Capgemini UK plc

SYNERGi GRC

IRM's SYNERGi Platform provides a cost-effective and comprehensive GRC software solution for rationalising IT GRC, managing cyber risk, incident & vendor management, and meeting regulatory requirements not limited to IS1, IS2, ISO27001/2, PCIDSS, ISO31000, DPA/GDPR, BIA, PIA, ISO, NIST, SANS 20, CIS, SOX, 22301/BS25999, SPF, Asset Management, CTAS, HIPAA, ISO27005.

Features

  • Supports Accreditation, Clustering, SPF and Departmental Security Health Check requirements
  • Populated with industry standards (ISO27001, NIDS, Compliancy and NIST)
  • Six modules (Governance, Risk, Compliance, Audit, Vendor and IT Security)
  • Unlimited user licence arrangement
  • Only UK cyber essentials certified software platform
  • Operational Risk Compatible
  • SaaS and On-Premise Deployment
  • Real-Time Reporting and Dashboard
  • Pentesting
  • Award winning platform

Benefits

  • Consistent Risk Framework aligned to IS1, IS2, ISO27005 and ISF
  • Intuitive and simple user interface
  • Able to orchestrate and manage task management
  • Central Repository for Policy, control and evidence management
  • Only UK platform certified by the NCSC for Cyber Essentials
  • Scalable to meet current cyber maturity
  • Delivered by IRM's GRC Consultants
  • Proven track record across multiple HMG Departments

Pricing

£22,000 a licence a year

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at hello@irmsecurity.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

287961848499408

Contact

Capgemini UK plc Matt Griffiths
Telephone: 01242 225200
Email: hello@irmsecurity.com

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
We no longer support IE 7/8/9/10.
System requirements
Latest web browser for IE, Chrome and Firefox

User support

Email or online ticketing support
Email or online ticketing
Support response times
Within 24 hours, first working day if received on weekend.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Onsite support
Support levels
All support calls are sent to a support engineer. All calls are prioritised, upon receipt, by IRM and resources allocated to meet the definition of the SLA. Support is included with the licence cost and there are no additional costs.

IRM will provide quarterly technical account review meetings to capture and monitor service level disputes. If IRM is unable to resolve these in a reasonable time frame, IRM will discuss options for service level credits and options for determination of the contract.

You will have the right to terminate your Master Subscription Agreement with us in the event (a) Service Availability of the solution drops below 98% for two months in a rolling 6 month period, or (b) there are more than two (2) Priority 1 matters that are not resolved within the Target Resolution Time or three (3) Priority 2 matters that are not resolved within the Target Resolution Time in a six (6) month rolling period. If you elect to terminate under any of these circumstances, we will refund a pro-rata portion of the pre-paid fees for the unused portion of the term of the Master Subscription Agreement.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
IRM provide a professional services work package called QuickPath. It covers project management, configuration, library load, training and reporting. This is supported by an online and offline user manual.
Service documentation
No
End-of-contract data extraction
This information can be downloaded from the system. IRM will support this process and provide all data in an executable SQL file.
End-of-contract process
At the end of the term, IRM will continue to support the client until written confirmation has been provided that the customer instance can be closed down. If this lasts more than 30 days, IRM will charge a monthly pro-rata licence rate.

Using the service

Web browser interface
Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
There are no differences between the two. As long as a user has a web browser they can access and operate SYNERGi.
Service interface
No
User support accessibility
WCAG 2.1 A
API
Yes
What users can and can't do using the API
SYNERGi has an API Management Interface that allows APIs to be installed. Available APIs include, but are not limited to, HPE ArcSight, PowerBI and SharePoint. A list of other APIs is available upon request.
API documentation
Yes
API documentation formats
PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Individual user interfaces, grid tables etc. can be bespoke to the individual. The platform can also have Custom Fields created, alongside Role creation that allows the configuration of visibility of data within the software.

Scaling

Independence of resources
Customers are provided with a dedicated environment. This covers a frontend web server and a backend MariaDB database. A sandpit environment is also provided and the service is load balanced. We also operate a fail-over service.

Analytics

Service usage metrics
Yes
Metrics types
SYNERGi provides a complete audit history of all usage and changes made by an end user. The metrics are not visually reported.

Furthermore, it has a powerful dashboard and reporting capability that supports all modules and standards activated. The reporting supports quantitative and actionable decision making.
Reporting types
  • Real-time dashboards
  • Regular reports

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
SYNERGi can generate backup files of your data on a weekly or monthly basis depending on your edition. You can export all your org’s data into a set of comma-separated values (CSV) files.
Data export formats
CSV
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
99.999%
Approach to resilience
We’re ISO 27001 Certified and as such we have an Information Security Management System (ISMS).

BCP plan is in place and was tested annually but a schedule is in place for quarterly tests. The tests are desktop reviews and scenario exercises. Due to the nature of IRM business operations a full invocation is not possible.

