Cysure has mapped the security component of GDPR into VOSO (Virtual Online Security Officer), which breaks the regulation down into a set of discrete actions, providing an easy-to-follow, staged approach to compliance with GDPR regulatory requirements.
- Virtual Online Security Officer
- Inbuilt CE, IASME and GDPR compliant security policies/plans
- Contains all on-line security training videos for continual staff training
- Compliance dashboard displays your progress against selected standard
- Compliance history and audit trail
- In-built security events issue training videos, plan reviews, vulnerability scans
- Remote monitoring of all networked devices to ensure compliance
- Asset mapping, vulnerability scanning and patching
- Network and device secure configuration
- Access management and control, password management
- VOSO reduces requirement for cybersecurity consultants/compliance officers
- A fraction of the cost of its human counterpart
- Continual cybersecurity process that maintains a cybersecure posture
- Ensures compliance with CE, IASME and GDPR requirements and certification
- Provides dashboard for board oversight of cybersecurity and regulatory compliance
- Mitigates the risk of law suits and regulatory fines
- Reduced remediation and insurance costs
- Continual training of the workforce to offset social media campaigns
- VOSO contains all policies required for cybersecurity regulatory compliance
£1 per person per month
- Free trial available
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||
Virtual Private Network
Remote cyber-security monitoring
Remote user access control and management and password administration
Malware and firewall management
Vulnerability mapping, scanning and patch management
Remote network and device secure configuration
On and offsite backup
|Cloud deployment model||Public cloud|
|Service constraints||We have planned maintenance windows during which we update the solution. These are generally outside working hours.|
|System requirements||Up to date and supported browser.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||
Within 2 hours, Monday to Friday 9am - 5.30pm
Within 12 hours at weekends
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||WCAG 2.0 AA or EN 301 549|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||Web chat|
|Web chat support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support accessibility standard||None or don’t know|
|How the web chat support is accessible||
Help available through website
Initiate a chat window
|Web chat accessibility testing||N/A|
|Onsite support||Yes, at extra cost|
We provide level 1 support to users who need help using the system as is, level 2 support for users wishing to update the configuration, and level 3 support for the effort to identify and resolve bugs, which generally requires a release of the system.
We provide a single level of support for use of the system.
We do not provide a named account manager or support engineer as a standard facility, though we provide an equivalent for large customers who identify a single point of contact for interaction with their organisation.
However, customers using our system often find that they reach the limits of their knowledge and skill and require assistance services. We can provide onsite consultancy for process consultation and certification, either from Cysure or by introduction to third parties who are already users of VOSO.
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||Registration is an automated process that includes entering details that then on-board the organization. There are on-line help and videos at each section.|
|End-of-contract data extraction||Users can produce time series reports and certification documents as well as download any data input documents.|
|End-of-contract process||Cybersecurity is a continual process. Should a user decide to cancel the service, they give 30 days' notice. They have 30 days to download any reports and certifications held in the system. Their account is then disabled.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||There are no differences, apart from the fact that the ability to complete certain tasks may be affected by the screen size of the device. Mobile devices may be used to view status and track progress and in some cases complete tasks, but the service is primarily designed to be used on a workstation. Our support is reasonable on tablets. We will continue to develop in this area to support phones.|
|Accessibility standards||None or don’t know|
|Description of accessibility||We have not made any specific provision to meet WCAG|
|What users can and can't do using the API||
Our API is currently focused on providing integration with other vendor products deployed by users so that a single view of the truth is possible from our dashboard.
Our system is web based and as such exposes all services through an API. Ensuring no abuse of this is a key element of our security testing.
We do not currently publish this API to users and will not expose it until there is a specific business requirement for users to access it.
|API sandbox or test environment||Yes|
|Description of customisation||A key element of our solution is the knowledge base: the events that can occur and the description of the activities that should be undertaken on a regular or ad-hoc basis to deliver an appropriate level of cyber protection. Users are able to load details of new content and to modify the tasks that we provide. A key element of our development plan is to expose the content loading and editing capabilities.|
|Independence of resources||Our solution runs on AWS in a single multi-tenanted instance employing a strong security model to enable partitioning of data and the ability for an organisation to expose, under tight control, certain subsets of data. (Actually we have an instance in the US for that market, and a separate instance in the UK for the EU market.) To that extent users are not partitioned. However, we have carefully designed our locking model to minimise interaction between customers. Our model is to exploit AWS monitoring and scalability tools to ensure that as demand grows we can assign additional resources.|
|Service usage metrics||Yes|
|Metrics types||We have the provision to record all service calls made to the system. This is primarily for the purposes of a security audit trail. System administrators can modify the filters to record summaries of calls by user or calls by service. Details of service usage are available to a system administrator on screen. In the future we expect to extend this to include KPIs.|
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Other data at rest protection approach||
All our data at rest is encrypted by: encrypting the AWS machines before we deploy them, encrypting the database tables in our MySQL database, and encrypting the S3 backups using the AWS encryption key service.
On specific occasions we download production data for investigation. When this takes place the download is to an encrypted drive, the download is logged, and deletion of the data is recorded in the log.
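The two controls described above (encryption of machine disks, database storage and S3 backups, plus a logged download-and-delete process for investigations) are the kind of thing a buyer would want to verify rather than take on trust. The following script is an added example, not Cysure's code: it checks an inventory shaped like the AWS DescribeVolumes, DescribeDBInstances and GetBucketEncryption responses against those controls, and reconciles a download log so that every production download has a recorded deletion. All identifiers, the inventory and the log lines are constructed placeholders so that it runs offline; the `encrypted-` target prefix is an assumed naming convention for the encrypted drives.

```python
"""Verify the data-at-rest controls described above against an inventory shaped
like the AWS describe/get responses, and reconcile the investigation download
log so every production download has a recorded deletion.

Added example, not Cysure's code. Every identifier below is a constructed
placeholder; in practice the inventory would come from the EC2/RDS/S3 API calls
and the log from the team's own record of investigation downloads."""
import re

# Constructed inventory in API shape. None for a bucket stands for
# GetBucketEncryption failing with ServerSideEncryptionConfigurationNotFoundError.
SAMPLE_INVENTORY = {
    "volumes": [
        {"VolumeId": "vol-example-app", "Encrypted": True},
        {"VolumeId": "vol-example-scratch", "Encrypted": False},
    ],
    "db_instances": [
        {"DBInstanceIdentifier": "db-example-mysql", "Engine": "mysql", "StorageEncrypted": True},
    ],
    "buckets": {
        "backups-example": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "placeholder-key-id"}}]},
        "exports-example": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "AES256"}}]},
        "legacy-example": None,
    },
}

def encryption_findings(inv):
    """Return a sorted list of resources that fall short of the stated controls."""
    findings = []
    for v in inv.get("volumes", []):
        if not v.get("Encrypted"):
            findings.append(f"volume {v['VolumeId']}: not encrypted")
    for db in inv.get("db_instances", []):
        if not db.get("StorageEncrypted"):
            findings.append(f"rds {db['DBInstanceIdentifier']}: storage not encrypted")
    for name, cfg in inv.get("buckets", {}).items():
        if cfg is None:
            findings.append(f"bucket {name}: no default encryption")
            continue
        algs = {r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
                for r in cfg.get("Rules", [])}
        if "aws:kms" not in algs:
            # SSE-S3 does encrypt, but not under a key the team manages and audits
            findings.append(f"bucket {name}: default encryption is "
                            f"{','.join(sorted(algs)) or 'unset'}, not SSE-KMS")
    return sorted(findings)

# Constructed log of the "download for investigation" process described above.
SAMPLE_LOG = """\
2024-01-10T09:12Z DOWNLOAD case=CASE-0001 user=analyst1 target=encrypted-drive-01
2024-01-10T17:40Z DELETE   case=CASE-0001 user=analyst1 target=encrypted-drive-01
2024-02-02T11:05Z DOWNLOAD case=CASE-0002 user=analyst2 target=encrypted-drive-02
2024-02-03T08:00Z DOWNLOAD case=CASE-0003 user=analyst1 target=laptop-local
"""
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<action>DOWNLOAD|DELETE)\s+case=(?P<case>\S+)"
                    r"\s+user=\S+\s+target=(?P<target>\S+)$")

def download_log_findings(log_text):
    """Flag downloads never followed by a deletion, and downloads to a target
    that is not one of the (assumed 'encrypted-' prefixed) encrypted drives."""
    open_cases, findings = {}, []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            findings.append(f"unparseable log line: {line!r}")
            continue
        case, action, target = m["case"], m["action"], m["target"]
        if action == "DOWNLOAD":
            open_cases[case] = target
            if not target.startswith("encrypted-"):
                findings.append(f"{case}: downloaded to {target}, not an encrypted drive")
        else:
            open_cases.pop(case, None)
    findings += [f"{c}: download logged, deletion never recorded" for c in sorted(open_cases)]
    return findings

if __name__ == "__main__":
    for f in encryption_findings(SAMPLE_INVENTORY) + download_log_findings(SAMPLE_LOG):
        print(f)
```

Run against the constructed inventory it reports the unencrypted scratch volume, the bucket with no default encryption and the bucket that uses SSE-S3 rather than a KMS key; the log check reports the download to a non-encrypted target and the two cases whose deletion was never logged.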
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||
Documents and other artefacts can be downloaded from the system using the interactive interface.
Data can be output using reports via the report generator as documents.
Users can export their data in its entirety in CSV files on a table by table basis with details of the table definitions provided. We envisage this will be most appropriate to take a copy of data on leaving the system.
|Data export formats||
|Other data export formats||
|Data import formats||
|Other data import formats||
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||
Availability and resilience
|Guaranteed availability||We don't currently provide an SLA within our T&Cs but are happy to enter into an appropriate SLA.|
|Approach to resilience||
We have the following resilience mechanisms in place:
We take regular backups. Currently these are every 24 hrs but could be taken more regularly if there is customer demand.
We have designed our solution to include database replication so that there would be a permanent alternative database maintained in real time to support immediate fail over.
Our LDAP credentials server is backed up every 24 hrs and we have a mechanism for synchronisation between LDAP and database.
We monitor the status of all elements of the platform and can respond in the event of a failure of any component.
The solution is designed to be multi-level, and we can start up additional components in parallel and load balance across them in the event that the web server or application server fails or is overloaded.
Building a server is automated and we can build and deploy additional resources in minutes.
If our database server grows unexpectedly, we can stop it, resize or expand its disk, memory or CPU resources, and restart within 5 minutes.
As we run on AWS we have access to the power and scalability of AWS.
We have a public dashboard which is enabled during planned outages.
We provide email alerts of predicted outages.
In the event an outage occurs we expose an alternative web page reporting this.
Identity and authentication
|User authentication needed||Yes|
|Other user authentication||
We intend to extend our solution to include TFA and implementation of this is in our development pipeline.
Access for most users is limited to port 443 for secure web traffic.
|Access restrictions in management interfaces and support channels||
General management access is via the AWS management console and for this we have TFA configured.
Administrative access to individual machines is available via SSH using AWS encryption keys, and only from specific IP addresses: our main site and the home networks of selected key employees, for 24 x 7 access.
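The posture described in these two answers (users reach port 443 only; SSH is key-based and restricted to a short list of source addresses) is easy to state and easy to let drift. The script below is an added example, not Cysure's code: it audits security group ingress rules, shaped like the `IpPermissions` entries of the EC2 DescribeSecurityGroups response, for exactly that posture. The allow-list uses documentation address ranges standing in for "our main site and the home networks of selected key employees", and the two sample groups are constructed so that the script runs offline; in practice you would pass it the real API response.

```python
"""Audit security group ingress rules against the management-access posture
described above: SSH only from a named allow-list of addresses, HTTPS (443)
open to users, nothing else reachable from the internet.

Added example, not Cysure's code. The allow-list and the rule data are
constructed placeholders in the shape of the EC2 DescribeSecurityGroups
'IpPermissions' output."""
from ipaddress import ip_network

# Assumed stand-ins for "our main site and the home networks of selected key
# employees" (RFC 5737 documentation ranges, not real addresses).
SSH_ALLOWED_CIDRS = ("203.0.113.0/24", "198.51.100.7/32")
PUBLIC_PORTS = (443,)            # the only port ordinary users should reach
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample groups: one matching the stated posture, one that has drifted.
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "198.51.100.7/32"}],
         "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-example-drift", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.0.2.0/24"}], "Ipv6Ranges": []},
    ]},
]

def _sources(perm):
    """All source CIDRs (IPv4 and IPv6) of one permission entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])

def _covers_port(perm, port):
    """True if the entry admits TCP traffic to 'port' (protocol -1 means all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def _in_allow_list(cidr, allowed):
    """True if 'cidr' lies entirely inside one of the allowed networks."""
    net = ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)

def audit_group(group, ssh_allowed=SSH_ALLOWED_CIDRS, public_ports=PUBLIC_PORTS):
    """Return finding strings for one security group (empty list means compliant)."""
    allowed = [ip_network(c, strict=False) for c in ssh_allowed]
    gid, findings = group["GroupId"], []
    for perm in group.get("IpPermissions", []):
        for src in _sources(perm):
            if _covers_port(perm, 22) and not _in_allow_list(src, allowed):
                findings.append(f"{gid}: SSH reachable from {src}, not in allow-list")
            elif src in WORLD:
                lo, hi = perm.get("FromPort"), perm.get("ToPort")
                if perm.get("IpProtocol") == "-1":
                    findings.append(f"{gid}: all traffic open to {src}")
                elif not (lo == hi and lo in public_ports):
                    findings.append(f"{gid}: port range {lo}-{hi} open to {src}")
    return findings

def audit_all(groups):
    """Map each non-compliant group id to its findings."""
    result = {}
    for g in groups:
        f = audit_group(g)
        if f:
            result[g["GroupId"]] = f
    return result

if __name__ == "__main__":
    for gid, found in audit_all(SAMPLE_GROUPS).items():
        print(gid, *found, sep="\n  ")
```

The check treats an "all traffic" rule as covering SSH too, so a catch-all rule from an address outside the allow-list is reported the same way as an explicit port 22 rule, which is the case that tends to slip past a port-by-port review.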
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||You control when users can access audit information|
|How long supplier audit data is stored for||Between 1 month and 6 months|
|How long system logs are stored for||Between 1 month and 6 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||Cyber Essentials|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||Other|
|Other security governance standards||Cyber Essential Plus and IASME|
|Information security policies and processes||Cyber Essentials Plus and IASME compliant information security policies|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||All of our components are tracked through their lifetime using the cloud development suite Atlassian|
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
We use Qualys scanning.
We deploy patches regularly (typically within 14 days) having first trialed them on our development platforms and as part of our release procedures.
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||
We rely primarily on AWS facilities for our protective monitoring. We have monitoring facilities wired up to report exceptions by email immediately they occur.
We initiate a response immediately during working hours and, for emergencies, 24 x 7 once the first person has received the alert.
|Incident management type||Supplier-defined controls|
|Incident management approach||
We take regular backups of our solution data.
We have automated build procedures so we can re-build a solution instance within minutes if necessary.
This rebuild process is practised fortnightly as part of our release procedures.
Our data recovery process is similarly practised regularly as part of our release procedures.
Backups from production servers are tested quarterly for integrity and for the ability to recover from them.
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||No|
|Price||£1 per person per month|
|Discount for educational organisations||No|
|Free trial available||Yes|
|Description of free trial||We do not commercially offer a "free trial", but there is a de facto free trial period between registering and completing payment setup. During this period a system administrator has the ability to review all of the functionality of the system. The period is stated in the T&Cs on sign up.|
|Pricing document||View uploaded document|
|Service definition document||View uploaded document|
|Terms and conditions document||View uploaded document|