Regulator Online - Fitness to Practice
Regulator Online – Fitness to Practise module allows regulatory bodies to manage their full FtP lifecycle. This includes concern/complaint creation, triage, case creation, investigation, investigation plan, risk assessment, anytime task tools, automated emails and reminders, prepopulated documents, case closure, outcomes, and a host of features to handle hearings and adjudication.
Features
- Client customisable complaints form, workflows and email templates
- Prepopulated documents, emails, forms and dynamic risk assessment
- Full integration available for Microsoft Dynamics, Outlook
- Pre-built workflows for GP medical record collection/OHA referrals
- FortMail secure email with multi factor log in
- Multi pathway workflows for complex cases including Interim Orders
- PowerBI reporting including PSA submission templates
- Automatic reminders to external parties to reply to emails
- Everything needed to schedule and run hearings including committee selection
- Full audit and narrative trail on all complaints and cases
Benefits
- Work faster, smarter, and cleaner managing FtP processes
- Reduced costs and greater control as clients have full customisation
- Gold standard software built on the Microsoft stack of products
- Vast savings on labour intensive processes
- Portal access for all FtP contact types, groups and owners
- Continuous improvements and new features
- Over 1.2 million current users
- Fully responsive and Accessibility assessed
- Self-storing documents and emails
- Easy learning curve for new staff
Pricing
£1.25 to £2.60 a unit
Framework
G-Cloud 14
Service ID
670432605536519
Contact
FORTESIUM LIMITED
Julian Khan
Telephone: 0203 397 3712
Email: julian.khan@fortesium.co.uk
Service scope
- Software add-on or extension
- Yes, but can also be used as a standalone service
- What software services is the service an extension to
- Can be used as full end to end standalone system for regulators, but implementation can also be approached as a much enhanced and scalable portal to partner with backend systems such as D365.
- Cloud deployment model
- Private cloud
- Service constraints
- No
- System requirements
- Recommended to have a corporate VPN
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
  - Critical: 2 hour response, fix in 4 hours
  - Major Issue: 4 hour response, fix in 48 hours
  - Minor Issue: 8 hour response, fix in 72 hours
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- WCAG 2.1 AAA
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- Web chat
- Web chat support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support accessibility standard
- WCAG 2.1 AAA
- Web chat accessibility testing
- TBA
- Onsite support
- Yes, at extra cost
- Support levels
- Support levels are standard across clients and support costs are included as part of our ongoing SaaS provision. Support issues are categorised on triage and response times are as follows:
  - Critical (L1). Description: Prevents core part of the system from working, there is no workaround - 2-hour response, fix within 4 hours
  - Major (L2). Description: There is a difficult workaround - 4-hour response, fix within 48 hours
  - Minor (L3). Description: There is an easy workaround - 8-hour response, fix within 72 hours
- Support tickets are managed by a dedicated team of skilled and experienced Support Analysts. Each client has an Account Manager to escalate issues to if they are not satisfied with response times or outcomes.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- We have a tried and tested implementation methodology which includes the following stages: Project Start Up > Pre-discovery > Discovery > Configuration (including bespoke development and integrations) > Environments (establishing hosting arrangements) > System Testing > Data Migration > Training > User Acceptance Testing > Deployment > Hypercare > Transition to Support & Maintenance. Facilitated training can be provided on site or via Teams / Zoom etc. Bespoke training videos and user manuals are developed as standard.
- Service documentation
- Yes
- Documentation formats
- End-of-contract data extraction
- The client should provide written notice 6 months prior to the intended contract end date. On the agreed contract end date, a backup of the data will be taken by Fortesium, and the data will be encrypted and made available securely to the user. The client / user will have a period of 30 calendar days to review the data and ensure that it is downloadable in an acceptable format. After Fortesium receive written confirmation that the data has been reviewed and the client is content for data held in the cloud environment to be deleted, the data will be deleted.
- End-of-contract process
- The high-level steps are listed below:
  - Receive written confirmation of decision to exit / end contract from client.
  - Fortesium and client to agree timeframes for exit.
  - Fortesium, client and, if necessary, the new supplier, to discuss and agree the scope and format of data to be transferred.
  - Fortesium to draft an exit plan including key activities, roles and responsibilities, and milestone dates.
  - Fortesium and client to agree and formalise exit plan – include any other relevant stakeholders.
