Diegesis Limited

Integrated Security Management Platform

Our service comprises an integrated security platform based on the Cysure Virtual Online Security Officer, integration with open-source and COTS cyber security products, services to create bespoke integrations to customer data sources in databases such as Ingres, and defined service propositions to assist customers in adopting the service.

Features

  • Knowledge base for cyber security best practice
  • Workflows to implement cyber security best practice
  • Management dashboard to monitor threat level and compliance
  • Agents deployed onto devices to monitor device compliance
  • Cloud VPN giving SMEs a way to extend security to mobile/home workers
  • Vulnerability scanning and consolidation of results into dashboard
  • Training resources to ensure staff are properly trained
  • Record losses and near misses then escalate threats
  • Audit trail to demonstrate good practice when breached
  • Workflows implement incident response plan following practice or breach

Benefits

  • Ensure the organisation understands cyber security best practice.
  • Demonstrate it is following best practice.
  • Build protection in a cost effective and appropriate manner.
  • Built in advice simplifies Cyber Essentials certification
  • Report on differences between aspiration and fact
  • Data source integration: Ingres, DB2, SQL Server, Oracle
  • Develop integrations to data source in Ingres, DB2 etc.

Pricing

£1 to £10 per person per month

Service documents

Framework

G-Cloud 11

Service ID

136489089010946

Contact

Diegesis Limited

Nicholas Denning

+44 20 8286 7587

nick.denning@diegesis.co.uk

Service scope

Software add-on or extension
Yes
What software services is the service an extension to
We extend the Cysure Virtual Online Security Officer solution with additional security components and products and content.
Cloud deployment model
Public cloud
Service constraints
The solution is a public cloud solution, so the primary constraint is browser support. We support all the major browsers in their latest versions. We have planned maintenance periods and give advance notice of these taking place.
System requirements
Supported browser

User support

Email or online ticketing support
Email or online ticketing
Support response times
During UK working hours we provide an initial response within 2 hours. We have a follow-the-sun capability through our office in California. We aim to respond to all questions within 1 working day.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
We provide level 1 and level 2 support for some of the products we resell, with level 2 and 3 being provided by the vendors themselves through us where appropriate. Onsite services are provided at an extra cost as described in our DOS 3 offering. We can provide dedicated technical account managers and cloud support engineers where the value of the service and the complexity of the customer's needs warrants it.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
The system has online videos and help text to assist people to enrol.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
We have an extract capability where users can export their data to file.
End-of-contract process
There are no additional costs to complete a contract. The user terminates their direct debit and the system will automatically close the service.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
No
Designed for use on mobile devices
No
Service interface
Yes
Description of service interface
The service interface is via a browser.
Accessibility standards
None or don’t know
Description of accessibility
The service is accessible through the browser using keyboard and mouse only.
Accessibility testing
None
API
Yes
What users can and can't do using the API
Currently the vendors control the API and limit its use to the development of interfaces between products.
API documentation
No
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Technically, users can customise a large amount of the content, including documents, workflows and tasks. However, this interface is not published, so we do not advertise its availability, particularly as our target market is SMEs for whom the whole subject of cyber security is already over-complex.

Scaling

Independence of resources
We cannot guarantee this, but we monitor the performance of the system, which runs on AWS, and can rapidly scale up the resources available to it, both horizontally and vertically, in the event of load on the system from other users.

Analytics

Service usage metrics
Yes
Metrics types
A key purpose of the system is to enable executives to monitor the status of cyber security in their organisations and we provide metrics for them to do this. This is an expanding area and we intend to add additional metrics over time.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
We resell services from Cysure and IBM.

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Encryption of all physical media
Data sanitisation process
No
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Users select an option which generates an export file that they can then download. The structure of these records reflects the internal data structures of the system. It is an objective to make this a reloadable format, but a reload capability is not yet tested.
Data export formats
  • CSV
  • Other
Other data export formats
The format in which it was loaded, e.g. Word or PDF
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
Any document format.

