Turnkey Consulting (UK) Limited

SAP GRC as a Service

A managed services approach to GRC provides the opportunity for companies to access the latest GRC software quickly, via the cloud through a subscription model. This helps smooth the upfront implementation costs to reduce capital expenditure. The service can also include the cost of the SAP license, further decreasing capex.

Features

• Access SAP GRC from a secure, cloud-based environment
• Plan budgets more effectively with a more predictable cost model
• Relieve the burden of technical support and maintenance
• Leverage SAP GRC best practice & knowledge transfer
• Access to the full portfolio of SAP GRC products
• Ensure your business is supported by GRC & risk experts

Benefits

• Reduced requirement to hire and retain specialist skills
• Predictable costs using a capex model
• On-demand access to SAP security & controls experts
• Best-practice deployment & operation of SAP GRC

£5,000 to £150,000 a unit a month

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at finance@turnkeyconsulting.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

221812113346178

Contact

Jo Chuter
02072882578
finance@turnkeyconsulting.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: Buyers should be aware that the service uses standard SAP technology and technical constraints applying to their existing SAP landscapes may also apply.
• System requirements: BYO SAP GRC licences or Turnkey can provide

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Response times range depending on the priority and agreed service tier. ; The following shows the ranges: ; Priority 1 = 30 mins (Platinum) - 4 hours (Bronze); Priority 2 = 1 hour - 8 hours ; Priority 3 = 2 hours - 24 hours; Priority 4 - as agreed with individual customers
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: Webchat is available through a combination of Hubspot and Zendesk capabilities. ; Tests are ongoing with automated responses and bots to provide quick resolutions and ticketing triage.
• Onsite support: Yes, at extra cost
• Support levels: All clients get a base level of support covering incident logging, remote support and our patch and bug fix library. We typically provide a support package that is tailored to client requirements based around the following service tiers.; ; Bronze tier: 8h support p/m + 5d critical support cover per quarter. ; Silver tier: 10h support p/m + 10d critical support cover p/q; Gold tier: 32h support p/m + 15d critical support cover p/q; Platium tier: 64h support p/m + 20d critical support cover p/q; ; Costs p/a based upon 3y commitment:; Bronze: £23,120; Silver: £46,240; Gold: £78,030; Platinum: £127,160
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Typically we provide onsite training which is supplemented by a set of guides that can be used in generic format or tailored to a clients specific processes.; ; Where required we can also provide remote training covering all of the roles required to use the service effectively.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
  • Other
• Other documentation formats: Microsoft office formats
• End-of-contract data extraction: 1. Turnkey provide client administrators with access to extract data; 2. Turnkey can extract data for client if required
• End-of-contract process: At the end of the contracted period the connection (typically VPN) between our service and the client network is terminated. Assuming that the client does not want to continue with the service, the servers are decommissioned. We are typically able to meet any client specific decommissioning requirements as part of the core service.; ; At additional cost the service can be kept "warm" and data backups retained.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • Linux or Unix
  • Windows
  • Other
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The mobile service provides basic data display and approval capability through SAP Fiori applications.
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: Yes
• Description of customisation: Customisation is possible within the service and is subject to the standard restrictions around customising SAP software. Any of the SAP software can be extended subject to application and data limitations.; ; Customisation can be performed by customer and Turnkey developer resources, subject to appropriate agreement and uses standard SAP techniques included ABAP Development Workbench, Fiori UI Theme Designer Tool, Floorplan Manager etc.

Scaling

• Independence of resources: Each client has an instance specifically for their own use and hosted on a virtualized stack that has been sized for their requirements and does not have any other tenants.

Analytics

• Service usage metrics: Yes
• Metrics types: Each of our clients has different requirements for metrics and are identified during project initiation.
• Reporting types: Regular reports

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: SAP, Sailpoint, ServiceNow, Diligent, OneTrust, Profile Tailor

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Data in SAP is stored in a number of locations. Client administrators can have direct access to all data and can export using native SAP tools, alternatively we can perform exports for clients.; ; Application data generated by the service can be exported through standard reports and in a number of formats e.g. csv, odf, xlsx etc.
• Data export formats:
  • CSV
  • ODF
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: IPsec or TLS VPN gateway
• Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: The standard availability for the service is 98.5%, High Availability options are available based on client requirements. Refunds/service credits are subject to individual clients requirements.
• Approach to resilience: Available on request
• Outage reporting: Service outages are reported by email alerts as standard. Integration with client reporting systems is available if required.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Access to management interfaces is provided only to administrators authorised by the customer. Access is based upon best practice support roles and additional customer requirements can be incorporated.; ; Application support users are restricted to named Turnkey individuals and, where appropriate, named client individuals. Supporting infrastructure is restricted to named individuals working with our hosting partner.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: Security for our service is owned by the Director responsible for our cloud offerings.; ; The Director oversees a service-specific ISMS that is broadly based around ISO27001. the Director is responsible for ensuring that the ISMS stays current and that policies and standards are being adhered to.
• Information security policies and processes: The service delivery team report to the Director responsible for the service and the director is responsible for monitoring adherence to policies.; ; Our policy framework is based around: ; ; Service AUP; Service Information Security Policy; Service Access Policy; Service Emergency Access Policy; ; Processes exist for:; Service build and deployment; Service user management; Service onboarding; Service configuration & change management; Service problem & incident management; Service shutdown/offboarding

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Application configuration and change management processes follow customer processes.; ; Infrastructure configuration and change management processes follow SSAE16 accredited process.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Application patching (security and functional) is performed every 6 months as standard but can vary based upon client requirements.; ; Infrastructure patching is performed every 3 months as standard but can vary based upon client requirements.; ; Critical and High rated patches (rating by SAP - application vendor) are reviewed monthly and decision made with client whether to deploy or wait until next release.; ; Potential threat information is gathered from SAP, US-CERT and research vendors that we have relationships with.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Our applications sit within our hosting providers landscape and are integrated with our hosting providers SOC.; ; Application (SAP) specific monitoring is performed by weekly monitoring of SAP Audit Log and Gateway Log events.; ; We are able to incorporate any specific requirements of customers into our monitoring solution for their service.
• Incident management type: Supplier-defined controls
• Incident management approach: We have defined processes for incidents and problems. Incidents are reported via: Phone to on-call service manager; email to support inbox (monitored 8x5 as default but can be monitored up to 24x7x365 if required); or via our ZenDesk ticketing system.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Covid-19 recovery:

  Covid-19 recovery

  Supporting more timely reporting of user access and operational risk indicators to recover and manage operational costs more efficiently. Managing the issues of legislative reporting more efficiently
• Tackling economic inequality:

  Tackling economic inequality

  Allowing institutions to manage their regulatory requirements more efficiently allowing cost avoidance in unnecessary spend.
• Equal opportunity:

  Equal opportunity

  Tracking KPIs for inclusiveness and diversity through appropriate risk and control managements for the indicators of positive and negative patterns.

Pricing

• Price: £5,000 to £150,000 a unit a month
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at finance@turnkeyconsulting.com. Tell them what format you need. It will help if you say what assistive technology you use.