CareCubed

Service scope

Software add-on or extension: No
Cloud deployment model: Private cloud
Service constraints: 1) currently covers data across England, Scotland and Wales
2) requires use of a browser which supports secure SSL protocols
System requirements: Browser that supports the most secure SSL protocols

User support

Email or online ticketing support: Email or online ticketing
Support response times: For questions (rather than reports of system issues) we aim to reply within a business day. Depending on the nature of the query this may be a holding reply.
User can manage status and priority of support tickets: No
Phone support: No
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: Level 0: CareCubed has a very significant level of self-service support with online/context sensitive help and uses the WalkMe online virtual assistant to provide assistance appropriate to the user's level of confidence with CareCubed.
Level 1: and above via support desk which is staffed during usual business hours (9-5, Mon-Fri excluding bank holidays), level 2 and above to technical/subject matter experts via escalation from support desk.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: All new customers benefit from "getting started" instructions, online help, checklists, and introductory training videos (self-service). For many this is absolutely sufficient for their needs. Varying levels of implementtaion support are also available, including wrap-around consultancy about engaging with care providers/commissioner, negotiation, embedding CareCubed in work processes.
Service documentation: Yes
Documentation formats: HTML

PDF

Other
Other documentation formats: Videos
End-of-contract data extraction: Primary users may download a full data export of their organisation's CareCubed data at any time. This is initiated by the user, with output as a CSV file.
End-of-contract process: In advance of the contract end, the main business contact and/or primary users are advised of the end date and prompted to download any dat they wish to retain, and to delete any cases from CareCubed if they wish to. On the contract expiry date, the iESE system administrators then switch off access to CareCubed for the exiting organisation.

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Firefox

Chrome

Safari
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: There is no difference; the applications are responsive web apps so will fold down gracefully for mobile
Service interface: Yes
User support accessibility: WCAG 2.1 AAA
Description of service interface: There is an administrative control area which allows iESE to edit functions, see data, adjust settings and text.
We use a combination of WAVE and SiteImprove to regularly test the application, ensuring all aspects of accessibility (colour contrast, labelling, section ordering making sense to screen reading technology etc) remain at AAA standard.
Accessibility standards: WCAG 2.1 AAA
Accessibility testing: One of iESE's Local Authority clients has tested the service with JAWS
API: No
Customisation available: No

Scaling

Independence of resources: IESE have their own pair of servers, and our private network is connected to ioMart's main backbone - so there is sufficient server resource and bandwitdh available to mitigate the impact of high service demand. We do not cap specific customers' network speed, but our Firewall does allow this if necessary.

Analytics

Service usage metrics: Yes
Metrics types: Realtime dashboards are available to customers on system usage in terms of no. of users, last log on dates for users, no. of cases created, cases shared with partners, cases with/without key data items (to drive improved use of system).
Reporting types: Real-time dashboards

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: None

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least once a year
Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest: Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process: Yes
Data sanitisation type: Deleted data can’t be directly accessed
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: Primary users may download a full data export of their organisation's CareCubed data at any time. This is initiated by the user, with output as a CSV file.
Data export formats: CSV
Data import formats: CSV

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)

IPsec or TLS VPN gateway
Data protection within supplier network: TLS (version 1.2 or above)

IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: 99.8% uptime
Approach to resilience: We use VMWare with both Veeam and Altaro to continually replicate virtual machines to another datacentre and to thco HQ (for data at rest) to provide a number of potential points of recovery. In the event of a disaster, the backup VMs can be brought online quickly.
Outage reporting: We use UptimeRobot to continually monitor the service from an https perspective, which tells us of any issues within 60 seconds of them occuring. Our Cisco Firewall will also give us alerts of any downtime or intrusion.

