Concepta Security Services
Concepta Security Services is a suite of cyber-security solutions which, when applied synchronously, provides peace of mind regarding the IT infrastructure's security status. Concepta Security Services monitors key systems and provides real-time actionable alerts. It is available in three variations: Essentials, Advanced or Complete, dependent on the prevailing requirements.
Features
- Secure Domain Name System
- Authentication Logging
- Server Vulnerability Scanning
- Managed Firewall
- Intruder Detection / Intruder Prevention
- Geo-IP Blocking
- Network Access Control
- Posture Analysis
- Security Zones
- Consolidated Security Management Dashboard
Benefits
- Protects assets, reputation and the business, avoiding costs of remediation
- Comprehensive security platform developed to cover broad requirements
- Fully integrated solutions avoiding potential costly software conflicts
- Single dashboard provides real time view of security threats
- Easy to understand dashboard provides data to all stakeholders
- Available as a fully managed service
- Full training available if self service is required
- Three tiers ensuring solution tailored to current setup and requirements
- Supports and integrates with existing applications to protect investments
- Developed with open-source solutions removing costly vendor overheads
Pricing
£6.50 to £19 a user a month
- Education pricing available
- Free trial available
Framework
G-Cloud 11
Service ID
229094234770780
Contact
NVT Group
Dougie Weir
Telephone: 01698 749000
Email: public_sector@nvt.co.uk
Service scope
- Software add-on or extension
- No
- Cloud deployment model
-
- Public cloud
- Private cloud
- Hybrid cloud
- Service constraints
- Service is supported on all common operating systems, hypervisors, hardware, public and private cloud. Service will be subject to regular maintenance which will be communicated through our Service Desk with contingencies in place.
- System requirements
-
- Requires VMWare, Hyper-V or KVM hypervisor
- Supplied as pre-configured VM with an OS
- Minimum 2 x VCPUs
- Minimum 4GB RAM
- Mirror or tap port required from switching
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Questions will be answered when an engineer or consultant is available, typically within 4 hours. Support calls are as follows. Priority 1: Critical, e.g. inactive firewall – 15 min acknowledgement, 4 hours technician onsite or remote access. Priority 2: Non-critical, e.g. non-mission-critical service inactive – 1 hour acknowledgement, 8 hours technician remote access. Priority 3: Change requests & administrative requests – 8 hour acknowledgement, 72 hours technician remote access. Where appropriate, if a critical failure cannot be resolved within 8 hours of the call being logged, NVT will provide a detailed plan including any escalation procedures required.
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- WCAG 2.1 AA or EN 301 549
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Onsite support
- Support levels
- Given the nature of the service there are no tiers of support available; NVT provide 24x7 support as standard with 3 priority levels for support calls. Given this, there is a flat cost for support. Priority 1: Critical, e.g. inactive firewall – 15 min acknowledgement, 4 hours technician onsite or remote access. Priority 2: Non-critical, e.g. non-mission-critical service inactive – 1 hour acknowledgement, 8 hours technician remote access. Priority 3: Change requests & administrative requests – 8 hour acknowledgement, 72 hours technician remote access. Where appropriate, if a critical failure cannot be resolved within 8 hours of the call being logged, NVT will provide a detailed plan including any escalation procedures appropriate. NVT will provide a dedicated service delivery function which will be responsible for co-ordinating all support services to the customer.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- NVT can and will engage with customers as required and permissible prior to and during the purchasing process to better understand the breadth of requirements and complementary technologies. NVT will engage to understand how the Concepta Security Services are to be deployed (public, private or hybrid cloud) and what parameters, tolerances and policies are to be implemented. Users will be provided training (online or on-site) on how to create custom dashboards and collate/gather custom data feeds. Full documentation will also be made available as per our standard governance.
- Service documentation
- Yes
- Documentation formats
- End-of-contract data extraction
-
Concepta Security Services in its Cloud Hosting form will not be storing any end user/customer data but merely providing security services to protect customer infrastructure, network and data.
The only user/customer data that will be stored relates to data collected as part of the security process (logs and analysis) along with custom dashboards, configurations and policies.
