
• Easily scales to accommodate increasing data volumes and evolving needs
• Ensures the highest standards of data security and privacy compliance
• Clients can customise PCN processes to local regulations and policies
• SaaS based product minimises the need for upfront capital expenditure

£0.60 to £1.50 a unit

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at warren.mcadam@marstonholdings.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

590127255888598

Contact

Warren McAdam
03333203355
warren.mcadam@marstonholdings.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: MNPS is built on Microsoft Azure PaaS so all skills involved in development and data design require MS qualified resources that we provide.
• System requirements: MNPS is accessed via a browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: P1: 15 minute resolution response time, Incident frequency update every 30 minutes, 4 hour incident resolution time.; P2: 30 minute resolution response time, Incident frequency update every 60 minutes, 8 hour incident resolution time.; P3: 180 minute resolution response time, Incident frequency update daily, 48 hour incident resolution time.; P4:360 minute resolution response time, Incident frequency update daily, 120 hour incident resolution time.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 A
• Phone support: No
• Web chat support: No
• Onsite support: No
• Support levels: Standard support includes technical cloud expertise and is available 24/7
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: As part of the implementation we would provide a mix of virtual and onsite training to user groups. We would also provide training manuals and videos where appropriate.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: As part of the contract exit commitments we will agree to give them their extracted data in a format and a frequency that is agreeable to all parties
• End-of-contract process: We will support the data migration and shut down services and decommission environments and finally delete any clients specific data as agreed with the buyer.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: Yes
• Compatible operating systems: Android
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The mobile app is for use by the Civil Enforcement Agent to issue tickets and is only available on the handheld. The Customer Portal and the Backoffice Portal are mobile responsive browser based solutions.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: There are 3 interfaces that makes up MNPS- the handheld App that is used by Enforcement Officers on approved Android devices; The Customer Portal that is a web based site that Customers of the Client will interact with to pay or challenge Penalty Charge Notices (PCN) and the Back Office which is also a web based portal that approved users that the Client allows access can manage the lifecycle of the PCN
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: MNPS has been designed to Accessibility standards and has been tested so that all functions can be performed by those who use assistive technologies such as screen readers, speech recognition software, or specialised input devices. During testing our developers and UX designers would typically observe how these users interact with the system, identify any challenges or barriers they face, and gather their feedback on the usability of the system. This information is then used to refine and improve the system’s design and functionality. We also following best practices for accessible design, such as providing alternative text for images, ensuring sufficient colour contrast, and designing for keyboard-only navigation.
• API: Yes
• What users can and can't do using the API: There are several API's in this service as it links to multiple 3rd parties. We will only expose API's & documentation once we have approval from the buyer to do so as it holds their data and can also contain PIID.
• API documentation: Yes
• API documentation formats: Other
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: This is a SaaS based product so buyers can influence the roadmap and pipeline of features but can configure their system in terms of data and workflow. Users can configure their system in terms of data and workflow.

Scaling

• Independence of resources: We proactively monitor the system to ensure we can scale up or down to meet demand but also ensure that we performance test all functionality to meet our non-functional requirements.

Analytics

• Service usage metrics: Yes
• Metrics types: We have a standard set of metrics in our system, but if we have the data we can create embedded PowerBI reports to the client's requirements as part of the implementation
• Reporting types: Regular reports

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Physical access control, complying with CSA CCM v3.0
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: We would extract the required data for the clients. Some users may be able to extract data from the reports, but we think there would be more fields required so would do this for them.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • PDF
  • JPEG
• Data import formats: Other
• Other data import formats:
  • JPG
  • PNG
  • PDF
  • BMP
  • TIF
  • TIFF
  • HEIC

Data-in-transit protection

• Data protection between buyer and supplier networks: Other
• Other protection between networks: The application is only accessed via the internet
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We agree the service credit regime with the buyer before contract sign.
• Approach to resilience: 99.99%
• Outage reporting: We proactively monitor the system and have automated email alerts that can raise incidents in our ITSM. We can add the clients into a group to receive these if required

