Gradian Systems Ltd

Symantec's SEP Mobile

SEP Mobile offers the most comprehensive, accurate and effective mobile threat defense solution, delivering superior depth of threat intelligence to predict and detect an extensive range of existing and unknown threats. SEP Mobile’s uses a layered approach that leverages crowd-sourced threat intelligence, in addition to both device- and server-based analysis.


  • Identification and protection from suspicious networks and malicious developers
  • Public mobile app helps protect privacy and productivity
  • Rapid on-boarding with native iOS and Android apps
  • Automated IT policy enforcement via integration with existing enterprise EMM
  • Superior visibility into mobile vulnerabilities and threats and attacks
  • Defense against zero-day attacks
  • Discovering high volumes of novel vulnerabilities and threats
  • Proactive defense without third party integration
  • Engines to detect no compliance situations on App and devices


  • Rapid on-boarding with native iOS and Android apps
  • Identification and protection from suspicious networks and malicious developers
  • Automated IT policy enforcement
  • Provide visibility into mobile vulnerabilities, threats and attacks
  • Capability to detect no-compliant situation, make a correction action
  • Proactive defense against threat without third party integration
  • Minimum impact over device resources
  • Device risk score based on inventory, patch level, vulnerabilities
  • Detect and block vulnerabilities exploitation
  • Automated risk and threat detection and remediation


£39.28 per user

  • Free trial available

Service documents


G-Cloud 11

Service ID

5 6 1 7 7 8 2 6 7 6 6 3 7 6 3


Gradian Systems Ltd

Neil Buckley

01276 534771

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints None.
System requirements
  • From IOS 8.x up to the last version
  • From Android 4.x up to the last version

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Please see Gradian Support Guide attached.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support No
Support levels Please see Gradian's Support Guide attached.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started Gradian possess the skills and support to configure, deploy, support and run this service on your behalf. These services can be found under Gradian's Professional Service and Gradian's Managed Configuration Service. Alternatve support options can be found under Gradian's Technical Account Service Plan (T.A.S.P) and Gradian Support for Symantec Products.
Service documentation Yes
Documentation formats Other
Other documentation formats PowerPoint
End-of-contract data extraction Users can extract data, incidents, events or assets, from the service using different secure ways or integrations during the service life. After 30 days of service termination, any user data will be deleted.
End-of-contract process 30 days after the end of the contract the user / buyer's instance and its data will be deleted. There is no additional cost.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install Yes
Compatible operating systems
  • Android
  • IOS
Designed for use on mobile devices Yes
Differences between the mobile and desktop service This service is designed to work on mobile devices
Service interface Yes
Description of service interface The service provides detection and protection capabilities against malware and risk on mobile devices. End User can access to mobile app to check the security posture through Dashboard, and also review security alerts. Also, the service provides the option to not allow
end user interaction.
Accessibility standards None or don’t know
Description of accessibility The service provides the option to not allow end user interaction.
Accessibility testing N/A
What users can and can't do using the API The service provides a REST API which allows to get information regarding security events, security incidents and risk situations.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The buyer can customize End user message, alerts and interface to choose what information will show to the end user. Also the buyer logo could include on specific screens.


Independence of resources COME BACK


Service usage metrics Yes
Metrics types It provides information regarding enrolled users and devices.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Symantec's

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach There are several choices on the product console to export incidents or devices information through CVS file. Also a REST API, and third party integration - SIEMS, allows to export specific data.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability SLA commitment for the service is an uptime of 99.5%. “Service Credit” means the amount of money that will be credited to Customer’s next invoice after submission of a Credit Request and validation by Symantec that a credit is due to Customer. Please check the following doc for extended information.
Approach to resilience It's available on request. Regardless, our SEP Mobile service is running on AWS datacenter which are designed to be resilient. Each critical server in SEP Mobile's cloud environment is backed by either duplicate multiple instances or a slave node to which failover can be performed, ensuring minimal system downtime in case of a critical failure. The automatic failover process is triggered by Engine Yard infrastructure after it has been determined that a component is unable to reliably respond to requests. The impact on end user experience in cases of downtime is also minimal. There will not be any visible impact on the functionality of users’ mobile devices, rather, only a delay in some of the alert notifications in cases where the user experienced an attack during the downtime event. Database backups of SEP Mobile's production system are taken daily and prior to any major upgrade or configuration change to SEP Mobile's production environment. Backups are stored in an encrypted format and allow, in the event of a disaster, the creation of a replica environment within a minimal period of time. Disaster recovery scenarios are tested periodically by the SEP Mobile's operations team.
Outage reporting Email alerts and also Symantec Status page,"

