ITHQ LTD

Rapid7 InsightVM Continuous Vulnerability Assessment

InsightVM provides highly available, scalable & efficient vulnerability assessments and risk scoring. InsightVM discovers vulnerabilities in real-time and prioritises them for your team with executive reporting to ensure you're actually reducing risk across your organisation. Provides automated reporting and workflows on compliance SLAs, based on risk and priority.

Features

• Real Risk Prioritisation
• Live Dashboards
• IT-Integrated Remediation Projects
• Cloud and Virtual Infrastructure Assessment
• Container Security
• Integrated Threat Feeds
• Goals and SLAs
• Policy Assessment
• Automation-Assisted Patching
• Automated Containment

Benefits

• Actionable vulnerability intelligence
• Risk prioritisation
• Remediation assistance and automation
• Integration with ticketing systems to drive workflows
• Highly scalable

£9 to £30 a device a year

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bidteam@ithq.pro. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

434450412921543

Contact

Dale Nursten
02039977979
bidteam@ithq.pro

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Integrates with Rapid7 InsightIDR to provide risk intelligence to SIEM / SOAR data.
• Cloud deployment model:
  • Public cloud
  • Hybrid cloud
• Service constraints: Console/Engine has a minimum requirement of a dual-core processor with 8GB RAM and 100GB of HDD. This will allow you to scale to ~1000 assets. Further hardware configurations are available for up to 400,000 assets.
• System requirements: https://www.rapid7.com/products/insightvm/system-requirements/

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: S1 - Critical - <2 hours S2 - High - <4 business hours S3 - Medium - <12 business hours
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Customer Support Levels: https://www.rapid7.com/globalassets/_pdfs/whitepaperguide/rapid7-customer-support-guidebook.pdf/; ; Technical Account Management: https://www.rapid7.com/contentassets/27cecc8df3274f698972f0c2a69e6b40/rapid7-technical-account-management-support-brief.pdf/
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: ITHQ will support the on-boarding of the solution with an agreed Scope of Works document customised to meet the customers' requirements.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Data export tools within the platform.
• End-of-contract process: At the end of the contract the customer will be offered the option of extending their subscription or ceasing to use the platform.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: Yes
• Compatible operating systems:
  • Linux or Unix
  • MacOS
  • Windows
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: N/A
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: InsightVM offers the InsightVM Application Programming Interface (API) Version 3. This API supports the Representation State Transfer (REST) design pattern. Unless noted otherwise, this API accepts and produces the application/json media type. This API uses Hypermedia as the Engine of Application State (HATEOAS) and is hypermedia friendly. All API connections must be made to the security console using HTTPS.; Documentation for the RESTful API Version 3 is available here: https://help.rapid7.com/insightvm/en-us/api/index.html
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
  • PDF
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: InsightVM is highly configurable to meet specific customer requirements. Users can customise dashboards, reports, scan schedules, scan templates, configurate and compliance policy templates, alerts, sites, asset groups, role based access controls, and more. ; ; Customisation will be discussed and agreed as part of a Scope of Works document with ITHQ around the integration with external systems and any customised reporting or alerting required by customers.

Scaling

• Independence of resources: Cloud components are hosted in AWS. Rapid increases in CPU, memory, storage, and networking capacity are performed on demand to meet the scaling and performance needs of enterprise customers. There are currently more than 9000 customers using the platform globally.

Analytics

• Service usage metrics: Yes
• Metrics types: All logins and changes are audited and available in reporting.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Rapid7

