BEYOND HOLDINGS LIMITED trading as Evouchers/Wonde

Secure Schools Online Cyber Security Auditing and Testing Platform

Secure Schools (part of Wonde Ltd) Online Cyber Security Auditing and Testing Platform enables schools and academy trusts to perform an independent review and assurance of their cyber risk.

Features

• Aligned with DfE and ESFA guidance
• Aligned with Cyber Essentials
• Overview dashboard
• Multi Academy Trust level access
• Internal audit of intentions, strategy and documentation
• Vulnerability assessments
• Technology or support provider access
• Customer support

Benefits

• Self-assessed review of cyber security risks
• Generate cyber security risk and compliance reports
• Demonstrate Cyber Essentials readiness
• Prepare for Cyber Essentials certification
• Prepare for Cyber Essentials Plus certification
• Provide assurance to school and trust boards
• Provide assurance to interested parties and regulators
• Provide IT teams with risk and compliance reports
• Perform cyber security due diligence

£299 to £859 an instance

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@wonde.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

482241464210139

Contact

Neil Roach
+44 1638 438094
tenders@wonde.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: No specific constraints at this time.
• System requirements:
  • Access to the internet
  • Supported web browser
  • Supported Operating system
  • Desktop device running Windows or macOS
  • Mobile device running Android or iOS

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within 24 hours Monday to Friday
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: Email or online ticketing support is included within the Secure Schools (part of Wonde Ltd) Online Cyber Security Auditing and Testing Platform service, with the use of telephone and video conferencing utilised where there is a technical requirement.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Secure Schools provides comprehensive documentation educating how users get started with the service. Documentation can be accessed through the Secure Schools Knowledgebase (https://help.secureschools.com/hc/en-gb). Telephone, email and web chat support is available from the Secure Schools support team if further support is required.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Data can be exported from the Secure Schools Cyber Security Auditing and Testing Platform at any time. Users are advised that they can export their data before a contract ends. Data is retained for the duration that the school is within contract and actively using the Secure Schools platform. Early deletion of data can be requested directly on the Secure Schools platform. Deleted data is held within backup to allow restoration to its original state if deleted in error. Following this period of backup, data is permanently deleted from our database.
• End-of-contract process: All end-of contract activities are included within the price of the contract. Customers will already have access to all data to be extracted download or export requests can be made for data extraction. Data is retained for the duration that the school is within contract and actively using the Secure Schools platform. Early deletion of data can be requested directly on the Secure Schools platform. Deleted data is held within backup to allow restoration to its original state if deleted in error. Following this period of backup, data is permanently deleted from our database. Customers should remove the Secure Schools software from devices once the contract has ended.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • MacOS
  • Windows
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: None
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Secure Schools (part of Wonde Ltd) Online Cyber Security Auditing and Testing Platform is accessed via web user interface, or mobile app, which allows authorised users to view the status and outcomes of school cyber security risk and compliance in policy, user behaviours and device configuration reviews. Access to restricted components of the interface is determined by the user's role.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: WAVE is a web accessibility evaluation tool, that provides visual feedback about the accessibility of our web content. For more detailed design checks, Secure Schools also use AXE guided (semi-automated) testing for accessibility checks of all our design changes.
• API: No
• Customisation available: No

Scaling

• Independence of resources: We use Microsoft Azure Infrastructure-as-a-Service and Microsoft Azure Platform-as-a-Service resources to host our services. As demand on our resources increases, or temporarily spikes, the resources temporarily; and automatically expand.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Schools can download their instance's data by using the 'export' button, or request an export of data by raising a support ticket.
• Data export formats:
  • CSV
  • Other
• Other data export formats: Microsoft Office File Formats
• Data import formats:
  • CSV
  • Other
• Other data import formats: Microsoft Office File Formats

