Resulting Ltd

Pathlock Cloud Cybersecurity Application Controls (CAC) for SAP

Pathlock Cloud CAC automatically scans SAP
systems for over 4000 security vulnerabilities and
cybersecurity weaknesses at any desired
frequency (e.g. daily, weekly, monthly). In this
way, the SAP systems remain up-to-date with
SAP security notes and patches. Other SAP
security risks are also quickly identified with clear
remediation instructions provided.

Features

  • 4000 automated SAP Vulnerability checks
  • Automated SAP Note patching and management
  • SAP Misconfigurations detected and reported
  • Clear remediation instructions are provided for each vulnerability found
  • Automated SAP interface map
  • SAP Security Risk Dashboard
  • Checks vulnerabilities at an application, database and operating system level
  • SAP Code and Transport Scanning
  • Real-time SAP threat detection

Benefits

  • SAP vulnerability management processes are automated
  • Complex activities made easier by information pointers and dashboards
  • Less dependent on expensive projects or consultancy
  • Always up-to-date with SAP Security notes
  • Better insight into SAP security risks, mitigation and trends
  • Clear risk and management reports for SAP Security Officers
  • From reactive and ad hoc to preventive and continuous protection
  • Better prepared for annual SAP audits
  • Real time threat detection
  • Assurance that all SAP code and transports are clean

Pricing

£1,500 to £8,000 a licence a year

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Hello@resulting-it.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

132721136350958

Contact

Resulting Ltd Robbert Willemse
Telephone: +44 1925 906 662
Email: Hello@resulting-it.com

Service scope

Software add-on or extension
No
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints
None
System requirements
Standard SAP

User support

Email or online ticketing support
Email or online ticketing
Support response times
Within 4 business hours
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
The standard support level supplied inclusive
within the SaaS offering is 8am to 6pm Mon-Fri.
Out of hours support can be provided for an
additional fee of £10 per day. A Technical account
manager is also assigned to each customer
account.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Training for the service is provided remotely - only 2 hrs typically required.
Service documentation
Yes
Documentation formats
  • HTML
  • ODF
  • PDF
  • Other
Other documentation formats
  • Other documentation formats
  • Online tutorials
End-of-contract data extraction
Data can be downloaded to CSV or Excel.
End-of-contract process
The annual subscription fee includes all of the
hardware, software, maintenance and support.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
Yes
Compatible operating systems
Other
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The mobile service is generally used for real-time
notifications and management reports.
Service interface
No
User support accessibility
None or don’t know
API
No
Customisation available
Yes
Description of customisation
Security base level templates are made available
within the product

Scaling

Independence of resources
This service is provided within a private cloud so
cannot be shared with any other users.

Analytics

Service usage metrics
No

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Data can be exported via on-screen menus into either XLSX or CSV format
Data export formats
  • CSV
  • Other
Other data export formats
Excel
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
Microsoft dedicated network protection

Availability and resilience

Guaranteed availability
99.95% up-time. A lack of availability owing to
customer-side connectivity issues and customer
system downtimes are not taken into account
with regard to SLAs.
Approach to resilience
Resilience is built in at various levels including
physical nodes, storage controllers, disks,
internet connectivity, remote access and
firewalls. Our service uses UKFast data centres
which operate at Tier 3 standards for uptime and
availability. They use concurrently maintainable
systems including UPS, standby diesel
generators and high density infrastructures in
excess of 15kW per rack.
Outage reporting
Dashboards, email alerts and SIEM

Identity and authentication

User authentication needed
Yes
User authentication
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Secure VPN, Server level username/password,
Application level username/password, specific
user roles which define access rights
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
LRQA
ISO/IEC 27001 accreditation date
23/06/2016
What the ISO/IEC 27001 doesn’t cover
All processes are covered
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
Ultima Risk Management
PCI DSS accreditation date
22/08/2016
What the PCI DSS doesn’t cover
Office network not covered
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
Yes
Any other security certifications
  • Cyber essentials / cyber essentials+
  • SOC 2

