SureCloud Limited

Vulnerability Management

With ever-increasing levels of cyber crime, it is critical that organisations identify and remedy the high-severity vulnerabilities which are exposing critical IT assets to threats. SureCloud provides full vulnerability life cycle management, including identification, correlation, assessment, remediation and reporting.

Features

  • Simple to use interface
  • Cloud based Software-as-a-Service offering
  • Business Risk Reporting
  • Vulnerability Status Dashboard
  • User Customisable Reports
  • Custom extracts of vulnerability data can be created and downloaded
  • Detailed descriptions and solutions for each vulnerability identified
  • Full workflow, task assignment and remediation management tools
  • Upload Scan outputs with ease
  • Backed by SureCloud's experienced team

Benefits

  • Ease of Administration
  • Low Total Cost of Ownership
  • Fully Managed
  • Simple and Easy to Use Interface
  • Regularly run to identify vulnerabilities ahead of your annual ITHC
  • Backed by SureCloud's NCSC CHECK and CREST Accredited Team

Pricing

£1,050 a licence a month

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@surecloud.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

330047835633053

Contact

SureCloud Limited SureCloud
Telephone: 0208 012 8544
Email: gcloud@surecloud.com

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
No
System requirements
A web browser and internet connectivity.

User support

Email or online ticketing support
Email or online ticketing
Support response times
Tickets are replied to within 4 hours (UK business hours, 9am - 5pm Mon-Fri excluding public holidays)
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
All support is part of SureCloud's standard licensing and pricing model.

For the delivery of implementation services, a dedicated single point of contact is provided who can also act as an escalation point if required.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Full onsite and/or remote training (via Webex) is provided depending on what is preferred and also procured from a consultancy perspective.

Full documentation is also provided around platform use.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Users can extract all data from the platform to CSV/Excel format when the contract ends if required.
End-of-contract process
Full access to the licensed features of the SureCloud platform is provided. These are split into the separate 'applications' and the buyer purchases as needed.

There are no additional costs outside of the licensed bracket and implementation costs.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Full functionality is available from mobile devices.
Service interface
No
API
No
Customisation available
Yes
Description of customisation
A customised instance of SureCloud can be provided with corporate branding, logos and colour schemes. An organisation-specific URL is also provided.

Scaling

Independence of resources
The environment is scaled, as needed, to meet demand. Each individual platform is also monitored to ensure that the service remains optimal for all users.

Analytics

Service usage metrics
No

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users can download all data to Excel and/or PDF format as required.
Data export formats
  • CSV
  • Other
Other data export formats
PDF
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Monthly Uptime Percentage|Service Credit
<99%|2.5%
<98%|5.0%
<95%|7.5%
Approach to resilience
SureCloud has designed and built its own private cloud infrastructure with data at two physical, geographically separate locations. The environment has been set up to ensure there are no single points of failure.

Further information is available upon request.
Outage reporting
Email Alerts

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Management access to the underlying infrastructure is only permitted to 3 trusted individuals. These individuals have to go through multiple layers of authentication and authorisation before access is possible.

Support staff only have access to accounts within SureCloud they are actively involved in supporting. This is tightly controlled by permissions within the SureCloud application itself.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
British Standards Institution (IS 664769)
ISO/IEC 27001 accreditation date
29/08/17
What the ISO/IEC 27001 doesn’t cover
Certificate applies to all products and services delivered both internally and externally by SureCloud globally.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • Cyber Essentials PLUS
  • CREST Member Company
  • NCSC CHECK 'Green Light'
  • PCI Approved Scanning Vendor

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
All policies and processes are accredited to ISO 27001.

Copies of reporting structure and policies themselves are available upon request.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
SureCloud utilises its own technology and platform for management of change requests, which track the whole lifecycle of a change.

A high-level overview of the form is as follows:

- Date
- Date change due to be implemented
- Details of change
- Security Impact of change
- Affected systems
- Change reserve plan
- Change success measure
- Change to be authorised by?
- Change Approved?
- Change Completed?
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
SureCloud utilises its own Vulnerability Management platform and technology for scanning and management of its network.

Scans are run on a weekly basis, with automated tasks set to immediately alert the Security Team of any high or critical vulnerabilities.

Patches are deployed to all critical and high vulnerabilities immediately. Medium/low severity vulnerabilities are patched within 1 month.

The security team obtain threat intelligence data from a partner and are subscribed to all relevant social media channels for new vulnerability alerting.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
SureCloud uses its own technology and solution, Event Manager, for this purpose.

The solution has been designed around GPG13 and the PCI Standard Event Management requirements.

Each event is severity weighted and anything high or critical is immediately alerted to the Security Team.

Any potential compromise follows SureCloud's incident response processes and, due to the nature of the activity, is actioned immediately.
Incident management type
Supplier-defined controls
Incident management approach
SureCloud has fully documented incident response policies and procedures, which all staff are extensively trained on.

Users report incidents via the SureCloud platform using the 'Incident Manager' Application, which triggers workflow and escalation to their line manager and incident panel.

Any incidents relating to client data are reported to them within 1 business day, as per SureCloud's procedure.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Pricing

Price
£1,050 a licence a month
Discount for educational organisations
Yes
Free trial available
No
