SAPPHIRE TECHNOLOGIES LIMITED

GRC Tool

An online tool that allows organisations to self-assess and manage their compliance against cybersecurity and information standards such as ISO:27001, CIS Controls, PCI DSS, NIST, and NIS Directive, providing real-time visibility of their cybersecurity posture.

Features

• Real-time visibility via a live dashboard
• Reporting with sorting and filtering functions
• Task generation with email capabilities
• Simple action creation using Action Manager
• Risk Assessment module

Benefits

• Self-assess and manage standard conformance
• Quickly complete assessments through use of intuitive workplan system
• Provide conformance reporting for Boards, Regulators, Auditors, Risk Managers
• Easily identify and prioritise mitigation and remediation activities
• Demonstrate improvement or highlight risks

£1,950 a licence a year

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@sapphire.net. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

423245958445518

Contact

Katie Smith
0845 58 27001
info@sapphire.net

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: None.
• System requirements: None

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: 08:30 till 17:00 Monday to Thursday and 08:30 till 16:30 on Friday, excluding Bank Holidays.
• User can manage status and priority of support tickets: No
• Phone support: No
• Web chat support: No
• Onsite support: No
• Support levels: Sapphire provides best efforts support and guidance in the usage of the platform. This is as opposed to support in the completion of the questions of the chosen standard, which would only be available as part of combined consultancy purchased separately.; ; Sapphire will not have visibility of the customer's instance of the SAM platform unless a customer has given 3rd party authority for Sapphire to have access as part of a consultancy project.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: A video demonstration of the platform (using a specific Framework as an example) is provided to the user in the first instance, which will support general understanding of how it works and its capabilities.; ; At the point of sale, basic customer information is obtained, including customer logo if required, and any authority from the customer for 3rd party access, all of which is supplied to vendor. A customer profile linked to the required framework is created on the SAM platform by the vendor, who sends the account information directly to the customer.; ; The platform is intuitive but should support in its usage be required, this is available via a Support email on the platform. Best efforts guidance is provided by Sapphire where they have not been provided with 3rd party access at the customer's request.
• Service documentation: No
• End-of-contract data extraction: The full Compliance report can be exported in a CSV file. Full Compliance is captured monthly, and the most current and historic reports can be extracted/exported at contract end.
• End-of-contract process: The price paid is a on a subscription per framework basis and the price paid is for access to the requested framework on the GRC tool. Subscriptions are annual and expire on the annual anniversary unless pro-rated to align with an entity’s existing expiry date. ; ; Subscription renewal notifications will be sent to the customer 50 days prior to the expiry date. A further reminder renewal notification will be sent to the customer 20 days prior to the expiry date if the subscription has not been renewed. Access is revoked is the subscription is not renewed.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: SAM works very well on mobile devices and uses adaptive code. But it would be less user friendly on a mobile phone due to the quantity and type of information displayed on the platform.
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: Yes
• Description of customisation: Content of an existing framework can not to added to or changed as they are all pre-defined but it is possible to create a framework especially customised for the user.

Scaling

• Independence of resources: The software operates on hyper scale cloud with replication and so can be expanded easily. We also use geographic scaling in that our customers are global for this platform hence load is distributed through usage from differing time zones.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Reseller (no extras)
• Organisation whose services are being resold: SAM for Compliance

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: Other locations
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: No
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: The full Compliance report can be exported in a CSV file. Full Compliance is captured monthly, and the most current and historic reports can be extracted/exported in this way.; Notes, tasks and actions reports are simply extracted by copy and pasting into Excel.
• Data export formats:
  • CSV
  • Other
• Data import formats: Other
• Other data import formats: There is no upload function as there is no requirement

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: We operate OLA only for availability
• Approach to resilience: Available on request but based on hyper scale cloud
• Outage reporting: We only report outages when customers contact to report problems.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Username or password
  • Other
• Other user authentication: Multi-factor authentication will be available from November 2024
• Access restrictions in management interfaces and support channels: Access to the platform is provided by the 3rd party supplier to a super user within the customer organisation. That super user is then responsible for providing access to only those that require it. In all cases, access is controlled by email and password verification.
• Access restriction testing frequency: Never
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 6 months and 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 6 months and 12 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: SGS
• ISO/IEC 27001 accreditation date: 12/09/2023
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Sapphire are ISO27001 and Cyber Essentials+ certified.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: The service runs as a Web App on a managed service platform. Any changes to the application are subject to an in-house peer review process prior to being handed over to an external developer for coding. Changes are tested with a development system prior to live deployment. Where the peer review process determines that user access control or identity management may potentially be impacted then an external penetration test is required prior to the code being enabled for use on the live service. All code changes are recorded within a code repository and a backoff mechanism is available if required.
• Vulnerability management type: Undisclosed
• Vulnerability management approach: Our penetration and threat hunting team will verify these on our behalf
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: In this instance we are reliant on the hyper scale cloud provider protective monitoring
• Incident management type: Undisclosed
• Incident management approach: We are reliant on hyperscale cloud provider for this feature

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  We make sure that we recycle where we can and take appropriate modes of transport to get to clients. Our offices in Darlington and Glasgow are easily accessible by public transport meaning that many of our colleagues go to an office by these means. For other colleagues, we offer remote working, and colleagues are able to attend an office when they need We are pricing our services to encourage customers to prefer remote access and remote working where possible. One of Sapphire staff is undertaking a part time PHD studying the carbon consequences of cyber crime and it’s mitigation which is inclusive of Sapphire customers and partners.

  Covid-19 recovery

  We have encouraged our staff back to office working especially in the SOC which runs 24*7 shift patterns. We have recently engaged in local communities by hiring space in local charity buildings for company meetings as in house face to face meetings. We have performed pro-bono work with charities to check their security status and help them move onwards from Covid in the face of increased cyber attacks on charities.

  Equal opportunity

  We have an Equal Opportunities policy which everyone in Sapphire adheres to. We are currently at 29% of females in our organisation, a number that has grown over the last few months. Our recruitment processes allow us to interview the best people for the roles we have available, and we insist on 50:50 short-lists for all roles. We value the views of others and see as a strength our openness to challenge. We employ military reservists, and are supportive of their overseas deployment commitments on behalf of HM Government. Recently we have signed documentation to join the NCSC Cyber First scheme to help young people especially women and girls to join the ranks of cyber professionals. We also mentor young people who are keen to move into cyber at some stage in their career.

  Wellbeing

  We take the wellbeing of our colleagues seriously; we offer an Employee Assistance Programme, have health cover, a pension scheme and Life Cover. We also provide opportunities for colleagues to Give Back to local projects/schemes and they can use a day a year to do this.

Pricing

• Price: £1,950 a licence a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: On the vendor website, there is an option to request a demo. When making that request, the user should select the 'Request A Seven Day Evaluation Account' from the options presented. The user also selects the framework that they wish to trial.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@sapphire.net. Tell them what format you need. It will help if you say what assistive technology you use.