Diegesis Limited

Integrated Security Management Platform

Our service comprises an integrated security platform based on the Cysure Virtual Online Security Officer, integration with open-source and COTS cyber security products, services to create bespoke integrations to customer data sources in databases such as Ingres, and defined service propositions to help customers adopt the service.

Features

  • Knowledge base for cyber security best practice
  • Workflows to implement cyber security best practice
  • Management dashboard to monitor threat level and compliance
  • Agents deployed onto devices to monitor device compliance
  • Cloud VPN extending SMEs' security to mobile/home workers
  • Vulnerability scanning and consolidation of results into dashboard
  • Training resources to ensure staff are properly trained.
  • Record losses and near misses, then escalate threats
  • Audit trail to demonstrate good practice when breached
  • Workflows that implement the incident response plan following a practice or a breach

Benefits

  • Ensure the organisation understands cyber security best practice.
  • Demonstrate it is following best practice.
  • Build protection in a cost effective and appropriate manner.
  • Built in advice simplifies Cyber Essentials certification
  • Report on differences between aspiration and fact
  • Data source integration: Ingres, DB2, SQL Server, Oracle
  • Development of integrations to data sources in Ingres, DB2, etc.

Pricing

£1 to £10 per person per month

Service documents

G-Cloud 11

136489089010946

Diegesis Limited

Nicholas Denning

+44 20 8286 7587

nick.denning@diegesis.co.uk

Service scope

Software add-on or extension Yes
What software services is the service an extension to We extend the Cysure Virtual Online Security Officer solution with additional security components and products and content.
Cloud deployment model Public cloud
Service constraints The solution is a public cloud solution, so the primary constraint is browser support. We support all the major browsers in their latest versions. We have planned maintenance periods and we give advance notice of these taking place.
System requirements Supported browser

User support

Email or online ticketing support Email or online ticketing
Support response times During UK working hours we provide an initial response within 2 hours. We have a follow-the-sun capability through our office in California. We aim to respond to all questions within 1 working day.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.1 AA or EN 301 549
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels We provide level 1 and level 2 support for some of the products we resell, with level 2 and 3 support being provided by the vendors themselves through us where appropriate. Onsite services are provided at an extra cost as described in our DOS 3 offering. We can provide dedicated technical account managers and cloud support engineers where the value of the service and the complexity of the customer's needs warrant it.
Support available to third parties Yes

Onboarding and offboarding

Getting started The system has online videos and help text to help people enrol.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction We have an extract capability where users can export their data to file.
End-of-contract process There are no additional costs to complete a contract. The user terminates their direct debit and the system will automatically close the service.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices No
Accessibility standards None or don’t know
Description of accessibility The service is accessible through the browser using keyboard and mouse only.
Accessibility testing None
API Yes
What users can and can't do using the API Currently the vendors control the API and limit its use to the development of interfaces between products.
API documentation No
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Technically, users can customise a large amount of the content, including documents, workflows and tasks. However, this interface is not published, so we do not advertise its availability, particularly as our target market is SMEs, for whom the whole subject of cyber security is over-complex anyway.

Scaling

Independence of resources We cannot guarantee this, but we monitor the performance of the system, which runs on AWS, and can rapidly scale up the resources available to it, both horizontally and vertically, in the event of load on the system from other users.

Analytics

Service usage metrics Yes
Metrics types A key purpose of the system is to enable executives to monitor the status of cyber security in their organisations and we provide metrics for them to do this. This is an expanding area and we intend to add additional metrics over time.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type Reseller providing extra features and support
Organisation whose services are being resold We resell services from Cysure and IBM.

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Encryption of all physical media
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach Users select an option that generates an export file, which they can then download. The structure of these records reflects the internal data structures of the system. It is an objective to make this a reloadable format, but a reload capability is not yet tested.
Data export formats
  • CSV
  • Other
Other data export formats The format in which it was loaded, e.g. Word or PDF
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats Any document format.

