Protecht.ERM

For:
  • Audit, risk and compliance
  • Legal

Protecht.ERM is a full function enterprise risk management solution for organisations of all sizes and industry sectors. Protecht.ERM is a cloud-based solution that is accessed by users through standard web browsers on desktop, laptop and mobile devices.

Protecht.ERM offers the following key modules:
  • Central libraries – tags, risk events, controls, risk causes and business units
  • Risk and control assessment
  • Compliance obligations and attestations
  • Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs)
  • Incidents and other registers – flexible form design to capture any type of information
  • Audit and audit findings
  • Issues and actions
  • Workflow
  • Risk analytics and reporting – fully integrated BI tool allowing high quality, highly visual dashboards and reports to be created by end users
  • Custom applications – enables users to build their own applications using the Protecht.ERM framework. The applications can consist of data, entry forms, workflow and reporting, and can access other areas of the product such as the central libraries.

The Protecht.ERM solution has been developed to provide maximum flexibility to the end users such that customers are able to design and build their own processes, forms, dashboards and reports without the need for developers.

    Features

  • Fully configurable data entry forms without needing vendor involvement or IT skills and experience
  • Fully integrated enterprise risk management
  • Fully integrated reporting and dashboard tool
  • Able to integrate with other systems via web services and APIs
  • Fully configurable workflow module for sending notifications and alerts based on one or more conditions being met in one or more fields in a record
  • Conditional field rules to simplify data entry
  • Device agnostic via HTML5 support, rendering the output to the device screen size and orientation
  • Hosted in Australia in ASD Certified hosting environment with full DR facilities
  • Support for all commonly used browsers
  • IRAP Assessed to PROTECTED security classification

    Benefits

  • Provides an organisation-wide view of information and trends
  • Greater process consistency and terminology
  • Reduction in redundant activities
  • Greater and swifter information availability
  • Timely escalation of exceptions and non-compliance to the right person
  • Coordination across audit, risk, compliance, governance, etc.
  • Improved ability to measure operational performance
  • Improved ability to balance risk and reward in decision making
Minimum price
$20,000.00 AUD Per named user per annum (minimum of 20 users) or enterprise licence
Maximum price
$350,000.00 AUD Per named user per annum (minimum of 20 users) or enterprise licence
Variables affecting pricing

Protecht.ERM is licensed based on the number and type of users. User types are:
- Full users who are able to access all data and functionality, restricted by their permission level
- Data entry only users who are able to enter data into forms, review / modify their own data, respond to compliance attestations, update tasks / actions assigned to them, access reports and dashboards based on their role.

Enterprise licence option is available for large user numbers

Licence fees are payable annually in advance.

Implementation fees are based on configuration scope of work as well as integration requirements.

Become a registered buyer to purchase this product.

Onboarding and offboarding

Onboarding assistance

Protecht provides full implementation services to configure Protecht.ERM to meet client requirements. Implementation services are inclusive of up to 2 days face to face super user training; 2 days face to face training for key users needing advanced knowledge on the analytics functionality; and creation of end-user 'how to' guides. Implementation services fees are provided as a fixed price based on the agreed scope of work.
Post implementation, the Protecht Support Desk, located in Sydney, is available for super users to report issues and seek 'how to' help. Critical issue support is provided on a 24 x 7 basis.
The Protecht Account Director will meet with super users on at least a quarterly basis to provide assistance in adoption of Protecht.ERM outside of the initial implementation focus.
Additional training for super users can be provided at the rate of $2,000+GST per day
Additional configuration assistance can be provided, with fees charged on a fixed price based on an agreed scope of work.

Offboarding assistance

At contract termination, Protecht will provide the client's data stored in the Protecht.ERM database in .csv format and any attachments in their native format. All storage devices are purged of client data 30 days after contract termination as per security policies.
Protecht can assist in transition out based on an agreed statement of work for a fixed price fee.

Availability and support

Guaranteed availability (excluding scheduled outages)

Protecht.ERM is available on a 24 x 7 basis, with availability SLA of 99.5% excluding scheduled downtime. Unscheduled downtime credits can be negotiated if required.

Support options available
  • Phone
  • Email
  • Online
Which options come at additional cost

All support is provided as part of the Protecht.ERM licence fee.

Support levels, availability hours (AEST) and whether additional costs are involved

Critical issue support on 24 x 7 basis
Online Service Desk portal on 24 x 7 basis
Support Desk staffed between 7am and 6pm AEST on normal business days

Reporting and analytics

Metrics reported

Protecht is able to provide availability and performance statistics on a quarterly basis.

Reporting types
  • Regular reports
  • Reports on request
Outage reporting
  • Email alerts
Usage reporting
  • Email alerts

Identity and authentication

User authentication needed
Yes
User authentication
  • Username and password
  • Two-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (eg. Google Apps)
  • Limited access over a government network
  • Dedicated link (eg. VPN)
Other user authentication

Environment

Cloud deployment model
  • Other cloud model
Other deployment model

Macquarie Government Cloud Services

Software add-on or extension

No

API

REST

What users can and can't do using the API

Push and pull data in real time, batch or on demand

Compatible API automation tools

Protecht.ETL

Connected government networks
  • GovDC
Web interface
Yes
What users can and can't do using the web interface

Full configuration of data entry forms

Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application for users to install
No
Designed to work on mobile devices
Yes
Differences in the mobile and desktop functionality

Uses HTML5 to render to device type and orientation

Accessible to WCAG 2.0 AA or above

Exclusions apply

Areas which are accessible (and exclusions)

Only data entry forms

How the product or service scales

Scales automatically

Locations

Whether users can control where their data is stored, processed and managed in Australia
No
Locations where user data is stored, processed and managed

In Australia by default

Whether the seller operates their own data centres
No
Whether third parties are involved in storing, processing or managing buyer data
Yes
The third parties involved

Macquarie Government Cloud Services
Secure Collaboration Pty Ltd

User data

Data import formats
  • Comma-separated values (CSV)
Data export formats
  • Comma-separated values (CSV)
Whether there are restrictions on users accessing or extracting data
Yes
The restrictions on users accessing or extracting data
Yes
Whether users can access audit information about activities and transactions
Yes
The maximum time audit information data is stored

For the duration of the contract term

The maximum time system logs are stored

For the duration of the contract term

Approach to secure data disposal

ISO 27001 certified data destruction processes.

Backup and recovery

What is backed up

Everything by default

How often backups are performed

Supplier controls frequency

How users recover backups

Users contact the support team

Data protection

Data protection between buyer and supplier networks
  • Private network or government network
  • TLS (v1.2 or above)
Data protection within the supplier's network
  • TLS (v1.2 or above)
Data protection at rest
  • Physical access control, complying with SSAE-18/ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
Who controls encryption keys

Supplier controlled

Security standards

Data centre security standards

Managed by a third party

ISO/IEC 27001:2013 certification
Yes
Who accredited the ISO/IEC 27001:2013 certification

Lloyds Register

When the ISO/IEC 27001:2013 certification expires
09/01/2019
What the ISO/IEC 27001:2013 certification doesn't cover

N/A

ISO/IEC 27017:2015 certification
No
ISO/IEC 27018:2014 certification
No
CSA STAR certification
No
PCI DSS certification
No
SOC II certification
No
IRAP assessed

Yes, successful at stage 1 and stage 2

Certified by the Australian Signals Directorate (ASD)
Yes
Australian data security classification certification
  • Protected
Further information about security assessments

Security practices

Approach to secure software development best practice

Conforms to a recognised standard, but self-assessed

How often the supplier conducts penetration testing

At least once a year

The supplier's approach to penetration testing
  • Performed by a CREST-approved service provider

Separation between users

Virtualisation used to keep users sharing the same infrastructure apart
Yes
Who implements the virtualisation technology

Third party

Third party providing virtualisation

Macquarie Government Cloud Services

Technologies used to provide virtualisation
  • VMware
Approach to separating different organisations on the same infrastructure

Each client has their own instance of the application and analytics server

Operational security

Configuration and change management processes

A recognised standard, for example CSA CCM v3.0 or SSAE-18/ISAE 3402

Configuration and change management approach

ISO 27001 Certified Change Management policy and procedures which can be viewed at Protecht premises only

Vulnerability management processes

Supplier-defined process

Vulnerability management approach

A firewall provides the network perimeter protection and is configured with a minimum-access (deny by default) policy. Administration is performed over an IPsec VPN. Additional controls for network traffic include host-based intrusion detection/prevention and anti-virus software.

Host-based intrusion detection and prevention (HIDS/HIPS) is installed on all servers.
Macquarie Telecom also provides network anomaly detection for Protecht. The intrusion detection and prevention (IDP) layer identifies anomalies and abnormal traffic trends in the traffic itself, whereas the firewall filters on addresses, protocols and ports.

The IDP is made up of two components: the IDS (Intrusion Detection System), which monitors for abnormal traffic patterns, and the IPS (Intrusion Prevention System), which blocks traffic identified as malicious. Together they are intended to stop attacks such as worms, Trojans, spyware, key loggers and other malware, including some not yet covered by a specific signature ('zero day'), from penetrating the network or spreading from already infected hosts. As with any detection layer, coverage depends on the signatures and anomaly baselines in use, which is why it sits behind the firewall and in front of the host-based controls rather than replacing either.

Controls that are in place include:
Core infrastructure - The core infrastructure provides the first level of defence. This infrastructure is the entry point into the Macquarie Telecom infrastructure.
Core routing and switching - The core routing and switching is configured to filter out all unnecessary traffic in order to prevent the most common attacks, such as DoS, DDoS, bad (e.g. spoofed) source IP addresses, SYN flooding, ping attacks and crafted TCP packets.
Firewall - The core firewall has a 'deny all' policy with only required ports opened based on business requirements.
Network intrusion detection and prevention - The IDP described above provides another layer of protection, picking up anomalies and abnormal traffic trends that the firewall's address and port filtering would not.
Private infrastructure - The private infrastructure is the managed infrastructure dedicated to Protecht.
Private firewall - The private firewall provides a secondary defence at the network layer. It is configured with multiple VLANs segregating the public internet, application servers and database servers. It also provides connectivity to the disaster recovery zones.
Host-based intrusion detection (HIDS) - Host-based intrusion detection provides protection from malicious attacks at the individual server level.
Anti-virus/anti-spam - Anti-virus/anti-spam software provides protection against viruses and malware that may have evaded the preceding detection/prevention layers. The software updates itself automatically so that it is always kept at the latest signature level.
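As an illustration of the 'deny all, open only required ports' policy and the VLAN segregation described above, the following nftables ruleset is an added example written for this page; it is not Protecht's or Macquarie's configuration and nothing on the page describes their actual rules. The interface names (vlan10, vlan20, vlan30, ipsec0), the tier layout and the ports (443 for HTTPS, 5432 for the database, 22 for administration, 500/4500 and ESP for the IPsec tunnel) are assumptions chosen for illustration.

```nftables
# Added illustration of a default-deny, segmented firewall policy.
# All interface names, ports and zones below are assumptions, not a real deployment.
#   vlan10 = public internet edge
#   vlan20 = application servers
#   vlan30 = database servers
#   ipsec0 = administration over IPsec VPN
define PUB   = "vlan10"
define APP   = "vlan20"
define DB    = "vlan30"
define ADMIN = "ipsec0"

table inet segmented_fw {
    chain input {
        # Traffic addressed to the firewall itself: drop unless listed here.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept

        # IPsec tunnel establishment from the internet (IKE, NAT-T, ESP);
        # everything administrative then travels inside the tunnel.
        iifname $PUB udp dport { 500, 4500 } accept
        iifname $PUB meta l4proto esp accept

        # Management of the firewall only from inside the VPN zone.
        iifname $ADMIN tcp dport 22 accept
    }

    chain forward {
        # Nothing crosses a VLAN boundary unless a rule below allows it.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Public internet -> application tier: HTTPS only.
        iifname $PUB oifname $APP tcp dport 443 accept

        # Application tier -> database tier: the database port only.
        iifname $APP oifname $DB tcp dport 5432 accept

        # Administration -> application and database tiers, only from the VPN zone.
        iifname $ADMIN oifname { $APP, $DB } tcp dport 22 accept

        # Everything else, including any direct internet -> database attempt,
        # is logged and falls through to the chain's drop policy.
        log prefix "fw-drop: " drop
    }
}
```

Load it with `nft -f <file>` and review with `nft list ruleset`. Because both chains carry `policy drop`, the absence of a rule is what blocks a flow: a new application port is added as an explicit `accept` in the forward chain, never by relaxing the policy, and the trailing `log` line gives the monitoring layer a record of every denied cross-VLAN attempt.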

Protective monitoring processes

Supplier-defined process

Protective monitoring approach

The same perimeter, network and host-based controls listed under 'Vulnerability management approach' above (core and private firewalls with a 'deny all' policy, network IDP, HIDS/HIPS and anti-virus/anti-spam on all servers, administration over IPsec VPN) provide the protective monitoring layer.

Crisis and incident management processes

A recognised standard, for example CSA CCM v3.0 or SSAE-18/ISAE 3402

Crisis and incident management plan

Protecht follows an ITIL-aligned incident management process that requires any such incident (security, downtime, service degradation) to be logged as soon as we are aware of the issue. Any breach of the facility or application is classified as a major or critical event, and notification to executives (CEO, CIO, Executive Directors) occurs automatically once the issue is logged. Triage is then performed, including notification to clients through this process. The process includes investigation and improvement actions, all of which are managed through the Protecht.ERM system.
Clients impacted by an incident are notified within 24 hours of a breach.

How often access controls are tested

At least once a year