Barrier Networks

Occamsec InCenter Penetration Testing, Threat Hunting Platform.

Incenter SaaS platform : continuous penetration-testing, automation and human testers, continually test for vulnerabilities in applications, infrastructure and software.
Penetration-Testing: Ethical hacker team providing penetration testing to find vulnerabilities and risk.
Threat Hunting: Consulting looking for IOC within organisation.
"Teaming": Assessing attack vectors (Red), Defensive team (Blue) and mix (Purple)

Features

• Dashboard to view ongoing security testing
• Vulnerability details
• Remediation Recommendations
• Real-time reporting
• Business risk overview
• Attack chain walkthroughs
• Retesting included

Benefits

• Continuous visibility of vulnerabilities and risk
• Improves efficiency of security operations
• Saves time on vulnerability management
• Prioritizes what to fix first
• Reduces security operations budget

£120 a device a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@barriernetworks.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

500930897951126

Contact

Iain Slater
0141 356 0101
info@barriernetworks.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: N/a
• System requirements: N/a

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within 2 hours 7 days /week
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), 7 days a week
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: Via Occamsec website
• Web chat accessibility testing: N/a
• Onsite support: Yes, at extra cost
• Support levels: 24x7x365 support at no extra cost to all clients. A dedicated account manager, technical account manager and PM are aligned.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Onboarding is easy and simple with online training provided.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Users are able to download data to CSV, PDF, and JSON.
• End-of-contract process: A one year service cost will enable Incenter to run all year with the pre-agreed scope of assets to be tested on the platform. Additional 'deep dive' penetration testing can be arranged ad-hoc at reduced day rate.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Customizable GUI for C level/engineer/developer levels
• Accessibility standards: None or don’t know
• Description of accessibility: Users access the platform via URL. They can login with Incenter credentials or existing SSO credentials. Permsission levels can be set by client for varying users.
• Accessibility testing: None
• API: Yes
• What users can and can't do using the API: We can provide documentation on how to use the API service after account setup. Changes can be made with calls to specific endpoints. Limitations are based on user permission levels.
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: The GUI can be customized based on user role to see one project/multiple projects/all security testing information.

Scaling

• Independence of resources: Incenter is on a cloud platform with capacity to ensure no user actvity can impact another user or organisation.

Analytics

• Service usage metrics: Yes
• Metrics types: Frequency of tests/scans, duration of tests, outcomes of testing
• Reporting types:
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Occamsec

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • Other locations
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: In-house
• Protecting data at rest: Physical access control, complying with SSAE-16 / ISAE 3402
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Users are able to download data to CSV, PDF, and JSON at any time with varying data points specified.
• Data export formats:
  • CSV
  • Other
• Other data export formats: PDF
• Data import formats: Other
• Other data import formats: N/a

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: We strive to provide 100% uptime. In the event of anticipated downtime, we provide 24 hours notification or greater to users. In the rare event of unexpected downtime, we strive to minimise downtime to less than 1 hour return to availability.
• Approach to resilience: Available on request
• Outage reporting: Email alerts and maintenance page display to users.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Users can login using username and password or a Single Sign on Process. Users are also able to setup Multi-Factor authentication for login as well.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications: CREST

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: N/a
• Information security policies and processes: Our Information Security policies follow the core tenants of the ISO27000 series. There are data encryption, data classification, antivirus, acceptable use, and other appropriate policies and procedures to guide employee interaction with company and client data.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Any changes to our system are reviewed by leadership and evaluated for potential security implications. For any software development changes, these are reviewed as part of the software development lifecycle process and evaluated for any gaps in implementation. Furthermore, our company infrastrucutre has regular security testing performed against it.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Our internal penetration testing team performs regular penetration tests against our company infrastructure and the Incenter platform. This includes external network testing, internal network testing, and authenticated web application testing. Any identified vulnerabiliites are reported to our Infrastructure team for immedaite resolution. Our penetration testing team are constantly review threat information both from public sources and our own internal threat intelligence team.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: "• Alerting Systems: We leverage the built-in alerting mechanisms provided by our cloud-based solutions. These systems are configured to detect/report unusual or potentially malicious activity.; • End User Protection: While end-point protection is required for all staff, it is not centrally managed. However, the requirements for endpoint security are clearly defined and communicated to all users to ensure a consistent level of security is maintained.; • Incident Handling Procedures: When a threat is identified, our team initiates an incident response procedure to address the detected issue, ensuring that appropriate measures are taken through to resolution."
• Incident management type: Supplier-defined controls
• Incident management approach: We have an existing security incident policy that we follow for any suspected security incidents. Users can report suspected incidents using several in and out of band means. Reported incidents are investigated by the most approrpiate members of the in-house team. Findings and recommendations are documented in internal documentation.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Equal opportunity
  • Wellbeing

  Equal opportunity

  • To create an environment in which individual differences and the contributions of all our staff are recognised and valued.; • Every employee is entitled to a working environment that promotes dignity and respect to all. No form of intimidation, bullying or harassment will be tolerated.; • Training, development and progression opportunities are available to all staff.; • To promote equality in the workplace which we believe is good management practice and makes sound business sense.; • We will review all our employment practices and procedures to ensure fairness.; • Breaches of our Equality Policy will be regarded as misconduct and could lead to disciplinary proceedings.; • This policy is fully supported by Senior Management.; • The policy will be monitored and reviewed regularly.

  Wellbeing

  • We promote an open, supportive company culture where employees look out for one another and feel comfortable discussing any difficulties. Mental health is valued equally to physical health.; • Employees have access to confidential counselling, therapy, and other mental health resources through our employee assistance program.; • We encourage taking time off when needed for mental health days in addition to sick days. Employees are trusted to manage their time off responsibly.; • Training is provided to managers on recognizing signs of burnout, ; work overload, and other mental health concerns. Managers work to ; proactively address issues and reduce employee stress.; • Employee workloads and schedules are designed to be reasonable ; and sustainable. ; • Wellness initiatives like meditation breaks, stress management ; workshops, mindfulness programs, and social events are offered ; throughout the year.

Pricing

• Price: £120 a device a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Free trial / Proof of Concept can run for 1 month and includes all service features and benefits

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@barriernetworks.com. Tell them what format you need. It will help if you say what assistive technology you use.