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
Information security policies and processes
Our full IT Security Policy document is available
upon request but the essential principles are: All
IT Systems are to be protected against
unauthorised access. All data stored on IT
Systems are to be managed securely in
compliance with all relevant parts of the Data
Protection Act 1998. The responsibility for the
security and integrity of all IT Systems and the
data stored thereon (including, but not limited to,
the security, integrity and confidentiality of that
data) lies with the IT Department unless
expressly stated otherwise. All IT Systems are to
be installed, maintained, serviced, repaired and
upgraded by Grey Monarch Technical Services
(the “IT Department”) or by such third
party/parties as the IT Department may from time
to time authorise. All breaches of security
pertaining to the IT Systems or any data stored
thereon shall be reported and subsequently
investigated by the IT Department and, if
necessary, escalated to the IT Director. All Users
must report any and all security concerns relating
to the IT Systems or to the data stored thereon
immediately to the IT Department, and, if
necessary, escalated to the IT Director.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All components, hardware and software, can be
identified by their version number, release
number and modification level. The software
architecture allows for hot patching whereby
extremely focused updates can be applied
without affecting other components within the
system. Any changes are subject to our change
control procedures and are tested within
development and QA environments before being
applied to any production environments.
Scheduled maintenance will be required at
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
The service infrastructure is ISO27001 certified
and, as such, is subject to continual assessment
to ensure that vulnerabilities are identified, risk
assessed and treated/patched accordingly.
Patches are prioritized according to risk and
relevance to the service. Critical patches are
typically applied within 24 hours of being
available.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The service infrastructure undergoes continual
Security Incident and Event Monitoring (SIEM)
according to CESG and ISO27001 best
practices. This monitoring is provided by a
mixture of automated and manual monitoring and
analysis. Incidents and any potential
compromises are assessed and responded to
according to their risk assessment. Critical
incidents are responded to immediately.
Incident management type
Supplier-defined controls
Incident management approach
Pre-defined processes exist for common events.
All incidents, whether internally identified, or
reported by users are logged within our ticketing
management system. Reported incidents are
initially analysed and risk assessed. Either
preventative measures or patches/fixes will be
applied according to the severity and scope of
any incident. Critical incidents will be escalated
accordingly. Reports will be provided via email or
telephone where appropriate and of a high risk
nature.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Fighting climate change

Grey Monarch, as part of the Pathlock Group, will continue to work with all suppliers and clients to reduce our emissions towards zero greenhouse gas emissions. We achieve this by educating staff and colleagues on the value of reducing our carbon footprint, largely by:

  • Reducing unnecessary travel and/or keeping travel to a minimum.
  • Continuing to complete projects and meetings via remote access and video calls.
  • Retaining our hybrid working, with staff being able to work from home where possible and only visit the office for essential meetings, thus reducing travel fuel costs, and heating and lighting the office space.
  • We also use digital tools instead of paper to avoid unnecessary exchange of written documentation.

Covid-19 recovery

  • We will continue to offer a hybrid way of working for all staff so that they can work from home as much as possible.
  • Travel will continue to be kept to a minimum, with most or all projects being completed via remote access.
  • Continuing to use video calls for team meetings to discuss project work and workloads.
  • Managing workloads and proactive recruitment will ensure that the continued effects of COVID 19 are being monitored at all times.
  • Continued use of video calls will ensure that contact is kept to a minimum for all staff and client contact.
  • Explore ways of working with our customers to help struggling clients and suppliers through this difficult time (fixed fee work T&E or monthly subscription options where possible).

Tackling economic inequality

We understand many of the challenges of
economic inequality and work very hard with
other small businesses, especially within our
supply chain to promote their businesses. We
especially use local small businesses for
recruitment and marketing assistance wherever
possible.

Equal opportunity

We continue to offer equal opportunities for
employment, pay and promotion. Grey Monarch
have always been focused on ensuring that
promotion and progress within our company is
based upon the best person for the job,
considering their qualifications, experience and
knowledge.

Wellbeing

We continuously monitor our staff wellbeing with
regular meetings and team social events.
Projects and workload are particularly monitored
and discussed on a regular basis to ensure that
staff are not under any undue stress or pressure,
and always have an avenue to openly discuss
any ongoing concerns or issues. Our hybrid
working model also means that staff can manage and balance home-life with work-life as best as
possible.

Pricing

Price
£1,500 to £8,000 a licence a year
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
We provide a free Proof of Concept for a single
SAP system for organisations to understand their
current exposure to SAP vulnerabilities and other
cyber security threats.
