SureCloud Limited

Cyber Essentials and Cyber Essentials PLUS Certification Service

SureCloud is a CREST accredited certification body for the Cyber Essentials Scheme. SureCloud's trusted consultants will provide expert advice to prepare and guide you through each stage of the Cyber Essentials certification programme, starting with the initial scoping exercise.

Features

  • Cloud Based Software-As-A-Service Delivery Model
  • Expert Consultants
  • Experience of delivery across all sectors
  • Guidance through the whole process
  • Full workflow, task assignment and management tools
  • Integrates closely with other SureCloud platform areas

Benefits

  • SureCloud were heavily involved in creation of the scheme
  • One of the UK's first Certifying Bodies
  • Backed by SureCloud's CESG CHECK and CREST Accredited Team

Pricing

£1200 to £20000 per licence per year

Service documents

G-Cloud 9

999435524451408

SureCloud Limited

Scott Bridgen

0208 012 8544

sales@surecloud.com

Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints No
System requirements A web browser and internet connectivity.

User support

Email or online ticketing support Email or online ticketing
Support response times SureCloud commit to a response to tickets within 4 business hours.

Support coverage is from 08:30 to 17:30 Monday to Friday (excluding bank holidays).

There is support cover during the weekends, but it is limited.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Onsite support
Support levels All support is part of SureCloud's standard licensing and pricing model.

We have an SLA of responses to submitted tickets within 4 business hours.

A main technical contact is provided who can also act as an escalation point if required.
Support available to third parties Yes

Onboarding and offboarding

Getting started Full onsite and/or remote training (via Webex) is provided depending on what is preferred and also procured from a consultancy perspective.

Full documentation is also provided around platform use.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Users can extract all data from the platform to CSV/Excel format when the contract ends if required.
End-of-contract process Full access to the licensed features of the SureCloud platform is provided. These are split into separate 'applications', and the buyer purchases as needed.

There are no additional costs outside of the licensed bracket and implementation costs.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Full functionality is available from mobile devices.
Accessibility standards None or don’t know
Description of accessibility Users can zoom the screen to improve readability.
Some, but not all the information, is compatible with screen readers.
Accessibility testing None
API No
Customisation available Yes
Description of customisation A customised instance of SureCloud can be provided with corporate branding, logos and colour schemes. An organisation-specific URL is also provided.

Scaling

Independence of resources The environment is scaled, as needed, to meet demand. Each individual platform is also monitored to ensure that the service remains optimal for all users.

Analytics

Service usage metrics No

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach Users can download all data to Excel and/or PDF format as required.
Data export formats
  • CSV
  • Other
Other data export formats PDF
Data import formats CSV

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability Monthly Uptime Percentage|Service Credit
<99%|2.5%
<98%|5.0%
<95%|7.5%
Approach to resilience SureCloud has designed and built its own private cloud infrastructure with data at two physical, geographically separate locations. The environment has been set up to ensure there are no single points of failure.

Further information is available upon request.
Outage reporting Email Alerts

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels Management access to the underlying infrastructure is only permitted to 3 trusted individuals. These individuals have to go through multiple layers of authentication and authorisation before access is possible.

Support staff only have access to accounts within SureCloud they are actively involved in supporting. This is tightly controlled by permissions within the SureCloud application itself.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations Yes
Any other security accreditations
  • Cyber Essentials PLUS
  • CREST Member Company
  • CESG CHECK 'Green Light'
  • PCI Approved Scanning Vendor

Security governance

Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes All policies and processes are accredited to ISO 27001.

Copies of reporting structure and policies themselves are available upon request.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach SureCloud utilises its own technology and platform for management of change requests, which track the whole lifecycle of a change.

A high-level overview of the form is as follows:

- Date
- Date change due to be implemented
- Details of change
- Security Impact of change
- Affected systems
- Change reserve plan
- Change success measure
- Change to be authorised by?
- Change Approved?
- Change Completed?
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach SureCloud utilises its own Vulnerability Management platform and technology for scanning and management of its network.

Scans are run on a weekly basis, with automated tasks set to immediately alert the Security Team of any high or critical vulnerabilities.

Patches are deployed to all critical and high vulnerabilities immediately. Medium/low severity vulnerabilities are patched within 1 month.

The security team obtain threat intelligence data from a partner and are subscribed to all relevant social media channels for new vulnerability alerting.
Protective monitoring type Supplier-defined controls
Protective monitoring approach SureCloud uses its own technology and solution Event Manager for this purpose.

The solution has been designed around GPG13 and the PCI Standard Event Management requirements.

Each event is severity weighted and anything high or critical is immediately alerted to the Security Team.

Any potential compromise follows SureCloud's incident response processes and, due to the nature of the activity, is actioned immediately.
Incident management type Supplier-defined controls
Incident management approach SureCloud has fully documented incident response policies and procedures, which all staff are extensively trained on.

Users report incidents via the SureCloud platform using the 'Incident Manager' Application, which triggers workflow and escalation to their line manager and incident panel.

Any incidents relating to client data are reported to them within 1 business day, as per SureCloud's procedure.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No

Pricing

Price £1200 to £20000 per licence per year
Discount for educational organisations No
Free trial available No

Documents

Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document