Crystal Thinking (Crystal Marketing Limited)

Compliance Cloud COBALT

Continual cyber risk management, providing;

1. Real-time browser-based compliance dashboard and incident alerting.

2. Continual alignment with the Cyber Essentials framework, reporting vulnerabilities and secure configuration issues for all Windows & Linux servers and user devices.

3. Pre-preparation of IT infrastructure for streamlined Cyber Essentials assessments & renewals.

Features

  • Continually monitors compliance with Cyber Essentials
  • Reduces Cyber Risks by continual assessment of device security
  • Includes the cost of Cyber Essentials certification assessment
  • Secure and highly available, hosted in multi-site UK datacentres
  • Centralised cloud-based dashboards & MI reporting
  • User access protected through Multi-Factor authentication
  • All data held within the UK with GDPR compliant processing
  • Detects all devices in use, maintaining a device asset register
  • Records installed software history, maintaining a digital asset register

Benefits

  • Continual security monitoring helps avoid cyber-attacks like WannaCry succeeding
  • Automated configuration monitoring provides accurate management information aiding risk management
  • Quickly establish organisation compliance state via central dashboards
  • Avoid expense and delays preparing for annual Cyber Essentials audits
  • Reduce risks through continual compliance rather than annual snapshot audits
  • Provides vulnerability insights, difficult to uncover though normal operations
  • Reduces security management overhead, freeing resource for business objectives
  • COBALT is flexible and extendible, future-proofing security administration
  • Hosted on highly-available infrastructure complying with ISO27001 best practice

Pricing

£1.50 to £3.50 a device a month

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gareth.owen@crystal-thinking.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

1 1 0 8 5 8 9 6 2 0 8 3 4 6 1

Contact

Crystal Thinking (Crystal Marketing Limited) Gareth Owen
Telephone: +44 (0) 203 872 2162
Email: gareth.owen@crystal-thinking.com

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Cyber Essentials Certification Preparation & Assessment
Vulnerability scans and penetration testing
Cloud deployment model
  • Public cloud
  • Hybrid cloud
Service constraints
The service can be installed on Windows & Linux servers and user devices only. It does not currently support Apple Mac.

Devices in the scope of Cyber Essentials certification and assessment are network-connected devices. The service relies on frequent or permanent device connection to the internet.

Our policy is to maintain support for the last three versions of the following browsers required to logon to the cloud portal management dashboard; Microsoft Edge Google Chrome Mozilla Firefox Apple Safari for macOS
System requirements
  • Vendor supported Linux, Windows Server, Enterprise, Home or Professional
  • Frequent or permanent internet access
  • Outbound access to internet
  • Whitelisted cloud service addressing capability
  • 100Mb free space on all devices in scope

User support

Email or online ticketing support
Email or online ticketing
Support response times
Technical support staff monitor the COBALT service support tickets submitted via the COBALT portal between Monday – Friday 7.00am and 10.00pm with a 1hr response. Saturday, Sunday and Bank holidays with a 4hr response.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
9 to 5 (UK time), 7 days a week
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), 7 days a week
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
Accessible via authenticated user support link on Crystal-thinking website. Supports voice, voice call-back, email, live text chat. The last three versions of the following browsers are supported;
Microsoft Edge
Mozilla Firefox
Google Chrome
Safari for MacOS

Web chat does not currently support WCAG accessibility options other than standard voice, voice call-back, email, live text chat and in-built browser accessibility options for the above browsers.
Web chat accessibility testing
None at this time
Onsite support
Onsite support
Support levels
We offer 4 support tiers, 0 -3. Tiers 0 -2 are included in the COBALT service pricing.
Tier 3 is supports cyber security incident response outside the scope of Cloud Compliance COBALT service.
A dedicated account manager is appointed and included in the service pricing.
Tier 0 support is provided via account manager directly, self-help knowledgebase and FAQ located in the COBALT customer portal.
Tier 1 support provided through ticketing system located in the COBALT customer portal. The target is to achieve 80% first time resolution for issues such as username & password, service use guidance, report metric interpretation.
Tier 2 support is for more complex technical issues that cannot be resolved through Tier 1 support. Tier 2 support tickets are automatically escalated to account managers who liaise directly with customers as appropriate.
Tier 3 support is provided for cyber security incidents such as cyber-attack response outside the scope of Compliance Cloud COBALT.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Fully supported installation and user training is provided on-site, UK within the cost of the service.

