CT-100 Cyber Essentials
The purpose of the service is continual cyber risk management, providing;
1. Continual alignment with the Cyber Essentials framework, reporting vulnerabilities and secure configuration issues for all Windows & Linux servers and user devices.
2. Pre-preparation of IT infrastructure for streamlined Cyber Essentials assessments & renewals.
- Continually monitors compliance with Cyber Essentials
- Reduces Cyber Risks by continual assessment of device security
- Includes the cost of Cyber Essentials certification assessment
- Secure and highly available, hosted in multi-site UK datacentres
- Centralised cloud-based dashboards & MI reporting
- User access protected through Multi-Factor authentication
- All data held within the UK with GDPR compliant processing
- Facilitates patch-management best practice
- Detects all devices in use, maintaining a device asset register
- Records installed software history, maintaining a digital asset register
- Continual security monitoring helps avoid cyber-attacks like WannaCry succeeding
- Automated configuration monitoring provides accurate management information aiding risk management
- Quickly establish organisation compliance state via central dashboards
- Avoid expense and delays preparing for annual Cyber Essentials audits
- Reduce risks through continual compliance rather than annual snapshot audits
- Provides vulnerability insights, difficult to uncover though normal operations
- Reduces security management overhead, freeing resource for business objectives
- CT-100 is flexible and extendible, future-proofing security administration
- Hosted on highly-available infrastructure complying with ISO27001 best practice
£1.00 to £3.50 per device per month
- Education pricing available
- Free trial available
Crystal Thinking (Crystal Marketing Limited)
+44 (0) 203 872 2162
|Software add-on or extension||Yes, but can also be used as a standalone service|
|What software services is the service an extension to||
Cyber Essentials Certification Preparation & Assessment
Vulnerability scans and penetration testing
|Cloud deployment model||
The service can be installed on Windows & Linux servers and user devices only. It does not currently support Apple Mac.
Devices in the scope of Cyber Essentials certification and assessment are network-connected devices. The service relies on frequent or permanent device connection to the internet.
Our policy is to maintain support for the last three version of the following browsers required to logon to the cloud portal management dashboard; Microsoft Edge Google Chrome Mozilla Firefox Apple Safari for macOS
|Email or online ticketing support||Email or online ticketing|
|Support response times||
Monday - Friday 8am - 5.30 pm - 1hr
Saturday, Sunday and Bank holidays - 4hrs
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Phone support availability||9 to 5 (UK time), 7 days a week|
|Web chat support||Web chat|
|Web chat support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support accessibility standard||None or don’t know|
|How the web chat support is accessible||
Accessible via authenticated user support link on Crystal-thinking website. Supports voice, voice call-back, email, live text chat. The last three versions of the following browsers are supported;
Safari for MacOS
Web chat does not currently support WCAG accessibility options other than standard voice, voice call-back, email, live text chat and in-built browser accessibility options for the above browsers.
|Web chat accessibility testing||None at this time|
|Onsite support||Onsite support|
We offer 4 support tiers,0 -3. Tiers 0 -2 are included in the service pricing.
Tier 3 is supports cyber security incident response outside the scope of CT-100 service.
A dedicated account manager is appointed and included in the service pricing.
Tier 0 support is provided via account manager directly, self-help knowledgebase and FAQ located in customer portal.
Tier 1 support provided through ticketing system. The target is to achieve 80% first time resolution for issues such as username & password, service use guidance, report metric interpretation.
Tier 2 support is for more complex technical issues that cannot be resolved through Tier 1 support. Tier 2 support tickets are automatically escalated to account managers who liase directly with customers as appropriate.
Tier 3 support is provided for cyber security incidents such as cyber attack response outside the scope of CT-100.
|Support available to third parties||Yes|
Onboarding and offboarding
Fully supported installation and user training is provided on-site, UK within the cost of the service.
Pdf user manuals are available for direct download via the customer portal.
The CT-100 application can be trialled on one or more devices for the purpose of compatibility and user-acceptance where required. Organisational distribution of the application can be arranged according to country, site, device types, departments or other logical groupings enabling installation controls.
Installation of the CT-100 compliance application is optionally self-service, involving running a Windows MSI or Linux package on each device within the scope of Cyber Essentials. Installation normally takes less than a minute. Customers choosing to self-install require access to the customer portal which is arranged at the end of initial training or during supported installation.
