Cloud 21 Limited

Qualys Software Licensing and Renewals

Delivering our focused cyber security services to the NHS and healthcare, we work in partnership with Qualys to offer licensing, renewals, initial discovery/readiness, solution design, migration/adoption, support/optimisation and management of their Qualys VMDR software, including licensing consultancy services to help our clients get the most from their Qualys deployment.

Features

• All-in-One Vulnerability Management, Detection, and Response (VMDR) platform
• Web App Scanning (WAS)
• Free Global Asset inventory App
• Focus on most urgent threats
• Automated patch deployment - Patch Management (PM)
• File Integrity Monitoring (FIM)
• Enterprise TruRisk Managment (ETM)
• CyberSecurity Asset Management (CSAM)
• External Attack Surface Management (EASM)
• Policy Compliance (PC)

Benefits

• Industry leading vulnerability scanning software
• Support critical infrastructure services
• Reduce and eliminate downtime
• Efficiently manage and optimise IT infrastructure performance
• Free-up IT teams' resources
• Transform from a 'Reactive' to 'Proactive' IT organisation
• Installation support from experienced and qualified engineers
• Configured offering NHS compliance reporting, administration for CareCERTs and DSPT
• Reduce Cyber Security Attack Surface
• Desktop CIS baseline configuration assessment

£6.71 to £15 a device a year

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bid-management@cloud21.net. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

189992432736775

Contact

Steve Gray
0845 838 8694
bid-management@cloud21.net

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Qualys software can be used as a stand-alone SaaS or integrated into Cloud21's Vulnerability Management services (as a Managed Service).
• Cloud deployment model: Public cloud
• Service constraints: Depending on the modules procured, there may be the need for an on-premise server - Qualys Virtual Scanner Appliance
• System requirements:
  • 1 x vCPU up to 16x
  • 40GB virtual HDD
  • 1.5 GB RAM up to 16GB RAM

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Qualys Customer Service and Technical Support is available 24/7/365 should any issues arise, and tickets follow specific SLAs. Technical Account Managers/Sales Managers can also escalate tickets if the need arises. For further details including links to Qualys SLAs please visit https://www.qualys.com/support/
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: Chat Support is available only for Authenticated users on Qualys Support portal, and this support portal is hosted on Salesforce.; As part of Pre-Deployment stage Penetration testing was been performed for the Support.; Testing is based on general product knowledge along hybrid testing with accessibility testing tools such as text-to-speech and web accessibility evaluation tool.
• Onsite support: Yes, at extra cost
• Support levels: No on-site support provided for shared cloud platform. Cloud21 provides on-site support and technical support service levels. These are chargeable additions.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Qualys offer a range of support and training facilities provided to help new and existing users. These range from FOC on-demand fully certified training through to professional services offered remotely and onsite. Online support portals and customers community forums are also available. ; Pre-Sales and Post-Sales TAM’s are available to support onboarding and using subscription to fullest.
• Service documentation: Yes
• Documentation formats:
  • ODF
  • Other
• Other documentation formats:
  • Online Training
  • Classroom on-site training
• End-of-contract data extraction: Customer has rights to perform purging/deletion operation during subscription, the data further cannot be recovered. Apart from that; Upon request by Customer made within 60 days after the effective date of termination or expiration of the Agreement, Qualys will make Customer Data available to Customer for export or download. After such 60-day period, Qualys will have no obligation to maintain or provide any Customer Data, and will thereafter delete or destroy all copies of Customer Data in its systems or otherwise in its possession or control, unless legally prohibited.
• End-of-contract process: Each Order will automatically renew for an additional one (1) year terms unless Customer provides written notice that it does not intend to renew the Order not later than sixty (60) days prior to the end of the then-current Subscription Term.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Qualys offers a service interface for all its products. The Qualys Cloud Platform is an integrated solution that provides businesses with asset discovery, network security, web application security, threat protection and compliance monitoring, among others. Customers can simply log into their account from any web browser to access the service interface and secure all their IT assets.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Qualys uses "Siteimprove" plug-in to test accessibility compliance and continuously improving on the UI components.; Testing is based on general product knowledge along hybrid testing with accessibility testing tools such as text-to-speech and web accessibility evaluation tool.
• API: Yes
• What users can and can't do using the API: Using the Qualys API, users can integrate applications with Qualys cloud security and compliance solutions using an extensible XML interface. Users with a Qualys user account may access the API functions. When a subscription has multiple users, all users with any user role (except Contact) can use the Qualys API. Each user’s permissions correspond to their assigned user role.
• API documentation: Yes
• API documentation formats:
  • ODF
  • Other
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: Profiles for detecting vulnerabilities can be customized to show vulnerabilities specific to categories of device, infrastructures or O/S specific vulnerabilities. Also specific categories or types of vulnerability. Reporting and dashboards are fully customizable to show information relevant to the user, team or specific reporting requirement. Compliance frameworks can be customized to support bespoke requirements

