Blue Lights Digital

Change, Risk & Impact platform (Risk Estimate AnaLyse Manage) - Blue Lights REALM - Proximity based

REALM provides proximity based business change & intelligence information through automated assessment processes to aid tactical and strategic decision making and give an improved understanding of changing risks, whilst aiding the prioritisation of resources. Analytics produce automated reports enhancing understanding of current change and risks, feeding organisational knowledge.

Features

  • LEA & Public Sector risk methodology validated by academia
  • Developing codes of practice for public consultation on openspace initiatives
  • Create tactical risk assessments on individuals' or groups' vulnerabilities
  • Create risk assessments on thematics for strategic assessment documents
  • Track assessments over time building organisational memory & knowledge
  • Assessing service capability/maturity aligned with police security accreditation requirements
  • Developing methods to support data quality compliance alongside the College of Policing
  • Aligns with national requirements for Organised Crime Group Mapping, ViSOR
  • Established LEA change implementation networks aligned with OKIP & NPCC
  • Aligns with policing’s STCG, TTCG and NDM models

Benefits

  • Assessment of an organisation's change capacity, capability and demand
  • Automated processes reduce impact on resources
  • Big data scalability, can be scaled regionally or nationally
  • Fully auditable system as required for public sector deployment
  • Streamlined analysis saves manual configuration and processing time
  • Secure Hosted Cloud with automated functionality
  • Secure: Official sensitive caveat and GDPR compliant
  • Connect to Change Impact Assessment tool via HTTPS using SSL/TLS
  • Connect via PNN N3 via VPN for increased security posture
  • Identity Access Management (IAM) built in for increased security

Pricing

£1,000 to £10,000 a unit a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at claire.stanley@bluelightsdigital.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

763792874496249

Contact

Blue Lights Digital Claire Stanley
Telephone: 07847258384
Email: claire.stanley@bluelightsdigital.com

Service scope

Software add-on or extension
No
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints
Shared REALM instances are subject to Identity Access Management and Risk Mitigation Document Set (RMADS), Systems Security Operations Agreements (SyOps). Platform is available in Amazon Web Services, Azure and on a Private Cloud.
System requirements
  • Access to HTTPS services
  • Presentation to PNN VPN end termination unit
  • Presentation to secure gateways
  • Access to 2 factor and 3 factor authentication

User support

Email or online ticketing support
Yes, at extra cost
Support response times
Secure Official rated Service Desk
Mon to Fri 9-5
SLA - 1 hour response.

Technology is Fresh Service
Hosted in EU
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
9 to 5 (UK time), 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Support is on a reasonable endeavour basis and is included in our pricing. Dedicated ‘operational’ support can be provided under our standard day rates for an investigating officer.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Onsite training is available in REALM risk management methodologies. All trainers are security cleared and are experienced in providing education in this area.
Onsite training is available in REALM risk management applications.
Online training is available in REALM risk management applications.
Content is navigated by breadcrumbs and visual pointers.
The application has been UX tested for systems usability.
Identity Access Management (IAM) is set with access being granted by the Blue Lights Digital product owner.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Data can be extracted by snapshot of image in Amazon Web Services and provided as a working model to the client.
Data can be extracted in Microsoft Excel (CSV) format and exported to the client by a secure encrypted bearer.
Data can be deleted.
Backups can be deleted or retained subject to agreements.
End-of-contract process
Data Deletion Policy detailing how our Clients’ Data is deleted, particularly in connection with the cancellation, termination or migration of a Contract, is available on our website.

Generally, Data should only be retained for as long as necessary. The retention periods can differ based on the type of data processed, reasons, said timescales, as appropriate to the needs of both the Company and the contract data owner.

Legal requirements may apply for the retention of the particular data, as per regulations regarding certain professions, e.g. Policing.

In the absence of any legal requirements, the data of the contract data owner may only be retained as long as necessary for the purpose of processing.

The data subject may request in writing for the erasure of data or for the restriction of processing. This should be confirmed by the Company.

Contracts are drawn up on an individual basis and the retention period will be established in the contract.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Mobile application is limited in functionality.
Dashboards are limited view.
Input assessments are limited to field assessment.
Mobile has no Admin Access
Service interface
No
User support accessibility
None or don’t know
API
Yes
What users can and can't do using the API
The API is for ingest of other product assessments into REALM. Export of a REALM assessment to those products is available but would need testing and DevOps resource to validate.

No changes can be made. Only Push and Pull calls from one assessment application to another.
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • Other
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
The product can be changed by feature request.

Scaling

Independence of resources
The services scale up through cloud scalable architecture. Threshold management deploys new resources in the form of virtual machines and load balancing to ensure high availability of REALM Services. Clients can share an instance or have a dedicated instance with elastic IP for session management.

