G-Cloud 11 services are suspended on Digital Marketplace

If you have an ongoing procurement on G-Cloud 11, you must complete it by 18 December 2020. Existing contracts with NVT Group are still valid.
NVT Group

Concepta Security Services

Concepta Security Services is a suite of cyber-security solutions which, when applied synchronously, provides peace of mind regarding the IT infrastructure's security status. Concepta Security Services monitors key systems and provides real-time actionable alerts. It is available in three variations: Essentials, Advanced or Complete, depending on the prevailing requirements.

Features

  • Secure Domain Name System
  • Authentication Logging
  • Server Vulnerability Scanning
  • Managed Firewall
  • Intruder Detection / Intruder Prevention
  • Geo-IP Blocking
  • Network Access Control
  • Posture Analysis
  • Security Zones
  • Consolidated Security Management Dashboard

Benefits

  • Protects assets, reputation and the business, avoiding costs of remediation
  • Comprehensive security platform developed to cover broad requirements
  • Fully integrated solutions avoiding potential costly software conflicts
  • Single dashboard provides real time view of security threats
  • Easy to understand dashboard provides data to all stakeholders
  • Available as a fully managed service
  • Full training available if self service is required
  • Three tiers ensuring solution tailored to current setup and requirements
  • Supports and integrates with existing applications to protect investments
  • Developed with open-source solutions removing costly vendor overheads

Pricing

£6.50 to £19 a user a month

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at public_sector@nvt.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 11

Service ID

229094234770780

Contact

NVT Group Dougie Weir
Telephone: 01698 749000
Email: public_sector@nvt.co.uk

Service scope

Software add-on or extension
No
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints
Service is supported on all common operating systems, hypervisors, hardware, public and private cloud. Service will be subject to regular maintenance, which will be communicated through our Service Desk with contingencies in place.
System requirements
  • Requires VMWare, Hyper-V or KVM hypervisor
  • Supplied as pre-configured VM with an OS
  • Minimum 2 x VCPUs
  • Minimum 4GB RAM
  • Mirror or tap port required from switching

User support

Email or online ticketing support
Email or online ticketing
Support response times
Questions will be answered when an engineer or consultant is available, typically within 4 hours. Support calls are as follows. Priority 1: Critical, e.g. inactive firewall – 15 min acknowledgement, 4 hours technician onsite or remote access. Priority 2: Non-critical, e.g. non-mission-critical service inactive – 1 hour acknowledgement, 8 hours technician remote access. Priority 3: Change requests & administrative requests – 8 hour acknowledgement, 72 hours technician remote access. Where appropriate, if a critical failure cannot be resolved within 8 hours of the call being logged, NVT will provide a detailed plan including any escalation procedures required.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Onsite support
Support levels
Given the nature of the service, there are no tiers of support available; NVT provide 24x7 support as standard with 3 priority levels for support calls. Given this, there is a flat cost for support. Priority 1: Critical, e.g. inactive firewall – 15 min acknowledgement, 4 hours technician onsite or remote access. Priority 2: Non-critical, e.g. non-mission-critical service inactive – 1 hour acknowledgement, 8 hours technician remote access. Priority 3: Change requests & administrative requests – 8 hour acknowledgement, 72 hours technician remote access. Where appropriate, if a critical failure cannot be resolved within 8 hours of the call being logged, NVT will provide a detailed plan including any escalation procedures appropriate. NVT will provide a dedicated service delivery function which will be responsible for co-ordinating all support services to the customer.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
NVT can and will engage with customers as required and permissible prior to and during the purchasing process to better understand the breadth of requirements and complementary technologies. NVT will engage to understand how the Concepta Security Services are to be deployed (public, private or hybrid cloud) and what parameters, tolerances and policies are to be implemented. Users will be provided with training (online or on-site) on how to create custom dashboards and collate/gather custom data feeds. Full documentation will also be made available as per our standard governance.
Service documentation
Yes
Documentation formats
PDF
End-of-contract data extraction
Concepta Security Services in its Cloud Hosting form will not be storing any end user/customer data but merely providing security services to protect customer infrastructure, network and data.

The only user/customer data that will be stored relates to data collected as part of the security process (logs and analysis) along with custom dashboards, configurations and policies.

Any customer-specific data and/or policies/configurations will be provided to the customer on their chosen media along with comprehensive documentation before going through the appropriate and necessary deletion/destruction.
End-of-contract process
The primary objective of the Exit Management Plan is to enable an orderly cessation and smooth migration from the Supplier to the customer and/or its Replacement Service Provider of responsibilities, services, assets and any other items or information necessary with a view to the customer and/or the Replacement Service Provider operating a replacement service for the Services with effect from the date of termination of this Agreement in a cost effective manner, which ensures business continuity and minimal disruption to the Council’s business operations.

In the event of the partial termination of this Agreement, or of the termination of a discrete Service Tower, the provisions of this Schedule shall be applied (with the necessary changes) in relation to the terminated Services in accordance with the provisions of our internal policies.

