Falanx Cyber Ltd

Nol-ij, the Continuous Information Risk Management Dashboard

Nol-ij is a cost-effective Continuous Information Risk Management Dashboard that supports and streamlines governance, information risk management and security assurance through the identification, evaluation, treatment and management of strategic, operational and project security risks, ensuring decision makers have the necessary information at their fingertips to confidently manage their risk portfolio.

Features

  • Comprehensive risk management dashboard across the organisation's systems & services
  • Real-time reporting to highlight information risk & assurance status
  • Centralise your Governance, Risk Management, Data Protection and Security Assurance
  • Risk and Assurance tasks roadmap for upcoming deadlines and reviews
  • Drill down to specific services, view, mitigate, and sign-off risks
  • Flags upcoming deadlines, risk management progress and assurance status
  • Role-based access, including: separate access for DPOs or SIRO sign-off
  • Alerting integrations with email, Slack, and other services
  • Supports GDPR Compliance with DPIA screening and Information Asset Register
  • Detail on data types, security classifications and Records of Processing

Benefits

  • Continuously manage your risks with up-to-date Information Risk details
  • A holistic mechanism to manage risk & plan remedial actions
  • Clean & user friendly portal for Information Risk management
  • Enforce standardisation of risk recording and scoring
  • Smart alerts allow you to prioritize and manage risk effectively
  • Allows senior management to have summarized information useful for decision-making
  • Highly suitable for large and small organisations
  • Unlimited number of Users, Risk Managers, DPOs, SIROs, etc.
  • Significant resource and time savings due to continuous assurance activities
  • Suitable for OFFICIAL (including OFFICIAL-Sensitive) classified services

Pricing

£1200 per licence per year

  • Free trial available

G-Cloud 10

505299840779995

Falanx Cyber Ltd

Tom Evans

07525592168

GCLOUD@falanx.com

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: No
System requirements: NIL

User support

Email or online ticketing support: Email or online ticketing
Support response times: Securestorm can provide email support, Monday to Friday between 9am and 5pm, UK time, with a response within 24 hours.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: Web chat
Web chat support availability: 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard: None or don’t know
How the web chat support is accessible: Users can ask questions of the web chat operative available at that time.
Web chat accessibility testing: The web chat function is a third party service with unknown testing for accessibility.
Onsite support: Yes, at extra cost
Support levels: Securestorm provides free email support, Monday to Friday, 9am to 5pm, UK time, with a response within 24 hours, for the Nol-ij Standard subscription plan. The Managed and Enterprise subscription plans include a dedicated Support Manager, and phone support, Monday to Friday, 10am to 5pm, UK time. Securestorm can provide on-site support, configuration and consultancy, as part of a separate Cloud Support Service on the Digital Marketplace.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: Buyer organisation details and user accounts are created and set up as part of onboarding. Half a day of user training is provided within the Standard Plan. With the Managed Plan, two half-day user training packages are included, along with 2 half-day customisation packages. User documentation is available. Further on-site training can be provided separately via Cloud Support Services.
Service documentation: Yes
Documentation formats:
  • HTML
  • PDF
End-of-contract data extraction: Nol-ij has zero data lock-in. Request an export of your records at any time as a CSV or JSON file. With the Standard Plan, at the end of the contract or subscription period, access to the Nol-ij dashboard will be closed, and the data erased after 7 days. It is suggested that prior to the end date, any data to be retained is requested as an export, either in a CSV or JSON format. With a Managed Service Plan, the account manager will liaise with the Buyer to extract the required data, in the desired format, and securely transfer it to the Buyer.
End-of-contract process: Nol-ij has zero data lock-in. Request an export of your records at any time as a CSV or JSON file. With the Standard Plan, at the end of the contract or subscription period, access to the Nol-ij dashboard will be closed, and the data erased after 7 days. It is suggested that prior to the end date, any data to be retained is requested as an export, either in a CSV or JSON format. With a Managed Service Plan, the account manager will liaise with the Buyer to extract the required data, in the desired format, and securely transfer it to the Buyer.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install: No
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: Users can only use Nol-ij through the web interface. There are no limitations via the mobile interface, though it is suggested that to gain the best view of the dashboards, you should not use a mobile phone or small tablet.
Accessibility standards: WCAG 2.0 AAA
Accessibility testing: WCAG 2.0 AAA site checking service has been conducted against the platform's web interface.
API: Yes
What users can and can't do using the API: Nol-ij has a comprehensive API that can be configured. The Nol-ij API is organized around REST. It has predictable, resource-oriented URLs, and uses HTTP response codes to indicate API errors. Nol-ij uses built-in HTTP features, like HTTP authentication and HTTP verbs, which are understood by off-the-shelf HTTP clients. The API follows most conventions of RESTful architecture. Any requests which require authentication must always be authenticated, as our servers do not retain information from previous requests. Our routes are reliably simple and lack more than a few levels of nesting. All data sent to and from the API must be in JSON format.
API documentation: No
API sandbox or test environment: No
Customisation available: Yes
Description of customisation: A range of elements can be customised on the Nol-ij platform specific to the buyer's needs if required. The Nol-ij Managed and Enterprise subscription plans include a number of half-day customisation packages. Securestorm also provides consultancy and customisation services which can be purchased via the G-Cloud Support Services category.

