Barrier Networks

SecurityScorecard - Cybersecurity Risk Ratings Platform

SecurityScorecard is a comprehensive cyber security risk ratings platform that continuously monitors the cyber security health of organisations to inform cyber security risk management. SecurityScorecard identifies public facing vulnerabilities that create a security risk. Use cases include self monitoring, peer bench-marking, third party risk management and cyber insurance.

Features

• Instantly identifies vulnerabilities, active exploits and advanced threats
• Protects your business and strengthens your security posture
• Gives insight into what a hacker sees
• View the security posture of your vendors and partners
• Provides and maintains compliance with regulations and standards
• Insight into Cyberhealth of potential mergers or acquisitions
• Streamline cybersecurity compliance and due diligence using Atlas
• Machine learning enables validation of vendor responses in near real-time
• Peer Benchmarking

Benefits

• Simple and easy to use interface
• Monitor all your partners and/or vendors from a single platform
• Aids collaboration with vendors to improve their security posture
• Streamline and improve your vendor risk management programme
• Largest database of scored companies provides detailed risk analytics
• Passive, non intrusive and continuous security assessment
• Reduce cyber insurance premiums

£8 a licence a year

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@barriernetworks.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

315057218328011

Contact

Iain Slater
0141 356 0101
info@barriernetworks.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: SecurityScorecard have developed a Splunk App which will allow you to extend your existing Splunk service.
• Cloud deployment model: Public cloud
• Service constraints: None
• System requirements: N/a

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Mon-Fri 9am-5:30pm excl bank holidays customers receive an initial response within one business hour
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: We provide support from priority 1 to priority 4 cases on any existing configuration or part of the platform that is in total or partial failure as well as not working as expected. We also provide configuration guidance and recommendations for use cases. Each customer receives their own Account Manager who works closely with Support and ensures that cases can be followed up. Barrtier's Support desk is available as a value added service in addition to the maintenance and support purchased alongside the license.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: You can request a free assessment of your own company. Once you have purchased relevant licences SecurityScorecard can be accessed via the browser by logging on with your personal credentials. Online Training can be provided.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: No proprietary information is stored. Users can extract Summary, Issues and Detailed reports on the companies they are monitoring
• End-of-contract process: At the end of the contract access to the platform will cease.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Firefox
  • Chrome
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: SecurityScorecard collect terabytes of data on 1m+ of entities worldwide. Their forward-based threat intelligence capabilities are powered by a proprietary sensor network that spans the globe. Their data science and machine learning capabilities transform that telemetry into intelligence that can be used to identify risks and prevent exploits. Through API Connectors, they make this data consumable by technology companies, insurers, rating agencies, security teams, and more.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• API sandbox or test environment: No
• Customisation available: No

Scaling

• Independence of resources: SecurityScorecard are continually monitoring and enhancing their platform to provide the highest levels of service to their customers

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Security Scorecard

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
• Data sanitisation process: No
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Data can be exported as .csv or .pdf
• Data export formats:
  • CSV
  • Other
• Other data export formats: PDF
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Service Provider’s goal is to achieve 99.9% Availability of the Services for its customers. If uptime for the Services is less than 98.0% for a given month of the Term, then Service Provider shall issue Customer a service credit (“Service Credit”) in accordance with the schedule below, with the credit being calculated based on the fees for month of the affected Services. “Availability” is defined as the 24/7 access to the web interface to the SecurityScorecard SaaS platform being accessible and users can log-in to the system. Availability excludes issues due to internet and/or connectivity.
• Approach to resilience: Resilience has been built into the design of SecurityScorecard's cloud based offering with failover and dynamic resource allocation available and utilised
• Outage reporting: SecurityScorecard may perform any standard maintenance, upgrades, replacement of hardware or software or any other like activity that may result in unavailability (collectively, “Scheduled Maintenance”). SecurityScorecard shall notify Customer in advance of any anticipated Scheduled Maintenance, and provide the date, time and expected duration. Such notice will be provided by email or web notification. Scheduled Maintenance shall not be included in the Uptime Commitment calculation. SecurityScorecard may also perform any maintenance reasonably necessary to fix critical Service functionality, security or other vulnerabilities or material defects that may substantially impair the usability or performance of the Services, to the extent such maintenance cannot reasonable be performed during the Scheduled Maintenance window (“Emergency Maintenance”). SecurityScorecard shall notify Customer at least 24 hours’ notice (or at least as much notice as is reasonably possible, where 24 hours is not commercially reasonable) of any Emergency Maintenance, including its date, time and expected duration. Such notice will be provided by email or web notification.

Identity and authentication

• User authentication needed: Yes
• User authentication: Other
• Other user authentication: SAML
• Access restrictions in management interfaces and support channels: Users are assigned access levels within SecurityScorecard. A user can either be Read Only, User or Admin
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • Public key authentication (including by TLS client certificate)
  • Username or password
  • Other
• Description of management access authentication: SAML

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • C2M2
  • BSIMM

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: ISO 27001 certification SOC2

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: SecurityScorecard adhere to industry good practise in terms of configuration and change management processes.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: SecurityScorecard not only provide security posture monitoring of thousands of companies worldwide but also use their own technology to monitor their own security posture. Regular internal vulnerability scanning is run and endpoint protection deployed
• Protective monitoring type: Undisclosed
• Protective monitoring approach: An automated or manually reported alert is sent. Once the incident has been acknowledged the first responder is responsible to triage the issue. For product related issues, there is a reference chart of team owners. For infrastructure related issues the incident will be escalated to either Infrastructure Services Team or the Site Reliability Engineering Team For security related incidents a conference bridge is opened and all members of the SecOps team attend. The IRT engineer continues to provide the high level updates to stakeholders. Once the incident is closed, the various parties work together to author the post mortem document.
• Incident management type: Undisclosed
• Incident management approach: Industry standard incident management processes are in place

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Equal opportunity
  • Wellbeing

  Equal opportunity

  • To create an environment in which individual differences and the contributions of all our staff are recognised and valued.; • Every employee is entitled to a working environment that promotes dignity and respect to all. No form of intimidation, bullying or harassment will be tolerated.; • Training, development and progression opportunities are available to all staff.; • To promote equality in the workplace which we believe is good management practice and makes sound business sense.; • We will review all our employment practices and procedures to ensure fairness.; • Breaches of our Equality Policy will be regarded as misconduct and could lead to disciplinary proceedings.; • This policy is fully supported by Senior Management.; • The policy will be monitored and reviewed regularly.

  Wellbeing

  • We promote an open, supportive company culture where employees look out for one another and feel comfortable discussing any difficulties. Mental health is valued equally to physical health.; • Employees have access to confidential counselling, therapy, and other mental health resources through our employee assistance program.; • We encourage taking time off when needed for mental health days in addition to sick days. Employees are trusted to manage their time off responsibly.; • Training is provided to managers on recognizing signs of burnout, ; work overload, and other mental health concerns. Managers work to ; proactively address issues and reduce employee stress.; • Employee workloads and schedules are designed to be reasonable ; and sustainable. ; • Wellness initiatives like meditation breaks, stress management ; workshops, mindfulness programs, and social events are offered ; throughout the year.

Pricing

• Price: £8 a licence a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Instant SecurityScorecard provides a free limited summary view into the security posture of your organisation that can be accessed every 30 days.
• Link to free trial: https://instant.securityscorecard.com/?custom_source=ssc_fp_free_score_button

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@barriernetworks.com. Tell them what format you need. It will help if you say what assistive technology you use.