The Exit Management Plan will be prepared on the assumption that the Services will be transferred to the customer or a Replacement Service Provider on termination or expiry of this Agreement.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Firefox
  • Chrome
  • Safari 9+
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
There is no dedicated app for our service, however, the service will run in a mobile web browser with dashboards viewable with a high level of fidelity in comparison to a standard web browser.
Service interface
Yes
Description of service interface
Accessible through a web-based GUI, Concepta Security Services is designed to be, as close as possible, a fully managed service. Users will be provided with a live dashboard of the live services and how they are performing, along with high-level management information and statistics. Users can run reports on the services through the dashboard, as well as using the dashboard to drill into low-level, granular detail from the active services. Users can do basic manipulation of the dashboard look and feel, either by changing pre-configured views or by developing their own.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
NVT engage with our human resource partner and local further education institutes to test both internally and externally on the suitability of our interface for assistive technology users.
API
No
Customisation available
Yes
Description of customisation
All customisable content is accessed through the web-based GUI. Users are able to create custom dashboards and provide custom data feeds into the service (assuming data provided is security related). Configurations can only be done by approved users.

Scaling

Independence of resources
Concepta Security Services are deployed as a single instance with its own dedicated resources, eliminating the "noisy neighbour" effect and ensuring high QoS.

Concepta Security Services can also be

Analytics

Service usage metrics
Yes
Metrics types
Numerous metrics available depending on the tier of solution procured and the data available
Reporting types
  • Real-time dashboards
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Concepta Security Services is not a data storage platform; its primary function is to provide a suite of tools as a platform to protect network, data and infrastructure. However, any data generated by the suite of tools (DNS logs, vulnerability scan results) will be erased, and historical data can be provided on the client's preferred media then subjected to destruction during the decommissioning process.
Data export formats
Other
Other data export formats
JSON
Data import formats
Other
Other data import formats
JSON

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Concepta Security Services run on a dedicated instance of NVT's Viia Private Hybrid Cloud Solution. NVT proactively monitor the Viia platform regardless of deployment type (pending any internal or contractual data access policies) and have built the platform on best of breed hardware running in best of breed datacentres and powered by a suite of software backed by NVT's 30 years of experience. All this means we can guarantee 99.9% uptime.
Approach to resilience
As Concepta Security Software & Services is a highly customisable security platform, the resiliency involved will be highly dependent on whether it is deployed as a fully hosted solution or a hybrid solution.

If fully hosted, the solution will reside within iomart datacentres. Iomart carry out regular testing and maintenance of infrastructure with the N+1 policy applied to data centres providing the basis of continuity controls. This is enhanced by the provision of multiple communication routes and the replication of iomart’s network infrastructure. iomart data centres are also located outside flight paths, flood plains, have no seismic threat, and are a minimum of 3km outside sites who could pose a potential accident or hazardous threat (as governed by HSE). Therefore, in the event of any given location being lost, the primary impact to iomart would be on office facilities, but with 6 UK Offices and 10 UK Data Centres providing hosting services and support, this impact is limited and mitigated with standing arrangements to relocate staff to the nearest iomart site.

If hosted on-premise or in a hybrid manner, the solution's resiliency would be handled in line with the customer's existing policies, infrastructure and locations.
Outage reporting
Any service outages are reported via our Information Technology Service Management (ITSM) system which automatically alerts clients via email and client web portal.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Access is stringently restricted by way of federated active directory services and two factor authentication
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Exova BM Trada
ISO/IEC 27001 accreditation date
06/08/15
What the ISO/IEC 27001 doesn’t cover
N/A
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
NVT Group are certified for ISO27001 and as such have a set of policies and processes in place to ensure compliance. NVT Group have an appointed Compliance officer to interface with the management on security aspects and also is the conduit to the UKAS accredited audit partner.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Our certified standards, ISO9001 and ISO27001, define our configuration and change management processes and procedures, which are fit for purpose. Each change request is logged and tracked through our call management application, subject to approval and managed to successful implementation or conclusion.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
The Concepta service is based on our hosted platform ViiA. Because the ViiA platform uses Network Access Control technology, posture assessments can be conducted before access to the corporate network is made available. ViiA is kept fully up to date by way of subscription to industry-recognised malicious software services to ensure a comprehensive knowledge base of prevailing threats. Patches are applied on an ad-hoc basis depending on the threat severity.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Concepta is based on our ViiA platform. ViiA is continuously monitored to identify potential issues. Each issue is viewed on its own merit and treated accordingly. NVT Group decided not to have a set of standard approaches, as experience tells us that there is not a standard set of potential issues that may occur. Each compromise alerted will be addressed immediately on discovery by our technical team, a resolution devised and an implementation plan agreed. If a resolution is not readily available, a work-around will be put in place whilst a permanent resolution is sought and actioned.
Incident management type
Supplier-defined controls
Incident management approach
NVT Group operate an ITIL-aligned customer service desk. The service desk will be the focal point for the reporting, tracking and management of all incidents. Incidents can be reported by phone, email or portal self-service, or can be automatically reported via our Monitoring and Management solution. Incident reporting and escalations are in line with ISO9001 standards, with a clear and defined process in place and available upon request.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
Yes
Connected networks
Public Services Network (PSN)

Pricing

Price
£6.50 to £19 a user a month
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
Concepta Security Essentials Bundle available as a limited trial with no custom configurations done.