Training for the use of the management portal is optionally provided through webinar or on-site and takes approximately 1 hour.
The service becomes effective immediately after CT-100 application installation.
|End-of-contract data extraction||Immediately following the termination date, CT-100 monitoring data collected and stored during the service period can be downloaded as csv files via the customer service portal. Portal access is maintained for one month following service termination. At the end of the period, we seek written permission to permanently deleted all CT-100 data and decommission the customer account.|
At the end of the contract, customers can optionally renew for a further period. If the customer chooses to terminate, items 1- 4 are included in the price of the service.
1. each of the CT-100 monitored devices are de-registered from the cloud environment.
2. The CT-100 can be uninstalled by the customer or with support from our staff.
3. Access to the CT-100 service portal is maintained for a further month for the purposes of reporting and downloading device monitoring data collected through the contract period.
4. Customer authority is sought for the permanent deletion of data and the decommissioning of the CT-100 cloud environment.
5. Further monitoring, data analysis or reporting is available at an additional cost depending on requirements.
Using the service
|Web browser interface||Yes|
|Application to install||Yes|
|Compatible operating systems||
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||
The CT-100 compliance monitoring application is designed to operate on Windows or Linux operating server and user systems, reporting compliance status to the CT-100 cloud.
The CT-100 central cloud dashboard can be accessed through desktop and mobile device browsers to view and report on device status.
|Independence of resources||
CT-100 cloud service is built on Amazon Web Service (AWS) infrastructure. The core infrastructure services we use are Lambda, S3, Dynamo Db. These services are provided at scale and auto-scale according to service demand.
Each customer cloud environment is created within a separate infrastructure and accounting environment.
CT-100 device monitoring applications use a small amount of network bandwidth for management data and monitoring data returned to the cloud. Devices and network performance is monitored for congestion with service monitors dynamically adjusting execution timing in response to congestion or local device resource availability.
|Service usage metrics||Yes|
Number of devices registered over time
Device registration detail & summary
Number of devices deregistered over time
Device de-registration detail & summary
Current active devices
Number of compliant devices over time
|Supplier type||Reseller providing extra features and support|
|Organisation whose services are being resold||Amazon Web Services cloud infrastructure|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||Data collected during the period of the service can be downloaded as csv files via the customer portal at any time during the contract and for one month after the end of the contract.|
|Data export formats||CSV|
|Data import formats||CSV|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
We offer a service level of 99.9 service uptime
Data uptime is defined as the percentage of time the CT-100 cloud service availability during a one-month billing period.
Service Credits are calculated as a percentage of the total charges paid by you for the CT-100 service affected for the billing cycle in which the Monthly Uptime Percentage fell within the ranges set forth in the table below.
Less than 99.9% but greater than or equal to 98.0%. Service Credit 10%
Less than 98.0% but greater than or equal to 95.0%. Service Credit 25%
Less than 95.0%. Service Credit 100%
|Approach to resilience||
The CT-100 service monitors security configuration of user devices, transmitting small report files to a central cloud location for storage, analysis and reporting.
CT-100 Service Resilience addresses the following resilience requirements;
This comprises the raw report files send by user devices to the cloud environment. The files are stored in a json format within AWS S3. AWS S3 resilience is backed by compliance certification with ISO/IEC 27001:2013, 27017:2015, 27018:2014, and ISO/IEC 9001:2015. . AWS S3 is built for 99.99% availability and guarantee 99.9% availability. AWS guarantee 99.999999999% annual durability, which is a measure of the ability to withstand file loss or damage.
When files are uploaded to AWS S3, AWS writes each file (file bits) to multiple devices and multiple locations.
Raw data files stored in AWS S3 is processed and stored in a database from which dashboard reports and other business intelligence is compiled. The database storage engine is also provided by Amazon and called AWS DynamoDb. Similar storage specifications and technology apply to DynamoDb as AWS S3. All dashboard and business intelligence reports can be entirely rebuilt from the original raw data files held on S3.
Further detailed availability information is available on request.