Analytics

Service usage metrics
Yes
Metrics types
Role Based Access Controls (RBAC) can be queried by date, time and session length as an admin function. The REALM dashboard provides service usage by local user, regional user and national user. RBAC is used to provide credentials and consent of different user types. The RBAC logic is determined by the license owner.
Reporting types
  • Real-time dashboards
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
By CSV export to an e-mail or by a choice of secure media.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
We will use commercially reasonable efforts to make the REALM Services available with a Monthly Uptime Percentage (defined below) of at least 99.99%, in each case during any monthly billing cycle (the “Service Commitment”). In the event any of the Included Services do not meet the Service Commitment, you will be eligible to receive a Service Credit as described below.

  • Less than 99.99% but equal to or greater than 99.0%: 5% Service Credit
  • Less than 99.0%: 10% Service Credit
Approach to resilience
We use object, block, and file storage services which are built for optimal durability and availability so that you can access your data anytime, anywhere. Data is distributed across physical facilities within a Region and data can be automatically replicated to another Region if consented to do so. Our cloud supplier enables backup & restore where you operate for business and compliance purposes.
Outage reporting
Outage reports are sent by e-mail from our Service Management function and can be broadcast as a status page on our dedicated website. Our website does not share a domain with the REALM instances.

Functionality exists within our Evolve application to notify clients with a status update in real time to their authenticated end point device.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
We use policy management. We manage access during a specific range of dates and times. We manage specific access when using multi factor authentication during a specific range of dates and deny access based on the source IP address if not within policy.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
  • Other
Description of management access authentication
IP whitelisting

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
British Assessment Bureau
ISO/IEC 27001 accreditation date
18 September 2015
What the ISO/IEC 27001 doesn’t cover
Detailed technical specifications or solutions
Specific software or hardware configurations
Compliance with other standards not directly related to information security
Non-information security-related processes or procedures within BLD group
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
Yes
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
Other
Other security governance standards
IASME
Information security policies and processes
1. Introduction to Information Security Management System is mandatory for all employees.
2. Key Principles of IT and IS
3. IT Department Roles & Responsibilities
4. Users’ Responsibilities
5. Software Security Measures
6. Anti-Virus Security Measures
7. Hardware Security Measures
8. Access Security
9. Data Storage Security Policy
10. Data Protection
11. Internet and Email Use
12. Reporting IT Security Breaches
13. Policy Review
14. Implementation of Policy

All policies are provided to all employees as a mandatory requirement of company employment. Governance of these policies is managed by the registered Data Protection Officer of the company and audited quarterly.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
The REALM planning and management includes items such as: personnel; responsibilities and resources; training requirements; definition of procedures and tools; processes; configuration control and configuration-status; naming conventions; audits and reviews. Change Controls can be applied to all of the above.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
If the vulnerability is found to affect a third party product, we will notify the author of the affected software. We coordinate between you and the third party. Your identity will not be disclosed to the third party without your permission.
If the issue cannot be validated or is not found to be a flaw, this will be shared with you. We use version 2.0 of the Common Vulnerability Scoring System (CVSS) to evaluate vulnerabilities. This helps quantify the severity of the issue and prioritises our response.

We monitor multiple platforms for security bulletins eg. Cyber Incident Security Platform (CISP).
Protective monitoring type
Undisclosed
Protective monitoring approach
We utilise Intrusion Detection Systems (IDS) to detect a wide array of attack methods included in the OWASP Top 10. We use log management to meet compliance requirements and to identify suspicious behaviour. We provide full visibility and visualisation of all your assets in your cloud environment with pre-built or ad hoc reports that include: trend analysis; risk levels; threat details; potential impact and detailed remediation recommendations.
We use a broad set of security compliance controls for PCI DSS, HIPAA & GDPR—including PCI ASV attestation reporting, daily log review and fully managed and centralised logging is available.
Incident management type
Supplier-defined controls
Incident management approach
We ensure that relevant staff understand which services are on what instance within our cloud environments.
We ensure that relevant support staff are aware of the SLAs associated with all REALM technical services and integrate those SLAs into our existing Enterprise Incident Management infrastructure.
REALM has defined explicit SLAs including resolution time scales with Incident Severity Levels and Priorities for all services running on the Blue Lights infrastructure.
We ensure 360 degree ticket integrations are available for seamless on-premises and cloud systems. Where human intervention is required, that intervention is done by Phone, E-mail or IM which utilises automated processes.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
Yes
Connected networks
Police National Network (PNN)

Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Fighting climate change

The delivery of solutions and software from BLD can significantly contribute to fighting climate change through various means. Implementing BLD risk mitigation services can optimise law enforcement resources which can lead to reduced carbon emissions. Additionally, integrating smart technologies to replace the transportation of physical devices or media to and from crime scene facilities reduces fuel consumption and greenhouse gas emissions. Furthermore, software solutions that facilitate remote work and virtual meetings can help reduce the need for unnecessary travel for data recovery, thus lowering carbon footprints.

