Nettitude Limited

STREAM PCI DSS Application

Users of STREAM are able to plan and coordinate their PCI DSS compliance programmes, record compliance and schedule checks for maintaining compliance. The RoC can be populated automatically from data held in the STREAM database, and STREAM’s extensive reporting capability provides compliance views, with analysis, against the PCI DSS clauses and milestones.

Features

  • Measure and report on compliance for specific payment channels
  • Collate PCI DSS evidential checks and documentation
  • Automatically schedule future checks with email reminders
  • Raise, assign and track actions for remediation with reminders
  • Automatically generate the Report on Compliance (RoC)
  • Single-user or multi-user Enterprise deployment
  • Status information on risks, controls, vulnerabilities, incidents and events
  • Track overdue actions, assessments and approvals
  • Assign responsibilities

Benefits

  • Improve staff productivity
  • Reduce the time required to gather, collate and report on compliance
  • Avoid the risk of lapsed compliance from missed assessments
  • Reduce the risk of incidents resulting from non-compliance
  • Save costs associated with incident response, direct losses and reputational damage
  • Reduce the cost of compliance audits
  • Have up-to-date PCI DSS compliance status information
  • Compliance status information available on demand

Pricing

£35 per user per month

  • Free trial available

Service documents

Framework

G-Cloud 11

Service ID

574342822616888

Contact

Nettitude Limited

Jazz Bhambra

0345 5200085

jbhambra@nettitude.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
The STREAM service consists of a rich client running on the application server and distributed over the network via one of two virtualisation platforms: Ericom Connect ('Ericom') or Microsoft Remote Desktop Web Access ('RemoteApp'). Ericom offers the best performance and compatibility with all client networks but does not allow direct linking to client-side resources. RemoteApp permits direct linking to client-side resources but often requires explicit authorisation through client network firewalls.
System requirements
  • Ericom: HTML5-capable browser
  • RemoteApp: Windows OS with HTML5-capable browser
  • RemoteApp: Android, iOS, Mac OS with Remote Desktop Client app

User support

Email or online ticketing support
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
All STREAM service subscriptions include the same support level.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
  • Initial setup with power user accounts for designated customer contacts
  • Handover email to designated contacts with instructions for first login and further user creation
  • Optional run-through of the system over the phone
  • Further resources available self-service (online training videos, user manual and other written references)
Service documentation
No
End-of-contract data extraction
The customer should request a backup of their SQL Server database from our support desk. The database backup (a BAK file) will be made available to the customer via a secure file transfer method.
End-of-contract process
Provided 60 days' notice is given prior to contract termination, no additional costs are incurred at the end of the contract. Failure to provide 60 days' notice prior to termination commits the buyer to another year's subscription.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Ericom option: no difference, mobile access is through the web browser. RemoteApp option: mobile access is through the Remote Desktop Client app.
Service interface
No
API
No
Customisation available
Yes
Description of customisation
The following can be customised as standard:
  • User accounts, user roles and permissions on the organisation tree
  • Tree structure for organisation risk registers and assets
  • Additional tree views ('virtual trees')
  • Assets and linking of assets to the relevant part(s) of the tree
  • Risk and control frameworks
  • Risk and control assessment schemes
  • Relationships between risks, controls and assets
  • Configurable fields and settings for Risks, Controls, Assets, Events, Actions and Documents objects
  • Automations for risk and control identification, risk and control assessment, activity scheduling and object referencing
  • Custom Reports (tabular reports based on a Risks, Controls, Assets, Events or Actions object and data from linked objects)
All of the above is configurable in the STREAM user interface. Access to the relevant configuration screens is subject to user permissions.

Scaling

Independence of resources
Acuity Cloud base infrastructure consists of a multi-tenanted virtual Microsoft Active Directory (AD) domain using AD Organisational Units (OUs) to isolate tenants. A multi-tenanted virtual SQL Server farm back-end provides hosting for the STREAM databases. Application servers are dedicated to individual clients and provide access to the STREAM application, related applications and file sharing. Group Policy and other techniques are used to harden application server security and prevent access to administrative functions.