Any customer-specific data and/or policies/configurations will be provided to the customer on their chosen media along with comprehensive documentation before going through the appropriate and necessary deletion/destruction.
- End-of-contract process
-
The primary objective of the Exit Management Plan is to enable an orderly cessation and smooth migration from the Supplier to the customer and/or its Replacement Service Provider of responsibilities, services, assets and any other items or information necessary with a view to the customer and/or the Replacement Service Provider operating a replacement service for the Services with effect from the date of termination of this Agreement in a cost effective manner, which ensures business continuity and minimal disruption to the Council’s business operations.
In the event of the partial termination of this Agreement, or of the termination of a discrete Service Tower, the provisions of this Schedule shall be applied (with the necessary changes) in relation to the terminated Services in accordance with the provisions of our internal policies.
The Exit Management Plan will be prepared on the assumption that the Services will be transferred to the customer or a Replacement Service Provider on termination or expiry of this Agreement.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Firefox
- Chrome
- Safari 9+
- Application to install
- No
- Designed for use on mobile devices
- Yes
- Differences between the mobile and desktop service
- There is no dedicated app for our service, however, the service will run in a mobile web browser with dashboards viewable with a high level of fidelity in comparison to a standard web browser.
- Service interface
- Yes
- Description of service interface
- Accessible through a web-based GUI, Concepta Security Services is designed to be - as close as possible - a fully managed service. Users will be provided with a live dashboard of the live services and how they are performing, along with high-level management information and statistics. Users can run reports on the services through the dashboard as well as using the dashboard to drill into low-level, granular detail from the active services. Users can do basic manipulation of the dashboard look and feel either by changing pre-configured views or by developing their own.
- Accessibility standards
- WCAG 2.1 AA or EN 301 549
- Accessibility testing
- NVT engage with our human resource partner and local further education institutes to test both internally and externally on the suitability of our interface for assistive technology users.
- API
- No
- Customisation available
- Yes
- Description of customisation
-
All customisable content is accessed through the web based GUI. Users are able to create custom dashboards and provide custom data feeds into the service (assuming data provided is security related). Configurations can only be done by approved users.
Scaling
- Independence of resources
-
Concepta Security Services are deployed as a single instance with its own dedicated resources, eliminating the "noisy neighbour" effect and ensuring high QoS.
Concepta Security Services can also be
Analytics
- Service usage metrics
- Yes
- Metrics types
- Numerous metrics available depending on the tier of solution procured and the data available
- Reporting types
-
- Real-time dashboards
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Conforms to BS7858:2012
- Government security clearance
- Up to Baseline Personnel Security Standard (BPSS)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- United Kingdom
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- ‘IT Health Check’ performed by a CHECK service provider
- Protecting data at rest
- Physical access control, complying with another standard
- Data sanitisation process
- Yes
- Data sanitisation type
-
- Explicit overwriting of storage before reallocation
- Deleted data can’t be directly accessed
- Equipment disposal approach
- A third-party destruction service
Data importing and exporting
- Data export approach
- Concepta Security Services is not a data storage platform; its primary function is to provide a suite of tools to provide a platform to protect network, data and infrastructure. However, any data generated by the suite of tools (DNS logs, vulnerability scan results) will be erased and historical data can be provided on the client's preferred media then subjected to destruction during the decommissioning process.
- Data export formats
- Other
- Other data export formats
- JSON
- Data import formats
- Other
- Other data import formats
- JSON
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- Private network or public sector network
- TLS (version 1.2 or above)
- Data protection within supplier network
-
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
Availability and resilience
- Guaranteed availability
- Concepta Security Services run on a dedicated instance of NVT's Viia Private Hybrid Cloud Solution. NVT proactively monitor the Viia platform regardless of deployment type (pending any internal or contractual data access policies) and have built the platform on best of breed hardware running in best of breed datacentres and powered by a suite of software backed by NVT's 30 years of experience. All this means we can guarantee 99.9% uptime.
