Caretower Ltd.

Symantec SEP Mobile

SEP Mobile offers the most comprehensive, accurate and effective mobile threat defense
solution, delivering superior depth of threat intelligence to predict and detect an extensive range
of existing and unknown threats. SEP Mobile’s uses a layered approach that leverages crowdsourced
threat intelligence, in addition to both device- and server-based analysis.


  • Identification and protection from suspicious networks and malicious developers
  • Public mobile app helps protect privacy and productivity
  • Rapid on-boarding with native iOS and Android apps
  • Automated IT policy enforcement via integration with existing enterprise EMM
  • Superior visibility into mobile vulnerabilities and threats and attacks
  • Defence against zero-day attacks
  • Discovering high volumes of novel vulnerabilities and threats
  • Proactive defence without third party integration
  • Engines to detect no compliance situations on App and devices


  • Rapid on-boarding with native iOS and Android apps
  • Identification and protection from suspicious networks and malicious developers
  • Automated IT policy enforcement
  • Provide visibility into mobile vulnerabilities, threats and attacks
  • Capability to detect no-compliant situation, make a correction action
  • Proactive defence against threat without third party integration
  • Minimum impact over device resources
  • Device risk score based on inventory, patch level, vulnerabilities
  • Detect and block vulnerabilities exploitation
  • Automated risk and threat detection and remediation


£25.79 to £26.87 per device per year

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 10


Caretower Ltd.

Davide Poli


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints The service is supported from IOS 8.x and Android 4.x up to the last version
System requirements
  • From IOS 8.x up to the last version
  • From Android 4.x up to the last version

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Support is available on a twenty-four (24) hours/day by seven (7) days/week basis to assist
Customer with configuration of the Service features and to resolve reported problems with the
Service. The respond time is going to depend based on the incident criticality, - Critical 1
business hour* or less - High 8 business hours* or less - Medium 2 business days - Low 10
business days
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Web chat
Web chat support availability 24 hours, 7 days a week
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Chat with an agent allows to open support case, and talk about non-technical question
Web chat accessibility testing None
Onsite support Yes, at extra cost
Support levels The product will come with standard support included as part of the services and includes online
support via our portal. In addition, if purchased directly from Symantec a remote cloud specialist
will be assigned to provide an account management style support. If purchased through a 3rd
party the remote cloud specialist is not provided and this would need to be provided by the third
party. For large (+10,000 users) and complex estates there is the possibility to purchase Business
Critical Services. This level of services can be bespoke to customer needs and will start from
approximately £20,000 per annum.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started There is a specific team which main function is to help users to make the initial setup,
configuration and deployment, ramp up, and get the end user satisfaction. Additionally,
professional services can help on-site in those complex integrations or those tasks that the
Ebuyer would be not able to do by itself with the previous team support
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Users can extract data, incidents, events or assets, from the service using different secure
ways or integrations during the service life. After 30 days of service termination, any user
data will be deleted.
End-of-contract process 30 days after the end of the contract the user / buyer's instance and its data will be deleted.
There is no additional cost

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install Yes
Compatible operating systems
  • Android
  • IOS
Designed for use on mobile devices Yes
Differences between the mobile and desktop service This service is designed to work on mobile devices
Accessibility standards None or don’t know
Description of accessibility The service provides detection and protection capabilities against malware and risk on
mobile devices. End User can access to mobile app to check the security posture through
Dashboard, and also review security alerts. Also, the service provides the option to not allow
end user interaction.
Accessibility testing Don't know
What users can and can't do using the API The service provides a REST API which allows to get information regarding security events,
security incidents and risk situations.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The buyer can customize End user message, alerts and interface to choose what
information will show to the end user. Also the buyer logo could include on specific screens.


Independence of resources SEP Mobile is elastic cloud service running on Symantec layer over AWS cloud
infrastructure, which can satisfy end users demands. The service is currently provided to
thousands of user without any performance impact, and escalating perfectly well for new
buyers, or end users.


Service usage metrics Yes
Metrics types It provides information regarding enrolled users and devices.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports


Supplier type Reseller providing extra support
Organisation whose services are being resold Symantec

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach There are several choices on the product console to export incidents or devices information
through CVS file. Also a rest API, and third party integration - SIEMS, allows to export specific
Data export formats
  • CSV
  • Other
Other data export formats
  • XML
Data import formats
  • CSV
  • Other
Other data import formats EMM Integration which provides user and device data

