CTO Technologies Ltd

Qualys software licensing and renewals

Delivering our focused cyber security services to the NHS and healthcare, we work in partnership with Qualys to offer licensing, renewals, initial discovery/readiness, solution design, migration/adoption, support/optimisation and management of their Qualys VMDR software, including licensing consultancy services to help our clients get the most from their Qualys deployment.

Features

• All-in-One Vulnerability Management, Detection, and Response (VMDR) platform
• 20+ powerful Apps
• Free Global Asset inventory App
• Focus on most urgent threats
• Automated patch deployment as well as ability to quarantine
• 6 Sigma accuracy scanning technology

Benefits

• Industry leading vulnerability scanning software
• Support critical infrastructure services
• Reduce and eliminate downtime
• Efficiently manage and optimise IT infrastructure performance
• Free-up IT teams' resources
• Transform from a 'Reactive' to 'Proactive' IT organisation
• Installation support from experienced and qualified engineers
• Configured offering NHS compliance reporting, administration for CareCERTs and DSPT

£10.00 a unit

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at mark.bishop@ctotechnologies.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

992578772834557

Contact

Mark Bishop
0845 644 3830
mark.bishop@ctotechnologies.co.uk

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Qualys software can be used as a stand-alone SaaS or integrated into CTO Tech’s Vulnerability Management services.
• Cloud deployment model: Public cloud
• Service constraints: N/A
• System requirements: Subject to product requirements.

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: As defined by SLA
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: As defined by SLA
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Qualys offer a range of support and training facilities provided to help new and existing users. These range from FOC on-demand training through to professional services offered remotely and onsite. Online support portals and customers community forums are also available.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Downloadable in CSV or PDF formats.
• End-of-contract process: All customer data is removed and destroyed and access to the platform is revoked for all customer-approved users. VPN connectivity to the cloud is decommissioned.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Browser-based application, which will work on any internet-enabled device.
• Service interface: Yes
• Description of service interface: Web-hosted portal with a tailored dashboard of key data, showing a relevant summary, with drill-down capability.
• Accessibility standards: None or don’t know
• Description of accessibility: Access is through a web browser utilising TLS/SSL secure communication with standard accessibility options including display size of page elements (text, images, tables etc). Support is either via phone or email.
• Accessibility testing: None or don’t know
• API: Yes
• What users can and can't do using the API: Users can easily integrate and automate the sharing of capabilities and data.
• API documentation: Yes
• API documentation formats:
  • PDF
  • Other
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: Qualys VMDR offers a wide capability to create, modify and save dashboards that can be set up based on the requirement of a client. CTO Technologies staff are fully trained and experienced to support such customisations.

Scaling

• Independence of resources: Effective and automated capacity planning.

Analytics

• Service usage metrics: Yes
• Metrics types: Vulnerabilities, Assets, Criticality, Patch rates, Trends, Compliance trends, Number of elements, Number of transactions, CareCERTs etc
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Qualys

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: In-house
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: No
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Qualys software has a built-in mechanism enabling users to export their own data from the dashboard throughout the duration of the contract and on contract end.
• Data export formats:
  • CSV
  • Other
• Data import formats:
  • CSV
  • Other

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: As defined by SLA
• Approach to resilience: Information available on request
• Outage reporting: As defined by SLA

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: When a user is set up, they are assigned a role, either a system default role or a bespoke one. Each role has a specific set of activities and permissions assigned. This is controlled by Admin User. The role of a user account can be changed or disabled at any time.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 6 months and 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 6 months and 12 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau
• ISO/IEC 27001 accreditation date: 8/01/2018
• What the ISO/IEC 27001 doesn’t cover: Further clarifications regarding the scope of the certificate and the applicability of requirements may be obtained by consulting the certifier.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: Yes
• Any other security certifications:
  • ISO 9001:2015
  • Cyber Essentials Plus

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Cyber Essentials Plus
• Information security policies and processes: We abide by an Information Security Policy and have rigorous induction and training methods which ensure policies are followed. We also follow a strict reporting structure ensuring that any areas of concern are highlighted as soon as possible. Violation, either automatically detected or manually detected will reach our technical department immediately from where the issue will be escalated accordingly.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Our change management policy is designed to meet NIST best practices. Not all systems require the same amount of development, testing, and approval. Changes to some systems are routine and represent little or no risk. To ensure reasonable processing time for routine maintenance and low risk change requests, and to ensure that more significant, higher impact changes receive the appropriate scrutiny and planning, the following types of changes have been established. These types have corresponding development, testing, and implementation requirements as well as specific approvals necessary to process.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Potential threats are assessed through Penetration Testing. ; Patches are deployed as soon as they are published by a vendor, during a maintenance window. ; Information on threats supplied by vendors.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Response are automated when possible. Otherwise, these are logged as security incident and responded to accordingly.
• Incident management type: Supplier-defined controls
• Incident management approach: Information Security Incident Management follows NIST frameworks, US-CERT guidelines and best practices. Notification will be made within 48 hours and not before the initial incident report, containing the basic facts, is completed. Notification will be sent to the data breach contact notification on file. Notification will be by email.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £10.00 a unit
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Free trials and Solution Demonstrations can be requested via CTO Technologies.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at mark.bishop@ctotechnologies.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.