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: InsightVM supports data exports, real-time alerts, scripted API integrations to deliver results and coordinate activity between these solutions. Depending on the type of integration desired and the solution in place, InsightVM data can be delivered and custom functionality can be created enabling integrations.; InsightVM provides a variety of reports in parseable formats. Reports can be created for human delivery in PDF, RTF, Text, HTML, and XML, or in parseable formats including CSV export, a variety of XML exports, and direct-to-database export. Report content is based on the report template selected as well as filter criteria for vulnerability types and severities.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • PDF
  • XML
  • RTF
  • HTML
  • Multiple machine readable formats (CSV etc)
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: During the term of Customer’s subscription, the Service will perform in accordance with and subject to this Service Level Agreement (“SLA”). Rapid7’s target is 100% System Availability. If the System Availability during a given month is less than 99.95%, Customer may be eligible for a credit (“Service Credit”), which is the sole and exclusive remedy for any failure to meet the SLA.
• Approach to resilience: Rapid7 maintains a Business Continuity Plan for the Insight platform. The primary goal of this plan is to ensure organizational stability, as well as coordinate recovery of critical business functions in managing and supporting business recovery in the event of disruption or disaster. Thus, the plan accomplishes the following: • Ensures critical functions can continue during and after a disaster with minimal interruption; • Identifies and decreases potential threats and exposures; and • Promotes awareness of critical interdependencies. We can share a high-level overview of our Business Continuity Plan for the Insight platform upon request.
• Outage reporting: Service status is available at status.rapid7.com. Users may elect to subscribe to notifications from this site.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: All access is granted through role-based access controls and utilises a least privilege and zero trust approach. Members of the team using InsightIDR can be made Administrator (full access), Investigator (Incident-only access), or Read Only. These roles will limit the functional access of the user, but will not restrict the data that is accessible in InsightIDR. Creating this three-level structure allows interested members outside of the security team to gain insight into the network and view incident alerts without disrupting the workflow of others.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: QMS International Ltd
• ISO/IEC 27001 accreditation date: 15/03/2022
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: The Insight platform is hosted by AWS. All AWS compliance and audit reports, including SOC 2, SOC 3, FedRAMP Partner Package, ISO 27001:2013 SoA etc. are easily accessible; ; SOC2 Type II; HIPAA; GDPR
• Information security policies and processes: The Information Security team distributes relevant policies internally upon hire, including the Rapid7 Acceptable Use Policy, which addresses the following standards: Asset Usage, Data Protection, Secure Access, Software Usage, Monitoring, Loss and Theft, and Physical and Computer Security. The Information Security and Information Technology groups are responsible for monitoring compliance with data security policies and procedures. Users found in violation of information security policies may be subject to disciplinary action, up to and including termination of employment and legal action. When required, Information Security will work with Legal and People Strategy to address any instance of noncompliance.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Rapid7 applies a systematic approach to managing change so that changes to services impacting Rapid7 and our customers are reviewed, tested, approved, and well communicated. Separate change management processes are in place for corporate IT systems and Insight platform systems to ensure changes are tailored to the specifics of each environment. The goal of Rapid7’s change management process is to prevent unintended service disruptions and to maintain the integrity of services provided to customers. All changes deployed to production undergo a review, testing, and approval process.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: The Information Security team continuously monitors Rapid7’s corporate IT and Insight platform environments for system vulnerabilities in accordance with formally documented vulnerability management processes and procedures. Information Security conducts network and agent-based vulnerability scans of these environments on a continuous basis using InsightVM, with new vulnerability results coming in daily or weekly. Information Security partners with Rapid7’s Managed Vulnerability Management team to augment our vulnerability management processes.Rapid7 also utilizes InsightAppSec and Information Security partners with Rapid7’s Managed AppSec team to monitor Insight platform and Rapid7 web properties for web application vulnerabilities.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: The Platform Security team ensures security is built into our products by providing security requirements, code analysis, and infrastructure configuration monitoring throughout multiple stages of our software development lifecycle
• Incident management type: Supplier-defined controls
• Incident management approach: Rapid7 uses InsightIDR to monitor on-premises and cloud environments for security incidents. Information Security partners with the MDR and Incident Response services teams to augment Rapid7’s incident response program. InsightIDR alerts are regularly reviewed by analysts and escalated via a paging system when indications of potentially malicious activity are detected.Rapid7 maintains a formal Incident Response process for analysis, containment, eradication, recovery, and follow up in the event of a security incident. Rapid7 will notify customers of any breaches affecting their data within 48 hours. For other breaches, Rapid7 will follow internal policy and all applicable federal, state, and local laws

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Tackling economic inequality
  • Equal opportunity

  Tackling economic inequality

  ITHQ runs a corporate social responsibility programme called Life In IT in South East England. Life In IT allows us to recondition tech devices donated from businesses headed for disposal and pass them on to local non- profit organisations that put them to great use. Schools in particular are now benefitting from free technology that creates fresh learning opportunities through increased access to education platforms for more students.

  Equal opportunity

  To specifically address equal opportunity, our Life In IT programme prioritises collaboration with schools that support students from diverse backgrounds, including low-income families, minorities, and those with disabilities. We provide customised technology solutions that cater to a wide range of learning needs and styles, thereby ensuring all students have the opportunity to succeed. By doing so, ITHQ is committed to creating a more inclusive educational environment where every student, regardless of their socioeconomic status or background, can benefit from equal access to high-quality digital education.

Pricing

• Price: £9 to £30 a device a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bidteam@ithq.pro. Tell them what format you need. It will help if you say what assistive technology you use.