Blackthorn GRC Limited

Law Enforcement Case Management

Our Law Enforcement Case Management service handles sensitive enforcement cases such as immigration, food standards, boarder control and human slavery. Users can capture, organise and manage information pertinent to an investigation with full audit and management reporting. Solution supports electronic data exchange with CPS. UK hosted to OFFICIAL .

Features

• Centralised management and handling of 'case' information
• Effective data management and collaboration across investigation team
• Role based security for secure partitioning of information
• Evidence tracking
• Two-way Interface (TWIF) for digital case data exchange with CPS
• Attach evidence (multiple file formats) to cases
• Intuitive, clear user interface with user configured reports and dashboards
• Auto-completed MG forms
• Powerful search engine for identifying associations across investigations
• Visualise relationships between cases and attributes (e.g. suspects, phones etc.).

Benefits

• Simplifies and automates complex processes
• Increases efficiency with electronic forms, workflow management and user alerting
• Full audit trail making users fully accountable for their actions
• Increased visibility through internet browser access
• Improves resource management
• Increases data quality by eliminating recurring errors and repetitive entry
• Clean, intuitive user interface reducing the training burden for users
• Wide range of supported platforms e.g. mobile, tablet, desktop
• Secure storage of data with channel encryption on remote links
• Digital communication with CPS reducing emails and paper.

£45.00 to £65.00 a person a month

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at g-cloud@blackthorn.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

792303634982046

Contact

Ian Hardman
02081237989
g-cloud@blackthorn.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Hybrid cloud
• Service constraints: Cloud infrastructure requires regular security patching to eliminate zero day vulnerabilities. Some patching activities will result in the suspension of services for a period of time, no more than a few minutes a month. We work with customers to identify the best time for such maintenance activity.
• System requirements:
  • Browser (minimum Windows 7, IE9 or chrome)
  • Suggested connection speed of 1Mbps per concurrent user
  • SSL Certificate

User support

• Email or online ticketing support: Yes, at extra cost
• Support response times: Support requests made by email or online are acknowledged within 30 minutes. Our acknowledgement will include a preliminary 'severity classification' based on impact to your operations: P1 (major business impact) through P4 (no discernible business impact). Initial (detailed) investigation response times and full resolution response times are tiered, based on impact (P1 to P4). Please see Service Description for more information. Support is administer 9 / 5 or 24 / 7 depending on support package purchased. If on 24 / 7 support, the above response times will be available at weekends.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Our Silver support level offers our clients access to support 9am-5pm.; The cost of Silver support varies according to user numbers and starts from £498 a month.; For clients who need on call 24/7 support, we offer a Gold level support package for P1 (business critical) and P2 (business significant) support issues. This provides direct access to technical support engineers as and when need and enables maintenance windows out-of-hours.; The cost of Gold support varies according to user numbers and starts from £6,498 a month.; Further details can be found in the Service Definition and Pricing Guide documentation.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Self-service, on-line training is provided as standard. Users are provided with a URL, (to the application), training account ID and temporary password. The URL is set to point to a dedicated training system, that has been pre-configured for training purposes.; Training material is provided to guide participants.; Classroom training, either using generic materials or bespoke packages developed in partnership with the customer, is available at additional cost.
• Service documentation: No
• End-of-contract data extraction: Users are able to export the underlying database in CSV format. Information can be selectively extracted using Blackthorn's reporting functionality and user configurable filters. Additionally, a backup of the application database (MS SQL) is supplied in an unencrypted format.
• End-of-contract process: A backup of the MS SQL Database will be provided as part of off-boarding and at no additional cost.; Should assistance be required to migrate the database and content to a new application or platform, we will assist. Such assistance, available under Lot 3 is at additional cost if above and beyond the scope of our standard off-boarding service. For example, the provisioning of a database and content in a mutually agreed format is free of charge. Mapping data from Blackthorn's database constructs to a third-party's data constructs will incur a charge. ; Servers used to deliver the retiring service (production, development, test, acceptance etc.) will be securely wiped and repurposed.; Any legacy backups not retained by the customer will be identified and securely wiped.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Our fully functioning web application is accessible from both mobile devices and desktops but there must be stable network connection. Screen size is also an important consideration as our web pages are designed for use on screens of at least 8.9” diagonal. ; ; Our IOS/Android/Windows App caters for off-line operation and provides full support for audit and survey functions, case specific information retrieval (if case records downloaded prior to disconnect), and case records update and maintenance. Any changes are replicated to the cloud service when a network connection is re-established.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Most aspects of the service are configurable; a separate and dedicated service interface ensures appropriate segregation between normal business activities and system admin activities. Different system administration roles can be defined, and the rights and permissions afforded to these roles adjusted to mirror the customer’s existing hierarchical structures.; As an administrator (permissions allowing), users can configure I/O, workflow, report templates, value ranges, and object types. Importantly, the system admin function allows the right and responsibilities of standard user roles to be defined, and access control to data and case artefacts. Normally access is awarded along team or regional boundaries.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: We have experience of integrating our solutions with assistive technologies such as Dragon. Much of our HTML coding incorporates the ‘tags’ required by assistive technologies to help people with disabilities either access or enter information. Additionally, we have designed into our software features to aid use e.g. improved contrast and visibility for the hard of sight. Our policy to date has been to work with individual users experiencing accessibility problems and to find solutions that meet their specific needs. Incrementally, therefore, we are making our software compatible with applications that aid access but as yet have not achieved 100% coverage. It is our intention to continue with this approach.
• API: Yes
• What users can and can't do using the API: We have a number of API services for consumption by third party applications.; Where Blackthorn functions are supported by an API service, the functions behave and operate as if a user was logged directly onto the application.; API requests must be serviced by a standard user account (not system account) so that there is an auditable history of all actions invoked remotely. The user account can be dedicated to API requests, or an actual user's account can be used. In both cases, the account must be marked for API usage and a separate application key is required.
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: The application has a flexible user interface that allows terminology, workflow, taxonomies, form layouts, surveys, team structures etc. to be tailored to an organisation's individual needs.; A general user account, with appropriate account permissions, can configure dashboards, exports, mail merge reports, surveys etc. using an intuitive, filter based interface.; An administration account, with appropriate account permissions, can configure via the interface workflow, users, teams, taxonomies, forms layouts, emails etc. again via dedicated customisation interfaces.

