RAZOR THORN SECURITY LTD

Third Party Risk Management - Black Kite

Black Kite is a security risk ratings service that uses open source intelligence gathered from the internet to provide security insights about an organisation without access to its confidential data.

Features

  • Third party risk monitoring in real time.
  • Technical, financial and compliance ratings.
  • Ransomware susceptibility score.
  • Continuous risk monitoring of your cyber posture.

Benefits

  • Understand risk across the entire vendor ecosystem.
  • Streamline risk communication with executives and vendors.
  • Streamline assessments and due diligence with risk-based automation.
  • Reduce internal and external accepted risk.
  • Quantify third party cyber risk in terms of business outcomes.
  • Provide early warning of susceptibility to ransomware.
  • Alert on the latest zero-day exposure across the entire vendor ecosystem.
  • Reduce the operational overhead of mapping questionnaires.

Pricing

£150 a licence

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sophia.durham@razorthorn.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

515438401337064

Contact

RAZOR THORN SECURITY LTD Sophia Durham
Telephone: +447470334993
Email: sophia.durham@razorthorn.com

Service scope

Service constraints
No.
System requirements
None applicable, platform is web-based SaaS.

User support

Email or online ticketing support
Email or online ticketing
Support response times
Dependent on severity of issue: Severity 1 - 60 minutes, Severity 2 - 4 hours, Severity 3 - 8 hours, Severity 4 - 24 hours. Response times are measured from the time the Customer has spoken with, or left a voicemail for, a Black Kite Customer Support contact specifying the nature of the Customer's problem.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), 7 days a week
Web chat support accessibility standard
WCAG 2.1 A
Web chat accessibility testing
None historically.
Onsite support
No
Support levels
Black Kite has a help site, documentation, and a self-guided walkthrough within the platform. Issues raised through the support channel are responded to within 24-48 hours and resolved within 1-5 business days. This comes at no additional cost to the end user.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
The Black Kite customer success team assists with initial platform setup and provides live training in addition to the demo videos and tutorials found in the help centre.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
Word.
End-of-contract data extraction
Customer data will be deleted or returned within 30 days of request for deletion or return. More information can be found at https://blackkite.com/privacy-policy
End-of-contract process
At the end of the contract, the customer tenant will be deactivated, but remain in a state where it can be restored in the event of customer return. If the customer requests data deletion, the tenant will be deleted entirely along with any associated data.

Using the service

Web browser interface
Yes
Using the web interface
Users can inventory their vendor relationships, catalogue risk tiers, configure notifications, modify dashboard elements, analyse control attestations, calibrate data dependencies for risk modelling, add/remove/edit users, generate reports, integrate with other tools, classify finding statuses, invite vendors to the platform, and generally research their vendor/ecosystem cyber security posture. Users cannot send questionnaires, change the severity level of findings, or mass-remediate findings. This list is not exhaustive.
Web interface accessibility standard
WCAG 2.1 A
Web interface accessibility testing
Black Kite has produced a VPAT and tested against WCAG 2.1 A and AA. The Black Kite platform relies on visual images and graphics that cannot be meaningfully translated to text for visually impaired users.
API
Yes
What users can and can't do using the API
The Black Kite API is documented and can be exercised through Swagger UI.
API automation tools
Other
Other API automation tools
OpenAPI v3 compatible tools.
API documentation
Yes
API documentation formats
OpenAPI (also known as Swagger)
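Before pointing OpenAPI-based automation at any vendor API, it is worth auditing the published OpenAPI v3 document itself: which operations carry no security requirement, and whether every server entry is HTTPS (the listing's TLS 1.2-or-above claim for data in transit only helps if the spec never steers a generated client to a plain-HTTP base URL). The following is an added example written for this page, not Black Kite's or Razorthorn's code; the spec it parses is constructed and hypothetical, not the real Black Kite API, and only the structure defined by the OpenAPI v3 specification is assumed.

```python
"""Audit an OpenAPI v3 document for operations without a security
requirement, non-HTTPS servers, and references to undefined schemes.

Added example. SAMPLE_SPEC is constructed and hypothetical; it is not
any vendor's real API. Only the OpenAPI v3 document shape is assumed.
"""
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample spec (hypothetical endpoints, not a vendor's real API).
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Example vendor risk API", "version": "1.0"},
  "servers": [
    {"url": "https://api.example.invalid/v1"},
    {"url": "http://api.example.invalid/v1"}
  ],
  "security": [{"apiKey": []}],
  "components": {
    "securitySchemes": {
      "apiKey": {"type": "apiKey", "in": "header", "name": "X-Api-Key"}
    }
  },
  "paths": {
    "/vendors": {
      "get": {"summary": "List monitored vendors"}
    },
    "/vendors/{id}/findings": {
      "get": {"summary": "Findings for one vendor", "security": [{"apiKey": []}]},
      "patch": {"summary": "Update finding status", "security": []}
    },
    "/health": {
      "get": {"summary": "Liveness probe", "security": []}
    }
  }
}
""")


def unauthenticated_operations(spec):
    """Return 'METHOD path' for every operation whose effective security
    requirement is empty. OpenAPI v3 rule: an operation-level 'security'
    overrides the document-level one, and an explicit [] means 'no auth'."""
    default = spec.get("security", [])
    found = []
    for path, item in sorted(spec.get("paths", {}).items()):
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level 'parameters', 'summary', etc.
            effective = op.get("security", default)
            if not effective:
                found.append(f"{method.upper()} {path}")
    return found


def insecure_servers(spec):
    """Return server URLs that are not fixed to the https scheme
    (plain http, or a template whose scheme is a variable)."""
    urls = [s.get("url", "") for s in spec.get("servers", [])]
    return [u for u in urls if not u.lower().startswith("https://")]


def undefined_schemes(spec):
    """Return names used in security requirements that are missing from
    components.securitySchemes: such operations look protected on paper,
    but a client generator cannot actually satisfy the requirement."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    reqs = list(spec.get("security", []))
    for item in spec.get("paths", {}).values():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                reqs.extend(op.get("security", []))
    missing = {name for req in reqs for name in req if name not in defined}
    return sorted(missing)


if __name__ == "__main__":
    for line in unauthenticated_operations(SAMPLE_SPEC):
        print("no auth required:", line)
    for url in insecure_servers(SAMPLE_SPEC):
        print("server not https:", url)
    for name in undefined_schemes(SAMPLE_SPEC):
        print("undefined security scheme:", name)
```

Run against a real document (for example, the JSON that a Swagger UI page loads), replace SAMPLE_SPEC with `json.load(open(path))`. An operation flagged by `unauthenticated_operations` may be a deliberate health check, as in the sample, or an oversight; either way it is the list to take to the vendor before granting an integration account.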
Command line interface
No

Scaling

Scaling available
Yes
Scaling type
Automatic
Independence of resources
Black Kite is hosted on Google Cloud in a high availability configuration and can scale at a global level.
Usage notifications
Yes
Usage reporting
  • Email
  • Other
Other usage reporting
Phone.

Analytics

Infrastructure or application metrics
No

Resellers

Supplier type
Reseller providing extra support
Organisation whose services are being resold
Black Kite

Staff security

Staff security clearance
Other security clearance
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
Other locations
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
Yes
What’s backed up
  • User information (emails and names).
  • Compliance engine mappings.
  • List of vendors and configurations for monitored vendors.
  • User logs.
  • Workflow engine configurations.
Backup controls
The entire Black Kite system is backed up daily, including tenant data. As the platform is SaaS, there is no option to exclude data from backups.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Black Kite guarantees 99.5% uptime, inheriting Google Cloud's guarantee. The platform undergoes maintenance every two weeks but does not go offline for maintenance.
Approach to resilience
Black Kite is configured across two service zones, with the secondary site in a mirrored state.
Outage reporting
Direct customer communication via email.

Identity and authentication

User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Username or password
Access restrictions in management interfaces and support channels
Role-based access controls, access restriction via IP allow-listing/VPN, and quarterly access reviews.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
Devices users manage the service through
Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
You control when users can access audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
Yes
CSA STAR accreditation date
10/09/2021
CSA STAR certification level
Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover
N/A
PCI certification
No
Cyber essentials
No
Cyber essentials plus
No
Other security certifications
Yes
Any other security certifications
  • SOC 2 Type Two
  • SSAE-18

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
Other
Other security governance standards
SSAE-18 (SOC 2). Black Kite is also currently aligning with ISO 27001 but has not yet undergone an audit for this.
Information security policies and processes
Black Kite has an information security policy suite covering: Operations security, data security/encryption, physical security, security training, asset management, access control, personnel security, risk management, third party management, contingency planning (BC/DR), incident response, and secure development.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
We have a change management and software development policy aligned to NIST. Changes are peer reviewed, tested by QA, and have automated scans run prior to promotion to production.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Internal vulnerability scans are performed on a constant basis, with external scans performed monthly. Vulnerabilities are patched in the timeframes defined in our vulnerability management policy.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Black Kite uses a combination of SIEM tools, application logs, and manual scanning to identify potential compromises. Black Kite has a formal incident response plan which is tested annually.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Black Kite has a playbook for common events. Incidents are reported through a Slack channel, where events are opened automatically based on defined criteria. After-action review (AAR) reports are generated post-event, and customers are notified within 24 hours of a customer-impacting breach.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Yes
Who implements virtualisation
Supplier
Virtualisation technologies used
Other
Other virtualisation technology used
Virtualisation technology is configured by Black Kite but VMs and PaaS are provided by Google Cloud Platform (GCP).
How shared infrastructure is kept separate
N/A

Energy efficiency

Energy-efficient datacentres
Yes
Description of energy efficient datacentres
https://cloud.google.com/security/compliance/eu-cloud-code-of-conduct

Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Fighting climate change

Razorthorn is dedicated to combating climate change and has set a bold target of achieving Net Zero emissions by 2025. To fulfil this commitment, we prioritise tangible reductions in emissions through collaborative efforts with key suppliers and empowering our team to make climate-conscious travel decisions.

As a socially responsible business, Razorthorn upholds the highest standards of ethics and professionalism. Our efforts fall into two main categories: compliance and proactiveness. Compliance entails adhering to legal obligations and community values, while proactiveness involves initiatives to promote human rights, support communities, and safeguard the environment.

In addition to meeting legal requirements, we actively engage in environmental protection initiatives such as recycling, energy conservation, and the adoption of eco-friendly technologies. We are in the process of aligning our operations with the ISO 14001 standard for Environmental Management to continually improve our environmental performance.

Razorthorn is committed to delivering further environmental benefits, including striving towards net zero greenhouse gas emissions, as part of our ongoing contract performance.

Covid-19 recovery

Razorthorn's mission is to enhance workplace conditions for COVID-19 recovery, emphasising social distancing, remote work, and sustainable travel. Our G-Cloud 14 services aid organisations in managing and rebounding from COVID-19 impacts, promoting remote service delivery to mitigate transmission risks. We support remote work and enforce social distancing in offices, with travel following the most recent COVID-19 guidelines.

Tackling economic inequality

Razorthorn actively tackles economic inequality by strengthening supply chains and managing cyber security risks in contracts. We promote innovation in supply chains for cost-effective, high-quality goods. Our social responsibility drives us to support local charities, nurture future security professionals, and address regional inequality through inclusive recruitment and skill development initiatives.

Equal opportunity

Razorthorn is dedicated to detecting, managing, and mitigating modern slavery risks within contract delivery and supply chains. We actively combat employment, skills, and pay disparities within our workforce. Our firm adheres to rigorous 'Equal Opportunity' and 'Equality and Diversity' policies, ensuring fair treatment across all engagements.

Wellbeing

Razorthorn is deeply committed to safeguarding and promoting the physical and mental health and well-being of our workforce. Our support begins with the initial recruitment process and extends throughout every working day within the organisation. For team members facing challenges such as disabilities, mental health conditions, or caring responsibilities, we have an established network that offers a supportive environment to connect with peers, seek advice, and share experiences.

Pricing

Price
£150 a licence
Discount for educational organisations
No
Free trial available
No
