CyberScore is an automated testing service that provides visibility of security posture, peer rating and third party risks across large organisations and their supply chains. CyberScore generates consistent, easy-to-understand Get Well Plans, and incorporates workflow features at an affordable price, making it a cost-effective alternative to penetration testing.
- Automated technical testing service
- Identifies technical vulnerabilities and offers a security score
- Offers an easy to understand dashboard of potential impacts
- Shows peer rating, performance trends and mitigation options
- Creates get well plans and identifies local service providers
- Offers a view of risk across thousands of partners
- Identifies top / bottom performers, most improved etc
- Provides guidance when new threats emerge
- View suppliers by type, performance, location, criticality
- PASS / FAIL advisory for Cyber Essentials Plus
- Make security performance accessible to both tech and business users
- Dramatically lower your compliance penetration testing costs
- Receive consistent results based upon empirical evidence
- Share results and get well plans via a workflow platform
- Track mitigation and identify uplift in security posture
- Gain a view of risk across large diverse organisations
- Extend your view of risk across suppliers and partners
- Embed cyber security within procurement processes
- View suppliers performance versus Cyber Essentials Plus controls
- Release technical testing resources for strategic (red team) projects
£1 per unit
- Education pricing available
XQ DIGITAL RESILIENCE
CyberScore requires a minimum hardware configuration as follows:
4GB RAM, 2GB free disk space, Windows 8.1, Windows 10 Pro or similar server operating systems, an Internet connection.
The service is subject to planned maintenance subject to appropriate customer notice.
|Email or online ticketing support||Email or online ticketing|
|Support response times||
XQ's support hours are Monday to Friday 0900 - 1730.
All questions are responded to within 4 hours.
XQ aims to resolve all issues within 24 hours.
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
End users require email support only.
Larger clients with large numbers of third parties (suppliers, partners) can request on site support from XQ. A daily consultancy fee may apply in such cases at standard XQ consultancy rates.
|Support available to third parties||Yes|
Onboarding and offboarding
After initial registration, a series of explanatory screens guide users through the process of CyberScore installation and use. Users are shown the process via a series of screens explaining how the software works, what happens during scanning, where and how their data is stored, how to view performance, and how to create and share get well plans.
Users can create a scan for free, and are only required to pay for CyberScore if they require access to detailed technical information such as Get Well Plans.
CyberScore does not require onsite training, online training or user documentation. XQ is in the process of creating online tutorials to support customers and to enable them to get the most from CyberScore.
Larger customers wishing to implement CyberScore across their supply chain may request onsite support.
|End-of-contract data extraction||
Users can view and download reports at any point during the contract.
Users can contact firstname.lastname@example.org and can elect to have their data destroyed when the contract ends.
|End-of-contract process||Customers are charged for what they consume. There are no additional costs at the end of the contract. There are no charges for the removal of data.|
Using the service
|Web browser interface||Yes|
|Using the web interface||
All operations are conducted via a web interface.
New users are invited to join the service via a series of easy to understand screens, explaining their options and associated procedures for conducting their first CyberScore.
