INTEGRITY360 LIMITED

Symantec Policy Based Encryption Advanced

Symantec Policy Based Encryption (PBE) Advanced, powered by Echoworx, is a boundarybased
encrypted email service that will encrypt sensitive emails before they leave the
organization.

Features

• Multiple types of encryption available
• Custom Branding on encrypted emails, notification emails, inside web portal
• Policy-based custom encryption and policy-based alternate branding
• Multiple authentication options for recipients
• Encrypted Reply option for external recipients
• Integration with 3rd Party LDAP directories for certificate retrieval
• Outlook Add-In offer easy Encrypt Button to enterprise senders
• Message Recall (by the sender) for messages in web portal
• eStatement Encryption mode where only attachments are encrypted

Benefits

• Cloud-Based solution (no hardware requirements)
• 24x7 management of hosted services
• No impact/changes to internal email archive/backup or eDiscovery
• Multiple encryption methods ensure the best experience for the recipient
• Data Leakage Protection by automatically encrypting sensitive content
• Scanning email subject, email body, recipients, attachment names, attachment content
• Policies to catch any confidential data in the email
• Recipients can self-manage passwords/recover password without Administrator involvement
• Eliminate fax and paper mailings when email becomes secure option

£27.46 a user a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bidreviewboard@integrity360.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

566842589220923

Contact

Davide Poli
02083721000
bidreviewboard@integrity360.com

Service scope

• Software add-on or extension: Yes
• What software services is the service an extension to: Symantec Email Security.cloud Safeguard
• Cloud deployment model: Public cloud
• Service constraints: None
• System requirements: Customer must also have Symantec Email Security.cloud Safeguard

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Dependant on severity
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: Web chat
• Web chat support availability: 24 hours, 7 days a week
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: The Web Chat is accessible through the Support tab in the portal, under contact us, then click the appropriate link will open the web chat.
• Web chat accessibility testing: None
• Onsite support: Yes, at extra cost
• Support levels: The product will come with standard support included as part of the services and includes online support via our portal. In addition, if purchased directly from Symantec a remote cloud specialist will be assigned to provide an account management style support. If purchased through a 3rd party the remote cloud specialist is not provided and this would need to be provided by the third party. For large (+10,000 users) and complex estates there is the possibility to purchase Business Critical Services.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: The service does not require any user interface. There are some simple configuration; options which are explained at the time of implementation
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: There is no data to extract.
• End-of-contract process: If the contract is not renewed the services are switched off.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: All detection is carried out in a cloud environment so there is no difference in service; regardless of the endpoint being used.
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: For administrators there is the ClientNet Portal, here the administrator can configure the service. For Users they can access the quarantine portal if the option is selected by the administrator
• Accessibility standards: None or don’t know
• Description of accessibility: Users cannot access the client net console, only the quarantine
• Accessibility testing: None
• API: No
• Customisation available: Yes
• Description of customisation: The service can be customised through logo and text support, making the service appear native to the customer

Scaling

• Independence of resources: Echoworx scales the service to ensure all incoming email volume is processed without; delay. When required, additional instances of the encryption engine and/or the secure web; portal can be deployed without any service interruption. With respect to external recipients; accessing the secure web portal, Echoworx uses a multi-version concurrency control; database to allow simultaneous access to data. File or database record deadlocks are; avoided by ensuring row locks are obtained in a consistent order

Analytics

• Service usage metrics: Yes
• Metrics types: All email flows through Symantec, and the policies for encryption are in Symantec Data Protection.; The service metrics are obtained from Symantec reports and Admin Console
• Reporting types:
  • Real-time dashboards
  • Regular reports