  - Enact exit plan as per agreed schedule following the below steps:
    - Disable alerting services
    - Turn off website
    - Back up data in MS Azure – export the database to MS Azure storage in the client’s own resource group. Fortesium will provide access to this file within MS Azure and request that the client review and download / transfer within the timeframe agreed above (usually 30 calendar days)
  - Delete MS Azure app gateway
  - Wait for agreed period to allow for client review and download / transfer
  - Delete data services – Service Bus and any VMs
  - Request final written confirmation that data can be deleted by Fortesium
  - Delete databases in MS Azure
Using the service
- Web browser interface
- Yes
- Supported browsers
  - Internet Explorer 11
  - Microsoft Edge
  - Firefox
  - Chrome
  - Safari
  - Opera
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- UI is fully responsive on mobile devices, using modern frameworks to meet usability and accessibility requirements. Testing for member portals is carried out on a variety of devices to ensure compatibility - full functionality is always available so mobile users aren't experiencing a cut down version of the system.
- Service interface
- No
- User support accessibility
- WCAG 2.1 AAA
- API
- Yes
- What users can and can't do using the API
- Our APIs are available to technical teams within the customer's organisation; they are not publicly accessible. Each action that can be carried out in our portal is available as an API. Customers request set-up for use of the API and we exchange secure keys with them to allow access to the APIs.
- API documentation
- Yes
- API documentation formats
- Open API (also known as Swagger)
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
  - Logos, colour scheme for branding
  - Emails
  - Email templates
  - Forms (for collection of organisation specific data from their users)
  - Fields
  - Validation
  - Pre-population of data
  - Workflows (for processing form and payment collection)
  - Workflow configuration
  - Mapping to users and groups
  - Trigger emails
  - Search the register configuration (for public site searching capability)
  - Indexing capability
  - Search configuration (selection of fields for both user selection and search results)
  - Detail page results configuration
Scaling
- Independence of resources
- Regulator Online Azure SQL databases are not shared between customers - they are independently provisioned in Azure and resourced at a level specifically for that customer. Front end services are also similarly independent and scaled to ensure demand is dealt with on a per customer basis.
Analytics
- Service usage metrics
- Yes
- Metrics types
- Any metrics can be provided based on client requirements via regular reports. Metrics required can be discussed and agreed at discovery stage to meet specific client needs. Typical metrics provided include:
  - Number of support tickets raised
  - Support ticket response and resolution time as measured against SLA
  - System uptime and availability
  - System performance metrics - volume testing, response times etc.
  - Security incident rate
- Reporting types
- Regular reports
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Baseline Personnel Security Standard (BPSS)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
  - United Kingdom
  - European Economic Area (EEA)
  - Other locations
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least every 6 months
- Penetration testing approach
- ‘IT Health Check’ performed by a CHECK service provider
- Protecting data at rest
- Physical access control, complying with CSA CCM v3.0
- Data sanitisation process
- No
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- Users can export their data in a range of different ways. PowerBI can be used to extract and analyse data for reporting, and data extracts to CSV are possible throughout the solution. Full data backups are taken regularly and can be provided to the client in the format required.
- Data export formats
- CSV
- Data import formats
- CSV
Data-in-transit protection
- Data protection between buyer and supplier networks
- Legacy SSL and TLS (under version 1.2)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
- As a cloud hosted environment, our SLAs match those provided by Microsoft within the Microsoft Azure platform. During the discovery phase Fortesium will identify the most appropriate availability service levels based on your requirements. Uptimes of up to 99.99% are available, with service credits ranging from 10% to 100% of Azure hosting costs depending upon the service level provided.
- Approach to resilience
- Deployments are made using Microsoft Azure App Containers technology, a subset of Kubernetes. Every aspect of the system is designed to run at dynamic scale and provide fault tolerance by use of containers. Backend data storage is in Azure SQL Server, which again can be provisioned at a level of resilience to match our customers' required availability SLAs.
- Outage reporting
- Email alerts are used to track outages of our systems. We use internal dashboards and Azure platform dashboards to track and monitor each individual component of the platform.
Identity and authentication
- User authentication needed
- Yes
- User authentication
  - Dedicated link (for example VPN)
  - Username or password
- Access restrictions in management interfaces and support channels
- Management interfaces are limited to customer VPN access only so users not on their VPN are unable to access the admin/management features of Regulator Online.
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
  - Dedicated link (for example VPN)
  - Username or password
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- User-defined
- How long system logs are stored for
- User-defined
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- NQA
- ISO/IEC 27001 accreditation date
- 1/7/2023
- What the ISO/IEC 27001 doesn’t cover
- TBA
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- Yes
- Cyber essentials plus
- Yes
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
- We are accredited to ISO27001:2022 standards and as such follow all associated policies and procedures including but not limited to:
  - Mobile Device and Remote Working Policy
  - Asset Management and Media Handling Policy
  - Network Security and Access Control Policy
  - User Access Management
  - Cryptographic Controls
  - Privacy Notice
  - Back Up and Deletion Policy
  - Logging and Monitoring Policy
  - Acceptable Use Policy
  - Software Development Policy
  - Confidentiality Policy
- A member of our Senior Management Team is the Information Security Management System Representative and reports to the rest of the Senior Management Team any issues or new risks or threats relating to information security. The SMT has a formal ISO27001 review meeting annually and touches on risks and issues at weekly SMT meetings. All policies and processes are internally audited for compliance at a frequency set out in the standards. For recertification purposes a full external audit is conducted by a certified auditor annually.
