2T Security Ltd

RiskTree

RiskTree is a structured approach for risk management. Based around the well-established concept of attack trees, RiskTree provides a systematic way of capturing and prioritizing the risks to your business and systems. It presents its results in an easy-to-understand format that integrates well with existing business processes.

Features

• Systematic, methodical approach to identifying, analysing, and prioritising risks automatically
• Model potential controls to assess their effectiveness
• Cross-browser compatible, with no need for plug-ins or extensions
• Allows countermeasures/controls to be applied, and shows residual risks
• Data can be transferred into RiskWiki (based on Confluence)
• Threat information can be overlaid onto the risk tree
• Data can be exported in JSON, XML, and CSV formats
• Generates reports and data visualizations for multiple trees at once
• Tag risks to provide additional layers of data
• Risk Register can be automatically generated in MS Excel

Benefits

• Easy-to-use tool for designing risk trees (attack trees)
• We communicate risk in business language to Board-level stakeholders
• Report explains findings clearly, without hiding behind jargon
• Data import into 3rd party tools to create beautiful graphics
• Results can be customized by end users
• Data sanitised on client-side; nothing sensitive sent outside your network
• Works effectively with agile methods for project delivery
• Automatic creation of risk reports
• Map your countermeasures into built-in control sets
• ISO27001, MITRE ATT&CK®, NIST, Cloud Security Principles and CAF compatible

£6,000 to £25,000 a licence a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tony.badsey-ellis@2t-security.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

644072446734437

Contact

Antony Badsey-Ellis
07711 037701
tony.badsey-ellis@2t-security.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: The RiskTree software will work on Mozilla Firefox, Google Chrome, MS Edge, and Apple Safari browsers. RiskTree is not optimized for tablets, and will not work on smartphone devices.
• System requirements:
  • Internet-connected computer running modern browser
  • Javascript enabled in the browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We aim to respond within two working days.
• User can manage status and priority of support tickets: No
• Phone support: No
• Web chat support: No
• Onsite support: No
• Support levels: Support is via e-mail, following training of customer staff in the RiskTree process and software. We will acknowledge e-mails within 2 working days, and will endeavour to provide a fix within a further 2 working days. This is included in the cost of the RiskTree subscription model.; Custom enhancements and modifications can be made. The cost will depend on whether the changes will be useful to other customers, and the effort involved in creating and deploying them.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: We will provide training to a customer's IA/security staff in how the RiskTree process works. This includes the management of the Risk Discovery Workshops, the use of the RiskTree software, and the creation and management of the output. This typically involves between 3 and 15 days' consultancy, depending on the size and nature of the organization.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: We do not store any customer data within our service; we only handle transient data for the purposes of risk calculation. Customers store all of their data in XML and JSON files that are created locally. This ensures that sensitive data never leave the customer's control.
• End-of-contract process: A RiskTree engagement will include a number of consultancy days, for training client staff, as well as a subscription to the RiskTree software. The subscription is annual. We encourage customers to create a call-off contract so that they have the ability to engage us on an ad hoc basis for particularly complex risk assessments, or where an independent facilitator might be required.; If a customer chooses not to renew their subscription they will no longer be able to use the RiskTree software, or recalculate risks from existing data files that they hold.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: Yes
• Description of customisation: The number of risk levels, and their associated names and colours can be set by the user. Risk tolerances can be configured, and users can set typefaces and colours used by the system generally.; Custom tag libraries can be created to represent client-specific entities, such as risk owners, system assets, or security frameworks.

Scaling

• Independence of resources: The system is hosted on Amazon Web Services, and is therefore designed to scale. The processing a a customer's risk file is quick, and therefore the load on the service is low.