Pdf user manuals are available for direct download via the customer portal.

The Compliance Cloud application can be trialled on one or more devices for the purpose of compatibility and user-acceptance where required. Organisational distribution of the application can be arranged according to country, site, device types, departments or other logical groupings enabling installation controls.

Installation of the Compliance Cloud application is optionally self-service, involving running a Windows MSI or Linux package on each device within the scope of Cyber Essentials. Installation normally takes less than a minute. Customers choosing to self-install require access to the customer portal which is arranged at the end of initial training or during supported installation.

Training for the use of the management portal is optionally provided through webinar or on-site and takes approximately 1 hour.

The service becomes effective immediately after Compliance Cloud application installation.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Immediately following the termination date, Compliance Cloud monitoring data collected and stored during the service period can be downloaded as csv files via the customer service portal. Portal access is maintained for one month following service termination. At the end of the period, we seek written permission to permanently deleted all Compliance Cloud data and decommission the customer account.
End-of-contract process
The following decommissioning items are included within the COBALT service

• Each of the Compliance Cloud monitored devices are de-registered from the cloud environment.
• Compliance Cloud can be uninstalled by the customer or with support from our staff.
• Access to the Compliance Cloud service portal is maintained for a further month for the purposes of reporting and downloading device monitoring data collected through the contract period.
• All device monitoring data collected through the contract period is permanently deleted after the second month following the termination date.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Yes
Compatible operating systems
  • Linux or Unix
  • Windows
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The Compliance Cloud monitoring application is designed to operate on Windows or Linux operating server and user systems, reporting compliance status to the Compliance Cloud dashboard.

The central cloud dashboard can be accessed through desktop and mobile device browsers to view and report on device status.
Service interface
No
API
No
Customisation available
No

Scaling

Independence of resources
Compliance Cloud service is built on Amazon Web Service (AWS) infrastructure. The core infrastructure services we use are Lambda, S3, Dynamo Db. These services are provided at scale and auto-scale according to service demand.

Each customer cloud environment is created within a separate infrastructure and accounting environment.

Compliance Cloud device monitoring applications use a small amount of network bandwidth for management data and monitoring data returned to the cloud. Devices and network performance is monitored for congestion with service monitors dynamically adjusting execution timing in response to congestion or local device resource availability.

Analytics

Service usage metrics
Yes
Metrics types
Number of devices registered over time
Device registration detail & summary
Number of devices deregistered over time
Device de-registration detail & summary
Current active devices
Number of compliant devices over time
Reporting types
  • Real-time dashboards
  • Regular reports

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Data collected during the period of the service can be downloaded as csv files via the customer portal at any time during the contract and for one month after the end of the contract.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Service Levels;

We offer a service level of 99.9 service uptime

Data uptime is defined as the percentage of time the Compliance Cloud service availability during a one-month billing period.

Service Credits

Service Credits are calculated as a percentage of the total charges paid by you for the Compliance Cloud service affected for the billing cycle in which the Monthly Uptime Percentage fell within the ranges set forth in the table below.

Less than 99.9% but greater than or equal to 98.0%. Service Credit 10%

Less than 98.0% but greater than or equal to 95.0%. Service Credit 25%

Less than 95.0%. Service Credit 100%
Approach to resilience
The Compliance Cloud service monitors security configuration of user devices, transmitting small report files to a central cloud location for storage, analysis and reporting.

Compliance Cloud Service Resilience addresses the following resilience requirements;

Raw data-storage

Comprising the raw report files send by user devices to the cloud environment. Files are stored in a json format within AWS S3. AWS S3 resilience is backed by compliance certification with ISO/IEC 27001:2013, 27017:2015, 27018:2014, and ISO/IEC 9001:2015. . AWS S3 is built for 99.99% availability and guarantee 99.9% availability. AWS guarantee 99.999999999% annual durability, which is a measure of the ability to withstand file loss or damage.

When files are uploaded to AWS S3, AWS writes each file (file bits) to multiple devices and multiple locations.

Processed data-storage

Raw data files stored in AWS S3 is processed and stored in a database from which dashboard reports and other business intelligence is compiled. The database storage engine is also provided by Amazon and called AWS DynamoDb. Similar storage specifications and technology apply to DynamoDb as AWS S3. All dashboard and business intelligence reports can be entirely rebuilt from the original raw data files held on S3.