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
We run on an AWS platform and implement AWS best practice for secure applications. The solution is protected by an AWS gateway / firewall at its interface to the public internet; each tier of the architecture is in a separate security domain, and access between domains is limited to specific ports. All traffic is protected by HTTPS.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
We run on an AWS platform and implement AWS best practice for secure applications. The solution is protected by an AWS gateway / firewall at its interface to the public internet; each tier of the architecture is in a separate security domain, and access between domains is limited to specific ports. All traffic is protected by HTTPS. All data in flight is encrypted, all data at rest is encrypted, and all data is regularly backed up to immutable AWS S3 storage.

Availability and resilience

Guaranteed availability
We don't guarantee availability or provide a formal SLA, and consequently we make no offers of refund if we do not meet these levels. Nevertheless, we maintain statistics on availability using AWS monitoring tools.
Approach to resilience
The service is horizontally and vertically scalable. In the event that either an HTTP server or an application server fails, we can immediately and automatically start up a replacement server. We monitor the database server, can detect if the database is suffering performance problems, and can restart the server if required. We take regular consistent backups of the database and LDAP server to AWS S3 storage and can restore from backup in the event of a failure. Our solution uses MariaDB and we have proven it using database replication and automatic failover, so there should be no loss of service, but we have not yet deployed this into production. It is on our roadmap to do so, as well as to exploit the High Availability options of that technology. In the event of a total failure of an instance on our system, we can rebuild an instance and, where relevant, recover from a backup within 30 minutes.
Outage reporting
There is a public dashboard which starts up in the event of an outage, reporting that the system is down. This is primarily used when performing a system software upgrade. We can email users who are members of a group when a planned outage is due to take place.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels
Where a support channel provides direct access to our infrastructure, connection is only permitted from defined IP addresses using encrypted links, authenticated using generated keys provided by AWS.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
Less than 1 month

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
Cyber Essentials and IASME Gold

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
Other
Other security governance standards
Cyber Essentials and IASME Gold
Information security policies and processes
The purpose of the product is to define the activities required to implement our security policies and report when deviations occur and we use it to do so.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Our configuration and change management processes are implemented using Atlassian tools, specifically Confluence, Jira, Service Desk and Bitbucket. All customer requests are captured via Service Desk, triaged and, where appropriate, registered in Jira. The product owner then sets priorities for implementation; changes are designed and specified as tasks in Jira and delegated to developers. A branch is taken for each change, the change is implemented, tested and demonstrated to the user, and on agreed completion it is merged into the code line. Automated build procedures then create the deployable packages, which are installed using AWS CodeDeploy.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Qualys is used to test platform and web application vulnerability. Reports are reviewed and findings are acted on to address type 4 and 5 vulnerabilities within 14 days of the patch being available. Every week we ensure standard patches are applied to all Linux machines using yum. When a patch to the database server is provided, we first verify that the patch does not impact our code and then deploy that patch using yum as well. Our security domains are partitioned, minimising the chance of our database being accessed by exploiting a vulnerability. All our products are supported by vendors providing patches.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Our service is deployed behind an AWS gateway which provides a first line of protection and can be monitored through the AWS monitoring capabilities.

The service optionally audits every service call made to the system and a system administrator can monitor and inspect those calls for unexpected behaviour.

Reports and dashboards enable system administrators to inspect activity for anomalous behaviour.
Incident management type
Supplier-defined controls
Incident management approach
We have pre-defined processes for reporting and then responding to common events.

A user can report an event as an incident or near miss.

These events generate an alert to a responsible person, who can then inspect the available data, undertake further investigation and, if appropriate, declare a corporate event triggering a range of pre-defined activities such as a breach response plan.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£1 to £10 per person per month
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
An administrator has access to all system components on registering, at no cost. General access for other users is enabled when a direct debit mandate is received. The vendor can override this control and permit access on request, at the vendor's discretion.
Link to free trial
Cysure-online.co.uk