- Approach to resilience
-
As Concepta Security Software & Services is a highly customisable security platform, the resiliency involved will be highly dependent on whether it is deployed as a fully hosted solution or a hybrid solution.
If fully hosted, the solution will reside within iomart datacentres. Iomart carry out regular testing and maintenance of infrastructure with the N+1 policy applied to data centres providing the basis of continuity controls. This is enhanced by the provision of multiple communication routes and the replication of iomart’s network infrastructure. iomart data centres are also located outside flight paths, flood plains, have no seismic threat, and are a minimum of 3km outside sites who could pose a potential accident or hazardous threat (as governed by HSE). Therefore, in the event of any given location being lost, the primary impact to iomart would be on office facilities, but with 6 UK Offices and 10 UK Data Centres providing hosting services and support, this impact is limited and mitigated with standing arrangements to relocate staff to the nearest iomart site.
If hosted on-premise or in a hybrid manner then the solution's resiliency would be done in line with the customer's existing policies, infrastructure and locations.
- Outage reporting
- Any service outages are reported via our Information Technology Service Management (ITSM) system which automatically alerts clients via email and client web portal.
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Identity federation with existing provider (for example Google Apps)
- Limited access network (for example PSN)
- Dedicated link (for example VPN)
- Username or password
- Access restrictions in management interfaces and support channels
- Access is stringently restricted by way of federated active directory services and two factor authentication
- Access restriction testing frequency
- At least once a year
- Management access authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Identity federation with existing provider (for example Google Apps)
- Limited access network (for example PSN)
- Dedicated link (for example VPN)
- Username or password
Audit information for users
- Access to user activity audit information
- Users contact the support team to get audit information
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- User-defined
- How long system logs are stored for
- Between 1 month and 6 months
Standards and certifications
- ISO/IEC 27001 certification
- Yes
- Who accredited the ISO/IEC 27001
- Exova BM Trada
- ISO/IEC 27001 accreditation date
- 06/08/15
- What the ISO/IEC 27001 doesn’t cover
- N/A
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- ISO/IEC 27001
- Information security policies and processes
- NVT Group are certified for ISO27001 and as such have a set of policies and processes in place to ensure compliance. NVT Group have an appointed Compliance officer to interface with the management on security aspects and also is the conduit to the UKAS accredited audit partner.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- Our certified standards ISO9001 & ISO27001 define our configuration and change management processes and procedures are fit for purpose. Each change request is logged and tracked through our call management application, subject to approval and managed to successful implementation or conclusion.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
- The Concepta service is based on our hosted platform ViiA. Using Network Access Control technology on the ViiA platform, posture assessments can be conducted before access to the corporate network is made available. ViiA is kept fully up to date by way of subscription to industry-recognised malicious software services to ensure a comprehensive knowledge base of prevailing threats. Patches are applied on an ad-hoc basis depending on the threat severity.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
- Concepta is based on our ViiA platform. ViiA is continuously monitored to identify potential issues. Each issue is viewed on its own merit and treated accordingly. NVT Group decided not to have a set of standard approaches as experience tells us that there is not a standard set of potential issues that may occur. Each compromise alerted will be addressed immediately on discovery by our technical team and a resolution devised and an implementation plan agreed. If a resolution is not readily available then a work-around will be put in place whilst a permanent resolution is sought and actioned.
- Incident management type
- Supplier-defined controls
- Incident management approach
- NVT Group operate an ITIL-aligned customer service desk. The service desk will be the focal point for the reporting, tracking and management of all incidents. Incidents can be reported either by phone, email, portal self-service or can be automatically reported via our Monitoring and Management solution. Incident reporting and escalations are in line with ISO9001 standards with a clear and defined process in place and available upon request.
Secure development
- Approach to secure software development best practice
- Supplier-defined process
Public sector networks
- Connection to public sector networks
- Yes
- Connected networks
- Public Services Network (PSN)
Pricing
- Price
- £6.50 to £19 a user a month
- Discount for educational organisations
- Yes
- Free trial available
- Yes
- Description of free trial
- Concepta Security Essentials Bundle available as a limited trial with no custom configurations done.