Mitigate is an internal risk mitigation solution that has been certified by the UK's Government Communications Headquarters (GCHQ). Mitigate calculates and presents the level of internal risk according to a range of metrics covering Cyber, Compliance and GDPR. Mitigate reduces risk and strengthens resilience within organisations.
- Real time risk reporting
- Measure internal risk
- Policy management
- Employee and admin dashboard
- Detailed user reporting
- 16 GCHQ Certified training courses
- Template cyber security policies
- Policy enforcement & generator tool
- Algorithm for assessing resilience
- User assessments
- Improve internal compliance
- Build internal resilience
- Reduce internal cyber liability
- Employees receive GCHQ certified training certificate
- Policy management process is ISO 27001 & GDPR compliant
- Improves HR efficiency
- Presents audit trail for insurance, compliance and GDPR purposes
- Count towards CPD points
- Save time and cost
- Updated annually and in response to regulatory changes
£2.50 per user per month
- Education pricing available
- Free trial available
Xyone Cyber Security
0333 323 3981
|Software add-on or extension||No|
|Cloud deployment model||Hybrid cloud|
|Email or online ticketing support||Email or online ticketing|
|Support response times||
Mon-Fri: Response time up to 24 hours.
Sat-Sun: Response time up to 48 hours.
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Standard: Mon-Fri 9-5 - Response up to 24 hours. Support available by email and ticket.
Premium: Mon-Fri 9-5 - Response up to 8 hours. Support available by email, ticket and phone.
Bespoke: Mon-Fri 9-5 - Response up to 8 hours. Support available by email, ticket, phone and on-site. Additional Cost. Dedicated account manager.
|Support available to third parties||Yes|
Onboarding and offboarding
End users have access to a user guide and a built-in walkthrough when logging into the solution for the first time. 'Get started' and 'Continue' buttons are built into the solution so that users can pick up where they left off when logging back in.
Client admins are provided with remote and on-site training. User documentation is also provided to assist with the roll-out of the Mitigate solution.
|End-of-contract data extraction||The client raises a support ticket and Mitigate support exports all requested data and provides it in a format suitable for the client.|
|End-of-contract process||The client goes through the renewal process. If the client decides not to renew, the data is retained in line with GDPR unless the client has requested permanent deletion.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||No|
|Description of customisation||
e-Learning content can be customised at additional cost. This can include the following customisations: branding, text changes, translations, audio voice-overs and video embedding.
This customisation is controlled by Mitigate Support and no user can customise the e-learning content directly.
Client admins can also customise their own training, assessments and policies.
Resellers of the Mitigate solution can customise the logo, and the reseller web interface login can be hosted on the reseller's own subdomain.
|Independence of resources||
As our services are hosted on AWS, we can scale our server pool up and down to meet demand. Our development team is looking into ways of making this more efficient by moving more resources into the cloud.
The development team is also evaluating AWS Shield and AWS WAF (Web Application Firewall) to improve our capability in this area.
|Service usage metrics||Yes|
Real-time dashboard and risk scales.
Real-time report generation
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Supplier-defined controls|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider|
|Protecting data at rest||Physical access control, complying with CSA CCM v3.0|
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||
Users cannot export their data directly.
If a user wishes to obtain an export of their data, they submit a request to the support team, who will supply the information directly.
|Data export formats||
|Other data export formats||
|Data import formats||CSV|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||
Availability and resilience
The Company shall provide at least a 99.5% uptime service availability level (Uptime Service Level). This availability refers to an access point on the Company hosting provider's backbone network. It does not apply to the portion of the circuit that does not transit the hosting provider's backbone network, as the Reseller is responsible for its own internet access. Availability does not include Maintenance Events as described in paragraph 2.1 of Schedule 6, Reseller-caused or third party-caused outages or disruptions (except to the extent that such outages or disruptions are caused by those duly authorised third parties sub-contracted by the Company to perform the Services), or outages or disruptions attributable in whole or in part to force majeure events within the meaning of Clause 18.
3.1 If availability falls below the Uptime Service Level (as defined in paragraph 1 of Schedule 7) in a given calendar month (Service Delivery Failure), the Company shall credit the Reseller’s account by an amount calculated as the product of the total cumulative downtime (expressed as a percentage of the total possible uptime minutes in the month concerned) and the total Monthly Hosting Fee and Monthly Software Licence Fee owed for that month (Service Credit).
|Approach to resilience||Information available upon request|
Email alerts reporting any minor or major incident are issued to company admins and users.
Users are kept up to date as the incident progresses through each stage.
Identity and authentication
|User authentication needed||Yes|
|User authentication||Username or password|
|Access restrictions in management interfaces and support channels||
There are several user roles with access to management interfaces and support channels.
The Mitigate support team has access to front-end support, and there are two levels of Mitigate support.
Back-end access is limited to the development team, restricted to the office IP address, and protected by two-factor authentication.
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
|Description of management access authentication||Restricted to IP address|
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||Alcumus|
|ISO/IEC 27001 accreditation date||19/09/2014|
|What the ISO/IEC 27001 doesn’t cover||Accounting|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||
|Other security governance standards||Cyber Essentials Plus|
|Information security policies and processes||
We use our own Mitigate software internally to train and test employees and to store policies, which are available to all employees of Xyone. New starters must complete the training and sign the relevant information security policies. The following policies are on the Mitigate portal:
- Password Policy
- Communications Policy
- Internet Usage Policy
- Information Classification Policy
- Cryptographic Controls Policy
- Back-Up Policy
- Social Engineering Policy
- Disposal & Destruction Policy
- Clean Desk Policy
- Remote Working Policy
- Public Wi-Fi Policy
- BYOD Policy
- Data Protection Policy
The Mitigate portal tracks user compliance and logs when each user signs each policy. If a policy is updated on the portal, 'Compliance' status is revoked and users are alerted to re-sign the relevant policies.
All training, assessments and policies must be taken at a minimum of every 12 months.
More information on Mitigate, which has been certified by GCHQ, can be found at https://mitigatehub.com/
Under our ISO 27001 and Cyber Essentials Plus certifications we must provide evidence that our information security policies are not only in place but also up to date and understood by all employees.
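The compliance-tracking behaviour described above (a signature is logged against a specific policy version, compliance is revoked when the policy is republished, and a signature lapses after 12 months) is simple enough to model. The following is an added example, not code from Mitigate or Xyone; the `PolicyPortal` class, the user names and the dates are constructed for illustration and make no claim about how the real portal is implemented.

```python
"""Added example (not part of the Mitigate product or this listing): a small
model of policy-acknowledgement tracking in which a signature counts only for
the policy version it was made against, and only for 12 months.
All names and scenario data are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta

RESIGN_INTERVAL = timedelta(days=365)  # policies must be re-signed at least every 12 months


@dataclass(frozen=True)
class Signature:
    user: str
    policy: str
    version: int      # the policy version the user actually read and signed
    signed_on: date


@dataclass
class PolicyPortal:
    """Hypothetical portal: current policy versions plus an append-only audit log."""
    versions: dict = field(default_factory=dict)   # policy name -> current version
    audit_log: list = field(default_factory=list)  # every signature ever recorded

    def publish(self, policy: str) -> int:
        """Publish a new version of a policy (version 1 if it is new).
        Earlier signatures stay in the audit log but no longer satisfy compliance."""
        self.versions[policy] = self.versions.get(policy, 0) + 1
        return self.versions[policy]

    def sign(self, user: str, policy: str, on: date) -> Signature:
        """Record that `user` signed the *current* version of `policy` on `on`."""
        if policy not in self.versions:
            raise KeyError(f"unknown policy: {policy}")
        sig = Signature(user, policy, self.versions[policy], on)
        self.audit_log.append(sig)
        return sig

    def latest_signature(self, user: str, policy: str):
        """Most recent signature by `user` for `policy`, or None."""
        for sig in reversed(self.audit_log):
            if sig.user == user and sig.policy == policy:
                return sig
        return None

    def is_compliant(self, user: str, policy: str, today: date) -> bool:
        """Compliant only if the latest signature is for the current version
        and is less than RESIGN_INTERVAL old."""
        sig = self.latest_signature(user, policy)
        if sig is None or sig.version != self.versions[policy]:
            return False
        return today - sig.signed_on < RESIGN_INTERVAL

    def users_to_alert(self, users, today: date) -> dict:
        """Map each non-compliant user to the policies they must (re-)sign;
        fully compliant users are omitted."""
        alerts = {}
        for user in users:
            due = sorted(p for p in self.versions if not self.is_compliant(user, p, today))
            if due:
                alerts[user] = due
        return alerts


def build_example_portal() -> PolicyPortal:
    """Constructed scenario: a policy revision revokes compliance for everyone,
    and an otherwise valid signature expires once it is 12 months old."""
    portal = PolicyPortal()
    portal.publish("Password policy")
    portal.publish("BYOD Policy")
    portal.sign("alice", "Password policy", date(2023, 1, 10))
    portal.sign("alice", "BYOD Policy", date(2023, 1, 10))
    portal.sign("bob", "Password policy", date(2023, 1, 10))
    portal.publish("Password policy")                       # v2: compliance revoked
    portal.sign("alice", "Password policy", date(2023, 7, 5))  # alice re-signs v2; bob does not
    return portal


def example_report() -> dict:
    """Run the scenario at two dates and return what the portal would report."""
    portal = build_example_portal()
    users = ["alice", "bob"]
    return {
        "password_version": portal.versions["Password policy"],
        "signatures_logged": len(portal.audit_log),
        "alerts_2023_12_01": portal.users_to_alert(users, date(2023, 12, 1)),
        "alerts_2024_01_20": portal.users_to_alert(users, date(2024, 1, 20)),
    }


if __name__ == "__main__":
    for key, value in example_report().items():
        print(key, value)
```

On 1 December 2023 only bob is alerted (he never re-signed Password policy v2 and never signed BYOD Policy); by 20 January 2024 alice's BYOD signature from 10 January 2023 is older than 365 days, so she is alerted for that policy too, while her July 2023 Password policy signature still counts. Keeping the log append-only, rather than overwriting a per-user status flag, is what makes the record usable as the audit trail the listing mentions.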
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
The specification is put forward to management, who decide on a course of action and priority together with the development team. This committee also factors in the predicted development time and the number of users affected to decide project ordering.
Once development is completed and tests run, new features are deployed to a live-like staging area.
Deployment and user tests are carried out.
If this passes with no incident the new feature is merged into the main codebase and put live at the next available window.
After that we rely on error-catching software and customer reports to identify any further issues.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||
We carry out regular code reviews to make sure there are no glaring vulnerabilities. As part of ongoing project maintenance we keep the underlying software our projects depend on up to date.
The error-catching software used to find errors can also surface vulnerabilities; when one is discovered, a fix is written, tested and deployed at the highest priority. Critical and high-severity vulnerabilities are patched immediately. Threat alerts are gathered from university research.
Finally, we penetration test the portal at least quarterly and on every major release.
|Protective monitoring type||Undisclosed|
|Protective monitoring approach||
As our resources are hosted on AWS, we use its monitoring tools to observe several different diagnostics. Should one of these diagnostics change dramatically, we investigate to find the cause and deploy any patches required.
Critical and high level issues are investigated on the same day.
We are currently investigating the use of additional AWS services to streamline this process.
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||
The ISMS Section 16 (Incident Management) process is followed. Users can report incidents through our support functionality and built-in support ticketing system. In the case of major incidents, the CTO/ISM must be notified immediately in order to determine how best to contain and rectify the incident.
Incident reports are logged and stored in line with our ISMS as part of our ISO 27001 certification.
Incident reports are documented and stored internally. On request, users can obtain redacted incident reports.
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||No|
|Price||£2.50 per user per month|
|Discount for educational organisations||Yes|
|Free trial available||Yes|
|Description of free trial||
Free 14-day trial with access to 3 cyber security modules, 1 assessment and 1 policy.
No certificate of completion.