- We are also certified to Cyber Essentials Plus and as such ensure all devices are compliant with the latest security updates, undertake regular penetration testing and have all company devices registered in Intune to support consistent configuration management and device wiping.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- We use TeamCity, GitHub and Intune to support configuration management for software and devices. These tools allow us to track all changes to our solution through their lifetime, and all changes undergo peer review and AI code review in GitHub prior to deployment. Additionally, GitHub alerts our team to threats and suggests changes. As per our ISO27001 Software Development Policy, any planned change is subject to a High Level Design process that includes a thorough and formal threat assessment to consider potential security risks at design stage and put in place plans to mitigate them if required.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
- We use an ISO27001 compliant SIEM tool to identify threats and recommend actions. The tool adds a rating to each threat to support assessment of the risk as it applies to Fortesium. We also conduct regular internal and external pen testing to identify threats and vulnerabilities. Our team take action to resolve or mitigate vulnerabilities in line with the risk rating attached. We are subscribed to the NCSC to receive regular threat reports which alert us to new and emerging threats. Server patching timelines: Critical / High Risk - 14 days, Medium - 21 days and Low - 28 days.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
- We use an ISO27001 compliant SIEM (Security Information and Event Management) tool in Azure environments, which flags alerts, offers a range of information on emerging threats and recommends remediations. We also carry out regular penetration testing, both by an external expert and internally using pen testing tools. This allows us to identify vulnerabilities before they become compromises.
- Incident management type
- Supplier-defined controls
- Incident management approach
- As an ISO27001 accredited supplier we have a pre-defined and compliant Incident Management approach dictated by a comprehensive Incident Impact Analysis that risk rates a range of possible incidents, with a subsequent detailed Business Continuity Plan for those potential incidents rated as medium or high risk. Users can report incidents in a variety of ways: through direct contact by phone, email or instant message with the Account Manager or any member of the team, or via the service desk. Following an investigation, the client and any other affected users will receive an incident and remediation report from the Account Manager.
Secure development
- Approach to secure software development best practice
- Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)
Public sector networks
- Connection to public sector networks
- No
Social Value
- Social Value
  - Fighting climate change
  - Equal opportunity
- Fighting climate change: We are in the initial stages of partnering with The Conservation Volunteers (TCV). By partnering with TCV we intend to undertake group conservation volunteering days to include woodland management, tree planting, grassland management and community gardening. The activities we aim to undertake will be chosen based on alignment with the values and aims of our clients and the potential impact said activity will have on our local community and our carbon footprint. Alongside our community conservation activities we are fighting climate change by assessing our carbon footprint as a company, taking steps to reduce our footprint where possible and ensuring our climate impact is a consideration when making any business decisions. As an example, after our carbon footprint assessment we took steps to change the configuration of our test environments to ensure they go into 'sleep mode' out of normal business hours when they are typically not in use. The impact to our clients has been minimal to none and the reduction in carbon emissions has been significant.
- Equal opportunity: Fortesium are registered on the Disability Confident Employer Scheme, meaning we are committed to:
  1. Ensuring our recruitment process is inclusive and accessible by ensuring against discrimination throughout our processes, making job adverts accessible, providing information in accessible formats and accepting applications in alternative formats.
  2. Communicating and promoting vacancies in an accessible way by advertising through a range of channels and using the Disability Confident badge in job adverts to show applicants that we are an inclusive employer. Additionally we will take advice from Work and Health Programme providers, recruiters and disabled people's user-led organisations on job advert content and promotional channels. We also commit to regularly reviewing all our recruitment processes and making changes where issues with accessibility or potential barriers to equal opportunity are noted.
  3. Offering interviews to disabled people. Utilising Positive Action techniques we will aim to increase the diversity of applications we receive and commit to offering interviews to people with a disability or those marginalised in any way who also meet the minimum criteria of the role.
- Having just established a new office location in Belfast we have taken steps to partner with local Further Education Colleges to offer Higher Level Apprenticeships. In line with our commitments as a Disability Confident Employer we will be applying our commitments to our Higher Level Apprenticeship offering and hope to encourage people with disabilities and other marginalised groups who may not have considered a career in tech to apply and gain new skills in this exciting field that abounds with opportunities.
Pricing
- Price
- £1.25 to £2.60 a unit
- Discount for educational organisations
- No
- Free trial available
- No