ACUITY RISK MANAGEMENT LIMITED

STREAM Integrated Risk & Assurance Manager

STREAM Integrated Risk Manager provides a holistic environment to capture integrated risk use cases within a Cloud infrastructure and provide clear reports. These use cases include Enterprise Risk, Cyber and IT, ISMS, Control and Compliance Assurance, Incidents, Audits and Findings, Policy, Business Continuity, Privacy, Vendor and Supply Chain, Vulnerability.

Features

  • Holistic, quantifiable, cyber risk intelligence
  • Integrated risk management for cyber security, HSSE, vendors and enterprise
  • Automated controls assurance and compliance with multiple integrated frameworks
  • Privacy, incident, policy, audit, threat, vulnerability and business continuity management
  • Customisable reporting: including Heatmaps, Loss exceedance, Top 10 risks
  • Integration with workflow, web forms, dashboards, BI and actions management
  • APIs for integration with third party applications
  • Quantitative, qualitative and mixed-mode risk assessments
  • Risk-based approach, aligned with management’s tolerance for risk
  • Rapid deployments with bespoke and out of the box offerings

Benefits

  • Organisational resilience to data breaches and other loss events
  • Effective and efficient use of cyber security risk management resources
  • Optimised spending providing value for money from risk teams
  • Return on investment visibility for security programmes and solutions
  • Risk-informed strategic decision making for digital transformation
  • Engagement and confidence from the Board on risk
  • Assurance of compliance with GDPR and other regulations
  • Reduced risk of fines and mitigation of damages from breaches
  • Reduced costs of compliance and audit
  • Reputational benefits from a professional approach to risk and compliance

Pricing

£10,000 a licence

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at james.anderson@acuityrm.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

677566873684658

Contact

ACUITY RISK MANAGEMENT LIMITED James Anderson
Telephone: 07780168962
Email: james.anderson@acuityrm.com

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
N/A
System requirements
  • Windows 11
  • Browsers - Latest version Chrome, Latest version Edge.

User support

Email or online ticketing support
Email or online ticketing
Support response times
Within 2 working days
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
For any customer we provide a support desk for any technical queries and, depending on the requirement, we assign an account executive/director to manage through the course of the contract. As part of the implementation/configuration the customer has access to our consultancy team and any training/support is included within the Statement of Work.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Our users are involved and included throughout the setup and implementation of STREAM with frequent project calls, so are exposed to how the platform is configured for them.
Once implementation is complete, we provide comprehensive training to clients specific to the use case(s) that they are using STREAM for. Our delivery team are happy to conduct training both onsite and online but will always come onsite to help customers if possible as we feel the training can be delivered best when in the same room as our clients. That being said, due to client preferences and locations, a large amount of our training now takes place via online calls and we find this is still extremely effective.
Acuity have written and provide user guides to clients as part of the training and implementation, and where required will also provide bespoke guides if custom work has been carried out. Our support team is also available should there be any queries when getting started with the system, and beyond.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
At the end of the contract Acuity will provide a SQL DB export within 5 working days. Should alternative requirements be needed, these will be discussed and agreed at the contracting phase.
End-of-contract process
At the end of the contract we will have a meeting with the customer to understand how the service/tool were and any future needs or reasons for leaving. As part of the contract, if the decision is to not renew, then we will work with the relevant parties to provide the data from STREAM and organise any deletion of information; no additional costs are required.

Using the service

Web browser interface
Yes
Supported browsers
  • Microsoft Edge
  • Chrome
Application to install
Yes
Compatible operating systems
Other
Designed for use on mobile devices
No
Service interface
No
User support accessibility
WCAG 2.1 AA or EN 301 549
API
Yes
What users can and can't do using the API
API integration is performed between Acuity and the prospective customer. We offer multiple variations of integration through options like Zapier or direct integration through our comprehensive API. Acuity can provide consultancy services to work with customers to ensure the most appropriate method. Acuity provide comprehensive documentation for the API suite. STREAM customisation requires no coding and can be done within the front-end UI using the settings area.
User permissions allow different user types to have different customisation abilities, but all changes to the front end can be made by users if the client requires. This permission can also be securely locked down. Acuity's team are also on hand to assist with any customisation required both during implementation and beyond.
API documentation
Yes
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
STREAM can be customised throughout, from the colours and branding present in the UI through to the record types and fields present in the platform. During scoping, our team will work with clients to determine how much bespoke configuration of the platform will be required outside of the normal functionality of the product.
STREAM customisation requires no coding and can be done within the front-end UI using the settings area.
User permissions allow different user types to have different customisation abilities, but all changes to the front end can be made by users if the client requires. This permission can also be securely locked down. Acuity's team are also on hand to assist with any customisation required both during implementation and beyond.