Primary Tier 1 Data Centre with a Secondary failover Tier 1 Data Centre. Failover to the DR site for test instances is scheduled biannually.

Backups are taken every 24 hours.
Outage reporting
Email Alert

Identity and authentication

User authentication needed
Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels
The software has a security domains feature that allows Role-based Access to be assigned across the platform. This can be provisioned for the management interfaces and support channels. The System Administrator/Operations Team are responsible for ensuring that logical access rights are up to date and maintained to:
  • The operating system;
  • The database;
  • The application
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Description of management access authentication
Organisations can limit the IP range from which access is possible

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
BSI
ISO/IEC 27001 accreditation date
31/01/2017
What the ISO/IEC 27001 doesn’t cover
It covers all operations
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
The Executive Board are responsible for ensuring that appropriate information security requirements have been considered and applied proportionately based upon legal and regulatory obligations, risk assessment and business needs and that legal and regulatory controls are identified, implemented and maintained throughout the company. A set of policies and procedures have been developed and are part of our JML process which is managed by HR and the relevant line managers.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Within the operational information systems changes are commonplace as part of normal business activity, however if they are not controlled effectively there is the potential for disruption to business operations and product delivery. The objective of IRM's processes is to make sure that all changes to the live systems and production environments are controlled and conducted properly. A formal policy covers the following headings and more detail across each section can be provided upon request:
1. Scope
2. Third Party Suppliers
3. Change implementation
4. System monitoring
5. Responsibilities
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
There is a formal process to test and approve all:
i. network connections
ii. Security monitoring and patching
iii. firewall and router configurations
b. Test for the presence of unauthorised wireless access points.
c. Internal and external network vulnerability scans
d. Quarterly vulnerability scans
f. Conduct internal and external penetration testing at least annually or after any significant infrastructure or application upgrade

We consume threat intelligence data and perform regular threat led risk assessments.

We create and maintain a plan with milestones to document remedial actions to correct weaknesses, vulnerabilities and deficiencies noted
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
a. Corporate networks incorporate tools (software and hardware based) for real-time monitoring, measuring and reporting of network connections and performance.
b. The use of network resources shall be monitored, tuned and used for making projections on future capacity requirements to maintain system performance for business operations;
c. Monitoring systems are capable of immediately providing at least three months of data for review with a minimum of one year availability off-line;
f. Upon detection of any event affecting the security of the corporate network, reporting and escalation actions in accordance with the Incident Response Management Policy.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Reporting security incidents and vulnerabilities is an important contributory factor to maintain the security of corporate information systems. Intelligence on the type and frequency of security incidents enables the company to continually monitor the effectiveness of the technical and procedural controls in place. The IRM policy covers the following headings and can be provided upon request:

1. Objective;
2. Scope;
3. Type of breach;
4. Incident description; and
5. Security Incidents, Events and Categories

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Social Value

Fighting climate change

The group has a long‐standing commitment to environmental sustainability, with a strategy focusing on managing and reducing our own environmental impacts and deploying our expertise in technology and business transformation to help clients address their sustainability challenges. Our Group environmental sustainability ambition is to be Carbon neutral no later than 2025 and transforming to net zero by 2040 as approved by SBTi.

We integrate sustainability into our existing structures and solutions where applicable with our impacts being calculated using our online carbon impact calculator, underpinned by our methodology.

PUBLIC AND HYBRID CLOUD:
Scalability can reduce the future need to replace hardware; increased efficiency reduces energy consumption; and pay per use encourages companies to only use what they require, increasing energy efficiency.

CLOUD APPS:
Cloud Native apps can be agile, flexible and scalable to a variety of innovative outcomes e.g. Smartly, facilitating electric vehicle charging. Direct energy reduction through efficient equipment.

APPS MASS MIGRATION TO CLOUD:
Assessment of where it is possible to retire and rationalise legacy applications, as well as reducing inefficiencies, lowering operating costs and enabling business model innovation. This could all reduce energy consumption across the estate.

ERP MIGRATION TO CLOUD:
Delivering operational efficiencies through the wider operations can lead to energy savings as well as cost and time across the business.
Covid-19 recovery

The group has implemented a flexible working policy allowing all our employees to request arrangements for hybrid working where appropriate in view of client and team requirements.

We have made strides in helping communities gain access and skills to cope with the situation. We forged a new collaboration with Digital Unite, a leading Digital Inclusion organisation in the UK. For over two decades the organisation has been helping third sector organisations build digital capacity by helping them recruit and train a network of ~4000 Digital Champions, who then directly engage communities and help tens of thousands of people to learn basic digital skills. We have also launched the Digital Futures initiative, spearheaded by our Cloud Infrastructure Services leaders and colleagues. The initiative is designed to help and support thousands of digitally excluded people in their journey to inclusion through digital literacy projects. Initiatives such as this are a testament to our collective commitment towards digital inclusion actions. The group aims to support digitally marginalised people through digital literacy programmes across the world.

