Galvanize Solution for Governance, Risk Management & Compliance (HighBond GRC Platform).
The HighBond Platform provides Governance, Risk and Audit Management and Compliance assurance (and applicable training services) around delivery of Government programs, to ensure that spend with beneficiaries, third parties and vendors is effective and efficient. The platform is utilised by 500+ public sector organisations, including Government Departments, agencies and local government.
- Apply objectivity via data to identify risks.
- Execute assessments to ensure controls are effective and risks mitigated.
- Raise issues, assign actions, review progress and automate reminders.
- Your data can be automatically sliced, diced and disseminated.
- Engage stakeholders for third-party compliance, customer complaints or an incident hotline.
- Any flagged record from analytics/surveys can be actioned for response/remediation.
- Integrate analytics results into audits, compliance reviews or risk assessments.
- Assess current versions of standards, regulations, policies or legal obligations.
- Work offline and sync later where internet is unavailable.
- Create dashboard views with executive narratives across programs or agencies.
- It's easy to adopt and configure so there's rapid ROI.
- Can study disparate, complex agency operations in a normalized view.
- Customers are always on the latest and only software version.
- Easy to access and collaborate, teams gain efficiency, expand coverage.
- Galvanize manages the infrastructure and software, so there are no IT blockers.
- Library of on-demand resources to support beginners and advanced users.
- Single entry point to access the service or learning ecosystem.
- Integrate data or surveys in audit, risk or compliance assessments.
- Galvanize and Amazon exceed SOC 2 and ITGC compliance standards.
- Galvanize drives user adoption through great design and crisp performance.
£15000.00 per licence per year
- Education pricing available
02039 00 1288
|Software add-on or extension||No|
|Cloud deployment model||Public cloud|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Within 24 hours or less. Weekends: can be up to the next working day.|
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||WCAG 2.1 A|
|Phone support availability||24 hours, 7 days a week|
|Web chat support||Web chat|
|Web chat support availability||24 hours, 7 days a week|
|Web chat support accessibility standard||WCAG 2.1 A|
|Web chat accessibility testing||We run automated testing.|
|Onsite support||Yes, at extra cost|
24x7 support for all clients at no extra cost, included in licence fees. Technical account manager (Customer Intensity
|Support available to third parties||No|
Onboarding and offboarding
|Getting started||Clients generally begin with tailored on-site training delivered by our customer success team. This is complemented or supplemented by online training delivered through Galvanize's e-learning academy (no additional cost for licensed users). Comprehensive help documentation is available at www.wegalvanize.com/training-and-enablement/|
|End-of-contract data extraction||The customer has the ability to back up/export their data from Projects in zip format; more details here: https://help.highbond.com/helpdocs/projects/current/user-guide/en-us/Content/projects/concluding_maintaining/backing_up_and_exporting_projects.html|
|End-of-contract process||Highbond will retain your data for a period of 60 days after subscription termination to allow time for data extraction via the backup/export function.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||No differences|
|What users can and can't do using the API||Customers can use public API access via public tokens to programmatically access their GRC data.|
|API documentation formats||Other|
|API sandbox or test environment||No|
|Independence of resources||Processing capacity is monitored on an ongoing basis, and it can be increased rapidly if needed using the underlying elastic cloud-based architecture.|
|Service usage metrics||No|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||European Economic Area (EEA)|
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||Physical access control, complying with SSAE-16 / ISAE 3402|
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||The customer has the ability to backup/export their data from Projects in zip format; more details here; https://help.highbond.com/helpdocs/projects/current/user-guide/en-us/Content/projects/concluding_maintaining/backing_up_and_exporting_projects.html|
|Data export formats||Other|
|Other data export formats||
|Data import formats||Other|
|Other data import formats||Excel|
|Data protection between buyer and supplier networks||
|Other protection between networks||
|Data protection within supplier network||
|Other protection within supplier network||Galvanize HighBond is delivered over TLS using cipher suites of up to AES-256 (transport encryption; protection of data at rest is described above under "Protecting data at rest" as physical access control).|
Availability and resilience
SLA details can be found here under Schedule A;
|Approach to resilience||HighBond GRC uses primary/replica replicated database servers and redundant attachment storage across data centres within each geographical region.|
|Outage reporting||Systems are monitored for availability and performance using automated monitoring and alerting. https://status.highbond.com/ contains availability history, and customers can subscribe to email alerts.|
Identity and authentication
|User authentication needed||Yes|
|User authentication||Username or password|
|Access restrictions in management interfaces and support channels||Only HighBond DevOps team members and HighBond production support personnel have access to HighBond GRC production systems, following the principle of least privilege. Technical controls include usernames, passwords, IP allow-listing, OTP and asymmetric
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||Other|
|Other security governance standards||FedRAMP standards are complied with. SOC 2 standards are complied with. Aligned with ISO 27001 and working towards full certification.|
|Information security policies and processes||An Information Security Management Program is implemented that includes administrative, technical and physical safeguards to protect assets and data from loss, misuse, unauthorised access, disclosure, alteration and destruction. The security program consists of risk management, asset management, security policies, HR policies, operational procedures, access control and communications. Incident management is performed through the alerting, categorisation, handling, escalation and communication of incidents. HighBond has a communications plan in place to notify both internal employees and external customers during an incident response. Quarterbacks are established to coordinate communications over an incident period.|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||An SDLC methodology is followed in which all features are defined, designed, developed, tested and deployed. Multiple iterations of building and testing are performed through the SDLC lifecycle (including security checklists, peer review, formal security QA both automated and manual, and static code analysis) across development, staging and production environments. The change management process ensures consistent code quality and security for each change deployed to production.|
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||HighBond performs weekly vulnerability scanning and remediates findings based on severity using CVSS scores. Weekly blue/green deployments allow patches to be deployed into the environment continuously.|
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||HighBond has developed procedures for monitoring HighBond GRC systems for performance, availability and security-related events. System logs from HighBond GRC production systems are continuously monitored, and any anomalies are investigated promptly by the HighBond production operations team. Processing capacity is monitored on an ongoing basis, and it can be increased rapidly if needed using the underlying elastic cloud-based architecture.|
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||An incident response process has been defined to ensure timely and effective identification of, and response to, security-related incidents. All actions taken during the incident response process are documented and reviewed to ensure continuous improvement. Operations and support personnel follow defined protocols for resolving and escalating reported events according to the incident response process. Internal and external users are informed of incidents in a timely manner on a need-to-know basis. Users are notified as needed via various collaboration tools.|
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||No|
|Price||£15000.00 per licence per year|
|Discount for educational organisations||Yes|
|Free trial available||No|