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Secure Schools (part of Wonde Ltd) provides a 99.95% service availability. The Secure Schools SaaS platform is a cloud-based service utilising high-spec, high-capacity, fully-flexible cloud hosting services form Amazon Web Services. Any demand peaks placed on the service automatically triggers a temporary expansion of our data processing capacity, ensuring no disruption to service users. Service levels shall be agreed by us and service credits may be available under certain conditions.
• Approach to resilience: We follow the AWS Well Architected Framework. More details of the infrastructure available on request.
• Outage reporting: Any extended/major system outages are communicated via the online dashboard and email alerts to users.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: All users require a unique ID. Users can log in using SSO, or through the use of a login link sent directly to the users email. Management interfaces and Support Channel access is restricted to internal staff only and roles are in place to restrict users to only actions required for their job.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BM Trada
• ISO/IEC 27001 accreditation date: 20/10/2023
• What the ISO/IEC 27001 doesn’t cover: Our SOA excludes physical media and outsourcing development. We do not outsource development, and physical media is technically blocked within our infrastructure.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications: IASME Cyber Assurance L2 Audited

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: IASME Cyber Assurance L2, IASME Cyber Essentials Plus
• Information security policies and processes: Our security governance framework ensures that there are opportunities for security information, analysis, and decisions throughout the organisation at all levels. This enables us to obtain assurance that our security risks are understood, appropriately managed, and in line with business requirements. We have a dedicated internal security team who are responsible for designing and implementing policies determined necessary by our risk process. Policies are approved by the appropriate board member. We have documented internal information security policies and processes that are regularly audited internally and as part of our ISO27001 certification Policy compliance is enforced by technical control points where possible. We maintain a central Information Security Policy that all staff are provided with and required to read and agree to.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Secure Schools' (part of Wonde Ltd) configuration and change management approach utilises the policies, processes and controls stipulated under the ISO 27001 Information Security Management framework, against which Wonde are independently audited and certified annually. We have a documented Change Control process. This process requires that changes are prioritised in terms of benefits, urgency, effort required, and potential impact on operations. Following assessment, a change control process is put in place to ensure that changes proposed are reviewed, authorised, tested, implemented, and released in a controlled manner.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Secure Schools' vulnerability management approach utilises the policies, processes and controls stipulated under the ISO 27001 Information Security Management framework, against which Wonde are independently audited and certified annually. We are currently using Amazon Inspector for all production cloud workloads. An internal Vulnerability Management process is followed to assess vulnerability findings, and report these to the relevant team for remediation. SLOs are defined for vulnerability findings, depending on the CVSS score and other contextual information.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Secure Schools' (part of Wonde Ltd) protective monitoring approach utilises the policies, processes and controls stipulated under the ISO 27001 Information Security Management framework, against which Wonde are independently audited and certified annually.
• Incident management type: Supplier-defined controls
• Incident management approach: We have an internal incident management process which is communicated to all staff and provided on our company intranet. We have an internal incident reporting channel, where all forms of suspected incidents are reported. All incidents are then assessed by our Info Sec and Development Teams, following assessment, all incidents are assigned to an incident manager and a relevant ticket is created. Upon incident resolution, a post-mortem is held to document findings and methods to prevent future recurrence.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Secure Schools is part of Wonde Ltd, which demonstrates a steadfast commitment to combatting climate change and reducing carbon emissions through various initiatives. At the forefront of our efforts is the sustainable provision of goods and services, coupled with investments in low carbon digital innovation.; ; Our commitment extends to our office infrastructure, which operates solely on renewable energy sources, while our business travel is powered by electric vehicles, effectively mitigating our carbon footprint. Moreover, we have implemented a green procurement system, collaborating with suppliers to ensure that products are sourced sustainably and are recyclable, further contributing to environmental preservation. ; ; Aligned with governmental objectives to achieve ‘Net Zero’ carbon emissions by 2050, Wonde actively pursues our own in-house Net Zero journey. Our comprehensive Carbon Reduction Plan is readily accessible on all our websites, providing transparency and accountability. This plan outlines our strategies, targets, and actions to reduce carbon emissions across our operations. For detailed insights into our carbon reduction endeavours, stakeholders can access our Carbon Reduction Plan at www.wonde.com/wp-content/uploads/Wonde-Carbon-Reduction-Plan-v2023.pdf. ; ; Through these concerted efforts, Wonde remains steadfast in our commitment to sustainability and environmental stewardship, striving to make a positive impact on the planet for future generations.