Scaling

Independence of resources: Nol-ij is built on AWS cloud infrastructure and, as such, has been architected to scale on demand without affecting user services.

Analytics

Service usage metrics: No

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least every 6 months
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Nol-ij has zero data lock-in. Export your records at any time into CSV or JSON files.
Data export formats:
  • CSV
  • Other
Other data export formats: JSON
Data import formats:
  • CSV
  • Other
Other data import formats: JSON

Data-in-transit protection

Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: Nol-ij provides a 99.9% uptime guarantee. This means that for any given month, while unlikely, it is possible that Nol-ij may experience an average downtime of up to 2678 seconds excluding scheduled maintenance. If outages exceed a cumulative 2678 seconds in a month, Nol-ij will credit 4% of Your base monthly recurring fee for the affected account, per hour of downtime. THE TOTAL CREDIT ALLOWANCE PER MONTH IS CAPPED AT 100% OF THAT MONTH'S MONTHLY RECURRING FEE FOR THE AFFECTED ACCOUNT. This guarantee covers Nol-ij's internal infrastructure including application and database servers, routers, switches, the cables connecting them, and connectivity to our backbone providers. This guarantee does not cover email delivery. Scheduled Maintenance means any maintenance on the equipment and services that affect the uptime of Nol-ij, for which You are notified at least 24 hours in advance. Notice of Scheduled Maintenance will be provided to your account administrator email. Nothing in this agreement shall prevent Nol-ij from conducting emergency maintenance on an as-needed basis.
Approach to resilience: Nol-ij is built on AWS cloud infrastructure, and has been built to be resilient by design. Nol-ij mitigates database failures by storing your data in multiple databases, so if one database goes down the other databases can pick up the slack. Each change made to your database immediately propagates to these redundant versions. Having multiple databases won't help if they are all stored in a single location. One well-placed meteor landing and those databases are gone. Nol-ij uses AWS features like Auto-Scaling and Elastic Load Balancing to ensure that our production systems remain online and traffic is always routed to healthy instances. Nol-ij continuously replicates your data and has it ready to bring online if any primary nodes fail. Nol-ij stores physical backup files in a separate location from the servers as a final safeguard in case of major catastrophe. These backups are made daily and are encrypted using AES-256 encryption keys.
Outage reporting: Email alerts will be provided for any scheduled or unscheduled downtime. In the event that scheduled maintenance may unduly affect Your operations, it shall be Your responsibility to so notify your Nol-ij account manager.

