Strata Insight provides a single view of the cyber security and compliance of your ICT estate across both on-premises and cloud environments. It presents this view against your chosen risk or control framework, giving you a view of your business risks and the technical issues they stem from.
- Asset reports, see the state of all your assets
- Security monitoring reporting, consolidate your alerts and event data
- Control frameworks, select your chosen security control frameworks
- Metric reporting, understand how compliant you are
- Risk modelling, understand risks in addition to compliance
- Reporting engine, schedule and run complex reports
- Dashboarding, provides an at-a-glance summary of your compliance and risk
- IaaS-based, supplier managed and resilient to failure
- Secure connectivity, to on-premises tools and users
- Collector framework, combine data from different tools in one place
- Custom control frameworks, develop frameworks to suit your requirements
- Get started quickly with pre-built control frameworks and content
- Understand current or developing compliance issues within your environment(s)
- Understand the risks to your specific environment(s)
- Save costs by planning activities against identified risks and metrics
- Improve processes by integrating tasking with monitoring
- Eliminate error-prone, manual security reporting
- Track performance of security operations teams or outsourced providers
£30000 per unit per year
3 0 1 6 1 4 9 0 5 8 9 0 9 0 2
STRATA SECURITY SOLUTIONS LIMITED
020 3095 1001
| Item | Detail |
|---|---|
| Software add-on or extension | No |
| Cloud deployment model | |
| Email or online ticketing support | Email or online ticketing |
| Support response times | Contractual response times vary depending on priority. |
| User can manage status and priority of support tickets | Yes |
| Online ticketing support accessibility | WCAG 2.1 AA or EN 301 549 |
| Phone support availability | 9 to 5 (UK time), Monday to Friday |
| Web chat support | No |
| Onsite support | Yes, at extra cost |
| Support available to third parties | Yes |

Strata provide a single level of support to all customers, based on the criticality of the incident and the degree to which it affects the solution's ability to deliver its services. We proactively monitor the solution and report to your teams any issues we have detected with obtaining up-to-date monitoring information.

You will be provided with a technical account manager who can assist in resolving any issues and provide guidance and support on how to resolve any risks detected by the solution.
Onboarding and offboarding
| Item | Detail |
|---|---|
| Getting started | We provide users with an onboarding guide outlining how the solution functions and its data requirements, and describing the quick start process. This is followed by an on-site quick start engagement to integrate the user's agreed data sources and customise content to the customer's requirements. |
| End-of-contract data extraction | Users request a data extract via our support team; we then provide exports of recent audit reports and the control framework configuration as data file exports. |
| End-of-contract process | At the end of the contract the solution is terminated, user access is revoked and the user's instance is decommissioned. Recent input data and configuration are retained for 30 days to support re-commissioning of the service, unless earlier deletion is requested. In every case, we work with the customer to ensure that they are satisfied the data has been securely erased after the service ends. |
Using the service
| Item | Detail |
|---|---|
| Web browser interface | Yes |
| Application to install | Yes |
| Compatible operating systems | |
| Designed for use on mobile devices | No |
| What users can and can't do using the API | The API can be used to provide updated input data to the solution, including the definition of new assets. |
| API documentation formats | |
| API sandbox or test environment | Yes |
| Description of customisation | The solution can include custom risk and supporting control frameworks as well as custom reporting and dashboarding views. This allows users to ensure the data is presented to them in the most effective form and format. Customisations are developed by our team of deployment consultants and then deployed into customer instances. |
| Independence of resources | Each customer is deployed in a separate cloud instance (or cell) that has its own dedicated set of IaaS resources, independent from and logically separated from all other customer cells. |
| Service usage metrics | Yes |
| Metrics types | We provide metrics on the consistency of input data availability, the performance of the service itself, user access to the service and any data processing errors. |
| Supplier type | Not a reseller |
| Staff security clearance | Other security clearance |
| Government security clearance | Up to Security Clearance (SC) |
| Knowledge of data storage and processing locations | Yes |
| Data storage and processing locations | |
| User control over data storage and processing locations | Yes |
| Datacentre security standards | Managed by a third party |
| Penetration testing frequency | At least once a year |
| Penetration testing approach | Another external penetration testing organisation |
| Protecting data at rest | |
| Data sanitisation process | Yes |
| Data sanitisation type | Explicit overwriting of storage before reallocation |
| Equipment disposal approach | Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001 |
Data importing and exporting
| Item | Detail |
|---|---|
| Data export approach | Users can request a complex data export via a support ticket, or can use controls within the system to export data for common use-cases. |
| Data export formats | |
| Other data export formats | |
| Data import formats | CSV |
| Data protection between buyer and supplier networks | |
| Data protection within supplier network | |
| Other protection within supplier network | Network devices, including firewalls and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACLs) and configurations to enforce the flow of information to specific information system services. ACLs, or traffic flow policies, are established on each managed interface to manage and enforce the flow of traffic. ACL policies are approved by Amazon Information Security. |
Availability and resilience
AWS currently provides SLAs for several services. Due to the rapidly evolving nature of AWS's product offerings, SLAs are best reviewed directly on the AWS website via the links below:
- Amazon EC2 SLA: http://aws.amazon.com/ec2-sla/
- Amazon S3 SLA: http://aws.amazon.com/s3-sla