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability SLA commitment for the service is an uptime of 99.5%. “Service Credit” means the amount of
money that will be credited to Customer’s next invoice after submission of a Credit Request
and validation by Symantec that a credit is due to Customer. Please check the following doc
mobile-2-2018-service-description-en.pdf for extended information.
Approach to resilience It's available on request. Regardless, our SEP Mobile service is running on AWS datacenter
which are designed to be resilient. Each critical server in SEP Mobile's cloud environment is
backed by either duplicate multiple instances or a slave node to which failover can be
performed, ensuring minimal system downtime in case of a critical failure. The automatic
failover process is triggered by Engine Yard infrastructure after it has been determined that a
component is unable to reliably respond to requests. The impact on end user experience in
cases of downtime is also minimal. There will not be any visible impact on the functionality of
users’ mobile devices, rather, only a delay in some of the alert notifications in cases where the
user experienced an attack during the downtime event. Database backups of SEP Mobile's
production system are taken daily and prior to any major upgrade or configuration change to
SEP Mobile's production environment. Backups are stored in an encrypted format and allow, in
the event of a disaster, the creation of a replica environment within a minimal period of time.
Disaster recovery scenarios are tested periodically by the SEP Mobile's operations team.
Outage reporting Email alerts and also Symantec Status page,

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels Access to SEP Mobile's production servers or their managing interfaces (e.g. Engine Yard’s
management console) is restricted to SEP Mobile's operations and support personnel and a
small number of SEP Mobile's R&D team members, who require this access to perform their duties. Access to these systems is controlled via a two-factor authentication process.
Access controls to production servers are reviewed every six months at a minimum
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 1 month and 6 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 1 month and 6 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 ISO 27001 and FISMA certified data centers managed by Amazon
ISO/IEC 27001 accreditation date Managed by Amazon
What the ISO/IEC 27001 doesn’t cover SEP Mobile uses ISO 27001 and FISMA certified data centres managed by Amazon
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Uses PCI-compliant 3rd-party services (Stripe) to manage credit card transactions
PCI DSS accreditation date Stripe
What the PCI DSS doesn’t cover Skycure uses PCI-compliant 3rd-party services (Stripe) to manage credit card transactions,
and does not store or see any credit card information. For more info about Stripe’s security, go
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach SEP Mobile has assigned Yair Amit, SEP Mobile CTO and co-founder as its Information
Security Officer. The security officer’s main responsibility is protecting the confidentiality,
integrity, and availability of SEP Mobile's data and computing assets. Other key responsibilities
include: • Product security architecture and strategy • Vulnerability management • Security
incident response • Risk assessment and audit • Security awareness • Periodic review of
information security policy SEP mobile's performs regular risk assessments. Security policy
can be provided if is needed.
Information security policies and processes SEP Mobile has specific security policy which defined the following processes which are
followed: 1) INFORMATION ACCESS CONTROL MANAGEMENT - which includes : Customer
Environment Access, Access to Production Servers, Data Segmentation between
Organizations, Network Access, Billing, Vendor Management 2) HUMAN RESOURCES
SECURITY MANAGEMENT - which includes : Background Checks, Security Training, Offboarding,
3) PHYSICAL SECURITY MANAGEMENT- which includes: Data Center and offices
4) OPERATIONS MANAGEMENT - which includes: Development and Testing, Malware
Mitigation, High Availability, Disaster Recovery and Database Backup, Data Retention and
Destruction, Data Archive, Network Security, Monitoring, 5) RISK ASSESSMENT AND
Password and Authentication Controls, Laptop Security Controls, Mobile Device Security
Controls, Vulnerability Management, Source Code Controls, Incident Reporting and
Management, Exception Procedure, Disciplinary Action, Policy Review

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All code changes being deployed to production undergo a mandatory code review as well as
an automatic inspection process. Configuration changes are managed and documented by
the SEP Mobile DevOps team.
Vulnerability management type Supplier-defined controls
Vulnerability management approach SEP Mobile cloud servers use the Gentoo Linux distribution. The Gentoo Foundation
demonstrates their security commitment by frequently updating their host operating system
to address security issues. In addition, SEP Mobile's security officer receives periodic
notifications from various information security resources and SEP Mobile's operations
personnel runs a periodic vulnerability scan on SEP Mobile's production servers. When a threat is discovered, an assessment of its impact is performed and mitigation steps are
planned and implemented by the SEP Mobile R&D team. Critical vulnerabilities are mitigated
within a period of 30 days
Protective monitoring type Supplier-defined controls
Protective monitoring approach SEP Mobile uses multiple internal and 3rd-party tools for monitoring its production
environment and protecting it against potential threats or errors: • An internal notification
mechanism is in place to alert SEP Mobile's operations and support teams on different
anomalies detected in production. • New Relic analytics tool is configured to continuously
monitor SEP Mobile's production environment status • An Airbrake error reporting tool is
installed on SEP Mobile's production servers and alerts on different issues detected. • An
internal production monitoring dashboard aggregates information from SEP Mobile's multiple
systems. • SEP Mobile also operates a support ticketing
Incident management type Supplier-defined controls
Incident management approach Customers will be notified by SEP Mobile team once an incident that potentially impacts
them has been confirmed. As the incident investigation proceeds, customers will receive
proactive updates on the nature of the incidents and its impact on them. If an actual security
breach occurs, actions will be taken. Additionally, there is a pre-defined process to handle
common events. Detailed information regarding the process can be provided if it is required.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £25.79 to £26.87 per device per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial The trial version is exactly the same as production one. The trial should be
requested to Symantec sales rep.


Pricing document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