Further detailed availability information is available on request.
Outage reporting
We offer two methods of reporting service outages;

The underlying infrastructure provided by AWS has a corresponding public dashboard and RSS feed providing the current and historical status of each service in each region. Compliance Cloud customers are provided with the specific region and service identifiers allowing status reporting. https://status.aws.amazon.com/

The second method is via email alerts to nominated customer personnel. Crystal Thinking operates health heartbeats and probes for each service component in Compliance Cloud. In the event of missing heartbeats, scheduled events or service probe reporting mal-functioning services breaching prolonged outage periods, an alert email is despatched, outlining the problem and severity regularly until the service resumes.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
Access restrictions in management interfaces and support channels
We operate an IAM system restricting access to management interfaces through a series of controls. The primary control is via TLS & 2FA with permissions to dashboard components restricted according to the minimum permissions principal for the role. The second is programmatic, used by the Compliance Cloud application installed on user devices where access is initially restricted to installation packages presenting an authenticated site-code and 64-bit access key. The process is conducted via TLS with key rotation application restarts.
Support access is managed through a combination of VPN authentication to a bastion server, fixed source IP and 2FA.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • Cyber Essnetials Plus
  • IASME Governance Gold Standard

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials Plus
IASME Governance Gold Standard
ISO / IEC 27001 (not audited)

Our infrastructure provider (AWS) complies with;
CSA CCM version 3.0
SO/IEC 27001
Information security policies and processes
We operate an Information Security Management System (ISMS) comprising and information security policy with statements detailing technical and personnel security control policies.

Central to operations is a risk management system comprising, incident monitoring, reporting and management, regulatory and legal compliance monitoring conducted at least quarterly and audited internally at least bi-annually and annually by a third-party Certification Body through IASME Certification Authority for Cyber Essentials Plus and every three years against the IASME Governance standard.

Our ISMS also include Business Continuity and Disaster Recovery Plans. Disaster Recovery plans and continually reviewed and exercised at least annually.

All audit and risk management outcomes are reported to the CISO.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
The components of the Compliance Cloud Service are recorded within our digital asset register detailing version. Our version control system tracks major and minor releases according to the significance of change using automated version control tools within AWS.

Change control comprises a 5-gate process involving several processes; initial needs analysis & risk review, requirements analysis, high-level design, owner approval, implantation, testing, staged-release. Design, implementation and testing is based on CCA & OWASP security principals.

All components versions are designed for backward compatibility, code reviewed regression tested in a staging environment prior to release.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Potential threats are assessed through a combination of frequent risk review of technical, legal and environmental threats. Technical threats are assessed according to CVSS Ver 3.0.

Patches are prioritised according to CVSS rating. Critical security patches are applied within 24 hours of becoming available, High & Medium CVSS rated patches within 72 hours. All other patches are applied within 14 days of patches becoming available.

Out threat intelligence comes from a variety of sources, including CVE notifications, automated vulnerability scan reports, OWASP, Information Security Forums, incident reporting, system log analysis, risk reviews, internal and external audit reports.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
All system events are logged for each customer environment. Monitoring and analysis is performed automatically against rules that create alerts for unusual behaviour such as repeated, failed portal access or failed process executions. Events meeting this criterion are emailed and SMS'd to nominated staff.

Where potential compromises are detected automatically, the originating IP is blocked and added to a blacklist. Where repeated, failed access attempts against a specific account is detected, account access is immediately blocked.

Automated incident response is immediate. Staff alerted responses are based on significance with Emergency & Critical within 15 minutes, Warning within 2 hrs.
Incident management type
Supplier-defined controls
Incident management approach
We follow the NIST SP 800-61 R2 guidelines on incident management, largely similar to ISO 27001 / CCA standards.

We operate pre-defined processes for common events which include (repeated / prolonged DDOS, account break-in, lost credentials)

Users report incidents via a dedicated customer portal ticketing system or directly with the customer account manager. A process is in place for verifying the authenticity of the reporter where the incident has not been reported anonymously.

Incident reports are made available as downloadable encrypted documents via the customer portal or sent encrypted via email to the customer nominated incident management contact.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£1.50 to £3.50 a device a month
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
Compliance Cloud COBALT application installation for up to 5 devices.

Included in the trial are device compliance reports against the current Cyber Essentials standard. Reports are automatically emailed to the nominated customer representative, highlighting compliance issues on a weekly basis.

The trial length is limited to three months.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gareth.owen@crystal-thinking.com. Tell them what format you need. It will help if you say what assistive technology you use.