Software Box Limited (SBL)

SBL Tenable.io

A cloud-based vulnerability management solution

Features

  • Integrated applications
  • Container security
  • Comprehensive scan options
  • Asset tracking
  • Documented API and integrated SDK
  • SLA with uptime guarantee

Benefits

  • Customer-friendly, elastic asset licensing
  • SLA with uptime guarantee
  • Integrated container security
  • Accurate asset-based vulnerability tracking
  • Modern Cloud and Mobile Architecture
  • Comprehensive Configuration Auditing
  • Widest Coverage for Vulnerabilities and Compliance
  • Regulations
  • Unified Dashboards View and Experience
  • Malware Detection

Pricing

£12.15 per device per year

  • Free trial available

Service documents

G-Cloud 9

785747816283177

Software Box Limited (SBL)

Benjamin Jackson

01347 812100

tenders@softbox.co.uk

Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Tenable.io can be configured as an extension to SecurityCenter Continuous View, however it is not mandatory.
Cloud deployment model Public cloud
Service constraints Tenable IO must be accessed via a web browser
System requirements
  • Google Chrome (40+)
  • Apple Safari (8+)
  • Mozilla Firefox (38+)
  • Internet Explorer (11+)
  • Scanners and agents collect data to be reported by Tenable.io.
  • Tenable.io is configured with a regional, specific cloud scanner.
  • Users can link Nessus & PVS scanners, and Nessus Agents.

User support

User support
Email or online ticketing support Email or online ticketing
Support response times RTO varies due to the critical nature, but all within a 24 hour window; comprehensive information can be found http://static.tenable.com/prod_docs/Tenable_Technical_Support_Plans.pdf
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Web chat
Web chat support availability 24 hours, 7 days a week
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Detailed information relating to accessibility can be found here: https://www.tenable.com/section-508-voluntary-product-accessibility
Web chat accessibility testing Detailed information relating to accessibility can be found here: https://www.tenable.com/section-508-voluntary-product-accessibility
Onsite support Yes, at extra cost
Support levels Nessus Pro, Standard, Premium and Premium for Government. Each support level includes 24x7x365 Email, Portal and Chat support, the Standard and Premium Packages include Phone Support. Additional details can be found in http://static.tenable.com/prod_docs/Tenable_Technical_Support_Plans.pdf
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started There are a range of support and training facilities provided to help new users. These range from FOC on-demand training through to professional services onsite; an online support portal and customers community forums.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Should a customer's account expire or terminate, Tenable will retain the data, as it was at the time of expiration, for no more than 180 days for customers to download their records accordingly. After that time, this data may be deleted and cannot be recovered.
End-of-contract process Should a customer's account expire or terminate, Tenable will retain the data, as it was at the time of expiration, for no more than 180 days for customers to download their records accordingly. After that time, this data may be deleted and cannot be recovered.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10+
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Nessus Manager and Tenable.io integrate with leading Mobile Device Management (MDM) products (Microsoft Exchange, Apple Profile Manager, MobileIron, AirWatch, Good for Enterprise) to capture device info for iOS, Android and Windows phones to perform vulnerability and compliance assessments. Unmanaged devices can continue to be assessed for vulnerabilities and security issues via Passive Vulnerability Scanning - inspection of network traffic generated by the mobile devices.
Accessibility standards None or don’t know
Description of accessibility Access to Tenable.io is through a web browser utilising TLS/SSL secure communication. Support is either via phone, email or our support portal.
Accessibility testing N/A
API Yes
What users can and can't do using the API Users can easily integrate and automate the sharing of capabilities and vulnerability data, or build on the Tenable.io platform, leveraging a fully documented API set and SDK. There is no extra cost to use these tools to maximize the value of your vulnerability data.

Online via the website https://cloud.tenable.com/api#/overview
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment No
Customisation available Yes
Description of customisation Tenable.io has a large number of filtering options available for the purpose of filtering down the resultant vulnerability and configuration data. These filters can be combined in various ways and allows for the organization to quickly filter down to the subset of the data that is pertinent to the task at that time.

