Grey Monarch Limited

ProfileTailor™ Dynamics

ProfileTailor™ Dynamics provides continuous security monitoring, audit and controls of your SAP systems. Cleanse authorizations, sensitive activity and Segregation of Duties (SoD) violations. Control SAP access. Detect potential fraud, data theft and cyber attack. Automate security processes such as Joiner, Mover, Leaver and Emergency Access.


  • SAP Continuous Security Monitoring and Controls
  • Out of the box Segregation of Duties best practice ruleset
  • SAP Authorization user and role cleansing
  • High risk and sensitive access and activity monitoring
  • Workflows to automate security processes such as Emergency Access
  • Starter, Mover, Leaver Automation
  • SAP HR / HCM Monitoring
  • Fraud, Data Theft, Cyber Attack Detection


  • Ultra fast clean-up of SAP user authorizations and roles
  • Immediate notification of all Segregation of Duties violations
  • Immediate notification of users with access to high risk transactions
  • Immediate notification of real usage of high risk transactions
  • Automate Starter/Mover/Leaver processes using workflows across platforms
  • Emergency Access automation and auditing
  • Self-Service Password Reset
  • Automate and audit the re-certification of user authorizations
  • Quickly remove all redundant roles and authorizations
  • Protect yourself against data theft, cyber attack and fraud


£1250 to £2000 per instance per month

  • Education pricing available

Service documents

G-Cloud 9


Grey Monarch Limited

David Lloyd

0844 736 5879

Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints No
System requirements None, this is a fully hosted Software as a Service

User support

Email or online ticketing support Email or online ticketing
Support response times Standard support is 8am to 6pm Mon-Fri with a response time of 2 hours.
Out of hours support (evenings and weekends) can be supplied at an extra cost.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels The standard support level supplied inclusive within the SaaS offering is 8am to 6pm Mon-Fri.
Out of hours support can be provided for an additional fee of £10 per day. A Technical account manager is also assigned to each customer account.
Support available to third parties Yes

Onboarding and offboarding

Getting started Training is included within the service which is typically a one day course.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Data can be downloaded to CSV or Excel.
End-of-contract process The monthly subscription fee includes all of the hardware, software, maintenance and support. Additional 'deep-dive' modules can be provided for an extra fee. These would cover environments such as SAP HR/HCM and SAP BI.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Normal administrator use would be through a desktop browser; however, mobile device support is provided for workflows and would typically be used to complete approval (or sign-off) steps on a mobile device.
Accessibility standards None or don’t know
Description of accessibility Our service is only accessible using standard Operating System and Browser accessibility and assistance features.
Accessibility testing Only very limited testing using standard browser accessibility features.
What users can and can't do using the API The API can be used to trigger workflows and events within ProfileTailor™ Dynamics; for instance, when you add a new employee to your HR system, it could call the ProfileTailor API to provision a new SAP user account for that employee.
API documentation Yes
API documentation formats Other
API sandbox or test environment Yes
Customisation available Yes
Description of customisation ProfileTailor™ Dynamics Software as a Service is provided as single tenancy, allowing users to fully customize the solution. Customizations include Segregation of Duties rulesets, alerting and events, and custom reports.


Independence of resources Yes. Each customer is 100% single tenancy (private cloud)


Service usage metrics Yes
Metrics types Full audit trails of user activity within the product are provided as standard.
Reporting types Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach In-house
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach Users can directly export data to CSV or Excel
Data export formats
  • CSV
  • Other
Other data export formats Excel
Data import formats
  • CSV
  • Other
Other data import formats Excel

Data-in-transit protection

Data protection between buyer and supplier networks Private network or public sector network
Data protection within supplier network
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network Microsoft dedicated network protection

Availability and resilience

Guaranteed availability 99.95% up-time. Lack of availability owing to customer-side connectivity issues and customer system downtimes is not taken into account with regard to SLAs.
Approach to resilience Resilience is built in at various levels including physical nodes, storage controllers, disks, internet connectivity, remote access and firewalls. Each area is quite detailed and can be provided upon further request.
Outage reporting Dashboards and email alerts.

Identity and authentication

User authentication needed Yes
User authentication
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels Secure VPN, Server level username/password, Application level username/password
Access restriction testing frequency At least once a year
Management access authentication
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 LRQA and ASA
ISO/IEC 27001 accreditation date LRQA Sept 2016, ASA Jan 2013
What the ISO/IEC 27001 doesn’t cover N/A
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Nettitude
PCI DSS accreditation date May 2016
What the PCI DSS doesn’t cover Platforms that do not handle card holder data are not covered.
Other security accreditations No

Security governance

Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Our full IT Security Policy document is available upon request, but the essential principles are:
  • All IT Systems are to be protected against unauthorised access.
  • All data stored on IT Systems are to be managed securely in compliance with all relevant parts of the Data Protection Act 1998.
  • The responsibility for the security and integrity of all IT Systems and the data stored thereon (including, but not limited to, the security, integrity and confidentiality of that data) lies with the IT Department unless expressly stated otherwise.
  • All IT Systems are to be installed, maintained, serviced, repaired and upgraded by Grey Monarch Technical Services (the “IT Department”) or by such third party/parties as the IT Department may from time to time authorise.
  • All breaches of security pertaining to the IT Systems or any data stored thereon shall be reported and subsequently investigated by the IT Department and, if necessary, escalated to the IT Director.
  • All Users must report any and all security concerns relating to the IT Systems or to the data stored thereon immediately to the IT Department, with escalation to the IT Director if necessary.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach All components, hardware and software, can be identified by their version number, release number and modification level. The software architecture allows for hot patching whereby extremely focused updates can be applied without affecting other components within the system. Any changes are subject to our change control procedures and are tested within development and QA environments before being applied to any production environments. Scheduled maintenance will be required at regular intervals. Scheduled maintenance is excluded from any service availability.
Vulnerability management type Supplier-defined controls
Vulnerability management approach The ProfileTailor™ Dynamics service infrastructure is ISO27001 certified and, as such, is subject to continual assessment to ensure that vulnerabilities are identified, risk assessed and treated/patched accordingly. Patches are prioritized according to risk and relevance to the service. Critical patches are typically applied within 24 hours of being available.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach The ProfileTailor™ Dynamics service infrastructure undergoes continual Security Incident and Event Monitoring (SIEM) according to CESG and ISO27001 best practices. This monitoring is provided by a mixture of automated and manual monitoring and analysis. Incidents and any potential compromises are assessed and responded to according to their risk assessment. Critical incidents are responded to immediately.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Pre-defined processes exist for common events. All incidents, whether internally identified or reported by users, are logged within our ticketing management system. Reported incidents are initially analysed and risk assessed. Either preventative measures or patches/fixes will be applied according to the severity and scope of any incident. Critical incidents will be escalated accordingly. Reports will be provided via email or telephone where appropriate and where the incident is of a high-risk nature.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks Yes
Connected networks Public Services Network (PSN)


Price £1250 to £2000 per instance per month
Discount for educational organisations Yes
Free trial available No