Scaling

• Independence of resources: Qualys Cloud Platform supports a parallelised scanning architecture (i.e. load balancing a scan across more than one scanning device). This important engineering effort makes the scalability of Qualys Cloud Platform limitless. Most other solutions are limited to running one scan from one scanner at a time.

Analytics

• Service usage metrics: Yes
• Metrics types: Vulnerabilities, Assets, Criticality, Patch rates, Trends, Compliance trends, Number of elements, Number of transactions etc
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Qualys

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Customer can download data including scan results, Activity logs in xml, csv, html, pdf and mht format.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • XML
  • HTML
  • PDF
  • MHT
• Data import formats:
  • CSV
  • Other
• Other data import formats: API

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: All ingress and egress traffic to and from the core switch infrastructure is port filtered by firewalls which are configured to deny by default and permit by exception. Additionally, traffic to and from the core switch passes through our Intrusion Prevention System (IPS) infrastructure. Flows in and out of the environment are closely monitored by our Security Operations (SecOps) Team on a 24x7 basis.
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: All Communication between the web, application, and database tiers is filtered by firewall infrastructure.; Production and Non-Production environment are segregated on networks.

Availability and resilience

• Guaranteed availability: Cloud Services will be available to Customer twenty-four (24) hours a day, seven (7) days a week, with a 99.5% uptime, calculated on a monthly basis (“Cloud Services Uptime”).; Promptly after a notice from Customer regarding Qualys failure to meet the Cloud Services Uptime, Qualys, as its sole obligation and liability, will (a) perform a root-cause analysis to identify the cause of such failure; (b) attempt to correct such failure; and (c) if the root-cause analysis demonstrates that such failure was due to the fault of Qualys, provide Customer with a service credit (“Cloud Services Credit”) consisting of a one-week extension of any Cloud Services subscription impacted by the Cloud Services Uptime failure.
• Approach to resilience: Qualys has well defined Contingency Planning Policy including Contingency Planning procedure, Alternate Storage site, Alternate Processing site, Contingency Plan testing, Contingency Training, Information System backup, Recovery and Reconstitution, Telecommunication service.; Qualys platforms are also designed with multiple means of high availability which provides protection from various types of disasters and failures. Periodic Disaster Recovery Tests are performed to ensure the same.
• Outage reporting: Qualys services status, including any outages or scheduled maintenance, is posted on the Qualys Status page at https://status.qualys.com/; ; Customers may subscribe to receive email notifications of Qualys service status and scheduled maintenance: https://status.qualys.com/

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Qualys has well-defined access control procedure and follows access control matrix in which accesses are defined on the need-to-know basis, Least privilege and individual’s role and responsibility. Additionally, the Qualys Cloud Platform (QCP) System has been built to use Role Based Access Control (RBAC) standards. The Qualys Cloud Platform (QCP) System use security configuration standards documented and use of hardened configurations meeting CIS Benchmark Level 1. As part of the Server hardening, All unnecessary services are uninstalled or disabled.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Schellman
• ISO/IEC 27001 accreditation date: 22/01/2024
• What the ISO/IEC 27001 doesn’t cover: This only includes:; Qualys US and India Offices ISMS, Software Development & Engineering, Exec Leadership, Operations, Customer Support Functions, HR and Legal; And ; Qualys Datacentres in US, Switzerland, India and Canada.
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 25/01/24
• CSA STAR certification level: Level 2: CSA STAR Attestation
• What the CSA STAR doesn’t cover: IN SCOPE : ; The scope of the STAR Certification is aligned to the scope of the information security management system (ISMS) supporting ; the Qualys Enterprise TruRisk Platform and includes the following services, and in accordance with the statement of applicability, ; version 4.2 dated September 12, 2023, and aligned to meet the control implementation guidance and additional control sets of ; ISO/IEC 27017:2015 and ISO/IEC 27018:2019; ; Technical configurations of the infrastructure supporting the Qualys services running within Oracle Cloud Infrastructure (OCI) ; locations are included within the scope of the ISMS.
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • FedRamp-Moderate
  • Privacy Shield SWISS-U.S. Privacy Shield Framework
  • Privacy Sheild EU-US. Privacy Shield Framework