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Symantec

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Other
• Other data at rest protection approach: Email in encrypted form at rest (this is different than encryption of all physical; media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Some encryption reports (such as the Policy Report) generated in the web-based; Administrative Consoles can be saved as a CSV file
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Available on request
• Approach to resilience: All services are redundant. Multiple instances of both the encryption engine and the secure; web portal are load-balanced and running in a single datacenter. Furthermore, the services are; replicated in a secondary datacentre for DR purposes.
• Outage reporting: The portal provides public updates and there are email and text alerts for any severe outages.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Authenticated access is required to access the administration consoles. Echoworx will; provision accounts (using provided customer email address(s)) and the user will choose a; secure password when they create their account. Access granted is role based such that; Echoworx Operations will see options and configuration that is not available to customer; administrators. There is also a special role with reduced access for credential management; (PGP keys, SMIME keys) and Reporting.
• Access restriction testing frequency: At least every 6 months
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: No audit information available
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Lloyds Register
• ISO/IEC 27001 accreditation date: 23 May 2016
• What the ISO/IEC 27001 doesn’t cover: TBA
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • SOC 2
  • WebTrust certified

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Echoworx is SOC2 and WebTrust certified. The datacentre however, is; ISO 27001
• Information security policies and processes: The service follows the security policies and standards that are outlined in; SOC2 and WebTrust. These can be provided upon request.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Change is managed at all levels through the design, software development, quality; assurance, deployment, and operational management of the services. Some examples: All; source code is versioned and tagged in a Version Control System. Change requests are; reviewed weekly by Product Management, Sales Engineering, Operations, and; Development. Change requests are assigned to the current or future release based on; severity and value to the solution. All production system changes, including config changes,; are documented and tracked in the ticketing system and reviewed by management . Before; any version of the software is deployed changes are approved by Symantec Product; Management.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Echoworx has a series of IDS, and IPS systems in place in their environment. Additionally,; routine vulnerability and penetration testing is performed on its services. Echoworx is; registered to receive updates via 3rd party mailing lists of almost all 3rd party tools used in; the environment. The committed response time for deploying a new security patch from a 3rd; party is 1-2 days for high severity / critical security patches. If the security patch is minor, or; does not affect the Echoworx solution, it may be released after it has been tested during the; next planned major release of software.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: For 3rd party compromises, the answer from Vulnerability management (slide 29) can be; repeated here. On the topic of application monitoring, the Operations team has system and; log file monitoring in place that will alert the team of any errors. Service degrading errors are; addressed immediately when possible with infrastructure changes, otherwise the issue is; escalated to the Product group for assessment and resolution via a software patch.
• Incident management type: Supplier-defined controls
• Incident management approach: Symantec’s internal Security Incident Response Plan documents repeatable, industry standard procedures for handling actual cyber threats when they arise. It also provides the necessary engagement and information-sharing processes to allow prompt coordination among all relevant stakeholders, and describes the reporting, communication, containment, investigation, and recovery mechanisms that exist to support a comprehensive end-to-end process flow from threat detection through remediation. The development and implementation of this forward-looking plan supports Symantec’s ultimate mission to its; customers, partners, shareholders, and employees as a trusted leader in information security risk management.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  To help us manage our environmental impacts, we employ robust environmental management practices and have implemented a global Environment and Sustainability Policy, which requires that we:; ; Ensure our products and operations comply with applicable environmental legislation and other related compliance obligations; Operate and continually improve an environmental management system that strives to align with our business practices and set objectives that enhance environmental performance; Conduct our operations in a manner that supports recycling, conservation of resources, prevention of pollution and protection of the environment; Responsibly manage the use of hazardous substances in our operations and products; Inform our suppliers, partners, and contractors of our environmental expectations and encourage them to adopt sound environmental management practices; Promote environmental stewardship and sustainability within our organization; Publicly communicate our environmental priorities and performance annually

Pricing

• Price: £27.46 a user a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Yes, a free trial version is available. This service is an add-on to, and requires,; Symantec's Email Security.Cloud Safeguard

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bidreviewboard@integrity360.com. Tell them what format you need. It will help if you say what assistive technology you use.