Quod Orbis

Cybersecurity Controls and Automation

Via the Digital Risk Engineering, Analytics and Management platform we deploy real-time monitoring and automation of controls, security metrics, threat modelling and continuous reporting. Working closely with our clients in alignment with their business priorities we:

Identify real risk, vulnerabilities.
Automate measures and controls.
Monitor and continuously improve.

Features

  • Control Identification using scientific, quantitative and proven methodologies
  • Organisational Compliance
  • Automate and measure controls and maturity in key control areas
  • Monitor and Continuously reduce risk

Benefits

  • Improve and continually assess effectiveness of controls against defined objectives
  • Identify areas for improvement at the micro and macro levels
  • Demonstrable improvements to the organisations treatment of risk
  • Define and prioritise controls to close exposures and ensure compliance
  • Pragmatic guidance for Cyber/Digital Risk Management

Pricing

£5,000 a licence a year

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ami.penolver@quodorbis.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

4 7 0 6 7 1 0 2 6 0 7 8 7 9 3

Contact

Quod Orbis Ami Penolver
Telephone: 02039622206
Email: ami.penolver@quodorbis.com

Service scope

Service constraints
None that we are aware of at this stage
System requirements
  • None
  • None

User support

Email or online ticketing support
Email or online ticketing
Support response times
Immediately (inc weekends)
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AAA
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Onsite support
Support levels
Support levels and costs depend on the customer requirement and the number of security controls that are being defined and monitored. This can range from 0 - 250 controls in line with our mandate to continually monitor and improve.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Every Quod Orbis Cyber Security Controls and Automation project is delivered using our team of service specialists. All the onboarding requirements are defined during the initial service workshop
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Once the contract ends Quod Orbis can provide all service data held on behalf of the client. All data held by Quod Orbis will be destroyed 30 days after the end of contract unless otherwise previously agreed.
End-of-contract process
If required Quod Orbis can provide end of contract migration services at an additional cost. That is, costs that fall outside of the initial contract.

Using the service

Web browser interface
Yes
Using the web interface
Web interface provides full functionality.
Web interface accessibility standard
WCAG 2.1 AAA
Web interface accessibility testing
None at this stage
API
No
Command line interface
No

Scaling

Scaling available
Yes
Scaling type
Automatic
Independence of resources
As well as continuously monitoring the environment, Quod Orbis offers a SLA of 99.9% across the service.
Usage notifications
Yes
Usage reporting
Email

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types
Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
Yes
What’s backed up
  • Virtual machines
  • Data
  • Databases
Backup controls
Part of the service not user controlled.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Service availability SLA is 99.9%. A percentage of the monthly service charged is paid back to the client for missing the agreed SLA
Approach to resilience
Available on request
Outage reporting
For any outages we will email and SMS any service administrators

Identity and authentication

User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
Access restrictions in management interfaces and support channels
Management interfaces only accessible to Quod Orbis using IP whitelisting and secure authentication.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
Devices users manage the service through
Dedicated device on a segregated network (providers own provision)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
Cyber Essentials Plus

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
We have aligned our ISMS to ISO/IEC 271001. We are a new company and we are working towards accreditation
Information security policies and processes
Quod Orbis is working towards ISO 27001 and is developing a full information system

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
The Quod Orbis portal provides a full ticketed change management system. All changes are logged and available for viewing in the portal. Before any change is implemented a security risk assessment is performed.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Quod Orbis has a three stage Vulnerability Management process.

1. Continuous automated vulnerability assessment by a 3rd party service
2. Quarterly vulnerability testing by Quod Orbis internal team
3. Bi-annual testing by a CREST or Tiger accredited organisation
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Our protective monitoring processes are based and run in accordance with the service and customer requirements.

The Quod Orbis service is monitored 24x7 for potential service compromises and breaches. If such an occurrence would happen we will notify the client or clients immediately we are aware of the impact identify potential compromises.
Incident management type
Supplier-defined controls
Incident management approach
We have a number of pre-defined process for common events and ones specific to the Quod Orbis service. If a user were to need to report an event we have three methods: Portal, email or for urgent events telephone. We provide incident report reports via the Quod Orbis portal.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Yes
Who implements virtualisation
Third-party
Third-party virtualisation provider
AWS
How shared infrastructure is kept separate
The underlying virtualisation technology deployed by our cloud provider ensures the separation of client instances.

Energy efficiency

Energy-efficient datacentres
No

Pricing

Price
£5,000 a licence a year
Discount for educational organisations
Yes
Free trial available
No

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ami.penolver@quodorbis.com. Tell them what format you need. It will help if you say what assistive technology you use.