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels Access to SEP Mobile's production servers or their managing interfaces (e.g. Engine Yard’s management console) is restricted to SEP Mobile's operations and support personnel and a small number of SEP Mobile's R&D team members, who require this access to perform their duties. Access to these systems is controlled via a two-factor authentication process. Access controls to production servers are reviewed every six months at a minimum.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 1 month and 6 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 1 month and 6 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 ISO 27001 and FISMA certified data centers managed by Amazon
ISO/IEC 27001 accreditation date Managed by amazon
What the ISO/IEC 27001 doesn’t cover SEP Mobile uses ISO 27001 and FISMA certified data centers managed by Amazon
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Uses PCI-compliant 3rd-party services (Stripe) to manage credit card transactions
PCI DSS accreditation date Stripe
What the PCI DSS doesn’t cover Skycure uses PCI-compliant 3rd-party services (Stripe) to manage credit card transactions, and does not store or see any credit card information. For more info about Stripe’s security, go to:
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach SEP Mobile has assigned Yair Amit, SEP Mobile CTO and co-founder as its Information Security Officer. The security officer’s main responsibility is protecting the confidentiality, integrity, and availability of SEP Mobile's data and computing assets. Other key responsibilities include: • Product security architecture and strategy • Vulnerability management • Security incident response • Risk assessment and audit • Security awareness • Periodic review of information security policy SEP mobile's performs regular risk assessments. Security policy can be provided if is needed.
Information security policies and processes SEP Mobile has specific security policy which defined the following processes which are followed: 1) INFORMATION ACCESS CONTROL MANAGEMENT - which includes : Customer Environment Access, Access to Production Servers, Data Segmentation between Organizations, Network Access, Billing, Vendor Management 2) HUMAN RESOURCES SECURITY MANAGEMENT - which includes : Background Checks, Security Training, Off-boarding, 3) PHYSICAL SECURITY MANAGEMENT- which includes: Data Center and offices 4) OPERATIONS MANAGEMENT - which includes: Development and Testing, Malware Mitigation, High Availability, Disaster Recovery and Database Backup, Data Retention and Destruction, Data Archive, Network Security, Monitoring, 5) RISK ASSESSMENT AND MANAGEMENT 6) INFORMATION SYSTEMS SECURITY MANAGEMENT - which includes: Password and Authentication Controls, Laptop Security Controls, Mobile Device Security Controls, Vulnerability Management, Source Code Controls, Incident Reporting and Management, Exception Procedure, Disciplinary Action, Policy Review

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All code changes being deployed to production undergo a mandatory code review as well as an automatic inspection process. Configuration changes are managed and documented by the SEP Mobile DevOps team.
Vulnerability management type Supplier-defined controls
Vulnerability management approach SEP Mobile cloud servers use the Gentoo Linux distribution. The Gentoo Foundation demonstrates their security commitment by frequently updating their host operating system to address security issues. In addition, SEP Mobile's security officer receives periodic notifications from various information security resources and SEP Mobile's operations personnel runs a periodic vulnerability scan on SEP Mobile's production servers. When a threat is discovered, an assessment of its impact is performed and mitigation steps are planned and implemented by the SEP Mobile R&D team. Critical vulnerabilities are mitigated within a period of 30 days.
Protective monitoring type Supplier-defined controls
Protective monitoring approach SEP Mobile uses multiple internal and 3rd-party tools for monitoring its production environment and protecting it against potential threats or errors: An internal notification mechanism is in place to alert SEP Mobile's operations and support teams on different anomalies detected in production. New Relic analytics tool is configured to continuously monitor SEP Mobile's production environment status An Airbrake error reporting tool is installed on SEP Mobile's production servers and alerts on different issues detected. An internal production monitoring dashboard aggregates information from SEP Mobile's multiple systems. SEP Mobile also operates a support ticketing
Incident management type Supplier-defined controls
Incident management approach Customers will be notified by SEP Mobile team once an incident that potentially impacts them has been confirmed. As the incident investigation proceeds, customers will receive proactive updates on the nature of the incidents and its impact on them. If an actual security breach occurs, actions will be taken. Additionally, there is a pre-defined process to handle common events. Detailed information regarding the process can be provided if it is required.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £39.28 per user
Discount for educational organisations No
Free trial available Yes
Description of free trial The trial version is exactly the same as production one. The trial should be requested to Gradian sales.

Service documents

Return to top ↑