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication
Access restrictions in management interfaces and support channels: Access is provided using the principle of least privilege (PoLP), where it is limited to the smallest number of users possible with only the access they need to complete the tasks required, and is revoked once access is no longer needed. This applies at all levels for system support, management, and development.
Access restriction testing frequency: At least once a year
Management access authentication: 2-factor authentication

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: User-defined
How long system logs are stored for: User-defined

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: Yes
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: No
Security governance approach: Our information security policy (ISP) maintains a security governance framework for iESE products and services to ensure operational security & all consumer data is protected
The ISP includes guidance for the Team and subcontractors. outlines responsibilities and empowers staff, it ensures that partners and suppliers support IESE security objectives
Cyber security and the ISP are standard agenda items on Team meetings which enables training & constant re enforcement– making it real for the team to understand and practically deal with issues if they arise.
Responsibility for the production, maintenance, and communication of the ISP lies with the iESE Executive.
Information security policies and processes: The iESE information security Policy provides a framework for the management of information security throughout IESE, responsibility for the production, maintenance and communication of this Information Security Policy lies with the iESE Executive..
Training is undertaken as part of employee induction. Home & mobile working policy sets out Info security standards and these are audited yearly by external IT company. All staff prompted to refresh training and required to undertake an online test at least annually. The team are regularly briefed on the practical behaviours needed to enforce the policy and risks & issues are discussed at appropriate project & team meetings
The ISP, Home working and GDPR policy includes policies and processes relating to Information security including:
• Responsibilities and Ownership
• Information Classification and Categories
• User Management
• Software Management
• Reporting Losses
• Mobile Computing
• Data retention policy
Specific processes outlined include:
• Information Classification & Handling
• Do’s and Don’ts of Information Security
• Privacy Policy Notices
• Legitimate Interest Assessment Process
• Data Protection Impact Assessments
• information Security Incident Response Procedure
• Data Protection Impact Assessments (DPIA)
• Data Breach Management
• Data Sharing

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: We identify and document changes in the first instnace, normally grouping them into releases. These high level details are then fleshed out to a complete description of the change on a technical level. Changes are then developed in a completely separate environment to the customer's live servers, and contains no real data. The release is then rolled out onto a sandbox, again separate from the live environment, to allow customers to test and trial the changes. Once approved, they are then rolled out into the live environment, and monitored for 2 to 4 weeks to ensure there are no issues.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Using the tools -UptimeRobot for downtime or general application errors, Snort for internal monitoring, Cisco's alert service for intrusion on the firewall and Intruder.io (automated CREST level scan) , and monitoring the latest operating system and VM ware patches, we then assess any alerts or reports for false positives. If a vulnerability has been validated, we assess the risk. A decision is then made to fix or patch a vulnerability entirely, or, when there is no fix at present, mitigate the vulnerability by another means . The reports, alerts and logs are received regularly and form our continuous vulnerability assessment.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: We use a combination of UptimeRobot for downtime or general application errors, Snort for internal monitoring, Cisco's alert service for intrusion on the firewall and Intruder.io to automatically scan for security issues in the application itself
Incident management type: Supplier-defined controls
Incident management approach: IESE have an incident management process and flowchart described our GDPR policy documentation.
Users have the ability to report incidents to specific individuals via email, website, online via carecubed community and telephone.
• initial impact assessment to decide the appropriate response.
• Investigate and classify
• Containment:
• Report: Produce a report to clarify when, what happened, what the data contained, how many individuals were affected, and the cause of the breach
• Communicate outcome as per policy
This procedure is replicated within our sub-contract organisations.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks: No

Social Value

Tackling economic inequality

iESE have been, and continue to be, innovators in the domain of cost of care work. iESE developed the Care Funding Calculator (CFC) back in 2008 to support the management of a market in crisis. This was ground-breaking at the time – Co-designed with care providers, commissioners, and social workers to bring a robust cost of care model and benchmarking data together for the first time, to bring transparency to managing the cost of specialist care. We can therefore demonstrate collaboration throughout the supply chain, with a fair and responsible approach to working with our supply chain partners to deliver sustainable outcomes.

We have continued that engagement with multiple stakeholders to develop further modules working with the suppliers of care and Local Authorities and NHS. A user-centred approach is central to everything we do and iESE appreciate the value of stakeholder engagement and co-design of systems, an approach that has served us and our customers well, creating a sustainable eco system which is futureproof and creates resilience in the supply chain.

Our pragmatic commitment to tackling economic inequality is demonstrated by our recent development of the Fair Cost of Care model, which we offered at zero cost as we believe a transparent, fair cost of care tool would have a significant impact across the sector, supporting a sustainable market which benefits both buyers and suppliers, this tool remains free of charge as our continued commitment to the sector.

Pricing

Price: £13,000 to £27,000 a licence a year
Discount for educational organisations: No
Free trial available: No

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

CareCubed

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents