Castellan Solutions Limited

Riskonnect Business Continuity & Resilience (formerly Castellan)

Our web-based application facilitates, automates and simplifies Business Continuity Management (BCM) encompassing Business Impact Analysis (BIA), Planning, Exercising, Crisis Management, Threat Intelligence, Emergency Notification, Operational Resilience and Reporting modules. Our solution facilitates storage and maintenance of plans and procedures and delegation of responsibility across the enterprise for increased confidence.

Features

  • Holistic view of the entire continuity and resilience program.
  • Email-driven user workflow engine.
  • Customisable templates for BIAs, plans, exercises, and documents.
  • Mobile app (iOS, Android).
  • Simple importing of key organisational datasets via API connectors.
  • Customisable user profiles to control access to data/features.
  • Pre-built reports and customisable dashboards.
  • Integrated, two-way notifications to employees, groups, or plan members.
  • Crisis management, incident management, threat intelligence, and exercising capabilities.
  • User interface designed for collaboration, accessibility, and ease.

Benefits

  • A single platform to manage all readiness and response activities.
  • Supports BCM best practice alignment to ISO 22301.
  • Intuitive and simple to use for the occasional user.
  • Minimal requirement for central administration.
  • Empowers plan owners, managers, and other stakeholders to participate.
  • Efficient, cost-effective plan development and maintenance.
  • Mobile and offline access to plan information.
  • Email-based task management features to save time.
  • Speed, accuracy, and visibility through integrated data relationships and dependencies.
  • Latest updates to plans are always available to authorised personnel.

Pricing

£30,000 an instance a year

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@riskonnect.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

763415730958686

Contact

Castellan Solutions Limited James Leathem
Telephone: +447840657015
Email: sales@riskonnect.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
No, the majority of planned maintenance is undertaken with no client impact.
System requirements
  • User browser must support TLS 1.2 (HTTPS) for all pages
  • User browser must have JavaScript enabled
  • Windows 8.1 or above
  • Mac OS X 10.6 or above

User support

Email or online ticketing support
Email or online ticketing
Support response times
We provide 24x7x365 Operational and Technical support delivered by our team of Service Delivery Specialists. The team is contactable by email, phone or via the customer support portal which logs and tracks tickets through to completion.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
All clients receive the same high level of support at no extra cost as it is all included within the licence fee.

After the initial software implementation, carried out by our experienced in-house BC specialists, our support team is on call 24x7x365 and ready to address technical questions, offer strategic guidance, and provide software support when you need it most. Clients are also assigned a dedicated Customer Success Manager for additional assistance and support, and will hold Quarterly Business Reviews (QBRs) to ensure you are always getting the very best out of your program.
Support available to third parties
No

Onboarding and offboarding

Getting started
Riskonnect's Business Continuity & Resilience offers comprehensive support throughout the implementation process, led by an experienced business continuity practitioner supported by our team of service delivery specialists.
Our standard implementation service provides training to client system administrators such that they will be able to configure and administer the system going forward. Standard implementation covers the core development of BIAs and Plan entities. These sessions are delivered using a train the trainer approach to enable administrators with the required knowledge to complete the work with remote support from the software specialists. Each training session will focus on specific elements of system configuration with intervals allowed for completion of setup work by administrators as part of the formal implementation path.
This provides the following benefits:
  • Collaborative, short, focused training sessions on system components with hands-on activity;
  • Integrated system set-up through the training sessions, so that the training delivers real benefit and a system that is ready to be used;
  • Knowledge retention is maximised by using the actual client system rather than a training system and by completing live setup;
  • Key learning opportunity for administrators, ensuring that they retain the skills required to update and manage the site.
Service documentation
Yes
Documentation formats
  • PDF
  • Other
Other documentation formats
  • Documentation is available via our integrated Customer Support Portal.
  • Video Tutorials via on screen links.
End-of-contract data extraction
At any time, including at the end of the contract, client administrators can extract their data using the reports already built into the system, which output the data as Excel/CSV files for ease of use offline, without the need for technical assistance. In addition, users can print and save their BIAs and Plans in PDF format, and administrators can output and save detailed reports in Excel format. We can provide additional support for this process if other formats are required.
End-of-contract process
At the end of the contract, clients can extract all of their data, including BIA and Plan content, themselves via the client administrator interface; we can provide assistance with this process if required. For security and data protection purposes, we permanently delete/destroy client data no later than 10 days after the end date of the contract. If the client requests the last available backup of the data, this can be provided at no additional charge unless a specific format is required, for which there may be an additional charge. There are no other additional costs relating to the end of the contract.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The desktop version is also viewable on mobile devices as it is delivered via a web browser. The layout of the screen will dynamically adapt to the screen size of the device used to access it. In addition the mobile app provides offline access to BC plans if there is a network outage.
Service interface
No
User support accessibility
WCAG 2.1 AAA
API
Yes
What users can and can't do using the API
We have a suite of APIs for importing data including Employees, Resources, Suppliers and Sites. We also provide out-of-the-box (OOTB) RESTful APIs for integration with third-party applications, and import APIs to programmatically manage data imports into the system.

Once we enable APIs for a client, a simple client administrator menu option presents a screen very similar to the Executive Dashboard, including a wizard-style interface to set up each API type required, which generates the required authentication keys. This means the system the client uses at their end (e.g. for employee data) can be flexible, since their IT team simply needs to build the link to the appropriate API.

There are two options for automated data imports:
  • Bulk File Transfer
  • RESTful API (single record)

Using a RESTful API is preferred, as this:
  • Places control of the data transfer with the client;
  • Operates via a client-specific URL on the existing client domain, so is not a shared data transfer service;
  • Pushes data to our software, requiring no access to or entry points within any client infrastructure;
  • Is secure.
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Client administrators can customise and configure their software instance as required. Editing terminology to align with individual organisational language, and designing new templates, documents, workflows and customisable dashboard reporting, are all straightforward and can be achieved using simple tick box, text box and drag-and-drop options.

The software supports role-based security through assigned custom roles to manage access and user permissions. Permissions can be customised directly from within the software and each user can be assigned a standard or custom role or given access at the individual document, BIA, plan, or exercise level.

Scaling

Independence of resources
The production environment runs on highly available hardware in the Azure infrastructure. The primary and failover data centre regions are determined by the customer. We back up our systems every hour to Azure Backup using industry best practices and encryption via standard SQL management tools. Those backups are also automatically replicated to our recovery servers, so we can fail over at any time.

The infrastructure is sustained at 25% capacity, with the remaining capacity held to support spikes in usage.

Analytics

Service usage metrics
Yes
Metrics types
Client Administrators can monitor and track service usage themselves. Using the customisable dashboards, administrators can use a simple wizard-style interface to create graphs which provide an at-a-glance, real-time overview of the BC program; these can be used to report to upper management. Client Administrators can also track BC program compliance using the default dashboard, which can be filtered by area. Many of the built-in reports can also be scheduled to provide regular reports or run on request by the user, including audit and user access reports.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
There is a wealth of reporting available as part of our standard licence, including the capability to create custom reports. The suite of pre-built reports includes Gap Analysis and RAG indicators to show warnings, strategic and planning reports such as 'What If', and critical data analysis reporting.

Data can be exported as an Excel file or as a PDF. We also provide a public reporting API which allows clients to access their data to produce reporting extracts for upload into third-party analytics tools they may be using (e.g. Power BI or Tableau).
Data export formats
Other
Other data export formats
  • Excel
  • PDF
  • Zip File
  • Reporting API
Data import formats
  • CSV
  • Other
Other data import formats
  • Excel
  • Zip File

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Riskonnect's Business Continuity & Resilience is provided on a high availability environment with a 99.97% uptime SLA for application availability, excluding scheduled downtime and agreed client maintenance.
Approach to resilience
The servers for the service are located across two geographically separate locations and are configured for redundancy and resilience:

  • Data is stored on a highly redundant storage array;
  • Databases are serviced by a database cluster;
  • Websites are serviced by a load-balanced pair of web servers;
  • Security patches are applied monthly after they have been tested;
  • For DR purposes, data is replicated to a secondary location within the same geographic region via an encrypted private backbone network;
  • Azure Traffic Manager is used to redirect traffic between the Primary and Secondary sites.