Scaling

Scaling
Independence of resources Tenable commits to provide 99.95% average uptime with respect to the Cloud Services during each calendar month of the subscription term. http://static.tenable.com/prod_docs/Service_Level_Commitment.pdf

Analytics

Analytics
Service usage metrics Yes
Metrics types Patch rate, vulnerability trends, compliance trends
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Resellers
Supplier type Reseller providing extra features and support
Organisation whose services are being resold Tenable

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach In-house
Protecting data at rest Encryption of all physical media
Data sanitisation process No
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Tenable IO has the facility to allow users to export their data either via the console or via the API
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • HTML
Data import formats Other
Other data import formats Nessus Scanner

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network At rest all customer data collected are encrypted using AES-256 encryption. Tenable.io uses state-of-the-art container technology to create and segregate customer environments. All customer accounts, vulnerability data and user settings are contained within a container uniquely allocated to each specific customer. Data contained within one container cannot leak or otherwise be intermingled with another container, thus ensuring the privacy, security and independence of each customer environment.

Availability and resilience

Availability and resilience
Guaranteed availability Tenable commits to provide 99.95% average uptime with respect to the Cloud Services during each calendar month of the subscription term. If in any calendar month this uptime commitment is not met by Tenable and Customer was negatively impacted, Tenable shall provide, as the sole and exclusive remedy for unavailability or performance degradation of the specific Tenable Cloud Services, a service credit.
Approach to resilience Tenable uses health and status data to detect and address potential issues in a timely manner, thereby maintaining SLA commitments. Tenable Cloud services are replicated both within and across AWS regions. Should both instances in a region fail (or the region suffers an outage in general), the regional-failover layer (usually using dynamic DNS) will instead direct traffic to the other three regions. Failover is closest-path to the traffic origin.
Outage reporting Tenable.io disaster recovery procedures have several levels and are designed to react to situations that may occur from anywhere between once in five years to once in 50 years. Depending on the scope of the disaster, the recovery procedures vary in time from 60 minutes to 24 hours.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels User accounts are assigned roles that dictate the level of access a user has in Tenable.io. You can change the role of a user account at any time, as well as disable the account.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password
  • Other

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification PCI
PCI DSS accreditation date 01/05/2012
What the PCI DSS doesn’t cover N/A full scope covered.
Other security accreditations No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards Other
Other security governance standards Yes. Tenable's policies were written based on the National Institute of Standards and Technology (NIST) cybersecurity framework, CEB library best practices , SANS institute documents and Tenable's own professional experience. Policies are shared with business units and reviewed collectively during internal workshop meetings.
Information security policies and processes Yes. Tenable's policies were written based on the National Institute of Standards and Technology (NIST) cybersecurity framework, CEB library best practices , SANS institute documents and Tenable's own professional experience. Policies are shared with business units and reviewed collectively during internal workshop meetings. Once approved, policies are disseminated to all employees via our internal network portal. Policies are reviewed, revised, and updated on annual basis.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Not all systems require the same amount of development, testing, and approval. Changes to some systems are routine and represent little or no risk. Therefore, to ensure reasonable processing time for routine maintenance and other low risk change requests, and to ensure that more significant, higher impact changes receive the appropriate scrutiny and planning, the following types of changes have been established. These types have corresponding development, testing, and implementation requirements as well as specific approvals necessary to process. Classification of Change Types:
Provisioning
Configuration
Maintenance/ Upkeep
Development (existing)
Development (new)
Vulnerability management type Undisclosed
Vulnerability management approach Tenable does internal vulnerability scans on a daily, weekly and monthly basis. Penetration tests are done annually. Discovered vulnerabilities are remediated based on vulnerability management policy. High and Critical vulnerabilities are given priority.
Protective monitoring type Undisclosed
Protective monitoring approach All systems connected to Tenable's corporate environments are configured to send logs to a centralized syslog server configured for further log analysis.
Incident management type Undisclosed
Incident management approach Information Security Incident Management follows NIST frameworks, US-CERT guidelines and best practices. Notification will be made within 48 hours and not before the initial incident report, containing the basic facts, is completed. Notification will be sent to the data breach contact notification on file. Notification will be by email.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No

Pricing

Pricing
Price £12.15 per device per year
Discount for educational organisations No
Free trial available Yes
Description of free trial 60 day trial periods can be arranged through SBL to provide managed evaluations. Nessus Home (free) is limited to 6 IP addresses and the inability to perform compliance checks.

Documents

Documents
Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