Scribe Compliance Audit Management
A fully featured, customisable cloud audit management system, empowering users to complete, respond, report and action on all standards within an organisation to become and remain compliant. Tablet/smartphone technology links directly to a powerful analytics portal comprehensively managing, automating, and mandating action plans. Helpful wizards provide easy self-management.
Features
- Paperless management of regular repeatable actions for compliance.
- Portal automates the completion, highlighting any non-compliance of standards.
- Tablet and smartphone friendly, even in offline mode.
- Return on investment over existing paper-based / spreadsheet methods.
- Satisfies compliance and governance statutes e.g. CQC.
- Remove duplicated processes by simplifying bespoke audit forms.
- Define/report on challenge areas, focusing organisations on what's important.
- Save tailored reports according to management level, reporting line.
- Create group accountability sharing standards among categorised teams.
- Specific additional features available aimed at the UK Ambulance Services.
Benefits
- Integrate Scribe Compliance Audit with existing software for powerful synchronisation.
- Gamification of labour-intensive, repeat tasks produces higher, more engaged responses.
- Validation prevents invalid responses, reducing follow-up time.
- Real-time data enables management of non-compliances.
- Real-time data enables proactive prediction of non-compliances.
- Automated corrective actions automatically assigned to the correct parties.
Pricing
£6,000.00 to £35,000.00 a licence a year
- Free trial available
Framework
G-Cloud 14
Service ID
603976493420537
Contact
Doc-works Ltd
Ceri Jones
Telephone: 01296 668210
Email: ceri.jones@doc-works.co.uk
Service scope
- Software add-on or extension
- No
- Cloud deployment model
- Private cloud
- Service constraints
- None.
- System requirements
-
- Android tablets, iOS iPad and iPhone.
- Thin-client for Portal web-browser access.
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
-
Service Level Agreements are agreed per type of instance. Emergency response is within 2 hours for NHS customers during normal working hours.
Usual response time for non-urgent cases is 4-8 hours.
- User can manage status and priority of support tickets
- No
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Onsite support
- Support levels
-
All Accounts benefit from a dedicated Account Manager, named front-line Support Desk technicians, as well as a Project Lead and a System Architect.
Required support for each customer is defined early on in the scoping exercise, depending upon skill levels, amount of internal resource etc. of each customer.
Doc-works provide all upfront hand-holding to enable X product to go live within the customers' own network, or hosted within Doc-works' own secure Cloud environment.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- A train-the-trainer approach is usually adopted with an agreed number of hours/days included free of charge, depending upon the geographic spread of the customer's staff. Additional days are charged according to distance travelled and time spent. Online training is provided for minor upgrade releases, refresher / new trainers starting. User documentation is provided tailored to each customer / level of user.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- Other
- Other documentation formats
- Word
- End-of-contract data extraction
- Doc-works would provide all data free of charge at the end of a contract in previously agreed, standard formats.
- End-of-contract process
- Doc-works would be available for paid-for assistance migrating data to a new supplier, should this be required.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Microsoft Edge
- Firefox
- Chrome
- Safari
- Application to install
- Yes
- Compatible operating systems
-
- Android
- iOS
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
-
Recording of incidents is performed on Android and iOS devices.
Access to the Portal is via browser on Mac/PC desktop.
- Service interface
- No
- User support accessibility
- WCAG 2.1 AA or EN 301 549
- API
- No
- Customisation available
- Yes
- Description of customisation
- Forms can be customised by Doc-works for localised user requirements. Reporting can be specific to each user, as defined in the scoping exercise.
Scaling
- Independence of resources
-
Server performance will be monitored and hardware upgraded as required. Servers will be specified to meet and exceed all expected initial requirements, and agreed periodic account reviews will include server performance results.
Analytics
- Service usage metrics
- Yes
- Metrics types
- As per user requirements.
- Reporting types
-
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Developed Vetting (DV)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- No
- Datacentre security standards
- Managed by a third party
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
-
- Physical access control, complying with another standard
- Other
- Other data at rest protection approach
- All data stored by Doc-works is encrypted at rest using BitLocker full disk encryption. SQL databases are encrypted using AES 256.
- Data sanitisation process
- Yes
- Data sanitisation type
-
- Explicit overwriting of storage before reallocation
- Deleted data can’t be directly accessed
- Equipment disposal approach
- A third-party destruction service
Data importing and exporting
- Data export approach
- Authorised Users have full access to the database. There is no need to export.
- Data export formats
-
- CSV
- Other
- Other data export formats
-
- XML
- JSON
- TXT
- Data import formats
-
- CSV
- Other
- Other data import formats
- XML
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- Private network or public sector network
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
- Other
- Other protection between networks
-
Service is designed to transmit data over HTTPS using TLS version 1.2 or above with a SHA256 2048-bit RSA Certificate.
Data transfer can also be made available through SFTP with SHA-256 minimum encryption algorithm. SFTP authentication is via public/private key pair.
Where possible, portal and SFTP access will be restricted to allow connectivity from customer-specified IP addresses only.
- Data protection within supplier network
-
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
Availability and resilience
- Guaranteed availability
-
The supplier's required availability for all services is 99.5% uptime, not counting planned maintenance times. The 99.5% availability metric will be measured by a rolling six month period during the Term of the Agreement. The Services Target is not to break more than three times per twelve months during the Term of the Agreement. A break is defined as the loss of access to a vital business function. The expectation is for the services not to break at all during the Term of the Agreement; however, there will periodically need to be scheduled maintenance times that will be restricted to out of hours. For the avoidance of doubt, all scheduled maintenance times must be agreed in advance with the customer.
