datb limited

datb - Risk Register

A cloud-hosted, fully configurable risk register for use by local authorities and other organisations, allowing tracking of risks, risk scores and mitigations at all points in an organisation's hierarchy. Risk versioning is used to ensure that reviews are undertaken appropriately and can be tracked.

Features

• Administrator-defined risk categories ensure alignment with corporate strategy
• Assignment of risks at any level in organisational hierarchy
• Configurable risk dimensions (financial, safety, HR etc.)
• User-defined reporting functionality
• Suited to publication of risk summaries to public audience
• Versioning of risks / scores / mitigations
• Full audit history ensures traceability
• Configurable user home page
• Risk management workflow controls risk review & publication lifecycle
• Role-based access rights control visibility & editability of risks

Benefits

• Clear risk ownership and responsibility through organisational hierarchy
• View time-based movement in risk scores & mitigations
• Workflows ensure that risks are reviewed when needed
• Escalation of late / missing information to ultimate owners
• Easy data take-on from documents / spreadsheets
• Clear public / stakeholder visibility of selected real-time risk data
• Configurable scoring mechanism to match existing methodologies
• Configurable online help texts to guide infrequent / inexperienced users
• Complete, robust and secure risk management out of the box
• Mobile or desktop access to all functionality

£15,000 a licence a year

• Free trial available

Service documents

• Pricing document

  ODT

• Service definition document

  ODT

• Terms and conditions

  ODT

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at mark.bushman@datb.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

699789706608078

Contact

Mark Bushman
020 7923 9239
mark.bushman@datb.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
• Service constraints: None
• System requirements: Browser for end-user and administrative access

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: One hour during business hours; additional out-of-hours cover by arrangement.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Our standard support agreement covers faults in the application by telephone, email or online, plus assistance to administrative users in the configuration and operation of the application. Additional levels of cover (out-of-hours, business support etc.) can be arranged by agreement. Reported issues are assigned a priority that determines the target time to resolution: Priority 1 - One business day, Priority 2 - Three business days, Priority 3 - 10 business days, Priority 4 - Next scheduled release. Support costs are included in the platform licence cost.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Users may request access to a cloud-hosted proof-of-concept environment to assess suitability. Documentation is available within the product as well as in the form of PDF documentation. Training can be undertaken online or on site as required
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Data is stored using conventional relational database structures and can be accessed using conventional database tools from the DBMS provider or a third party. Alternatively, data can be accessed via web services defined within the application and described elsewhere in this document.
• End-of-contract process: No additional costs at the end of contract.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: All functionality available on all device types.
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: Yes
• What users can and can't do using the API: The platform enables the implementation web services supporting any XML- or JSON-based data interchange with other applications. Web services may operate as client (requesting data from an external interface) or as server (responding to requests from external systems). datb and our customers have developed interfaces to a wide variety of external systems including payments systems such as CivicaPay, financial systems such as SAP, Google Maps, SalesForce CRM, Microsoft 365 and many others.
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Deployed as a stand-alone component, the Risk Register is fully configurable to meet existing risk management processes. When deployed as a part of datb's Local Government Platform, full customisation of all of the application's functionality is available.

Scaling

• Independence of resources: Instances of the platform are isolated within the chosen cloud environment and do not share resources with those of other clients.

Analytics

• Service usage metrics: Yes
• Metrics types: User sessions are recorded within the platform. Resource usage (memory, sessions etc.) is logged hourly. Service availability and status are subject to automated monitoring.
• Reporting types:
  • API access
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Web services allow querying of data as XML or JSON. Exports can also be performed using tools provided by the database vendor or a third party. datb can implement other data export functionality (Excel, PDF, CSV or other) to meet clients' specific requirements.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • XML
  • JSON
  • PDF
  • Excel
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • XML
  • JSON
  • Excel

