Grey Monarch Limited

Pathlock Cloud Continuous Controls Monitoring (CCM) for SAP

Pathlock Cloud CCM offers a comprehensive toolkit to enhance risk identification and assessment, reduce manual compliance controls efforts, and improve operational excellence. With this solution, organisations can streamline their process controls and mitigate risks more efficiently, enhancing their overall performance and success.

Features

• Centralized audit and process controls
• Financial Risk Quantification
• Reduced Manual Effort for financial controls
• Financial Impact Analysis
• Comprehensive Risk Assessment
• Improved Risk Decision Making
• Analyses various documents (POs, Invoices, etc.) to assess risk

Benefits

• Enhanced Financial Risk Identification
• Streamlined Controls Management
• Audit and process control compliance
• Centralised audit controls across multiple compliance frameworks
• Standardisation of Controls

£3,000 to £10,000 an instance a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at david.lloyd@pathlock.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

147908738149992

Contact

David Lloyd
0844 736 5879
david.lloyd@pathlock.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
• Service constraints: None
• System requirements: Requires a local server to deploy a software agent on

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within 4 Business Hours
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: The standard support level supplied inclusive within the SaaS offering is 8am to 6pm Mon-Fri.; Out of hours support can be provided for an additional fee of £10 per day. A Technical account manager is also assigned to each customer account.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Self service training is available or remote/onsite personalised training
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
  • Other
• Other documentation formats: Masterclasses via Web Portal
• End-of-contract data extraction: Data can be downloaded to CSV or Excel.
• End-of-contract process: The monthly subscription fee includes all of the hardware, software, maintenance and support and a main ERP connector (for instance SAP, Oracle, Peoplesoft). Being a cross application access governance solution, Pathlock Cloud also has an additional 100+ connectors to line of business applications such as Ariba, SuccessFactors, Concur, ServiceNow, OKTA, Microsoft Active Directory, MS Entra etc. These connectors do incur an additional fee.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The mobile service is mostly used for mobile workflow automation so that steps and processes can be completed by employees whilst out of the office.
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: Pathlock Cloud accepts incoming APIs to be able to initiate workflows within the product.
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Users can create customised reports and change configuration settings associated with security monitoring - for instance Segregation of Duties rulesets. Users can also create custom events to monitor, for instance, to monitor access or usage of certain system activities (such as updated or accessing employee data).

Scaling

• Independence of resources: This service is provided within a 100% private cloud with no server sharing, operating system sharing, disk sharing or application sharing.

Analytics

• Service usage metrics: Yes
• Metrics types: User activity and application uptime
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Physical access control, complying with another standard
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Data can be exported via on-screen menus into either XLSX pr CSV format
• Data export formats:
  • CSV
  • Other
• Other data export formats: Excel
• Data import formats:
  • CSV
  • Other
• Other data import formats: Excel

Data-in-transit protection

• Data protection between buyer and supplier networks: Private network or public sector network
• Data protection within supplier network:
  • IPsec or TLS VPN gateway
  • Other
• Other protection within supplier network: Microsoft dedicated network protection

Availability and resilience

• Guaranteed availability: 99.95% up-time. A lack of availability owing to customer-side connectivity issues and customer system downtimes are not taken into account with regard to SLAs.
• Approach to resilience: Resilience is built in at various levels including physical nodes, strorage controllers, disks, internet connectivity, remote access and firewalls. Our service uses UKFast data centres which operate at Tier 3 standards for uptime and availability. They use concurrently maintainable systems including UPS, standby diesel generators and high density infrastructures in excess of 15kW per rack.
• Outage reporting: Dashboards and eMail alerts.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Secure VPN, Server level username/password, Application level username/password, specific user roles which define access rights
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: LRQA
• ISO/IEC 27001 accreditation date: 23/06/2016
• What the ISO/IEC 27001 doesn’t cover: All processes are covered
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Ultima Risk Management
• PCI DSS accreditation date: 22/08/2016
• What the PCI DSS doesn’t cover: Office network not covered
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • Cyber essentials / cyber essentials+
  • SOC 2

