Creative Networks

Cloud Security Posture Management (CSPM)

Cloud Security Posture Management (CSPM) ensures the security of cloud infrastructure through continuous monitoring, automated remediation, policy enforcement, risk assessment, and reporting. It identifies and resolves misconfigurations, vulnerabilities, and compliance issues, providing visibility and prioritisation to safeguard against threats and maintain regulatory compliance.

Features

• Instant threat detection via real-time monitoring.
• Auto-fixes for misconfigurations and vulnerabilities.
• Policy enforcement to meet industry standards and compliance.
• Prioritised risk assessment for effective mitigation.
• Complete visibility into security and compliance status.
• Swift threat response with proactive alerts.
• Integration with existing security tools for seamlessness.
• Adaptable policies for evolving threats and regulations.
• Centralised dashboard for effortless tracking and auditing.
• Collaboration tools for coordinated security efforts.

Benefits

• Enhances cloud security and compliance, providing peace of mind.
• Prevents breaches by identifying and resolving vulnerabilities.
• Simplifies security with automated monitoring and remediation.
• Reduces errors, enhances efficiency with less manual effort.
• Maintains compliance with regulatory standards and industry mandates.
• Proactively mitigates risks to safeguard business operations.
• Offers insights for informed decisions and prioritisation.
• Adapts to evolving threats, increasing agility.
• Centralises operations, enhances collaboration, and boosts productivity.
• Fosters trust via transparent reporting and accountability.

£1,500.00 to £2,000.00 a licence

• Education pricing available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at aj@creative-n.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

286183850818280

Contact

Azeem Javed
03303337337
aj@creative-n.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Private cloud
  • Hybrid cloud
• Service constraints: The service may have scheduled maintenance, limited support for legacy systems, and hardware compatibility constraints. Buyers should plan for potential downtime during maintenance windows, ensure their hardware aligns with compatibility requirements, and inquire about support for legacy systems. Additionally, geographic restrictions may apply, so buyers should verify availability in their region. Understanding these constraints upfront enables informed decision-making and effective planning for implementing and using the service within educational institutions.
• System requirements:
  • Compatible with Windows, macOS, or Linux OS.
  • Adequate CPU, RAM, and storage resources required.
  • Internet connectivity needed for cloud features.
  • Compatibility with educational software like LMS or SIS.
  • Integrates with existing network and security measures.
  • Compliance with GDPR, FERPA, and data protection standards.
  • Required software licenses for third-party applications.
  • Works with antivirus software for cyber threat protection.

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Support response times - 08:30 - 18:00 Weekdays, excluding Bank Holidays. Out of hours support available where necessary. 30 minutes to 8 hour response dependent on priority call, P1 - 30 mins, P2 - 1 hour, P3 - 4 hours, and P4 - 8 hours.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 A
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 A
• Web chat accessibility testing: We have not conducted any testing of web chat accessibility with users employing assistive technology.
• Onsite support: Onsite support
• Support levels: End-user training can be provided at an ad hoc cost. We provide a UK based Service Desk for support. Out of hours support is available. Our helpdesk is made up of 1st, 2nd and 3rd Line technical expertise. A Technical Account Manager will be assigned as standard as a part of our standard and premium IT Support, see our pricing schedule and SFIA Rate Card for details.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We assist users in adopting the service through a variety of resources tailored to their needs. Our user documentation offers step-by-step guides, FAQs, and troubleshooting tips for independent learning. Additionally, we provide interactive online training sessions and webinars led by experienced instructors to guide users through setup and configuration processes effectively. For those preferring personalised assistance, optional onsite training sessions can be arranged to address specific organisational requirements. Our dedicated technical support team is readily available to assist users with any inquiries or challenges they may encounter, offering prompt resolution via email, phone, or online chat. With these resources and support channels in place, we aim to ensure a smooth onboarding experience and empower users to harness the full capabilities of the service for their communication needs.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Exported upon request. Contact the Support Helpdesk or Technical Account Manager.
• End-of-contract process: At the end of the contract services will continue on a rolling 30 day agreement until either party serves notice. If it is decided the client will exit, Creative Networks will assist in transitioning and migration of services ensuring continuity and a smooth handover. We will, where applicable deliver an Exit Plan which sets out the proposed methodology for achieving an orderly transition of Services on the expiry or termination of the contract. The Exit Plan will contain at minimum: Separate mechanisms for dealing with Ordinary Exit and Emergency Exit. The management structure to be employed during both transfer and cessation of the services and a detailed description of both the transfer and cessation processes, including a timetable. Document how the Services will transfer including details of the processes, documentation, data transfer, systems migration, security and the segregation of technology components. Specify the scope of the Termination Services that may be required and any charges that would be payable for the provision of such Termination Services and detail how such services would be provided. Provide a timetable and identify critical issues and set out the management structure to be put in place and employed during the Termination Assistance Period.