Identity and authentication

• User authentication needed: Yes
• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: Access levels are defined for each user or user group; ; Access is provided using a least privilege approach with users only being provided with the necessary access level to undertaken their role
• Access restriction testing frequency: At least every 6 months
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 04/02/2015
• What the ISO/IEC 27001 doesn’t cover: Some smaller contracts where there was no contractual requirement to certify but they do operate under the policies and procedures of ISO27001
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 06/04/2016
• CSA STAR certification level: Level 2: CSA STAR Attestation
• What the CSA STAR doesn’t cover: A singular on premise instance within our Videalert operation
• PCI certification: Yes
• Who accredited the PCI DSS certification: URM
• PCI DSS accreditation date: 01/03/2015
• What the PCI DSS doesn’t cover: Marston have a Level 1 Service provider accreditation along with all other applicable payment channels PCI DSS compliant under the self assessment process via acquiring bank's compliance portal.
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Cyber Essentials & Cyber Essentials Plus; ISO22301
• Information security policies and processes: In our security governance structure, the Head of Cyber & Information Security reports directly to the Group Chief Technology Officer (CTO), who is part of the executive leadership team. This ensures that information security concerns are represented at the board level, facilitating strategic alignment and swift decision-making.; ; We adhere to a comprehensive set of policies and processes documented in our ISO 27001 certified Information Security Management System (ISMS). These policies cover areas such as access control, risk management, incident response, and compliance with legal requirements. Key policies include Data Protection, Forensic Management, Secure Development and Network Security Management, among others.; ; To ensure that these policies are followed, we conduct regular audits and require executive approval for critical updates or changes. The Head of Cyber & Information Security is responsible for the ISMS's continuous improvement, responding promptly to business changes, security incidents, or directives from senior management. This structured approach guarantees that our security practices remain robust and compliant with both internal standards and external regulatory requirements.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Our vulnerability management process encompasses regular assessments using advanced scanning tools and threat intelligence from sources like the National Cyber Security Centre (NCSC) and vendor advisories. We prioritise vulnerabilities by severity, deploying critical patches within 48 hours and others inline with Cyber Essentials Plus using automated patch management tools. This streamlined approach ensures rapid mitigation of risks and maintains the integrity of our services, aligning with industry best practices and compliance standards. Through continuous monitoring and proactive threat identification, we effectively safeguard our systems against emerging cybersecurity threats.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: TBC
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Our protective monitoring processes utilise intrusion detection systems (IDS), security information and event management (SIEM) systems, and threat detection technologies to identify potential compromises by monitoring for unusual activities. Upon detection, our incident response team swiftly evaluates and responds to the threat, implementing predefined procedures such as system isolation and forensic analysis. We prioritise rapid response, aiming to address critical incidents within hours and less severe issues within days. This proactive approach ensures minimal impact on operations and maintains robust security, continually refining our response capabilities based on lessons learned from past incidents.
• Incident management type: Supplier-defined controls
• Incident management approach: Our incident management processes are streamlined and efficient, utilising pre-defined procedures for common security events and a dedicated incident reporting application for rapid, secure communication. Users report incidents directly through this application, which send alerts in real time to applicable incident responders. Post-incident, we provide detailed reports via the same application, outlining the incident’s nature, impact, response actions, and lessons learned. These reports help refine our security strategies and improve preventive measures. Regular user training ensures effective incident recognition and reporting, maintaining a robust defence against security threats and promoting continuous improvement of our incident management capabilities.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  In the early stage of deploying the contract, a comprehensive life cycle analysis of the product can be undertaken. This analysis, employing a holistic life cycle approach, aims to delve into the emissions associated with the manufacturing process, transportation and distribution, and waste generation after the product has reached its end of life.; ; As part of our commitment to sustainability, we will assess the emissions generated by our office-based workforce. This will include emissions from advisory and support personnel involved in the contract deployment, ; ; Once a baseline is established through this thorough assessment, we are dedicated to writing a carbon reduction plan by Year one and offsetting any identified emissions in year 2. To achieve this, we have partnered with Ecologi, our offsetting partner. Through their robust and credible offset programs, we aim to halve contractual emissions starting from the second anniversary of the contract.

Pricing

• Price: £0.60 to £1.50 a unit
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at warren.mcadam@marstonholdings.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.