- Approach to resilience
- Available upon request.
- Outage reporting
-
Email alerts.
Incident Management Process
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Identity federation with existing provider (for example Google Apps)
- Limited access network (for example PSN)
- Dedicated link (for example VPN)
- Username or password
- Access restrictions in management interfaces and support channels
- User access is defined at setup. Hierarchical access is granted depending upon user rights etc.
- Access restriction testing frequency
- Less than once a year
- Management access authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Identity federation with existing provider (for example Google Apps)
- Limited access network (for example PSN)
- Dedicated link (for example VPN)
- Username or password
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users have access to real-time audit information
- How long supplier audit data is stored for
- User-defined
- How long system logs are stored for
- User-defined
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- Audited by British Assessment Bureau who are UKAS certified.
- ISO/IEC 27001 accreditation date
- 22/05/2023
- What the ISO/IEC 27001 doesn’t cover
- All aspects of the product delivery are covered.
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- Yes
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
-
- ISO/IEC 27001
- Other
- Other security governance standards
-
GDPR
CE+
- Information security policies and processes
-
Doc-works’ approach to governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.
Periodic reviews are undertaken in line with existing and future customer demand. Training of all staff in the implementation and protection of information assets is reviewed and undertaken annually.
The benefits of information security governance to Doc-works, and as advisors in turn to its customers, are continually under review, with particular attention paid to GDPR.
Doc-works’ Information Security policy is driven from the top down, with communication documented in the defining of roles, responsibilities, authority and accountability.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- All changes must follow Doc-works' change management policy, designed and based on the ITIL framework, and be recorded in our Change Management Log. CAB meetings are held weekly to review requested changes. Application changes must go through UAT and are assessed for security impact prior to deployment to live.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
- All Doc-works servers and workstations are continually assessed for vulnerabilities using Microsoft Defender in line with our vulnerability management process. Vulnerabilities are assessed against CVSSv3 and any vulnerabilities greater than 7 must be patched within 14 days, in line with Cyber Essentials Plus accreditation.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
- Logs are ingested into a SIEM tool; a combination of alerts and proactive checks is utilised to identify suspicious activity. IP addresses flagged by our firewall IPS are investigated and will be blocked and reported for abuse where applicable. If compromise is suspected, systems are isolated from the network whilst investigations take place.
- Incident management type
- Supplier-defined controls
- Incident management approach
-
"Incidents are recorded in our IT Service Management software.
A senior support engineer categorises the incident, if this has not automatically been met by rules.
The incident is assigned to a member of the support team.
The incident is diagnosed, which could result in escalation.
The ticket is resolved, with communication being sent to the affected users.
The incident is closed.
Analysis is made and reported. Close-out actions are undertaken, if required."
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Public sector networks
- Connection to public sector networks
- Yes
- Connected networks
-
- NHS Network (N3)
- Health and Social Care Network (HSCN)
Social Value
- Social Value
-
Social Value
- Fighting climate change
- Covid-19 recovery
- Tackling economic inequality
- Equal opportunity
- Wellbeing
Fighting climate change
Doc-works products and solutions enable our customers to work towards a paperless environment which helps to reduce CO2 (carbon dioxide) emissions, reduce their impact on forests, decrease the amount of landfill waste, cut energy use and help lessen the impact of climate change.
Doc-works also recognises and supports the policies, strategies and objectives for effective environmental management which are applicable to the operation of Doc-works’ staff, buildings, equipment and activities.
Our objective is to minimise the impact of our activities on the environment through:
• Continuously improving our environmental performance and integrating recognised environmental management best practice into our business.
• Measuring and taking action to reduce the carbon footprint of our business activities by working towards our Carbon Neutral Certification.
• Working towards the ISO 14001 Certification by improving our environmental performance through more efficient use of resources and reduction of waste.
Covid-19 recovery
Throughout the pandemic and beyond, Doc-works’ focus is on supporting our customers, partners, and employees. Our priorities are the welfare of our customers and our staff whilst we continue to deliver a high-quality service for our customers and reduce the potential spread of the virus throughout the business, enabling us to maintain our high service levels to support our NHS Trust, public and private sector customers.
Tackling economic inequality
Our aim is to increase supply chain resilience and capacity and create new jobs and skills. This includes creating a diverse supply chain and including new businesses and entrepreneurs, supporting innovation, modernising delivery, and increasing productivity.
Equal opportunity
Our employment policies for recruitment, selection, training, development, and promotion are designed to ensure that no job applicant or employee receives less favourable treatment on the grounds of race, colour, nationality, ethnic or national origin, religion or belief, sex, sexual orientation, marital status, disability or part-time or fixed term status.
Wellbeing
Doc-works is committed to creating a harmonious working environment, which is free from harassment and bullying and in which every employee is treated with respect and dignity.
It is committed to ensuring that individuals do not feel apprehensive because of their religious belief, political opinion, gender, marital status, sexual orientation, race, age, disability or any inappropriate behaviour.
The Company is committed to supporting its employees, including training and development programs, wellbeing-based employee benefits and regular employee events.
Pricing
- Price
- £6,000.00 to £35,000.00 a licence a year
- Discount for educational organisations
- No
- Free trial available
- Yes
- Description of free trial
-
A proof-of-concept free trial is often provided for large users, sometimes across multiple departments for 2-4 weeks, with clearly defined success criteria agreed up front. Once the success criteria are confirmed, immediate roll-out proceeds according to the original proposal.