Using the service

• Web browser interface: No
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The mobile service offers essential features optimised for smaller screens, prioritising portability and ease of use. It provides quick access to key functionalities such as monitoring alerts and support tickets. In contrast, the desktop service offers a comprehensive user interface with advanced tools and configuration options. It leverages the larger screen size and computing power of desktop devices to provide a wider range of capabilities and enhanced user experience. While both versions aim for consistency, the mobile service focuses on on-the-go usage, while the desktop service delivers more extensive features suited for desktop environments.
• Service interface: Yes
• User support accessibility: WCAG 2.1 A
• Description of service interface: The service interface provides a user-friendly experience with intuitive navigation and interactive elements. It includes a dashboard for key metrics like system status and security alerts, accessible through categorised menus. Users can visualise data with interactive charts and graphs, and customise settings to suit their preferences. With search functionality and filters, tasks can be efficiently executed. Overall, the interface streamlines user interaction for effective management of IT resources.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Creative Networks have not conducted any interface testing with users of assistive technology.
• API: Yes
• What users can and can't do using the API: Through the API, users can automate the setup and configuration of the service by provisioning resources, creating user accounts, and defining access permissions. They can also make changes to configurations, settings, and resources, enabling automated maintenance and adjustments to meet evolving needs. Additionally, users can retrieve data such as monitoring metrics and system logs for analysis and integration with other systems. However, there are limitations to API usage. Certain administrative tasks may be restricted to maintain security, and rate limits may apply to prevent abuse of resources. Some features available in the user interface may not be accessible via the API, and users must authenticate and be authorised to access it. Overall, while the API offers flexibility and automation capabilities, users should be mindful of limitations and adhere to security measures to ensure safe and effective use of the service through the API.
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Users can customise the service to suit their specific needs and preferences through various means:; ; Configuration: Adjust settings such as user permissions, notifications, and workflow rules to align with organisational requirements.; Branding: Customise branding elements like logos, colour schemes, and themes to reflect corporate identity.; Integration: Integrate the service with other software applications and systems to facilitate seamless data exchange and workflow automation.; Extensions: Install or develop extensions or plugins to add new features or enhance existing functionalities.; API Access: Leverage the service's API to develop custom integrations, automate tasks, and build custom applications tailored to specific requirements.; Administrators typically have authority over customisation, with the ability to modify settings and configurations. End users may have limited customisation options, such as personalising their interface or configuring preferences. Developers can customise the service through API access, enabling the creation of custom integrations, extensions, and applications. These customisation options empower users to tailor the service to their unique needs, enhancing its relevance and effectiveness within their organisation.

Scaling

• Independence of resources: We ensure users are unaffected by demand fluctuations through scalable infrastructure, fair resource allocation, load balancing, proactive monitoring, and SLAs. Infrastructure scales dynamically to meet demand peaks, while resources are allocated fairly and load balanced to prevent overloading. Continuous monitoring identifies and resolves performance issues, optimising system configurations. SLAs provide performance guarantees, holding suppliers accountable for meeting service quality standards. These measures collectively maintain consistent service quality and performance, safeguarding users from disruptions caused by varying demand or usage patterns.

Analytics

• Service usage metrics: Yes
• Metrics types: The service provides usage metrics including statistics on usage frequency, performance, resource consumption, user activity, and customisable reports. These metrics offer insights into service utilisation, reliability, and user behaviour, facilitating informed decision-making and optimisation of service usage.
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: Less than once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Physical access control, complying with another standard
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Users export data from the service via:; ; Built-in export functionality, selecting datasets and formats.; API access for programmatic data retrieval and integration.; Scheduled reports, automating data delivery via email or download.; Direct database access, querying data using SQL or similar languages. These methods offer flexibility for users to export data in various formats and frequencies, empowering them to analyse, share, and utilise data beyond the service environment.
• Data export formats:
  • CSV
  • ODF
• Data import formats:
  • CSV
  • ODF

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We guarantee a high level of availability for our service, typically backed by service level agreements (SLAs) outlining specific availability targets and compensation mechanisms for any service disruptions.
• Approach to resilience: The service is engineered for resilience, employing several strategies to ensure uninterrupted availability and reliability. Redundant infrastructure components are utilised to create backup systems, minimising the impact of hardware failures or maintenance activities. Geographic distribution of infrastructure across multiple locations ensures accessibility, even during localised outages or disasters. Load balancing techniques evenly distribute incoming traffic across multiple servers, preventing overload and enhancing overall performance. Automated failover mechanisms detect and respond to failures in real-time, redirecting traffic to healthy resources or backup systems to minimise downtime. Comprehensive disaster recovery plans mitigate the impact of catastrophic events, with procedures for data backup, restoration, and recovery in place. Continuous monitoring and testing identify potential vulnerabilities or performance issues proactively, ensuring the effectiveness of failover mechanisms and disaster recovery plans. Through these resilience features, users can rely on the service to remain available and reliable, even in challenging circumstances.
• Outage reporting: Email alerts

