MONDAS CONSULTING LTD

Vulnerability Management

Uncover hidden vulnerabilities throughout your IT landscape using our ISO27001 certified platform to gain a better understanding of the ways threat actors will be able to exploit the weaknesses within your infrastructure. Use this information to patch or remediate the weaknesses to strengthen your security posture.

Features

• Automatically discover all of your IT assets, applications and users
• Real-time and continuous monitoring all assets across all attack vectors
• Complete visibility into all types of assets
• Remediation reports cover the security status of your assets
• Remediate, mitigate or accept the risk associated with a vulnerability
• Prioritise vulnerabilities based on which poses the biggest risk

Benefits

• Identify weaknesses in your environment before hackers can exploit them
• Define the risk level that exists within your business
• Understand which areas are most exposed and allocate resources efficiently
• Mitigate the risk of malicious behaviour
• Allows for long term planning of your businesses security posture
• Enhanced credibility with stakeholders
• Aligns with data protection and compliance, ISO27001 & PCI/DSS

£350 to £1,600 a unit

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at george@mondas.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

224100773793400

Contact

George Eastman
07738619533
george@mondas.co.uk

Service scope

• Service constraints: Any service constraints will be highlighted within the client contract where applicable
• System requirements: N/A

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Response times will be defined within SLA's
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Onsite support
• Support levels: Account Manager, Client services manager & service delivery manager are all available depending on the scope of the project
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Onsite training, online training and user documentation are all provided by Mondas before the service goes live should the service be required by the client
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: All data will be provided in the requested readable format which will be agreed with the client at the point of termination.
• End-of-contract process: For contracts of 3 years or above all handover work is included in the price of the contract. For shorter contracts, handover work will be charged at our standard daily rates as per our SFIA matrix.

Using the service

• Web browser interface: No
• API: No
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type: Automatic
• Independence of resources: We have a dedicated team defined with SLAs for each of our clients. Regular service reviews are also built into our contract as defined by the client. Each customer has their own single tenancy instance with our service so that performance can not be effected by the demand of other users.
• Usage notifications: Yes
• Usage reporting:
  • API
  • Email
  • Other

Analytics

• Infrastructure or application metrics: Yes
• Metrics types: Number of active instances
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Nessus

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• Backup controls: Backup schedules are defined and agreed upon as part of the onboarding process
• Datacentre setup: Multiple datacentres
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Guarantee 99.99% availability with service credits available should we fail to meet this target.
• Approach to resilience: Available on request
• Outage reporting: Our outages are reported via an API directly to our clients service centre or via an email.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Access is provisioned on the basis of least privilege and roles specific
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password
• Devices users manage the service through: Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 12/05/22
• What the ISO/IEC 27001 doesn’t cover: Annex A Ref 14 and 12.1.4
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Cyber Essentials certified ; Cyber Essentials Plus certified ; ISO27001 certified ; Work to SOC II Type 2 ; Align to the NIST framework

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We follow ITIL best practise and our change management programme also falls within our ISO27001 audit programme.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We have a robust risk management programme in place which is audited both internally and externally
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We have a robust risk management programme in place which we audit both internally and externally. We also use our own SIEM tool to monitor our in house systems.
• Incident management type: Supplier-defined controls
• Incident management approach: We have a company wide incident management policy and process which is regularly tested and audited both internally and externally. Further information is available on request.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: No

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: We utilise AWS datacentres

Social Value

• Covid-19 recovery:

  Covid-19 recovery

  Our strategy through and post Covid-19 is to continue to grow our business to create more roles for staff both in the UK and Spain. From March 2020 to date we have increased our employee base over 70% and we are actively in the process of growing by another 30% in 2022. We have committed to developing our employees skills with training courses and providing growth opportunities. We enabled shielding with our working from home strategy, one which we continue to operate alongside our physical office for those that wish to go back to an office environment to regain social interactions.; We have also carried out an office improvement plan which has improved the facilities and also offered this to our staff working from home whereby if they have wanted to improve their office set up we have funded this so that everyone feels valued and comfortable in their working environment. In addition we held remote social engagement events so that whilst everyone was on lockdown they were still able to access social engagements in an online manner to keep up the team inclusion and ensure no one felt isolated. This is something we have continued with remote and in person team events.
• Tackling economic inequality:

  Tackling economic inequality

  Mondas empowers all staff to have an equal voice within the organisation, which is something we pride ourselves on. We encourage everyone to seek opportunities for new business but also to develop and grow an existing business contract, department or service. We operate a One Team approach so that everyone has an equal voice in business direction and services.; Where we have a skills shortage we in the first instance took to existing staff members to understand if it is a role they would like but with training and development before we look to the market. We also have training and development plans to grow staff and keep them engaged in their role and in the company.; All staff are encouraged and supported to become SME’s in their area of expertise but also reach outside of their comfort zone and strive to achieve the SME status in a different area. Which provides the business with greater resilience but also the member of staff. No one regardless of client support is left to feel isolated, we value the social aspects of a workplace to encourage staff to feel part of Mondas and our end goals. Where possible we also seek to support local businesses instead of going to a larger organisation as part of our social responsibility targets.

Pricing

• Price: £350 to £1,600 a unit
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at george@mondas.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.