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks We run on an AWS platform and implement AWS best practice for secure applications. The solution is protected by an AWS gateway/firewall at its interface to the public internet; each tier of the architecture is in a separate security domain, and access between domains is limited to specific ports. All traffic is protected by HTTPS.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network We run on an AWS platform and implement AWS best practice for secure applications. The solution is protected by an AWS gateway/firewall at its interface to the public internet; each tier of the architecture is in a separate security domain, and access between domains is limited to specific ports. All traffic is protected by HTTPS. All data in flight is encrypted, all data at rest is encrypted, and all data is regularly backed up to immutable AWS S3 storage.

Availability and resilience

Guaranteed availability We do not guarantee availability or provide a formal SLA, and consequently we make no offer of refunds if we do not meet these levels. Nevertheless, we maintain statistics on availability using AWS monitoring tools.
Approach to resilience The service is horizontally and vertically scalable. In the event that either an HTTP server or an application server fails, we can immediately and automatically start up a replacement server. We monitor the database server, can detect if the database is suffering performance problems, and can restart the server if required. We take regular consistent backups of the database and LDAP server to AWS S3 storage and can restore from backup in the event of a failure. Our solution uses MariaDB and we have proven it using database replication and automatic failover, so there should be no loss of service, but we have not yet deployed this into production. It is on our roadmap to do so, as well as to exploit the High Availability options of that technology. In the event of a total failure of an instance on our system, we can rebuild an instance and, where relevant, recover from a backup within 30 minutes.
Outage reporting There is a public dashboard which starts up in the event of an outage, reporting that the system is down. This is primarily used when performing a system software upgrade. We can email users who are members of a group when a planned outage is due to take place.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels Where a support channel provides direct access to our infrastructure, connection is only permitted from defined IP addresses, using encrypted links and authenticated with generated keys provided by AWS.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for Less than 1 month

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials and IASME Gold

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards Cyber Essentials and IASME Gold
Information security policies and processes The purpose of the product is to define the activities required to implement our security policies and to report when deviations occur, and we use it to do so.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Our configuration and change management processes are implemented using Atlassian tools, specifically Confluence, Jira, Service Desk and Bitbucket. All customer requests are captured via Service Desk, triaged and, where appropriate, registered in Jira. The product owner then sets priorities for implementation; changes are designed and specified as tasks in Jira and delegated to developers. A branch is taken for each change, the change is implemented, tested and demonstrated to the user, and on agreed completion it is merged into the code line. Automated build procedures then create the deployable packages, which are installed using AWS CodeDeploy.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Qualys is used to test platform and web application vulnerability. Reports are reviewed and findings are acted on to address type 4 and 5 vulnerabilities within 14 days of the patch being available. Every week we ensure standard patches are applied to all Linux machines using yum. When a patch to the database server is provided, we first verify that the patch does not impact our code and then deploy that patch using yum as well. Our security domains are partitioned, minimising the chance of accessing our database by exploiting a vulnerability. All our products are supported by vendors providing patches.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Our service is deployed behind an AWS gateway which provides a first line of protection and can be monitored through the AWS monitoring capabilities.

The service optionally audits every service call made to the system and a system administrator can monitor and inspect those calls for unexpected behaviour.

Reports and dashboards enable system administrators to inspect activity for anomalous behaviour.
Incident management type Supplier-defined controls
Incident management approach We have pre-defined processes for reporting and then responding to common events.

A user can report an event as an incident or near miss.

These events generate an alert to a responsible person, who can then inspect the available data, undertake further investigation and, if appropriate, declare a corporate event triggering a range of pre-defined activities such as a breach response plan.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks No

Pricing

Price £1 to £10 per person per month
Discount for educational organisations No
Free trial available Yes
Description of free trial An administrator has access to all system components on registering, at no cost. General access for other users is enabled when a direct debit mandate is received. The vendor can override this control and permit access on request, at the vendor's discretion.
Link to free trial Cysure-online.co.uk

Service documents

  • Pricing document (ods document)
  • Service definition document (pdf document)
  • Terms and conditions (odt document)