Codestone

Security-as-a-Service

We help business leadrs manage the risk associted with cyber threats at all levels. By offering a fully managed Security Service, we take the uncertainites away from the Customer's executives by delivering a complete Security-as-a-Service solution. from the endpoint device through the the Cloud services with a managed SOC .

Features

• 24/7/365 Network Security Monitoring and Remediation
• Set up, Configuration, Optimisation
• Testing and Training
• Penetration Testing
• Endpoint to Server Security across your network
• Secure Remote Access
• Fully Managed 24/7/365 environment
• Security Consulting and Advice
• Cyber Essentials Accreditation Services
• Perimeter Security

Benefits

• Identify ciritcal assets to highlight vunverabilities
• Protect tou services and shield from cyber attackes
• Manage the solution suite to identify a threat and block
• Respond to cyber-security events and ensure timely restoration
• Recover your systems or data and communicate relevant outcomes
• Maintain completely upto date securiy fabric across the estate

£25.00 to £75.00 a user a month

• Education pricing available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gary.duke@codestone.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

166743513052169

Contact

Gary Duke
+447831526080
gary.duke@codestone.com

Service scope

• Service constraints: None
• System requirements:
  • Master Software Licence agreements
  • Secure remote access to infrastructure
  • Anti-Virus protection

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Seciurity-as a Service will include a Service Level Agreement that is precisely matched to the user requirements. Up to 24/7/365.; SLA commits to respond to questions and resolve issues as; follows, however every client has the opportunity to alter the response times to fit their business needs:; Priority Critical 30mins; Priority High 30 mins; Priority Medium 8 Hours; Priority Low 16 Hours
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: Web chat
• Web chat support availability: 24 hours, 7 days a week
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: Web chat is available via the Support Service Portal and can also support Teams and WhatsApp messaging.; ; A self Service Portal is also available to user to review the knowledge base articles.
• Web chat accessibility testing: The onboarding of every client will go though extensive testing and user acceptance of the chat facilities to ensure that the service is used for optimum performance.
• Onsite support: Yes, at extra cost
• Support levels: Support is provided 24/7/365 from 1st through to 4th line. Additionally on-site support can be provided as part of a Flex day arrangement where specialist resource is provided on-site. Cost varies from £550.00 per day to £1,050 per day subject to the skills required.; ; All clients will have a Customer Success Manager appointed as to manage the quality of service and act as the technical account manager.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: As part of the Security Service agreement a full project plan for onboarding the Services will be agreed with the Client. This will include details on:; Responsibilities; Audit Controls}; Security Management; Training; Reporting; Documentation; Servlce Level Agreement; Customer Success Management
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: The Service Agreement will include a specific clause(s) that define the requirements of off boarding the service, including data extraction and deletion and provision of editable documentation.
• End-of-contract process: The Client will be notified within three month of the expiry of the Contract and have the option to terminate at the end of the Term or Extend for another mutually agreed period. If notice to terminate is provided, the off boarding agreement (if appropriate) will commence.; ; Costs for off boarding will be provided based of the Scope of Work and Service agreed and maybe varied and the time notice is given.

Using the service

• Web browser interface: Yes
• Using the web interface: Typically the administration of the Security as a Service will be managed by Codestone under the Servie Agreement, however the Client will be provided full admin rights as required to facilitate on and off bording of users.; The scope of responsibilities will be agreed during onboadring of he Service and particularly the audit and security management.
• Web interface accessibility standard: None or don’t know
• How the web interface is accessible: This will be subject to the Service Definition and Scope of Work Agreement.
• Web interface accessibility testing: This will be subject to the Service Definition and Scope of Work Agreement.
• API: No
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type: Manual
• Independence of resources: The Scope of Works will include demand management and reporting to ensure that optimum service levels are maintained consistently.
• Usage notifications: Yes
• Usage reporting:
  • Email
  • Other
• Other usage reporting: Customer Success Manager will make direct contact with the Client representative in various means,.

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • Memory
  • Number of active instances
  • Other
• Other metrics:
  • Threat Detection report
  • Remediation Activities
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Microsoft, Fortinet, Cloud Guard AI, Rapid 7

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: No
• Equipment disposal approach: A third-party destruction service

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Full Back up and Recovery Service is included
  • Security Back ups will form part of the Customer Strategy
• Backup controls: Back up Services (scope, timings etc) are defined and agreed as part of the onbording Service.; ; As many alternative schedules and content can be offered.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks: Private network or public sector network
• Data protection within supplier network: Other
• Other protection within supplier network: This will be subject to individual Client requirements.

Availability and resilience

• Guaranteed availability: Service Level Agreements are tailored to the specific requirements of the Clinet including the provision of Service Credits for failures to meet agreed service Levels.
• Approach to resilience: The Service is based on the 3rd party Cloud Infrastructure and therefore all service resiliency is as publised by the vendor
• Outage reporting: If an outage occurs the Customer Success Manager will be immediately notified and they will be responsilbe for managing the P1 situation and all communications (email, telephone and messaging applicatins) with the user community.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Access controls will be defined during onboarding and be subject to approval and change management for alterations to the processes. Access Security is controlled by the Service Delivery Manager liaising directly with the Customer.
• Access restriction testing frequency: Less than once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password
• Devices users manage the service through: Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: QMS International
• ISO/IEC 27001 accreditation date: 08/12/2016
• What the ISO/IEC 27001 doesn’t cover: Anything that is NOT defined in the Statement of Work
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Codestone have a comprehensive suite of Security Processes and procedures that are reviewed regularly by the Executive Board.; The policies are the responsibility of the Operation Board who report to the Executive Board.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Codestone operate a Change Management Board that will work with the customer to plan, define, design that required changes that will be presented for approval before any changes are made. This will include thorough impact analysis, security assessment and once approved. All changes are subject to hyper care before acceptance into Business as Usual.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Vulnerability management is managed by the security team, with risk assessment and immediate Change Management Processes to deploy remediation and threat protection.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Infrastructure Monitoring and Management is a fully included service with IaaS and works in collaboration with the Security Team to identify compromises and potential incidents to remediate and protect the data and services. All incidents are treated a Priority 1 Major Incident and actioned accordingly.
• Incident management type: Supplier-defined controls
• Incident management approach: The Service Level Agreement will include pre-defined and approved processes for threats and incidents that are escalated to the Incident Management Team who immediate notify the Customer and action the remediation processes. Users are notified by pre-defined communications channels with updates provided as per the SLA.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Supplier
• Virtualisation technologies used: VMware
• How shared infrastructure is kept separate: The Client's Microsoft Tenant.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: Refere to Microsoft

Social Value

• Social Value:

  Social Value

  • Equal opportunity
  • Wellbeing

  Equal opportunity

  Codestone have a policy of extensive communications to all staff to ensure they are ket entirely up to date with the developments in the business, the opportunities that are open to all and to ensure that everyone has an opportunity to progress their skills and position in the company.

  Wellbeing

  The People and Culture Director has a team of specialists who take the responsibility of Well being extremely seriously. ; ; The resonsibilites include Mental Well being, general health and that every individual is respected, listened to and has a voice in the business.

Pricing

• Price: £25.00 to £75.00 a user a month
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gary.duke@codestone.com. Tell them what format you need. It will help if you say what assistive technology you use.