The social value of these contributions can be measured by quantifying the reduction in carbon emissions resulting from the implementation of BLD risk mitigation Services. This can involve calculating the energy savings achieved by optimising processes and systems, as well as estimating the reduction in vehicle and air miles travelled due to the adoption of risk mitigation Services technologies.

Covid-19 recovery

The delivery of solutions and software as a systems integrator plays a crucial role in supporting post-Covid-19 recovery efforts, particularly in addressing the multifaceted challenges individuals encounter upon returning to work. This includes skills attrition and experience leaving public service for new roles in the third sector. Beyond health concerns, there is also a pressing need to mitigate the negative outcomes exacerbated by the pandemic, such as increased vulnerability to crime. During the lockdown periods, many individuals were targeted by fraudulent schemes exploiting the uncertainties and disruptions caused by the pandemic. These were often manifested through breaches of privacy and then obfuscation of activities within social media and corporations and their technology providers.

The social value of BLD risk mitigation Services can be measured by assessing the effectiveness of enhanced skills in detection and prevention measures delivered as conferences and sensitive equity webinars through BLD risk mitigation Services that reaches beyond the local community. This involves quantifying the reduction in fraudulent activities targeting individuals returning to work, as well as evaluating the efficiency of response mechanisms in addressing reported cases. Additionally, feedback from affected individuals and stakeholders can provide insights into the perceived impact of these initiatives on restoring trust and confidence in economic activities post-pandemic.

Tackling economic inequality

The delivery of risk mitigation Services from BLD can contribute to tackling economic inequality by enhancing access to essential services and opportunities for marginalised communities. For example, implementing digital platforms for government services can streamline processes and reduce barriers to access for individuals with limited mobility or internet connectivity. If these online services are corrupted or attacked, then harm is often amplified on the most vulnerable in the community. Additionally, providing training and support for digital literacy can empower underserved populations to participate more fully in the digital economy. BLD provide access through level 4 Apprenticeships in Digital Forensics Examiners, PCSO and Digital Analyst that include skills and competences in BLD risk mitigation services & systems. An example of this work is in Violence Against Women & Girls (VAWG) and Rape & Serious Sexual Offences where proactive data from investigations, intelligence based searches and stops can be calibrated into risk and harm indexes for intelligence development and proactive policing.

The social value of these contributions can be measured by assessing the extent to which they contribute to reducing disparities in the use of government services, development of new roles of employment in the investigation and intelligence marketplace, educational opportunities for new workforce entrants, and economic recoveries among different police forces.

Equal opportunity

The delivery of risk mitigation Services from BLD can promote equal opportunity by removing barriers to access and participation for individuals from diverse backgrounds. For example, implementing inclusive design principles in risk mitigation Services development can ensure that digital products and services are accessible to people with disabilities. Additionally, providing training and support for digital skills development can empower individuals from underserved communities to pursue career opportunities in technology fields. BLD provide access through level 4 apprenticeships that include skills and competences that are automated within workflow within the BLD risk mitigation Services SaaS portfolio.

The social value of these contributions can be measured by assessing the degree to which they promote inclusion and diversity within the workforce and society at large. This can involve tracking metrics such as the representation of marginalised groups in technology-related fields, the level of accessibility and usability of digital products and services, and the impact on social attitudes and perceptions toward diversity and inclusion.

Wellbeing

Implementing the automation of risk mitigation Services prioritises professional reach back and lawfulness along with work-life balance and flexibility. This supports emotional wellbeing by reducing stress and burnout associated with overwork and excessive job demands. These services are highly technical and need collaborative working environments to develop and iterate new solutions that drive effectiveness. The tools and services provided through BLD save significant time and effort in this endeavour. The wellbeing of officers and the wellbeing of the public is enhanced by faster results in deduction of investigation & intelligence link analysis. REALM insights improve relations between government organisations and also in the community with the enhanced optics that crime, hate and fraud are being tackled.

The social value of these contributions can be measured by assessing their impact on key indicators of individual wellbeing, such as physical health, mental health, work-life balance, trust from the community in recovery of trust in public services along with overall satisfaction with life. REALM is an underpinning tool of risk analysis and mitigation that supports proactive policing, uncovers insidious crime types and counters hate based narratives that are destructive to the wellbeing in society.

Pricing

Price
£1,000 to £10,000 a unit a month
Discount for educational organisations
No
Free trial available
No