Experienced Management Consultants Limited

Security By Design

Security by Design helps ensure organisations keep information and other assets secure by design and by default.
We specify, design, plan and implement how security runs as a "golden thread" through the organisation and its service solutions.
We have led the creation of pan-government tier-2 services, the implementation of micro-segmentation, etc.

Features

  • Explicitly identifies and manages security Commitments and Obligations
  • Security Risk Appetite and Posture
  • Data Journeys: how, by whom and where data is handled
  • Supports clear segmentation and micro-segmentation
  • Information/Data Handling Model: how information should be handled
  • Security Architecture for Business & Technology at Enterprise and Solutions
  • Security Service Catalogue: defines what all types of security do
  • Security User Stories for whole organisation or programme(s)
  • Integrates standards & frameworks: SPF, NIST, ISO27001, SABSA, CIS, ISACA
  • Threat and Risk Identification and Assessment

Benefits

  • Increases security of new solutions by default and by design
  • Avoids the risks of piecemeal security design
  • Clear specification of IDAM, Protective Monitoring, CASB and DLP solutions
  • Decreases Information Security Risk
  • Segmentation and micro-segmentation meet variable Threats, Risk Appetites and Postures
  • Enables meeting of security obligations: data-sharing agreements, GDPR etc
  • Allows business, IT and security people to talk together
  • Reduces deployment times
  • Focuses and minimises the need for security architects
  • Supports Security Transformation

Pricing

£492 a unit a day

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at enquiries@xmcs.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

563596250622204

Contact

Experienced Management Consultants Limited Duncan Hare
Telephone: +44 (0) 20 7084 5760
Email: enquiries@xmcs.co.uk

Planning

Planning service
Yes
How the planning service works
Security as a Service uses a component-based Service Oriented Business Architecture (SOBA) to define security obligations and aims (External Commitments) and to link these to the organisation's Services and their Value Chains (and data journeys), Controls, Enablers (People, Technology, Locations, Finance) and Internal Commitment (Organisation/Contracts/Culture etc). It identifies how security services do/should interlock with other internal services to support BOTH value creation and security obligations. It identifies the dependencies between services, allowing design for inter-operability, sharing and reuse and use of open standards. Cloud services are clearly defined and their functional and architectural design dependencies (including being secure by design) are made clear within these overall solutions.
This supports the definition of clear work-streams with defined project/programme integration dependencies. This allows Agile delivery to be used to full effect with clearly defined and linked benefits, scope, quality, time (including critical path) and cost which can be refined through iterative cycles of planning. It strongly supports coherent sourcing strategies and the use of common government solutions and sourcing routes.
The Artefacts work at detailed technical and at executive level, supporting strong buy-in and momentum. It is in line with the Technology Code of Practice, the Security Policy Framework and other norms.
Planning service works with specific services
No

Training

Training service provided
No

Setup and migration

Setup or migration service available
Yes
How the setup or migration service works
Security can be and often is a factor which impedes the use of commoditised services such as Cloud-based services.
Security-by-Design specifically supports the migration to and between Cloud services. Its component-based Service Oriented Business Architecture (SOBA) maps legacy services and technology to create a model of the organisation's service architecture, including the dependencies and interfaces between internal services. Functional and Architectural alignment needs are clearly distinguished into ‘Vertical’ and ‘Horizontal’ service requirements respectively and this allows new/replacement services to be specified and integrated.
Security-by-Design ensures that Security is striped “horizontally” through the organisation’s enterprise architecture at both a business and a technology level and “vertically” flowed down from the organisation’s external commitments related to security (e.g. data-sharing agreements, GDPR etc). When Cloud services are implemented or replaced, these two dimensions ensure that Security needs are easily specified and tested for.
Setup or migration service is for specific cloud services
No

Quality assurance and performance testing

Quality assurance and performance testing service
Yes
How the quality assurance and performance testing works
Security-by-Design specifically supports Quality Assurance and Performance Testing. Its component-based Service Oriented Business Architecture (SOBA) drives out clear statements on the Inputs, Outputs and Performance of all components of a business solution and the relationships between them including:
• External Commitments (including Customer promises and Security-related promises)
• Value Chains and Functions within them
• Controls, including security
• People
• Technology, including Applications (SaaS or otherwise), Infrastructure (IaaS or otherwise) etc
• Locations
• Finance
• Internal Commitment (Organisation, Contracts, Culture etc)
Security-by-Design uses a Security Service Catalogue and Security User Stories (integrated with the catalogue) to identify and specify the organisation’s security services. This all massively helps clients to develop and execute highly coherent, integrated Quality Assurance and Performance Testing strategies, plans, teams and environments for their Security solutions.