  Covid-19 recovery

  Secure Schools is part of Wonde Ltd. Wonde understand that supporting impacted individuals and strengthening communities is a vital requirement for national Covid-19 recovery. Our Stakeholder Managers work directly with local communities, establishing priorities and requirements before co-developing a targeted Covid-19 Recovery Plans for review, approval and implementation. Aligned to our Sustainability Development Goals, we leverage our innovative technological capabilities to develop low cost, high impact solutions that respond to local needs, can be rapidly implemented and widely adopted.

  Tackling economic inequality

  Secure Schools is part of Wonde Ltd, which is dedicated to addressing economic inequality through various initiatives and collaborations aimed at empowering individuals and communities. As advocates for fair wages, we steadfastly support the National Living Wage, ensuring that our employees receive compensation that exceeds the prescribed threshold by an average of 63%. Recognising the significance of bridging the digital divide, Wonde actively engages with local stakeholders in communities facing this challenge. ; ; Through partnerships and initiatives, we facilitate the provision of digital skills training and support, offering local competitions, workshops, and educational materials. Our involvement extends to programs such as Kickstart and NetMatters, as well as initiatives like the Cambridge Norwich Tech Corridor, where we contribute to fostering technological literacy and advancement. Moreover, Wonde actively collaborates with organisations like 'Get with the Programme,' a charity dedicated to enhancing tech education by partnering with schools and businesses to deliver enriching learning experiences for students. ; ; In our commitment to fostering inclusive employment opportunities, Wonde offers apprenticeships and local job placements. Through partnerships with 40 local authorities and participation in government apprenticeship schemes, we actively work to improve pathways to sustainable employment, particularly for ethnic minority and disadvantaged groups. By providing apprenticeships and work experience opportunities, we aim to empower individuals with the skills and resources needed to thrive in the workforce and contribute meaningfully to their communities. ; ; Wonde remains steadfast in our dedication to tackling economic inequality, striving to create a more equitable and inclusive society for all.

  Equal opportunity

  Secure Schools is part of Wonde Ltd, which implements an inclusive recruitment practice, in line with the Public Sector Equality Duty Act, hiring employees across a broad spectrum of backgrounds and experience representing the communities and customers we work with. Wonde have a 50/50 male-female ratio, employ four military spouses as part of our Armed Forces Covenant pledge and support 10 employees requiring additional workplace adjustment.Wonde strives to create a healthy, supported workforce; with staff and client wellbeing at the heart of everything we do.

  Wellbeing

  Secure Schools is part of Wonde Ltd. Wonde ensures the wellbeing of our clients by actively supporting, promoting and creating opportunities for social value within each contract that we undertake, regardless of geographic location. For example, Wonde works with Plymouth Children in Poverty (PCIP), part of the Plymouth Drake Foundation. ; ; Wonde also deliver unclaimed food vouchers to food banks; and have already delivered thousands of these (at our expense) to local food banks across our client areas. Wonde have also run our own unique local Covid Scholars program that rewards commitment to excellence in School/Community/Sport. ; ; The wellbeing of our staff is supported by numerous employee benefits, including (but not limited to): - 4 day working week for all employees - Company sponsored wellness retreats - Private healthcare and/or dental insurance - Free on-site gym, and wellbeing room - Flexible, hybrid and remote working - Shopping vouchers - Flexible working contracts - Training options for up-skilling

Pricing

• Price: £299 to £859 an instance
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: With a trial account on the Secure Schools cybersecurity platform, you can access education-specific cybersecurity policies, cybersecurity awareness courses, and education-specific phishing email templates for a 30 day period. During the trial, you can assign a training course, phishing simulation, or bespoke cybersecurity policy to a member of your school.
• Link to free trial: https://www.secureschools.com/en-gb/get-started

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@wonde.com. Tell them what format you need. It will help if you say what assistive technology you use.