Zenzero

Qualys Vulnerability Scanning

Comprehensive vulnerability scanning including internal, external, network, application, compliance and agent-based scanning. Powered by Qualys, our scanning provides continuous assurance, identifies potential security weaknesses and threats across assets and provide actionable remediation advice.

Features

• Utilises industry leading vulnerability scanning solution
• Multiple vulnerability scanning deployment options
• Customisable scanning frequencies
• Dashboard reporting for vulnerability scan and remediation metrics
• Option to include 3rd party patching add-on

Benefits

• Real time visibility of organisational security posture
• Threat intelligence and early threat detection
• Enhanced reputation management
• Improved detection and response
• Adherence to compliance standards
• Assessment frequency customisation to suit organisational requirements
• Service driven by proven expertise in managed assurance
• Cost effective and scalable across all business sizes

£4.99 to £14.99 a user

• Education pricing available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at hello@zenzero.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

315590891052906

Contact

Adam Crossling
03333209900
hello@zenzero.co.uk

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Qualys Patch Management can be procured as an additional option allowing for the quick and efficient deployment of security patches in line with compliance mandated timeframes.
• Cloud deployment model: Public cloud
• Service constraints: No
• System requirements:
  • Agent must be able to reach Qualys Platform over HTTPS
  • Agent installation required admin privileges
  • Cloud agent requires 512 MB of RAM
  • Patch Management requires 1GB of RAM
  • Minimum 200 MB of available disk space

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Zenzero’s Microsoft certified, UK-based IT helpdesk provides unlimited support to customers 8:00-18:00, Monday to Friday via phone, email, and our website. In addition to this, we provide 24/7 out-of-hours emergency support as required. The majority of queries and issues we receive can be resolved remotely by our IT service desk, ensuring a fast, efficient response. For more complex issues, we can quickly arrange for onsite IT support from one of our experienced, friendly IT technicians. Business critical incidents are picked up within an hour. Medium severity within 4 hours and low priority on next business day. Support is available 24/7/365.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 A
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Zenzero’s Microsoft certified, UK-based IT helpdesk provides unlimited support to customers 8:00-18:00, Monday to Friday via phone, email, and our website. In addition to this, we provide 24/7 out-of-hours emergency support as required. The majority of queries and issues we receive can be resolved remotely by our IT service desk, ensuring a fast, efficient response. However, for more complex issues, we can quickly arrange for onsite IT support from one of our experienced, friendly IT technicians. We offer Technical Account Managers and Customer Success Managers to act as your primary point of contact for operational and procurement support. They will work with you on your cloud roadmap and help the organisation to achieve it's objectives. Support pricing is bespoke and tailored to the specific requirements of the buying organisation.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Full user documentation is provided.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: All data resides within the Qualys platform and can be extracted in a variety of formats where required e.g. CSV, XML, PDF, DOC, HTML.
• End-of-contract process: All pricing is identified for the duration of the contract (with the exception of any licence increase imposed by our suppliers).

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: Yes
• Compatible operating systems:
  • Linux or Unix
  • MacOS
  • Windows
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: WCAG 2.1 A
• Description of service interface: [11:42] Adam Crossling; The service interface is via the myZenzero support portal where users can access ticket information, raise new tickets, provide updates on existing cases and close tickets. Notifications from Zenzero will also be received via the myZenzero service portal. Communication with end-users is via telephone where needed, ticket updates for passive comms and via portal to ensure users always know the latest updates on their requests.
• Accessibility standards: WCAG 2.1 A
• Accessibility testing: To ensure accessibility standards for our service interface, several types of interface testing have been performed including Text Resizing, Focus Indicator Testing and Responsive Design testing.
• API: No
• Customisation available: Yes
• Description of customisation: Vulnerability management dashboard and scan frequency can be configured.

Scaling

• Independence of resources: Qualys dynamically allocates resources based on demand. As scanning requirements fluctuate, Qualys has the ability to quickly scale up or down its infrastructure to accommodate the workload.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Qualys Vulnerability Scanner

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: On request via the Service Desk.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • XML
  • PDF
  • HTML
  • DOC
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Qualys is available 24x7x365 and maintains 99% availability.
• Approach to resilience: Qualys employs a redundant architecture and distributes services across multiple data centres and regions to minimise the risk of single points of failure. Regular data backups are performed to ensure data integrity and rapid recovery in case of disasters.
• Outage reporting: All outage alerts are reported via email. ; ; Furthermore, the status of the Qualys service can be monitored at https://status.qualys.com.

Identity and authentication

• User authentication needed: Yes
• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: Access to management interfaces is confined solely to trusted IP addresses and clearly defined Role Based Access Controls restrict access to individuals who specifically need access to functionality or data.
• Access restriction testing frequency: At least every 6 months
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 02/07/2023
• What the ISO/IEC 27001 doesn’t cover: All sites other than London and Coventry
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: ISO27001