In the event of a catastrophic failure we can switch over to the secondary location within our standard RTO of three hours, with an RPO of fifteen minutes.
Outage reporting
Riskonnect's Business Continuity & Resilience is a high availability application; availability is proactively monitored 24x7 by our own technical staff. This includes monitoring software which provides automated alerts via email.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
All access to the underlying infrastructure is via two-factor VPN, and limited to users who require access to undertake their role.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
PECB MS
ISO/IEC 27001 accreditation date
06/09/2010
What the ISO/IEC 27001 doesn’t cover
All areas of the business are covered and the scope is provided below. All ISO 27002 controls apply.

Castellan Solutions Limited covers the business activities relating to the provision, design, development, maintenance and management of Internet and Web services and systems, in accordance with the latest Statement of Applicability.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
No
Cyber essentials plus
No
Other security certifications
Yes
Any other security certifications
SoC 2 Type II

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Riskonnect's Business Continuity & Resilience has a suite of detailed security policies in line with our ISO 27001 certification.
In addition, we have an Information Security Forum consisting of the Global Head of Strategy, the Head of Administration and Special Projects, the Head of Global Infrastructure Architecture and the Information Security Manager. All managers ensure that documented security procedures and work instructions within their area of responsibility are carried out correctly to achieve compliance with security policies and standards.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Components of the service are tracked within our asset register which is reviewed every three months. When components near end of life a migration plan is created to move to new components prior to the end of life date.

All changes to software and components are tracked via a ticketing system with appropriate sign-offs by different teams. This includes security and risk assessments, confidentiality, integrity, availability, alignment to product roadmap and rollback plans.

Customers are communicated to via predefined channels prior to any changes which could impact the availability of the solution.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
To assess potential threats to our services, we run monthly vulnerability scans to identify security vulnerabilities and software configuration issues in all our environments.

Patches are deployed as follows, depending on their category:
  • High: within 7 days (normally within 24 hours)
  • Moderate: within 30 days
  • Low: at our discretion
  • Informational: at our discretion

Information on potential threats is obtained from: Cyber Security Information Sharing Partnership (CiSP), Microsoft, Homeland Security “National Cyber Awareness System” and ManageEngine Desktop Central.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Our monitoring process aligns with ISO 27001.

We have SecureWorks Red Cloak Threat Detection and Response (TDR) and Managed Detection and Response (MDR) in place, monitored 24/7/365 to identify potential compromises. Events are sent to Azure Log Analytics and reviewed periodically.

If SecureWorks Red Cloak detects a security threat, our incident process is invoked.

If suspicious activity is found within logs, a more detailed investigation is undertaken to find the root cause which may involve specialist forensic investigation. An incident is raised within our incident management tool, and appropriate actions taken.
Incident management type
Supplier-defined controls
Incident management approach
We have a fully documented process for incident management, ensuring that a consistent methodology is followed when an incident occurs which impacts the services we provide, such that full service is restored as quickly as possible.

Users can report incidents through our Help Desk ticketing system or by telephone or email through our Service Delivery team. Incidents can also be automatically detected via our monitoring tools and escalated.

During an incident, reports are provided to clients at a frequency that is consistent with the deadline assigned to resolution of the incident, but typically every 30 minutes via email or SMS.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

Social Value

  • Fighting climate change
  • Equal opportunity

Fighting climate change

As a provider of software solutions, Riskonnect makes minimal use of raw materials in the development of our products and services aside from the engagement of our employees to develop and implement our solutions. We regularly seek opportunities to reduce the environmental impact of our facilities, computer hardware and cloud infrastructure hosting services among other areas of the business.

Equal opportunity

Riskonnect is an Equal Opportunity Employer that does not discriminate on the basis of a person's race, color, national origin, age, religion, disability status, sex, sexual orientation, gender identity or expression, genetic information, marital status, or other non-merit-based factors. Our management team is dedicated to this policy with respect to all management practices and decisions, including recruitment and hiring practices, appraisal systems, promotions, training, and career development programs.

Pricing

Price
£30,000 an instance a year
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
A fully functioning demonstration version of the software is available after a mutual non-disclosure agreement has been signed.