Analytics

• Service usage metrics: Yes
• Metrics types: The designated 'owner' of the subscription key (a member of the customer staff) can see usage of their subscription over the past 12 months, as well as usage by each user.
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: Less than once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: Login/user details are held in an encrypted database.; We don't have any customer data at rest. Customer data is uploaded, processed, and returned to the customer's browser in one transaction. No data are ever stored or saved in our service.
• Data sanitisation process: No
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Data files can be saved from the RiskTree software in XML and JSON formats. The XML format is compatible with various mind-mapping software applications, allowing trees to be redrawn in these application without any data conversion being necessary. Reports can be printed to PDF or hard copy directly from the browser, with media style sheets ensuring correct formatting.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • JSON
  • XML
• Data import formats: Other
• Other data import formats:
  • JSON
  • XML

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Service will be available between 07.00 and 18.00 on Monday to Friday (except Bank Holidays). Maintenance and update work will take place outside these hours, unless prior notice has been give, or for emergency updates.
• Approach to resilience: The service is hosted on Amazon Web Services. The main system runs locally in the browser, and is not dependent on the AWS service. Once logged in to the RiskTree site, all relevant files and the data created are all cached locally. Only at the point that the risks are calculated and prioritized is the AWS service called again.
• Outage reporting: Customers will be e-mailed in the event of an outage.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: The main administrative access is only permitted from our IP address, and no admin functions will work except from this account.; Administration of users on behalf of a client is currently managed centrally by 2T Security, but is planned to be delegated out to named client contacts.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: Everyone who develops RiskTree is a trained security professional. RiskTree has been designed with security throughout its processes, most notably by not transmitting any sensitive data from a client's environment, and not storing any client data. Every change that is made is considered for its security impact.
• Information security policies and processes: N/A - RiskTree is a transient processor of non-sensitive data, and therefore there are no security policies that it needs to follow.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Code is tracked through from a development environment into test, and then into pre-production and live environments. Development takes place locally, and test, pre-production and live are hosted in AWS.; Since data only exist transiently in the system (they are received, processed, and returned as a single transaction), the security impact of any changes is minimal.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We monitor both the usage of the application, as well as vulnerabilities in the underlying platform through on-line security sources. We keep the versions of the OS and AWS software patched and up-to-date. Patches are typically deployed within 48 hours.
• Protective monitoring type: Undisclosed
• Protective monitoring approach: We use Amazon CloudTrail to spot unauthorized access to the service at a system level. We use application logging to detect unauthorized application access. In the event of unauthorized access we can block the credentials or subscription key involved until we have resolved the incident.
• Incident management type: Undisclosed
• Incident management approach: Incident management in the traditional sense does not apply to RiskTree, as is it a transient service used on an ad hoc basis by clients, with no data storage. If the service is unavailable when clients need to use it then we will extend the subscription period by an equivalent amount. If the service is affected by an incident then we can quickly wipe the AWS instance and restore from our original source code.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  At 2T Security we are fully committed to continuously improving our environmental performance, examples of which include:; 1. We assist the development of Science, Technology Engineering, and Maths (STEM) at a grassroots level and are proud to sponsor Harrington Sixth Form School who take part in the GreenPower racing series. This supports our wider sustainability aims to use renewable energy sources.; 2. Where practical, travelling via the least impactful method for a given journey e.g., rail versus flying, public transport versus car.; 3. Using ecologically friendly solutions to meet our business needs.; 4. Managing waste generated from our business operations according to the principles of reduction, re-use, and recycling.; 5. Purchasing office consumables that are from a sustainable source, reducing the reliance on single-use items, and by recycling all paper products, ink, or toner cartridges.; 6. Becoming a net producer of sustainable energy, and supplement by only purchasing energy from “green” providers.; 7. Leased or owned company cars must have zero emissions.; 8. Working with suppliers who share our environmental aims.; 9. Measuring and making public our energy consumption, generation, and environmental impact, reviewing results, and looking at how we can improve.; 10. Complying, as a minimum, with all relevant environmental legislation as well as other environmental requirements.; 11. We refine our Social Value Method Statement and associated Action Plan on a regular basis.