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: This service is hosted within Oracle Cloud Infrastructure (OCI), which offers 99.9% or greater availability for the components that we deploy (server, database, load balancer etc.)
• Approach to resilience: For Oracle Cloud Infrastructure (OCI), please refer to https://www.oracle.com/a/ocom/docs/caiq-oracle-cloud-applications.pdf
• Outage reporting: Datb performs automated monitoring of application instances; clients may elect to receive this information or rely on datb's monitoring, as appropriate.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Access to specific functionality such as configuration changes can be restricted to whitelisted networks if required. Access to the management interface is typically via SSO or user name and password, requiring additionally a second authentication factor (for instance a one-time code generated by Google Authenticator or similar, or emailed to the user). Access to the support portal is via user name and password.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Approachable Certification (UKAS 8320)
• ISO/IEC 27001 accreditation date: 15/03/2024
• What the ISO/IEC 27001 doesn’t cover: Nothing
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications: The selected cloud infrastructure provider will have appropriate additional certifications.

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: We hold ISO27001 certification and Cyber Essentials Plus. Our technical director holds overall responsibility for security policy. All staff are required to undertake a security self-assessment semi-annually; we conduct a semi-annual security questionnaire to ensure that staff are aware of correct processes. All security exceptions are logged within our internal management system and reviewed weekly at board level. We monitor threat reporting services to ensure that we are aware of emerging threats. End-user devices (desktops, laptops) are encrypted and centrally managed. Mobile devices with corporate access must be of defined types with biometric security, and are required to be kept up-to-date with security patches. Our activities are also controlled by our ISO 9001 certification.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All components of the service are subject to change management processes in compliance with ISO27001. All changes are subject to a quality review; this includes an assessment of all code and configuration changes with specific reference to any security impacts that they may have.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We monitor a variety of threat notification resources weekly and assess these in terms of any threat that they may present. We deploy patches regularly, or in response to a newly-identified security issue. We commission comprehensive penetration testing at least annually - this involves a skilled third party with full knowledge of, and access to, a configured application server in order to attempt to exploit any vulnerability present in our standard build.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We monitor cloud infrastructure logs, network activity logs and application event logs. The application server monitors and records all external access attempts. Security exceptions (failed login attempts, CSP violations etc.) are recorded and reported to the management server, which is configured to alert administrative users of significant events / exceptions. If a potential compromise is suspected, our security exception process ensures that specific actions are taken to minimise impact, preserve evidence, ensure that appropriate people are informed and to prevent further compromise.
• Incident management type: Supplier-defined controls
• Incident management approach: Our internal management application requires staff to record an 'exception' in response to any out-of-the-ordinary incident. Depending on the exception type, a variety of processes may be appropriate, but will generally result in the recording of an 'intervention', this being used to record the steps required to mitigate the incident. Exceptions and interventions are reviewed weekly in order to determine changes to processes, training needs etc. to prevent recurrence. Customers are notified of specific event types such as security exceptions.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  Our staff have worked remotely since 2002, reducing the impact of transport emissions. We seek to minimise use of consumables in our work. datb recognises the importance of climate change issues and addresses these in the following ways: The company does not produce a physical product requiring tangible resources; All staff work from home, largely eliminating the carbon footprint of commuting; Staff equipment is selected with regard to its energy efficiency, longevity and recyclability; All of our servers are cloud hosted, which has been shown to reduce energy use and the carbon footprint; Suppliers providing cloud hosting are vetted by datb to ensure that they hold ISO27001 certification, this will ensure that these suppliers have considered the impacts of climate change upon their services. More significantly, our technology facilitates the development of systems enabling collaborative working by geographically separated teams, reducing travel requirements and greatly reducing the need for paper documentation.

Pricing

• Price: £15,000 a licence a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: We can provide a test instance of the Risk Register suitable for a trial exercise, allowing potential clients to investigate capabilities with no commitment. This provides all functionality available within the full product. Timescales are subject to discussion with the potential client.

Service documents

• Pricing document

  ODT

• Service definition document

  ODT

• Terms and conditions

  ODT

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at mark.bushman@datb.com. Tell them what format you need. It will help if you say what assistive technology you use.