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Our full IT Security Policy document is available upon request but the essential principles are;; All IT Systems are to be protected against unauthorised access.; All data stored on IT Systems are to be managed securely in compliance with all relevant parts of the Data Protection Act 1998.; The responsibility for the security and integrity of all IT Systems and the data stored thereon (including, but not limited to, the security, integrity and confidentiality of that data) lies with the IT Department unless expressly stated otherwise.; All IT Systems are to be installed, maintained, serviced, repaired and upgraded by Grey Monarch Technical Services (the “IT Department”) or by such third party/parties as the IT Department may from time to time authorise.; All breaches of security pertaining to the IT Systems or any data stored thereon shall be reported and subsequently investigated by the IT Department and, if necessary, escalated to the IT Director.; All Users must report any and all security concerns relating to the IT Systems or to the data stored thereon immediately to the IT Department, and, if necessary, escalated to the IT Director.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All components, hardware and software, can be identified by their version number, release number and modification level. The software architecture allows for hot patching whereby extremely focused updates can be applied without affecting other components within the system. Any changes are subject to our change control procedures and are tested within development and QA environments before being applied to any production environments. Scheduled maintenance will be required at regular intervals. Scheduled maintenance is excluded from any service availability.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: The service infrastructure is ISO27001 certified and, as such, is subject to continual assessment to ensure that vulnerabilities are identified, risk assessed and treated/patched accordingly. Patches are prioritized according to risk and relevance to the service. Critical patches are typically applied within 24 hours of being available.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: The service infrastructure undergoes continual Security Incident and Event Monitoring (SIEM) according to CESG and ISO27001 best practises. This monitoring is provided by a mixture of automated and manual monitoring and analysis. Incidents and any potential compromises are assessed and responded to according to their risk assessment. Critical incidents are responded to immediately.
• Incident management type: Supplier-defined controls
• Incident management approach: Pre-defined processes exist for common events. All incidents, whether internally identified, or reported by users are logged within our ticketing management system. Reported incidents are initially analysed and risk assessed. Either preventative measures or patches/fixes will be applied according to the severity and scope of any incident. Critical incidents will be escalated accordingly. Reports will be provided via eMail or telephone where appropriate and of a high risk nature.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: Yes
• Connected networks:
  • Public Services Network (PSN)
  • Health and Social Care Network (HSCN)
  • Other
• Other public sector networks: GC(RLI)

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Grey Monarch as part of the Pathlock Group will continue to work with all suppliers and clients to reduce our emissions towards a zero greenhouse and gas emissions. We achieve this by educating staff and colleagues on the value of reducing our carbon footprint largely by;; • Reducing unnecessary travel and or keeping travel to a minimum. ; • Continuing to complete projects and meetings via remote access and video calls.; • Retaining our hybrid working with staff being able to work from home where possible and only visit the office for essential meetings, thus reducing travel fuel costs, and heating and lighting the office space.; • We also use digital tools instead of paper to avoid unnecessary exchange of written documentation.

  Covid-19 recovery

  • we will continue to offer a hybrid way of working for all staff so that they can work from home as much as possible; • Travel will continue to be kept to a minimum with most or all project being completed via remote access. ; • Continuing to use video calls for team meetings to discuss project work and work loads; • Managing work loads and proactive recruitment will ensure that the continued effects of COVID 19 are being monitored at all times. ; • Continued use of video calls will ensure that contact is kept to a minimum for all staff and client contact. ; • Explore ways of working with our customers to help struggling clients and suppliers through this difficult time. (fixed fee work T&E or monthly subscription options where possible.

  Tackling economic inequality

  We understand many of the the challenges of economic inequality and work very hard with other small businesses, especially within our supply chain to promote their businesses. We especially use local small businesses for recruitment and marketing assistance wherever possible.

  Equal opportunity

  We continue to offer equal opportunities for employment, pay and promotion. Grey Monarch have always been focused on ensuring that promotion and progress within our company is based upon the best person for the job, considering their qualifications, experience and knowledge.

  Wellbeing

  We continuously monitor our staff wellbeing with regular meetings and team social events. Projects and workload are particularly monitored and discussed on a regular basis to ensure that staff are not under any undue stress or pressure, and always have an avenue to openly discuss any ongoing concerns or issues. Our hybrid working model also means that staff can manage and balance home-life with work-life as best as possible.

Pricing

• Price: £3,000 to £10,000 an instance a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Free Proof of Concept and high level Security Risk Assessment

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at david.lloyd@pathlock.com. Tell them what format you need. It will help if you say what assistive technology you use.