Scaling

• Independence of resources: The hosting is dedicated with fixed, predefined allocation of platform resources. This eliminates the possibility of memory bursts and contention by other parties.; Application servers are monitored and alerts automatically sent (to us) when a threshold is breached.; During our frequent service and maintenance reviews we assess performance to see if further resource should be allocated based on projections.; Additionally, the underlying architecture of the service is fully scalable allowing additional hardware (application servers) to be brought online if and when required.

Analytics

• Service usage metrics: Yes
• Metrics types: Service metrics are provided covering: service availability, memory usage, peek bandwidth demand. Customers opting for Blackthorn' s cloud Protective Monitoring solution (extra cost) additionally receive metrics on failed user account logins, firewall port status, denial of service attacks, authorised and unauthorised network access, application errors, server errors and service misuse. ; ; Service responsiveness can also be measured but requires a suitable host machine on which to run the monitoring software. Ideally, this machine needs to be on the customer's network.
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Other
• Other data at rest protection approach: Data-at-rest encryption is an optional feature. Our service incorporates server side encryption. The keys are auto generated and managed by the application. Once enables, all case information including raw data and uploaded files is encrypted and saved to the database in an encrypted format. The stored information is obfuscated and cannot be accessed by the Cloud Service Provider, or Blackthorn's staff without going through the standard business logic - itself provided by user access and authentication security controls.
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Facilities provided as standard to export data to CSV files.; Filters can be applied to the database to narrow down the data-sets exported at any given time.
• Data export formats: CSV
• Data import formats:
  • CSV
  • Other
• Other data import formats: Email (requires mapping)

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection within supplier network: Where security targets demand that the service is hosted in a secure environment, the level of protection afforded by our Hosting provider is assured through the Government's security accreditation process (pan-government accredited).