Well-architected solutions on AWS that leverage AWS service SLAs and unique AWS capabilities, such as multiple Availability Zones, can ease the burden of achieving specific SLA requirements.
| Item | Detail |
|---|---|
| Approach to resilience | The AWS Business Continuity plan details the process that AWS follows in the case of an outage, from detection to deactivation. AWS has developed a three-phased approach: Activation and Notification Phase, Recovery Phase, and Reconstitution Phase. This approach ensures that AWS performs system recovery and reconstitution efforts in a methodical sequence, maximising the effectiveness of the recovery and reconstitution efforts and minimising system outage time due to errors and omissions. AWS maintains a ubiquitous security control environment across all regions. Each data centre is built to physical, environmental and security standards in an active-active configuration, employing an N+1 redundancy model to ensure system availability in the event of component failure. Components (N) have at least one independent backup component. All data centres are online and serving traffic. In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites. Customers are responsible for implementing contingency planning, training and testing for their systems hosted on AWS. AWS provides customers with the capability to implement a robust continuity plan, including the utilisation of frequent server instance back-ups, data redundancy replication, and the flexibility to place instances and store data within multiple geographic regions across multiple Availability Zones. |
| Outage reporting | In the event of a service outage, we will provide email-based updates to our customers with details of the outage and the actions we are taking. |
Identity and authentication
| Item | Detail |
|---|---|
| User authentication needed | Yes |
| Access restrictions in management interfaces and support channels | Support requests are only responded to when received from an agreed and approved contact point that has been onboarded as a support contact. Management interfaces are only available to supplier staff, based on an RBAC model within the solution. Access to infrastructure and infrastructure management interfaces uses an agreed multi-factor authentication mechanism. User authentication is required to access the solution, and changes to the solution configuration can only be made by authorised users. |
| Access restriction testing frequency | At least once a year |
| Management access authentication | |
Audit information for users
| Item | Detail |
|---|---|
| Access to user activity audit information | Users contact the support team to get audit information |
| How long user audit data is stored for | User-defined |
| Access to supplier activity audit information | Users contact the support team to get audit information |
| How long supplier audit data is stored for | User-defined |
| How long system logs are stored for | User-defined |
Standards and certifications
| Item | Detail |
|---|---|
| ISO/IEC 27001 certification | No |
| ISO 28000:2007 certification | No |
| CSA STAR certification | No |
| Other security certifications | No |
| Named board-level person responsible for service security | Yes |
| Security governance certified | No |
| Security governance approach | Our approach is aligned to ISO 27001, but we are not currently certified or implementing all of the technical controls. |
| Information security policies and processes | We have an incident response process for handling any issues with our solution, which contains specific steps for resolving security-related incidents in our environments. Our data classification and handling policy provides guidance and details to all staff on how to handle both client and internal data, including its storage and retention. All issues are summarised and reported to the board, with a named board member then taking responsibility to investigate the issues and develop improvements to our processes and systems. |
| Configuration and change management standard | Supplier-defined controls |
| Configuration and change management approach | All components of our service are tracked through configuration management processes, based on our deployment approach using software-defined infrastructure. Environments are built and changed using automated scripts drawing on versioned artefacts and configuration files that are stored in a repository. While in service, components are tracked to ensure their health and patching status. Changes to the solution's architecture and dependencies are reviewed internally prior to their deployment and then monitored while in service. All code undergoes a review against our coding standards. |
| Vulnerability management type | Undisclosed |
| Vulnerability management approach | Potential threats are assessed based on which elements of the solution are vulnerable to them and the other mitigating controls that are in place on that element. Our solution design is based on a defence-in-depth approach, layering infrastructure and application controls together with protective monitoring. Patches are deployed monthly, with the exception of security patches that reduce the vulnerability of the solution, which can be deployed weekly. Strata are in the process of applying to the Cyber Security Information Sharing Partnership run by the NCSC. |
| Protective monitoring type | Undisclosed |
| Protective monitoring approach | Our solution is based within AWS and combines the CloudTrail and CloudWatch capabilities with monitoring of instance and application logs. Events and data from these sources are presented to our support team to alert on unusual behaviour and potential compromises. When a potential issue is found it is reported and handled via our incident handling approach. Incidents are then handled in line with our support SLAs. |
| Incident management type | Undisclosed |
| Incident management approach | All incidents are handled via our incident handling process, which includes pre-defined responses to DoS and other forms of generalised attack on the availability of the service. Users can report incidents via our email support channels. We provide summary reports of all incidents that have affected a client's IaaS cell alongside our standard monthly service reports. These are delivered by email to the client's named contact. |
| Approach to secure software development best practice | Supplier-defined process |
Public sector networks
| Item | Detail |
|---|---|
| Connection to public sector networks | No |
| Price | £30000 per unit per year |
| Discount for educational organisations | No |
| Free trial available | No |