  Covid-19 recovery

  2T Security has worked closely with Test & Trace (now UKHSA) programme over the last 3 years, and we continue to take Covid-19 very seriously. We remain committed to the wider Covid-19 recovery and some examples of this include:; 1. SMEs were significantly impacted by Covid-19, and this is why we support local businesses and Small to Medium Enterprise (SMEs), where possible, preferring them to larger or global suppliers. ; 2. Align to the Prompt Payment Code, which ensures that SMEs are paid within 30 days of receipt of an invoice.; 3. Taking an approach that doesn't view supply chain partners just as vendors but as collaborators working towards the successful end delivery to customers, behaving responsibly and delivering with mutual respect.; 4. We refine our Social Value Method Statement and associated Action Plan on a regular basis.

  Tackling economic inequality

  At 2T Security we are fully committed to tacking economic inequality, examples of which include:; 1. Implementing strategies to benefit the lives and wellbeing of those affected by our activities within the localities and communities. We have demonstrated this by assisting the development of Science, Technology Engineering, and Maths (STEM) at a grass roots level. As such, we are proud to sponsor Harrington Sixth Form School who take part in the GreenPower racing series. GreenPower Education trust is a charity organisation seeking to kick start careers in engineering. This also supports our wider sustainability aims to use renewable energy sources.; 2. We ensure we offer fair rates of pay, above the national average and minimum requirements.; 3. Offering summer placements to university students, helping to inspire future generations.; 4. Promote workforce diversity by targeting harder-to-reach and under-represented groups and communities. ; 5. Provide accessible, entry-level employment and training opportunities for local people and develop future talent. ; 6. Promote Fairness, Inclusion, and Respect (FIR) principles.; 7. We refine our Social Value Method Statement and associated Action Plan on a regular basis.

  Equal opportunity

  At 2T Security we are fully committed to continuously improving equal opportunities, examples of which include:; 1. Providing opportunities for those disadvantaged, for example employing a Ukrainian refugee to assist us with our ISO27001 certification.; 2. Deliver with transparency, supporting knowledge sharing, improving visibility and efficiency.; 3. Value everyone’s voice, regardless of role or where they reside in the supply chain.; 4. Respect and welcome diversity, relishing difference, ensuring everyone is treated equally, underpinned by our equal opportunities and diversity policy.; 5. Collaborate with people who uphold the same social values, ethical business practices and environmental ambitions.; 6. An active participant in the CyberFirst scheme since 2019, providing experience to summer students and year-in-industry students, and recruiting graduates to support their professional cyber security journey.; 7. Proudly providing sponsorship of the CyberFirst Girls Competition 2024, supporting, and encouraging woman in Cyber careers.; 8. Our resources have experience with job coaching in the community, helping those less fortunate get back into work, something we hope to continue to build on.; 9. Providing training and qualification opportunities to our people, supporting future development and progression.; 10. Working with charities and making charitable donations, for example our recent support of Osprey Leadership foundation, who work to inspire and enable young conservation leaders.; 11. We refine our Social Value Method Statement and associated Action Plan on a regular basis.

  Wellbeing

  At 2T Security we take health and wellbeing very seriously, examples of which include:; 1. Taking an integrative approach that doesn't view supply chain partners just as vendors but as collaborators working towards the successful end delivery to customers, behaving responsibly and delivering with mutual respect.; 2. Strive to be entrepreneurial in spirit and help new organisations, as well as our people, flourish.; 3. We support a healthy work life balance, supporting our employees with families and their wellbeing, focusing on delivery outcomes above the hours spent at a desk.; 4. Look to reduce ill health and improve wellbeing, underpinned by our health and wellbeing policy.; 5. We refine our Social Value Method Statement and associated Action Plan on a regular basis.

Pricing

• Price: £6,000 to £25,000 a licence a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Trial accounts allow usage of the RiskTree software for a limited period of time. They do not allow any customization of risk bands, and certain software features are not enabled in trial accounts (use of tags, data visualizations, etc.). The size of RiskTree that will be processed is limited.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tony.badsey-ellis@2t-security.com. Tell them what format you need. It will help if you say what assistive technology you use.