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Any configuration changes within the Qualys platform are documented within the Ticketing system and communicated to relevant stake holders for approval prior to any scheduled changes. All changes are documented.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Potential threats are assessed via continuous internal, external, application, network and agent-based vulnerability scanning, supplemented via regular penetration testing.; ; Identified vulnerabilities are prioritised based on factors such as severity, potential impact and likelihood of exploitation. Remediation, including the application of security patches, is performed in a timely manner after evaluation and testing, typically shortly (< 24 hours) after vendor patch release.; ; Threat data is procured from a number of third party sources and integrated into our vulnerability management process.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Zenzero utilise our in-house Security Operation Centre to monitor all systems for potential compromises using a combination of automated monitoring tools and manual security assessments.; ; When a potential compromise is detected, our incident response team, consisting of experienced security analysts, investigates further. Depending on the nature of the compromise, response actions may include isolating affected systems, disabling compromised accounts, and implementing further containment measures.; ; Critical and high priority incidents are actioned immediately.
• Incident management type: Supplier-defined controls
• Incident management approach: Zenzero have pre-defined incident response playbook for common incidents outlining step-by-step procedures for addressing various types of events. Our processes are regularly reviewed and updated and align with industry best practices.; ; Users can report incidents through multiple channels including email, our IT service desk or via our security operations centre.; ; Throughout the incident lifecycle, and on resolution, regular communication and updates are provided to all stakeholders, culminating in an incident report detailing the timeline, impact, root cause analysis, actions taken, and lessons learned.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Zenzero is actively engaged in Environmental, Social, and Governance (ESG) work, demonstrating a strong commitment to sustainability and ethical practices. They are in the final stages of being a certified B Corporation, which means they meet high standards of social and environmental performance, accountability, and transparency. As part of their ESG efforts, Zenzero has joined the Tech Zero taskforce, aligning with other tech companies to tackle the climate crisis and drive progress towards net zero carbon emissions. They have pledged to become carbon neutral by 2027 and are implementing measures such as an electric vehicle salary sacrifice scheme and cycle to work schemes to reduce their travel emissions.

  Covid-19 recovery

  Covid-19 recovery During COVID 19 to support our workforce, we held (and continue to hold) regular team huddles and one-to-one calls via Microsoft Teams to check in with staff and understand the state of their wellbeing. This included ensuring that the environments they were working in were suitable and supportive. We are proud of the pastoral care we provide to our employees, particularly the younger members of staff and those who do not have a family around them that can operate as a support group. We provide all staff with private medical care via Vitality. These services provide them with full private healthcare benefits, including access to a mental health helpline and a range of complementary therapies, including holistic therapies. We regularly supports charitable organisations and educational establishments through donations of either money or end of commercial life IT equipment. For example, we have donated a number of reconditioned systems to a school in Kenya. Furthermore, we work with a number of local entrepreneurs who own small businesses, supporting them through employment opportunities, mentoring, and knowledge sharing.

  Tackling economic inequality

  Tackling economic inequality Zenzero regularly take on board apprentices and will continue to do. Some of our previous apprentices are still with the company and hold roles such as: technician, systems administrator, helpdesk team leader, and head of technical. Furthermore, to support our growth we have 27 open vacancies across all regions. Zenzero is an equal opportunity employer. Every employee benefits from a personalised training matrix that enables us to track their development and ensure they receive all the training required to perform their role to the highest possible standard. The scope of this internal training includes working with our primary software providers to help staff gain accreditation and degrees, including with Microsoft, as Zenzero is a Microsoft Solutions Partner. Furthermore, Zenzero encourages staff to pursue any additional QA training courses that will further develop their skills and knowledge.

  Equal opportunity

  Equal opportunity Zenzero is an equal opportunities employer and welcome applications from people from all backgrounds and experiences, including individuals with disabilities. All staff receive equality, diversity & inclusion (EDI) training, and any employee whose role includes conducting interviews also undergoes training on disability sensitivity. We are committed to supporting disabled employees with any reasonable adjustments they require, including: -Assistive technology, -Non-medical assistive support, such as ergonomic chairs, desks, and mice & keyboards, -Flexible working hours in order to accommodate their needs within the scope of our operations. Requests for reasonable adjustments are voluntary and confidential, and we will work closely with any employee who requests them to provide the support and accommodation necessary to enable them to fulfil their role. Zenzero has a multicultural workforce, with employees from a range of races, religions, and other protected characteristics under the Equality Act 2010. We are committed to providing all staff with the same support, guidance, and opportunities for development, and have procedures in place to prevent discrimination and promote EDI. Harassment or victimisation of any kind are not tolerated and will result in swift and severe action. We are also in the process of gaining Investors in People accreditation.

  Wellbeing

  Wellbeing To support the wellbeing of our workforce, Zenzero holds regular team huddles and one-to-one meetings to check in with staff and understand the state of their wellbeing. During the COVID-19 pandemic, these were conducted via Microsoft Teams, but we are now also introducing in-person meetings/huddles. During the pandemic, these calls including checking in with staff to ensure that the environments they were working in were suitable and supportive. We are proud of the pastoral care we provide to our employees, particularly the younger members of staff and those who do not have a family around them that can operate as a support group. In order to protect both their physical and mental wellbeing, we provide staff with private medical care via Vitality. These services provide them with full private healthcare benefits, such as access to a mental health helpline and a range of complementary therapies, including holistic therapies. We encourage staff to play a positive role in the community, and support them with knowledge & expertise, equipment, and money, as necessary, to enable them to do so. Additionally, Zenzero holds regular social events for all teams and regions globally to create a positive and fun working environment.

Pricing

• Price: £4.99 to £14.99 a user
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at hello@zenzero.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.