CTO Technologies Ltd

OTLO visibility and compliance dashboard

OTLO has been designed to provide the NHS, schools and the public sector with instant context driven visibility into their IT network. OTLO’s clear interface offers a combined view of all key areas for comprehensive vulnerability management and a compliance layer catering for NHS-specific security policy requirements, CareCERTs and DSPT.


  • Dashboard highlighting network vulnerabilities
  • Information driven by sector specific network context
  • Scanning of hardware and software of all network devices
  • Reporting including DS&P toolkit for the NHS organisations
  • Reconciliation and management of CareCERTs for the NHS organisations
  • Vendor agnostic


  • Increase visibility into your IT network
  • Proactively manage your risk to cyber attacks
  • Reduce the burden on IT staff
  • Improve compliance
  • Enable a single view of all your devices
  • Automate routine tasks
  • Quantify your risks at cyber hygiene level
  • Ease of use and assurance


£10 a unit

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at mark.bishop@ctotechnologies.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

1 7 7 8 2 0 3 3 1 6 0 5 0 4 1


CTO Technologies Ltd Mark Bishop
Telephone: 0845 644 3830
Email: mark.bishop@ctotechnologies.co.uk

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
OTLO can be used as a stand-alone SaaS or as an extension to our Vulnerability Management and Cyber Security Services
Cloud deployment model
Public cloud
Service constraints
System requirements
  • Local server to host the scanner service (virtual machine supported)
  • Specific hardware requirements dependent on number of devices to scan
  • CTO Technologies to deliver scanner server and support throughout contract

User support

Email or online ticketing support
Email or online ticketing
Support response times
As defined by SLA
User can manage status and priority of support tickets
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
As defined by SLA
Support available to third parties

Onboarding and offboarding

Getting started
We offer support and training to help new and existing users.
Service documentation
Documentation formats
End-of-contract data extraction
Downloadable in CSV formats.
End-of-contract process
All customer data is removed and destroyed and access to the platform is revoked for all customer-approved users. VPN connectivity to the cloud is decommissioned.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Browser-based application, which will work on any internet-enabled device.
Service interface
Description of service interface
Web-hosted dashboard displaying key data, showing relevant summaries, customisable, with reporting capability.
Accessibility standards
None or don’t know
Description of accessibility
Access is through a web browser utilising TLS/SSL secure communication with standard accessibility options including display size of page elements (text, images, tables etc). Support is either via phone or email.
Accessibility testing
None or don’t know
Customisation available
Description of customisation
CTO Technologies can work with the customer to deliver customisation to the dashboard view and information on show relevant to different user roles.


Independence of resources
Effective and automated capacity planning.


Service usage metrics
Metrics types
Vulnerabilities, Assets, Criticality, CareCERTs, etc
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Users can export their data from the dashboard throughout the duration of the contract and on contract end.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
As defined by SLA
Approach to resilience
Information available on request
Outage reporting
As defined by SLA

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
User access restriction is available as a standard function. When a user is set up, they are assigned a role. Each role has a specific set of activities and permissions assigned. This is controlled by Admin User. The role of a user account can be changed or disabled at any time.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Between 6 months and 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 6 months and 12 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
The British Assessment Bureau
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Further clarifications regarding the scope of the certificate and the applicability of requirements may be obtained by consulting the certifier.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • • ISO 9001:2015
  • Cyber Essentials Plus

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials Plus.
Information security policies and processes
We abide by an Information Security Policy and have rigorous induction and training methods which ensure policies are followed. We also follow a strict reporting structure ensuring that any areas of concern are highlighted as soon as possible. Violation, either automatically detected or manually detected will reach our technical department immediately from where the issue will be escalated accordingly.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Our change management policy is designed to meet NIST best practices. Not all systems require the same amount of development, testing, and approval. Changes to some systems are routine and represent little or no risk. To ensure reasonable processing time for routine maintenance and low risk change requests, and to ensure that more significant, higher impact changes receive the appropriate scrutiny and planning, the following types of changes have been established. These types have corresponding development, testing, and implementation requirements as well as specific approvals necessary to process.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Potential threats are assessed through Penetration Testing. Patches are deployed as soon as they are published by a vendor, during a maintenance window. Information on threats supplied by vendors.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Response are automated when possible. Otherwise, these are logged as security incident and responded to accordingly.
Incident management type
Supplier-defined controls
Incident management approach
Information Security Incident Management follows NIST frameworks, US-CERT guidelines and best practices. Notification will be made within 48 hours and not before the initial incident report, containing the basic facts, is completed. Notification will be sent to the data breach contact notification on file. Notification will be by email.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£10 a unit
Discount for educational organisations
Free trial available
Description of free trial
Free trials and Solution Demonstrations can be requested via CTO Technologies.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at mark.bishop@ctotechnologies.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.