Availability and resilience

• Guaranteed availability: We have SLA's defining targets for initial analysis time and resolution time. The targets are a function of the severity of the incident and therefore vary. Only normal working hours count towards the measurement of response times. For example, if an incident was reported one day and not resolved until the next, the over-night non-working hours would not count in the determination of actual response times.; Response times targets for initial analysis and resolution are provided below for different priorities of incident: Priority 1, 30 minutes and 5 hours respectively: Priority 2, 4 working hours and 8 working hours respectively; Priority 3, 1 working day and 3 working days respectively;; Priority 4, 3 working days and 5 working days respectively.; ; Should we fail to meet these targets for an incident or KPI 3 or more times and customers are awarded service credits:; ; 3 breaches of targets = 1% service credit, 4-5 breaches = 2%, 6-7 breaches = 3%, 8-9 breaches = 4%, 10+ breaches = 5% service credit.; ; We are also able to provide 24x7 support, fully details are in the accompanying product description documents.
• Approach to resilience: Our application runs in a virtualized cloud environment. If a virtualised server fails, such as a web server, other web servers within the virtualised environment will take up the load, until a new instance of the failed server can be brought back on line (minutes).; If the primary data centre is lost, real-time data replication to the DR data centre ensure continuity of service with short Recovery Point Times. The DR facility is normally passive and has a Recovery Time Objective (RTO) of less that 4 hours. Within this recovery time, a fully operational mirror of the Production service can be up and running.; Our enhanced offering comprises of multiple production web servers, so in the event one fails, the other can continue. Obviously there are TMGs and IPS units. There is also a DR site which can be used for fail over.
• Outage reporting: We have monitoring services installed on servers within the Data Centre but outside the main production environment. These monitoring service call API's with the application to determine its health. If the application is non-responsive, the monitor alerts us by email. Our service desk email is continuously monitored by support staff (mostly 24 x 7) to ensure outages are detected soonest and an appropriate recovery plan is executed.; ; The hosting provider also has monitoring software with real-time dashboards, copies of which are made available during each monthly service review meeting.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Username or password
  • Other
• Other user authentication: Active Directory federation services which offer single sign-on to cloud service from a customer's terrestrial networks.; Oracle Web Single Sign-on which offers secure, cross domain user authentication.; Two factor authentication using a chipcard and mobile App for verification code generation.; Shared link (hyperlink in email) with security credentials embedded in token giving recipient immediate but controlled (limited) access to online services.; Additionally, we can further restrict access by limiting visibility of services through use of VPN tunnelling and IP address restrictions.
• Access restrictions in management interfaces and support channels: Our cloud service providers' management interfaces authenticate with a minimum of ID and password. 2 Factor authentication is used by suppliers offering environments with enhanced data protection. Additionally, we apply IP addressing restrictions so connections can only be made from know (approved) external devices.; Our management interfaces apply the onion ring principle of security with multiple layers of user authentication including, Bitlocker, Windows (local) authentication, VPN user authentication, RDP session (cloud) authentication. IP addressing restrictions are also applied so that access is only permissible from authorised remote support devices.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
• Description of management access authentication: Management access is administered and controlled in the same manner as Support Access. There is no distinction. Please see 'Access Restrictions in management interfaces and support channels' above.; All access to our cloud environments is logged and cross-checked against support tickets to verify legitimacy. Auditing is conducted on a monthly basis.

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 05/03/2020
• What the ISO/IEC 27001 doesn’t cover: Our ISO 27001 certification extends to all areas of the business; there are no exclusion. ; It covers software engineering, product development and support, cloud service design, and cloud service execution and delivery. Additionally, all related business operations and services such as sales, marketing, finance, HR and IT service management and customer service management.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • Cyber Essentials +
  • Hosting provider certified to ISO27001/17,18 , ISO 9001

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Blackthorn GRC operates under the auspices of a high-level Information security policy, underpinned by topic-specific policies on subject such as Access Control and Security in Development. People, procedural and technical security control are the embodiment of the policies and supported by guidance documents, checklists and standards that ensure all staff are clear of their responsibilities, understand the threats and risks to information and the channels for reporting concerns. Checklist and automated audit processes are used extensively to monitor the security landscape and ensure security controls are working, e.g. we use protective monitoring in our cloud hosting environments to maintain 24x7 surveillance and immediately report suspicious or unauthorised behaviour.; Staff induction training, Acceptable Use agreements and pre-employment vetting ensure that we have trustworthy staff who are clear about their information security responsibilities.; Vendor security policies ensure that our partners, especially hosting partners, uphold our high standards and have security practices that are commensurate with our own. ; Our MD is ultimately responsible for information security, but this responsibility is delegated down to ensure accountability at all levels, effective reporting and oversight. A separate audit activity, reporting to board-level, polices the system to ensures our policies, processes and procedures are being duly upheld.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Our Configuration and Change Management is compliant with ISO 27001. Change management is applied over the full change life-cycle starting with a detailed account of the change, an impact assessment, and plan of the delivery steps. Change board approval is required at various control gates; the Change Board might include customer representation. Immediately prior to deployment the Change Board reconvenes to reconsider the risks, review the deployment plan, roll-back strategy, and to attest to the testing. Our CCM process is fully documented, identifying gate keepers and associate controls.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Our Vulnerability Management process is ISO 27001 compliant. Vulnerability assessments are carried out using automated tools as part of every major code release. Additionally, network vulnerability assessments are conducted to identify any security weaknesses that might have been missed by regular Operating System security patching. The results are reviewed by Blackthorn and weakness mitigated either as part of development, or under full change control. Operating System patches are deployed automatically via our Windows Server Update Service. Monthly security auditing verifies patch management effectiveness, and identifies any servers that must be restarted to complete installation. Reboots are scheduled with client authority.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Threat management and intrusion protection monitoring at the data centre boundary protects against threats at external networks (e.g. internet, PSN, HSCN), perimeter routers and firewalls, the VM Hypervisor, and physical infrastructure. Visualised machines hosting service applications are protected by Blackthorn's dedicated intrusion protection system looking for suspicious, unusual, or unexpected activity at application, server and virtual network level. ; Our hosting provider acknowledges incidents and advises about tests to remediate. Significant incidents are escalated to ourselves, Priority 1 within 30 minutes, priority 2 within 3 hours. Alerts triggered by our PM are investigated immediately and handled within terms of our SLA.
• Incident management type: Supplier-defined controls
• Incident management approach: We use an instance of the Blackthorn Case Management Tool to monitor and track security incidents. Each type of incident has its own predefined workflow for coordinating the response activity and mitigating the threat as quickly as possible. Our workflows are optimised to the incident type. Incidents can be raised through our online web portal, by emailing or phone. Our monthly Service Management Reviews and associated reporting includes incident details (if any) and metrics showing how well we have performed against our support and remedy response times (as specified in our SLA). Controls and root causes are aligned to ISO27001.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: Yes
• Connected networks:
  • Public Services Network (PSN)
  • Health and Social Care Network (HSCN)