Scaling

Independence of resources
Acuity's infrastructure is monitored 24/7 using monitoring tools from Microsoft Azure. Alerting is set up to advise the Acuity technical team should there be an issue. The team will then actively investigate and resolve.

Analytics

Service usage metrics
Yes
Metrics types
Metrics are provided via the account management team as part of agreed review meetings.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
No
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Users of STREAM can export data via reporting.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
Private network or public sector network
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Issue resolution:
Critical - 4 hours
High - 8 hours
Medium - 72 hours
Low - 240 hours

Email response - 2 working days
Approach to resilience
Available on request
Outage reporting
Email alerts

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Acuity operates a strict access control policy as part of its ISO 27001 accreditation.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
British Assessment Bureau
ISO/IEC 27001 accreditation date
14/07/2023
What the ISO/IEC 27001 doesn’t cover
The scope of our ISMS is as follows, and includes ALL activities and services of the company:
"Design, development, hosting and sales of Integrated Risk Management solutions (STREAM), and provision of supporting consultancy, training and application support services to client worldwide."
There are no exclusions.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials
Information security policies and processes
We are committed to adhering to ISO 27001 standards and have implemented a robust framework of information security policies and processes. These policies cover a wide range of areas critical to safeguarding our assets, including data protection, access control, incident response, and regulatory compliance.
Our policies undergo a thorough approval process, involving the ISM and CTO. These policies are then made available through shared drives and are communicated to all through comprehensive training sessions and onboarding programs. This ensures that every member of our organisation understands their role in maintaining security and compliance.
Central to our IS structure is a clearly defined reporting hierarchy supplemented by our information security management responsibilities policy. Our ISM oversees our security efforts and ensures alignment with policies and regulations. Supporting the ISM are the ISO and CTO who share responsibility for implementing security measures, monitoring for threats, and responding to incidents as they arise.
Enforcing policy adherence is a multifaceted process. We utilise a combination of regular audits, assessments, security training and awareness and technology solutions to monitor compliance and detect any violations. Our access management systems and security controls play a crucial role in enforcing policy requirements and preventing unauthorised access to sensitive information.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
We employ a formalised change management process to assess, authorise, and implement changes to our IT environment. This process includes documenting change requests, assessing potential impacts, obtaining approvals, and implementing changes in a controlled manner.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Should issues or new vulnerabilities be found, Acuity assess the issue and assign a risk profile. From this Acuity can determine the severity and act accordingly. Should a critical issue be found, Acuity will perform an emergency mandatory hotfix. Should the risk or severity be lower, the fix will be applied with the next scheduled update.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Acuity operate monitoring across its infrastructure. Should issues be found alerts will be sent to the infrastructure team to respond and resolve. This process has been defined by Acuity as part of its IT operations approach.
Incident management type
Supplier-defined controls
Incident management approach
Acuity utilise monitoring within Azure and have set up rules and alerting to support the agreed SLAs.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality

Fighting climate change

Acuity’s STREAM platform delivers integrated risk management and compliance configurable to our customers’ needs and priorities. This includes, environmental, social and governance (ESG) assessment, monitoring and reporting.

Customers can use Acuity’s G-Cloud service provision to manage climate risk, and to drive continual improvement by measuring and reporting on performance against ESG targets.

Covid-19 recovery

Digital transformation which was already gaining momentum has accelerated as a result of the pandemic with new ways of living and working enabled by new digital products and services.

Acuity’s G-Cloud service provision enables our customers to embrace digital opportunities and address the challenges associated with digital transformation by providing the visibility required to manage risk in an increasingly interconnected world.

Tackling economic inequality

Acuity’s G-Cloud service provision delivers a proven and trusted approach for increasing supply chain resilience and capacity.

We help our customers to create smarter, more resilient businesses through holistic and quantifiable risk intelligence. Unlike some approaches which impose box-ticking overheads on suppliers, our STREAM platform supports a collaborative approach between the customer and its supply chain.

By focussing on risks in the supply chain which are material to the achievement of business objectives and then collaborating with suppliers to manage these down to an acceptable level our customers can ‘do more for less’ - improving security, resilience and capacity at lower cost to themselves and to their suppliers.

Pricing

Price
£10,000 a licence
Discount for educational organisations
No
Free trial available
No