Analytics

Service usage metrics
No

Resellers

Supplier type
Reseller providing extra support
Organisation whose services are being resold
Consultancy expertise

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Managed by a third party
Penetration testing frequency
Less than once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Users may export the data in CSV format using the "Export" button available in the STREAM user interface as standard, or in XLS format using special STREAM utilities which may be set up on request.
Data export formats
  • CSV
  • Other
Other data export formats
XLS
Data import formats
  • CSV
  • Other
Other data import formats
XLS

Data-in-transit protection

Data protection between buyer and supplier networks
Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
Hosting portal availability: 99.9%. STREAM application faults are classified into priority levels as follows:
  • Critical (severe business impact): initial response 30 minutes, target resolution 4 hours
  • High (high business impact): initial response 1 hour, target resolution 8 hours
  • Medium (moderate business impact affecting only non-business-critical applications or business processes): initial response 1 hour, target resolution 72 hours
  • Low (limited business impact affecting only non-business-critical applications or business processes): initial response 2 hours, target resolution 240 hours
Response times apply during UK business hours, Mon-Fri 09:00-17:30. No refunds are provided on failure to meet the SLA, but the service subscription period may be extended as appropriate after review with the customer.
Approach to resilience
The Private Cloud is hosted on multiple hardware clusters with automatic failover. The Base Infrastructure is distributed across independent hardware clusters to provide continuity in the event of an entire single cluster failing. All individual hardware components used to build clusters and other infrastructure are fully fault-tolerant, including servers, storage, switches and other devices. Fault-tolerant features include, but are not limited to, hardware RAID, dual PSU, dual CPU and multiple RAM. Bench stock is retained as hardware backup. All hardware clusters have multiple independent paths of connectivity and power.
Outage reporting
We send Reason For Outage (RFO) reports by email as part of our incident management process.

Identity and authentication

User authentication needed
Yes
User authentication
Public key authentication (including by TLS client certificate)
Access restrictions in management interfaces and support channels
A self-service User Management interface is provided for managing user accounts on the service. Access to User Management is restricted to designated users and managed through dedicated Active Directory groups. Configuration of STREAM application contents and logic is managed from within the application and subject to user permissions. Support channels: email, phone.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Hosting Supplier Handstand: Accredited by BMTRADA; 4D-Datacentre: Accredited by NQA
ISO/IEC 27001 accreditation date
24/06/15; 14/05/16
What the ISO/IEC 27001 doesn’t cover
STREAM back office administration
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
PCI DSS compliant data centre

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
We follow ISO27001 principles
Information security policies and processes
We follow ISO27001 principles

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Changes are managed as service requests on an internal ticketing system. Service request tickets are linked to the appropriate asset(s) in the configuration management database (CMDB) and tracked until implementation and documentation are complete.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Physical host and virtual machine operating system critical and security patches will be applied within 30 days of release. Other patches will be applied within 90 days of release. We subscribe to all the well-known vulnerability feeds and Microsoft update alerts.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
An intrusion detection system (IDS) is in place on our firewall clusters, with host-based IDS on the host machines. Email or SMS alerts are sent when suspicious activity is detected on monitored systems. We also take into account incident reports from end users or staff members when they suggest any unusual activity. As soon as suspicious activity is detected, we log in to investigate the affected systems as a matter of priority and take action where required.
Incident management type
Supplier-defined controls
Incident management approach
Incidents are defined as occurrences of events with potential to compromise information security on the host infrastructure. Information security incidents are logged as soon as detected and tracked until adequate resolution and closure. Incident management workflow: detection > logging > containment > remediation > root-cause analysis > security review > planning of improvements and preventive actions to protect against recurrence > incident closure. When appropriate, a Reason for Outage report (RFO) is generated and sent to users by email.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£35 per user per month
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
A one-month full trial period is offered with access for 2 concurrent users; if the software is not purchased, the database will be wiped.