Security testing

Security services
Yes
Security services type
  • Security strategy
  • Security risk management
  • Security design
  • Cyber security consultancy

Ongoing support

Ongoing support service
No

Service scope

Service constraints
None

User support

Email or online ticketing support
Email or online ticketing
Support response times
Within 24 hours
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Support levels
As a Cloud Support service, the level of support is inherently planned into the call-off agreement during the ordering process, based on the pace and intensity of the Client programmes we are supporting. Support for exception handling and escalation is typically provided on a 24 x 7 basis.

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Developed Vetting (DV)

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
No
Cyber essentials plus
No
Other security certifications
No

Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Fighting climate change

At XMCS, we work in an environmentally responsible manner and are continuously looking to find new ways to reduce our carbon footprint and other environmental impacts. Our CEO has a master's degree in environmental management and we are committed to:
1. Conducting our operations in compliance with environmental regulations.
2. Integrating environmental considerations and objectives into all our business decisions.
3. Behaving at all times in an environmentally friendly manner.
4. Encouraging awareness among our suppliers, partners, clients and people, of all opportunities to improve environmental protection.
5. Separating and recycling as many materials as is practicable.
6. Working with our clients to think about how their businesses affect the environment and, throughout our business, providing professional advice that is consistent with this aim.
7. Using energy/natural resources in minimal amounts.
8. Encouraging the use of travel options that have a minimal impact on the environment.
This policy is reflected in:
1. Our internal culture, as reinforced through our corporate value statements.
2. Our performance management framework.
3. Our terms of employment.
4. Our supply chain assurance processes and supplier contracts.
As a result we, for example:
1. Decline to work with suppliers who do not share our values in this respect and whose processes do not meet our low carbon standards
2. Actively avoid working for clients who we believe do not work in an environmentally responsible manner
3. Choose low carbon modes of travel
4. Keep our offices at a lower than usual temperature.

Covid-19 recovery

XMCS is a small supplier, so has limited scope to make a difference to the Covid-19 recovery. Nevertheless, we look to ensure that, where possible, our supply chain decisions (in terms both of the sub-contractors who help us to deliver our services, and the investments we make in equipment and infrastructure) favour areas of the country most badly affected by Covid.

Tackling economic inequality

XMCS is a small supplier, so has limited scope to make a difference to Economic inequality recovery. Nevertheless, we look to ensure that, where possible, our supply chain decisions (in terms both of the partners who help us to deliver our services, and the investments we make in equipment and infrastructure) favour areas of the country or of the world most in need of levelling-up.

Equal opportunity

XMCS is an equal opportunities employer and we extend this to our sub-contractors. As such, we operate meritocratically, choosing the right person for each role and making no distinctions between people based on sex, disability, colour, perceived race (“race” being a social construct), sexuality, gender reassignment or any other attribute about which individuals have no choice.
That said, we are alert to the fact that other parts of society do, unfortunately, make such distinctions and treat individuals based on the attributes of a perceived group; and this has led to some individuals being disadvantaged. Where this appears to have been the case, or may have been, we look to make allowances through our meritocratic process by taking account of the additional achievement which the individual may have demonstrated in having to deal with such challenges.

Wellbeing

We care passionately about the wellbeing of our people and we extend this to our sub-contractors. We believe that individual wellbeing is fundamental to the wellbeing and cohesion of society and also, of course, to the sustainable delivery of any service. As a result, we are constantly alert to wellbeing issues and take proactive steps to elicit from people their true state of wellbeing and to address any issues which arise. We put wellbeing before profit and have often foregone profit in order to provide individuals with time/space to recover their sense of wellbeing.
We are a prompt payer of sub-contractors and frequently pay small sub-contractors on request and well ahead of any payment due to them, if that helps to alleviate a personal challenge they have told us about.
We have developed our own “wellbeing by design” operating model to ensure that we understand and optimise those aspects of our business that impact people’s wellbeing.

Pricing

Price
£492 a unit a day
Discount for educational organisations
Yes