We offer two methods of reporting service outages;
The underlying infrastructure provided by AWS has a corresponding public dashboard and RSS feed providing the current and historical status of each service in each region. CT-100 customers are provided with the specific region and service identifiers allowing status reporting. https://status.aws.amazon.com/
The second method is via email alerts to nominated customer personnel. Crystal Thinking operates health heartbeats and probes for each service component in CT-100. In the event of missing heartbeats, scheduled events or service probe reporting mal-functioning services breaching prolonged outage periods, an alert email is despatched, outlining the problem and severity regularly until the service resumes.
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||
We operate an IAM system restricting access to management interfaces through a series of controls. The primary control is via TLS & 2FA with permissions to dashboard components restricted according to the minimum permissions principal for the role. The second is programmatic, used by the CT-100 application installed on user devices where access is initially restricted to installation packages presenting an authenticated site-code and 64-bit access key. The process is conducted via TLS with key rotation application restarts.
Support access is managed through a combination of VPN authentication to a bastion server, fixed source IP and 2FA.
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||User-defined|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||
|Other security governance standards||
Cyber Essentials Plus
IASME Governance Gold Standard
ISO / IEC 27001 (not audited)
Our infrastructure provider (AWS) complies with;
CSA CCM version 3.0
|Information security policies and processes||
We operate an Information Security Management System (ISMS) comprising and information security policy with statements detailing technical and personnel security control policies.
Central to operations is a risk management system comprising, incident monitoring, reporting and management, regulatory and legal compliance monitoring conducted at least quarterly and audited internally at least bi-annually and annually by a third-party Certification Body through IASME Certification Authority for Cyber Essentials Plus and every three years against the IASME Governance standard.
Our ISMS also include Business Continuity and Disaster Recovery Plans. Disaster Recovery plans and continually reviewed and exercised at least annually.
All audit and risk management outcomes are reported to the CEO (Gareth Owen).
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||
The components of the CT-100 Service are recorded within our digital asset register detailing version. Our version control system tracks major and minor releases according to the significance of change using automated version control tools within AWS & Jira.
Change control comprises a 5-gate process involving several processes; initial needs analysis & risk review, requirements analysis, high-level design, owner approval, implantation, testing, staged-release. Design, implementation and testing is based on CCA & OWASP security principals.
All components versions are designed for backward compatibility, code reviewed regression tested in a staging environment prior to release.
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
Potential threats are assessed through a combination of frequent risk review of technical, legal and environmental threats. Technical threats are assessed according to CVSS Ver 3.0.
Patches are prioritised according to CVSS rating. Critical security patches are applied within 24 hours of becoming available, High & Medium CVSS rated patches within 72 hours. All other patches are applied within 14 days of patches becoming available.
Out threat intelligence comes from a variety of sources, including CVE notifications, automated vulnerability scan reports, OWASP, Information Security Forums, incident reporting, system log analysis, risk reviews, internal and external audit reports.
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||
All system events are logged for each customer environment. Monitoring and analysis is performed automatically against rules that create alerts for unusual behaviour such as repeated, failed portal access or failed process executions. Events meeting this criterion are emailed and SMS'd to nominated staff.
Where potential compromises are detected automatically, the originating IP is blocked and added to a blacklist. Where repeated, failed access attempts against a specific account is detected, account access is immediately blocked.
Automated incident response is immediate. Staff alerted responses are based on significance with Emergency & Critical within 15 minutes, Warning within 2 hrs.
|Incident management type||Supplier-defined controls|
|Incident management approach||
We follow the NIST SP 800-61 R2 guidelines on incident management, largely similar to ISO 27001 / CCA standards.
We operate pre-defined processes for common events which include (repeated / prolonged DDOS, account break-in, lost credentials)
Users report incidents via a dedicated customer portal ticketing system or directly with the customer account manager. A process is in place for verifying the authenticity of the reporter where the incident has not been reported anonymously.
Incident reports are made available as downloadable encrypted documents via the customer portal or sent encrypted via email to the customer nominated incident management contact.
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||No|
|Price||£1.00 to £3.50 per device per month|
|Discount for educational organisations||Yes|
|Free trial available||Yes|
|Description of free trial||
CT-100 application installation for up to 5 devices.
Included in the trial are device compliance reports against the current Cyber Essentials standard. Reports are automatically emailed to the nominated customer representative, highlighting compliance issues on a weekly basis.
The trial length is limited to three months.