Moebian ARQ is a low-cost cloud service that gives auditors and information security teams an easy-to-use, comprehensive information security audit tool. Moebian ARQ is ideal for managing and implementing the risk-based auditing needed to meet ISACA and ISO27001 guidelines.
- Easy to use and access via standard web browsers.
- Record information and digital assets.
- Perform and record risk and threat assessments against your assets.
- Design and build audits to test security and compliance.
- Plan, undertake and monitor progress of audits.
- View and analyse audit results risk impacts in real time.
- Produce high quality management and operational reports.
- Add improvement tasks and monitor progress of actions.
- Online training and help guidance.
- Real-time analysis saves time wading through spreadsheet results.
- Collaborative working to increase audit team performance.
- Low cost value for money
£49 to £250 per licence per month
- Free trial available
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||Additional enhanced reporting packages.|
|Cloud deployment model||
|System requirements||Clients require a standard internet browser.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Monday to Friday same working day. Support is only offered between 09.00 and 16.30 weekdays.|
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
|Support levels||Support is provided via email and online access to the Moebian Helpdesk. This provides clients with access to technical support engineers.|
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||Online training and online user documentation is provided.|
|End-of-contract data extraction||At the end of the contract, data can be exported using built-in reports, or a full extract can be requested via the help desk.|
At the end of contract the system is retained for six months. During this time the system administrator will be allowed access to extract data as xml files via standard export features. A standard extract can be provided in csv format via a request to the helpdesk.
Non-standard extracts that are requested by the customer will be considered. If the request requires significant work then a quotation will be provided based on the standard charges for bespoke services.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||Access is via internet browsers rather than dedicated apps. Screens automatically adapt to device displays.|
|Description of customisation||The system is configurable to local user requirements. A system Administrator role is provided with permissions to configure the system.|
|Independence of resources||The Moebian ARQ Architecture is scalable with each customer allocated a separate database. The application is hosted in a secure Microsoft Azure service which is able to be adapted as required.|
|Service usage metrics||Yes|
|Metrics types||We extract metrics and make them available as part of the user adoption and education process as well as service reviews.|
|Reporting types||Regular reports|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||The system has export tools that export data in XML format.|
|Data export formats||
|Other data export formats||XML|
|Data import formats||Other|
|Other data import formats||XML|
|Data protection between buyer and supplier networks||
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
|Guaranteed availability||Standard is 99.5. Higher level can be defined as part of enhanced requirements for large organisations.|
|Approach to resilience||Available on request. All components in the solution have multiple redundancy.|
|Outage reporting||Public dashboard.|
Identity and authentication
|User authentication needed||Yes|
|User authentication||Username or password|
|Access restrictions in management interfaces and support channels||Access is restricted by role based access security systems.|
|Access restriction testing frequency||At least once a year|
|Management access authentication||Username or password|
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||No|
|Named board-level person responsible for service security||Yes|
|Security governance certified||No|
|Security governance approach||We ensure alignment with 27001 as well as other standards and are undertaking official compliance in 2020.|
|Information security policies and processes||All access, logging, checking storage processes and threat protection solutions are audited regularly and all align to good practice.|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||A common code set is applied to all customers' systems when updates are released. Updates are released monthly, or as necessary if urgent updates need to be applied. Customers are advised of the changes and any downtime in line with the service contract.|
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||The core systems are provided by Microsoft Azure hosting. Updates are controlled by Microsoft.|
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||Risk assessments are undertaken on a regular basis in accordance with the Moebian security policy. Vulnerabilities will be responded to based on the risk posed by the vulnerability or compromise. This may be immediately or through a controlled urgent patch.|
|Incident management type||Supplier-defined controls|
|Incident management approach||Incidents are logged on the help desk and responded to based on the priority of the incident. The help desk provides feedback mechanisms via email and a knowledge base. In addition messages can be posted on the help desk landing page to alert to serious incidents or outages.|
|Approach to secure software development best practice||Supplier-defined process|
Public sector networks
|Connection to public sector networks||No|
|Price||£49 to £250 per licence per month|
|Discount for educational organisations||No|
|Free trial available||Yes|
|Description of free trial||Full access to the system for 28 days.|