Identity and authentication

User authentication needed: Yes
User authentication:
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Other user authentication: Nol-ij uses encrypted password technology, so that only authenticated users can access it. Advanced Logins - Integrate your Active Directory or LDAP users for Single Sign On to limit access to your established users. IP Blocking - Optionally restrict access to your app to specific IP addresses or IP blocks. Nol-ij is designed so that each logged-in user can only access the records that are connected to them.
Access restrictions in management interfaces and support channels: Securestorm management access to Nol-ij is strictly controlled and permission only given to carry out specific tasks. Every access request to your data by a Securestorm employee is logged and time-stamped. We can confirm exact access by the Securestorm team to any data in the unlikely case that this log is needed. Support Access - The Securestorm team will sometimes need to access your data for support services. We only do this at your request and when necessary to resolve the issue.
Access restriction testing frequency: At least every 6 months
Management access authentication:
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: Between 6 months and 12 months
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: Between 6 months and 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: EY CertifyPoint
ISO/IEC 27001 accreditation date: 11/11/2016
What the ISO/IEC 27001 doesn’t cover: The Amazon Web Services ISO27001 certification includes the infrastructure that the Nol-ij Platform is built on. The Nol-ij platform, however, is not included within the ISO27001 certification scope.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: Yes
Who accredited the PCI DSS certification: Coalfire Systems, Inc.
PCI DSS accreditation date: 25/01/2018
What the PCI DSS doesn’t cover: The Amazon Web Services (AWS) PCI DSS certification covers the AWS infrastructure that the Nol-ij platform is built on. The Nol-ij platform is not covered by the certification scope.
Other security certifications: Yes
Any other security certifications:
  • Cyber Essentials
  • Assured by a Government Organisation
  • National Cyber Security Centre certified Cyber Security Consultancy

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards:
  • CSA CCM version 3.0
  • ISO/IEC 27001
  • Other
Other security governance standards: Securestorm is Cyber Essentials certified. The underlying infrastructure is provided by Amazon Web Services, who are: ISO27001:2013, PCIDSS, CSA CCM, SOC2, BSI C5 and Cyber Essentials certified.
Information security policies and processes: Securestorm has implemented an Information Security Policy, including: Data Protection and Privacy, Classifications, Backup and Recovery, Encryption, Data Erasure and Destruction, Change Management and Testing. All processes that staff are required to follow are detailed in the Securestorm Employee Handbook. All security issues are reported to the Securestorm CISO.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Securestorm tracks and records all changes to Nol-ij. Any changes are assessed prior to approval to implement, and the details documented. The change is then tracked from backlog, through the development phases, through to implementation in Live. Infrastructure is provided by Amazon Web Services - See AWS SOC2 Report, September 2016, CC7.4. See also AWSCA-6.1 - Applies a systematic approach to managing change.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Securestorm runs Continuous Technical Security Vulnerability Assessments monthly against Nol-ij. Any issues are immediately raised with the development team. If it is an infrastructure issue, then it is raised with AWS. Infrastructure is provided by AWS - See AWS SOC2 Report, September 2016, CC3.1, CC6.1, CC7.4.
Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach: Infrastructure is provided by AWS - See AWS SOC2 Report September 2016, CC3.1, CC6.2, CC7.4.
Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach: AWS provides a robust platform that is not only pre-built to mitigate some attacks, but it also allows Nol-ij to react quickly to spread out impact if there is an attack. Infrastructure is provided by AWS - See AWS SOC2 Report September 2016, CC3.1.

Secure development

Approach to secure software development best practice: Supplier-defined process

Public sector networks

Connection to public sector networks: No

Pricing

Price: £1200 per licence per year
Discount for educational organisations: No
Free trial available: Yes
Description of free trial: A one month free trial of the full service can be provided.

Documents

Pricing document: View uploaded document
Service definition document: View uploaded document
Terms and conditions document: View uploaded document