The group Research Institute recently published “The Future of Work: From Remote to Hybrid” to specifically look at how changes to working practices driven by the pandemic are likely to persist and what these changes mean to organisations such as the group and our clients.
Tackling economic inequality

The group is committed to ensuring that digital transformation creates an inclusive and sustainable future for all. This means opening doors to technology careers for people who are currently far from the digital skills job market, such as refugees whose studies/career journeys have been interrupted.

We open up digital job opportunities by collaborating with CodeYourFuture. This UK-based non-profit organisation supports refugees/individuals, possibly at a disadvantage, to become software engineers.

The group plays an active role in creating a CodeYourFuture community of coders ready to help one another. Our employees volunteer to ensure practical access to working professionals through which students can gain clarity on what working in the tech sector is like. Sessions include homework clubs, immersion workdays at our offices, sharing insights into careers and pathways to get there, and we also offer one-to-one mentoring for programme participants. 500+ employees have volunteered their help (March 2022).

In 2021, the group sponsored 128 students and helped run four CodeYourFuture courses in London, Birmingham and Manchester. We also assisted classes in Glasgow with job opportunities and support from volunteers.

The group continues to offer Code Your Future insights into market demand based on what our clients are requesting, helping evolve the programme curriculum to best prepare graduates for employment. As of March 2021, the group has employed 53 Code Your Future programme graduates – helping us ensure we extend employment opportunities to individuals from disadvantaged backgrounds through this new recruitment channel.

Code Your Future graduates who have joined the group are now working on client assignments across the Public and Private sectors.

We support our charity partners to build their digital skills and increase their impact through digital transformation. In 2021-22 we completed a pro-bono project to improve the functionality and inclusiveness of the Future Steps fundraising App.
Equal opportunity

The group is a member of the Business Disability Forum that provides training, podcasts and comprehensive advice on conditions and adjustments. We hold a Disability Confident Employer badge, which recognises the group’s commitment to supporting team members with disabilities.

At the group we want technology to be an opportunity for everyone. As more services such as healthcare, housing, banking, shopping and education move online, it is critical that everyone can access them. We aim to inspire those at risk of being left behind, to build the digital skills needed for life and work.

Working closely with our partner Digital Unite we have developed a new model for corporate support of digital skills training in the UK. Previously digital skills training was not typically supported by corporate volunteers and instead led by charities and non-profits. Together we have created Inspire, a training programme to support the group employees to become Digital Champions. We developed and piloted the model in 2020, before rolling out Inspire across the group from January 2021. By embedding Champions within communities, people can more easily access regular support and have a more personal connection with those teaching them digital skills.

Inspire trains our employees on how to teach digital skills. The group employees, for example, have advanced technology skills but can lack knowledge and confidence on how best to share these with their families, friends and local communities. To change this, employees attend a ‘Digi Day’ session to learn about digital exclusion, complete training on how to share skills via an e-learning module, and are encouraged to make a pledge to help others.

The Inspire training gives our volunteers the ability to support individuals from any community and background as chosen by our volunteers and includes access to specific modules on digital skills and disability.
Wellbeing

The group is proud to be an accessible and inclusive organisation where people of all abilities want to work and collaborate: nothing is a barrier to success.

From the first stages of recruitment through to each working day with the group, support is always at hand. For team members with a disability, mental health condition or caring responsibility, our Disability, Carers & Allies employee network provides a space to meet others at the group and share advice, questions and experiences.

Here’s a snapshot of what we’ve achieved so far:
- The group has signed the Time To Change Employer Pledge: committing to continue building a working environment where employees feel able to talk openly and honestly about mental health – and know where to go when seeking help.
- We have educated and mobilised over 120 mental health champions to support colleagues.
- The group is a member of the Business Disability Forum that provides training, podcasts and comprehensive advice on conditions and adjustments.
- We hold a Disability Confident Employer badge, which recognises the group’s commitment to supporting team members with disabilities.
- Our commitment to supporting our people’s mental health has been recognised by Mind, who awarded us Silver in their 2017/18 Workplace Wellbeing Index.
- We are committed to raising awareness and supporting team members with hidden disabilities. We are also a member of The Hidden Disabilities Sunflower Campaign.

The group is putting a spotlight on invisible disabilities via a new campaign: ‘Now You See Me’. While raising awareness of a number of conditions, we will also be adopting the nationwide ‘Sunflower Scheme’ and looking at best industry practices to see where we can improve.

Pricing

Price
£22,000 a licence a year
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
All modules, support and maintenance and training are provided. This is typically delivered under a controlled Proof of Value for up to 60 days.