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Qualys has an information security policy in line with its ISO 27001 certified security standards. Its applicability extends to all the organisation's staff. the Policy is documented and reviewed at least annually.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Qualys has a Change Management process that adds oversight, transparency, and control of all changes to the production environment. It establishes guidelines and standards to formally authorize, manage, test, document, monitor, and implement information system changes in the production environment.; All Changes to the Qualys Cloud Platform environment are approved by the Change Management Board before implementation in the production environment. Changes are tested in a development or staging environments prior to CMB approval and then released to the production environment.; Qualys employs a ticketing system for change management that is used to log changes throughout the change management process.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Qualys adheres to and complies with FedRAMP security vulnerability assessment(s) in remediating/patching on a regularly basis.; Qualys uses three different severity categories for vulnerabilities as per the FedRAMP requirement.; Critical / High: Qualys aim to have patch rolled out under 30 days; Medium: Qualys aim to have patch rolled out under 60-90 days; Low: Qualys aim to have patch rolled out under 180 days.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Approach Qualys uses SIEM along with other tools and compute system methods which are implemented for monitoring and assuring proactively incidents are prevented. The SIEM tool supporting Qualys Cloud Platform (QCP) is configured to use custom content and use case content to analyse audit log information coming into the system. Events that conform to current security use cases generate an incident ticket for further review and investigation.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Qualys has an Incident Response Plan that defines the requirements for responding to incidents, including detecting, analyzing, prioritizing, and handling of incidents. Security incidents are reported and monitored by Security and Operations teams 24x7.; Qualys uses SIEM along with other tools and compute system methods which are implemented for monitoring and assuring proactively incidents are prevented. The SIEM tool supporting Qualys Cloud Platform (QCP) is configured to use custom content and use case content to analyse audit log information coming into the system. Events that conform to current security use cases generate an incident ticket for further review and investigation.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Wellbeing

  Fighting climate change

  Cloud21’s quality and compliance team have been extremely busy over the last 24 months and have recently become ISO14001 certified demonstrating our commitment to reducing its environmental impact.; Ambitions for 2024/25; For this service we will: ; ; • Implement a reduce, reuse and recycle scheme (coffee pods, pens and batteries); • Eliminate single use plastic bottles from our office headquarters; • Promote rail travel over air travel for practical journeys; • Promote the ‘green leaf hotel’ scheme where practical to do so; • Accurately measure commutable mileage ; • Reduce paper use and printing at the our headquarters ; • Reduce emissions by 7.14% (19.23 tCO2e) from baseline ; ; We believe it is all about making small changes in order to make a big impact and promoting environmental sustainability. ; ; Cloud21 has implemented a carbon reduction plan in line with the NHS’s carbon reduction roadmap.

  Wellbeing

  We have a company-wide approach called VIBE (Valuing Inclusion, Belonging and Equity), which includes the provision of resources and support to improve physical, emotional and mental health and wellbeing which complements our company values. ; ; Our VIBE team promote social inclusion and wellbeing by running events that supporting charities, such as Samaritans and MIND.; ; We understand stress can impact a person’s mental health, this can result in absences and even resignations, but more importantly, it can impact people's lives fundamentally. Making sure that work is a safe place to discuss wellbeing and mental health by creating an inclusive and supportive environment will provide employees with the tools needed to manage mental health.; ; We look to reduce the pressure and stress involved in modernising systems and technology leveraging our past experience and sharing this with all stakeholders involved. ; ; Initiatives we are looking to run within the next 18 months:; • Run Health and wellbeing webinars and sharing resources to support our teams such as ‘NHS Every mind matters’ and the ‘6 ways to wellbeing’. ; • Continue to raise mental health awareness through running company lead events such as ‘fun-runs’ or ‘Movember’ to promote mental health awareness.; • Offer mentoring support from trained mental health first aiders to support our staff.; • Ensuring we continue to develop our Wellbeing policy.

Pricing

• Price: £6.71 to £15 a device a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Qualys trials offer free access and unlimited scope, for up to 30 days. Prospects can try the entire suite of Qualys Cloud Apps to discover all assets ins scope and gain visibility — whether on premises, in cloud instances or remote endpoints.
• Link to free trial: https://www.qualys.com/free-trial/

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bid-management@cloud21.net. Tell them what format you need. It will help if you say what assistive technology you use.