Social Value

• Fighting climate change:

  Fighting climate change

  All our hosting options are hosted on Carbon Net Zero infrastructure. We are presently engaging with suppliers and third parties to ensure all parts of the contract are Net Zero or Carbon Negative.
• Covid-19 recovery:

  Covid-19 recovery

  Our workspace is in an innovation area where we work closely with other small businesses, sharing ideas and supporting each other, to enable growth within the Croydon area. During Covid, our business was barely affected (as most of our activities can be immediately swapped to virtual). Where there were specific security concerns, these were managed individually. This resulted in increased business activity during the period rather than less and successful implementations. Coming out of Covid, we have introduced further longer-term measures such as greater opportunity to work from home. This reduces our Carbon footprint. However, we continue to maintain concern for staff wellbeing and are constantly reviewing on an individual basis.
• Tackling economic inequality:

  Tackling economic inequality

  We offer our staff the ability to volunteer for local charities with the company providing half of the normal salary. We also encourage staff to carry out fundraising activities which we sponsor. Our workspace is situated within a small business enterprise zone. We actively aid fellow organisations within our workspace, to help them grow alongside us. We chose this area as we believed it was in a location that required elevation and an area in which we believed we could make a difference. The workspace is closely paired with Sussex University, but we are also looking at links with the London Business School, to provide opportunity within the area. We offer all staff an individual training programme, to meet their and the company's needs. Similarly, we regularly assist our clients, to improve their knowledge, skills and expertise. When engaging with potential suppliers, we look for a number of factors, including what benefit our custom will aid the supplier and the impact of such to the local community, the wider community and the environment. However, our suppliers must be resilient, as we are with our clients. We believe suppliers should be paid immediately and fairly. Our ethos is a fair price for a fair job which can be seen on our website. We would hope that our future clients adopt that ethos as well.
• Equal opportunity:

  Equal opportunity

  We have users within our user group who are hard of sight. We work hard to ensure no matter their abilities, no user is disadvantaged. We are a member of Living Wage Foundation and actively ask our suppliers to conform to the standard. We are a fairly small team, but we do assess our cultural divergence within our organisation and actively promote new candidates from minority groups. Similarly, we would ask our suppliers and future clients to adopt a similar ethos.
• Wellbeing:

  Wellbeing

  We carry out annual health and safety reviews of our staff and regularly enquire about suppliers and clients wellbeing during our day-to-day business dealings, without being intrusive or interrupting business activities. Within our workspace community (Sussex Innovation), there is the offer of digital wellbeing care, a confidential service that our staff can access online. We believe it is not just a system we are delivering, but a long-term relationship and therefore we have a vested interest in ensuring the wellbeing of our clients, suppliers and staff.

Pricing

• Price: £45.00 to £65.00 a person a month
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: This service is hosted with a commercial service provider and should not be used to run trials with confidential / PM information. All test data should be anonymised before uploading. We do not guarantee the availability of the service.; ; It includes the full functionality that the production system will have.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at g-cloud@blackthorn.com. Tell them what format you need. It will help if you say what assistive technology you use.