|Web interface accessibility standard||None or don’t know|
|How the web interface is accessible||The CyberScore interface does not rely exclusively on colour to convey meaning. Colour contrast is considered and buttons and text are readable for forms of colour blindness. Images have alt tags . All data tables have headers (important for screen readers). The interface employs aria tags and roles in HTML for screen readers. Heading tags and semantic HTML are also employed.|
|Web interface accessibility testing||In-house testing only.|
|Command line interface||No|
|Independence of resources||Service isolation and constraints, virtualisation with autoscaling, flexible provisioning.|
|Infrastructure or application metrics||Yes|
|Other metrics||Service usage|
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||A third-party destruction service|
Backup and recovery
|Backup and recovery||Yes|
|What’s backed up||Not applicable|
|Backup controls||Not applicable.|
|Datacentre setup||Single datacentre with multiple copies|
|Scheduling backups||Supplier controls the whole backup schedule|
|Backup recovery||Users contact the support team|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||
Availability and resilience
|Guaranteed availability||XQ strives to achieve 99.99% availability outside of scheduled maintenance periods.|
|Approach to resilience||Available on request.|
|Outage reporting||Not applicable.|
Identity and authentication
|Access restrictions in management interfaces and support channels||XQ stringently restricts administrative access to the CyberScore platform and utilises fully encrypted and authenticated remote access channels with independently issued user certificates. Support channels are accessible only with client certificates and from certain, specified locations.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
|Devices users manage the service through||
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security accreditations||Yes|
|Any other security accreditations||Cyber Essentials Scheme|
|Named board-level person responsible for service security||Yes|
|Security governance accreditation||No|
|Security governance approach||
XQ employs security governance to bind together the core elements of cyber security and effective risk management. Governance gives context to our controls, as defined in our ISO 27001 framework, based upon our business goals and our risk tolerance threshold. By adopting a holistic approach XQ aims to minimise the likelihood of a breach.
Governance is also the mechanism by which risk-related values are reflected in the direction and judgment of our business plans, information architecture, security policies and procedures and operational practices.
Security governance is part of our CISO’s remit and is discussed at every board meeting.
|Information security policies and processes||
XQ is currently preparing for ISO 27001 certification; accreditation bodies will visit XQ during summer 2017. As such our current policies are aligned with the ISO27001 framework.
We ensure that these policies are appropriate and are regularly reviewed with time dedicated in board meetings for such activity.
All policies are stored centrally and are available to all staff at any time; new starters are required to read them before they are given access to XQ systems. All staff are reminded of their responsibilities annually as part of our performance management system.
XQ's CISO has a place on the Board. His direct reports include the Head of Infrastructure and Head of Development.
XQ undertakes regular audits and ad-hoc spot checks to ensure that policies are being adhered to, using external consultants where appropriate, in particular for penetration testing of both CyberScore and our infrastructure, and for incident response.
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
XQ has an asset register of all CyberScore platform components, and makes extensive use of data centre infrastructure management tools
Each change is assessed by qualified security practitioners for potential security implications. All potentially service-impacting changes follow a strict 2-man authorisation rule.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||XQ conducts routine threat assessments. We have a standard weekly patching cycle with high profile patches implemented on a same-day basis. We subscribe to vendor security mailing lists and conduct our own in-house research. We are a member of the Cyber Security Information Sharing Partnership.|
|Protective monitoring type||Undisclosed|
|Protective monitoring approach||Undisclosed - available on request|
|Incident management type||Supplier-defined controls|
|Incident management approach||
XQ adopts a Cyber Incident Response (CIR) approach to incident management. XQ retains pre-defined processes for common events within a playbook created in consultation with an external third party provider. XQ rehearses its management and technical response to common incidents via desktop and real world exercises on a bi-monthly basis. These exercises simulate:
Determining the extent of an incident;
Managing immediate impact;
Remediation of any compromise;
Incident reporting to describe the scope of the problem, the technical impact, mitigation activities and an assessment of business impact;
Impact Assessment – where the incident affects partners or customers; and Crisis Communications.
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Separation between users
|Virtualisation technology used to keep applications and users sharing the same infrastructure apart||Yes|
|Who implements virtualisation||Supplier|
|Virtualisation technologies used||VMware|
|How shared infrastructure is kept separate||Other software controls, such as operating systems, web servers or other applications, provide separation between users of the service.|
|Price||£1 per unit|
|Discount for educational organisations||Yes|
|Free trial available||Yes|
|Description of free trial||Users can initiate CyberScore scans free of charge. Users are only charged for CyberScore when they wish to gain access to detailed technical information and Get Well Plans, and/or to share information with other system users.|
|Link to free trial||Www.xqcyberscore.com|
|Pricing document||View uploaded document|
|Skills Framework for the Information Age rate card||View uploaded document|
|Terms and conditions document||View uploaded document|