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: Supplier defined controls.
• Access restriction testing frequency: Less than once a year
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Less than 1 month
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Less than 1 month
• How long system logs are stored for: Less than 1 month

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: UKAS
• ISO/IEC 27001 accreditation date: 24/10/2022
• What the ISO/IEC 27001 doesn’t cover: Areas not covered by ISO/IEC 27001 certification include specific business processes unrelated to information security, certain third-party services or suppliers, or compliance with other industry-specific regulations.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Organisations adhering to ISO 27001 establish robust information security practices. They develop policies aligned with ISO 27001 requirements, covering areas like access control, data protection, and incident response. Through risk assessments, they identify and prioritise security risks, implementing controls to mitigate them. Employees receive training on security policies and procedures to enhance awareness and compliance. Monitoring and review processes ensure the effectiveness of security controls, with regular audits and assessments conducted. A designated individual or team oversees the implementation and maintenance of the Information Security Management System (ISMS), reporting to senior management or the board. To ensure policy adherence, organisations employ various mechanisms such as audits, reviews, and ongoing monitoring. Non-compliance issues prompt corrective actions and improvements to the ISMS. By following these practices, organisations demonstrate their commitment to information security and continuously strive to enhance their security posture in line with ISO 27001 standards.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Creative Network's have in place a Change Management Process that follows the ISO 20000 Standard. A change is proposed with the Change Manager and then added to the Changes-overview. The change is scheduled to be executed and a roll back plan is created (if necessary). Rollback is actioned immediately upon confirmation as per following the rollback matrix, resources are freed and announcements are published. Periodically, the overview of archived changes is checked.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Creative Network's have a Vulnerability Management process that implements the following: Receives information about zero day threats from the National Cyber Security Center; Subscribe to newsletters from vendors and used products, in contact with special interest groups; Technical vulnerabilities are handled either using the Incident management process or the Change management process; Patches are tested following the Installation of software on operational systems.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: All devices have a monitoring agent on them which can identify potential issues and report back to our service desk. If an issue is identified we have an internal 4 hour SLA to ensure remedial actions are carried asap, the seriousness of an incident will be assessed on discovery so that any priority issues can be responded to quickly. We have multiple alert systems in place and monitor them constantly. We exclusively use Linux for phone system hosting. We automatically patch daily as and when required.
• Incident management type: Supplier-defined controls
• Incident management approach: Fully developed Business Continuity and Disaster Recovery management process developed in line with ISO 22301. Creative Network's have a pre-defined Incident Management Process in place where by an incident is reported with the Incident Manager and then added to the Incidents-overview. After which, relevant log files (from all systems affected) and evidence is gathered. The incident is corrected by implementing a patch, temporary fix or workaround. It is determine whether future occurrences of the incident can be prevented, e.g. by modifying/strengthening one or more controls. Periodically, the overview of archived incidents is checked for apparent trends and effectivity of corrections.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  CSPM services assist organisations in optimising their cloud infrastructure, reducing energy consumption and carbon emissions linked with inefficient data centres. Through automated monitoring and remediation, CSPM aids in resource optimisation, supporting energy efficiency and sustainability initiatives.

  Covid-19 recovery

  Amid the Covid-19 pandemic, there's been a significant shift towards remote work and digital reliance. CSPM services secure this digital transition, safeguarding remote workers and sensitive data from cyber threats. By ensuring security and compliance, CSPM aids businesses' resilience and continuity during recovery phases.

  Tackling economic inequality

  Access to secure cloud services can help bridge the digital divide by offering affordable and scalable infrastructure for organisations of all sizes, including small businesses and non-profits. CSPM services ensure even resource-constrained entities can use the cloud securely, enabling them to compete equally with larger enterprises.

  Equal opportunity

  Secure cloud infrastructure creates a fair platform for innovation and entrepreneurship, fostering equal opportunity for individuals and businesses in the digital economy. CSPM services contribute by mitigating security risks and enabling organisations to focus on innovation and growth without security concerns hindering them.

  Wellbeing

  Ensuring cloud environments' security and compliance enhances overall wellbeing by protecting sensitive data and mitigating cyber threats that could result in financial or reputational harm. By providing peace of mind and reducing the likelihood of security incidents, CSPM services promote a safer and more secure digital environment for individuals and organisations alike.

Pricing

• Price: £1,500.00 to £2,000.00 a licence
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at aj@creative-n.com. Tell them what format you need. It will help if you say what assistive technology you use.