CoreStream Ltd

Compliance Third Party Risk Manager

Third-Party Risk Manager is a comprehensive solution for screening 3rd (and nth) parties against a wide variety of risk domains. Flexible workflows, surveys, risk scoring and wide library of existing data source integrations can be blended into a solution fully tailored to your specific requirements.

Features

• Risk segmentation aligned to your risk model
• Dashboards and drill down reporting
• Workflows based on risk
• Interfaces with ERP and other systems
• Inherent risk and third-party questionnaires
• Third-party document uploads
• Sanctions and adverse media screening
• Deep dive due diligence using data providers you choose

Benefits

• Automation frees time for risk management focus.
• Streamlined risk assessments with dynamic monitoring for third parties.
• Reduction in reporting time.
• Clear vision drives focus, integrity guides action.
• Supply chain agility for emerging disruptions.

£800 to £8,000 a licence a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@CoreStream.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

762034809537491

Contact

Matthew Eddolls
0207 100 4378
tenders@CoreStream.co.uk

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: The CoreStream Platform is a fully integrated set of components for solving common, Governance, Risk and Compliance Challenges. Please refer to the G-Cloud Catalogue. Whilst each module can operate independently, additional modules can be provided for lower incremental cost, allowing to to advance your GRC practice with ease.
• Cloud deployment model: Private cloud
• Service constraints: None
• System requirements: All modern browsers are supported (including Mobile operating systems)

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: 30 minutes, within UK business hours (8am to 6pm)
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Our standard model is for 2nd and 3rd line support to be included in our license fee. ; First line support is typically best provided by our clients, but can be provided by CoreStream if necessary. This would be by separate negotiation as it will depend on system complexity and number of users
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Training can be arranged as required, however our system is designed with intuitiveness and user-friendliness in mind, and formal training is rarely required. Full documentation of client specific configuration will be provided in online guides, contextual help, and on-screen prompts
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Data repatriation will be provided free of charge (in raw text and PDF formats)
• End-of-contract process: Data repatriation and purging / destruction of data from all servers including backups is included. Additional requirements for delivery of the data in non-standard file formats or with transformations applied will be chargeable per the standard rate card.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Our user interface is a mobile-first design and fully responsive for all screen sizes from smartphone mobile devices, up to full desktop machines.
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: Yes
• What users can and can't do using the API: Our application is built upon formal architectural layers, with APIs enabling communication between them. As such, all features are available via API (both read and write operations), subject to permissions.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • Other
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Admin users can be trained to configure any part of the system, though this is typically limited to forms, reporting dashboards and exports.

Scaling

• Independence of resources: For each installation we deploy dedicated server virtual machines which are guaranteed a minimum level of resources from the physical host. This level of resource is set for double the number of target users as standard. If these resources become unavailable due to aggregate load on the physical host, we utilise intelligent switching to seamlessly move VMs to an alternative host. We continually operate with 100%+ spare physical capacity in our hosting capability.

Analytics

• Service usage metrics: Yes
• Metrics types: Logins, session length
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Excel, PDF and fully formatted / branded Word extracts can be provided as required
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • MS Word
  • PDF
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: 99.9% guaranteed, with service credits should this level not be achieved (10% refund of the monthly licence fee per 2% below 99.9%)
• Approach to resilience: We utilise multiple resilience arrangements and regularly practice disaster recovery scenarios. For security reasons, full details are available on request.
• Outage reporting: Email alerts will be generated upon a service being unavailable for a period of 5 minutes.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
• Other user authentication: Single Sign On via OAuth or SAML 2.0
• Access restrictions in management interfaces and support channels: Hidden webpages with additional security group requirements.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Other
• Description of management access authentication: Single Sign on via oAuth or SAML 2.0

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau
• ISO/IEC 27001 accreditation date: 26/11/2021
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications: Annual Penetration Testing by a CREST and CHECK accredited specialist.

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Cyber Essentials Plus
• Information security policies and processes: - Production information never replicated and stored in non production environments. Administrator access to production environments is limited to a handful of senior, named individuals who can only access via secure VPN, and named server accounts. CoreStream has a documented ISMS policy which is continually reviewed and redistributed to employees on an annual basis. Information Security events are recorded in a central database and reviewed by board-level management with actions and follow-ups implemented as required.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Software changes are subject to a standard requirements definition template and reviewed by senior functional and security design resource before being approved for development.; ; Once developed, changes are assigned to a specific release, with this release passing through a defined 'path to live' - escalating from development to test environment before being placed in a stage environment for final checks.; ; New changes, once developed are reviewed by a security test specialist and also subject to ongoing vulnerability scanning and penetration testing.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We employ an ongoing third party fully managed service to continually review our servers for known vulnerabilities. (Daily scans); ; Once a vulnerability is discovered, a user story is raised for a new software or configuration change, which will be then pass through our standard development process outlined above, however for serious vulnerabilities a specific patch release will be created to speed up the release process.; ; The most serious vulnerabilities will be resolved within 6 hours.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We employ an ongoing third party service to continually review our servers for known vulnerabilities and this forms the same process for protective monitoring.; ; Once a compromise is discovered, a user story is raised for a new software or configuration change, which will be then pass through our standard development process outlined above, however for serious vulnerabilities a specific patch release will be created to speed up the release process.; ; The most serious compromises will be resolved within 6 hours.
• Incident management type: Supplier-defined controls
• Incident management approach: We make use of our own software platform for incident reporting using an online form. Incidents are then automatically escalated to a fortnightly director meeting for review.; ; Incidents impacting clients will be communicated on an ad-hoc basis if and when they occur.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  CoreStream has identified seven areas in which we have a direct or indirect environmental impact, and where we can implement initiatives to manage and reduce these impacts. These initiatives combined will enable CoreStream to meet our target of net zero emissions by 2035. Our full environmental policy is available on request, but includes targets in the following areas: - Reduction in paper use - Reduction in Energy use - Travel - Awareness Training - Waste Management - Office Supplies - Supplier Management - Laptops and Electronics recycling

  Equal opportunity

  CoreStream is fully committed to providing equality in the workplace and all opportunities for, and during employment, will be afforded to individuals fairly and irrespective of age, disability, gender, gender reassignment, marital or civil partnership status, pregnancy or maternity, race including colour, ethnic or national origins and nationality, religion or belief or sexual orientation (“the protected characteristics”). We aim to create a working environment that is free from discrimination and harassment in any form, in which all staff, customers and suppliers are treated with dignity and respect. CoreStream will not unlawfully discriminate in the arrangements we make for recruitment and selection or in the opportunities afforded for employment, training or any other benefit. All decisions will be made fairly and objectively. We aim, as far as reasonably practicable, to ensure that all our working practices are applied fairly and consistently and, where necessary, we will take reasonable steps to avoid or overcome any particular disadvantage these may cause and to promote equality. CoreStream respects an individual’s right to choose whether or not to belong to a trade union and membership status will have no bearing on an applicant’s suitability for employment or result in any detrimental treatment when working for CoreStream.

  Wellbeing

  CoreStream has a programme of wellness initiatives with a mixture of funded and unfunded activities. Advice and external counselling support on all matters, including managing work / life balance is available to all staff. Staff are encouraged to exercise, and supported to have a comfortable and safe working environment both in the office and at home. CoreStream also supports regular charity volunteering days, allowing staff time out of the office to work on social projects.

Pricing

• Price: £800 to £8,000 a licence a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: A fully functioning trial system can be arranged by negotiation

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@CoreStream.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.