COC00N CYBER LIMITED

Core coc00n Device Protection

Core coc00n provides highly secure devices without compromising usability. It employs familiar, off-the-shelf hardware such as Apple and Windows devices to ensure that while users benefit from high-level security, the learning curve associated with new or unfamiliar technology is minimized, allowing for a seamless integration into their daily lives.

Features

• Mobile Device Management
• Always-on Virtual Private Network (AoVPN)
• DNS Filtering
• Email Protection
• Secure Communication Service
• Real Time Monitoring
• Application to view real-time protection reporting
• Expert Cyber Security Expert Support

Benefits

• Constant device protection
• Complete data privacy
• Secure browsing
• Email protection & security
• Cyber Concierge

£200 to £650 a device a month

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at harry@coc00n.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

655304211046210

Contact

Harry Gough
07507786984
harry@coc00n.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: None.
• System requirements: Owns a mobile device.

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within 4 hours, 8 to 6 (UK time), Monday to Friday
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: Users can only access the webchat through the coc00n application. Users can use the webchat to ask for general cyber support or query service specific issues.
• Web chat accessibility testing: None.
• Onsite support: Onsite support
• Support levels: Cyber Concierge - included free of charge.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Clients are onboarded in person by a cyber security expert. The enrolment includes training on how to use your device, setting the user up with security across their existing accounts and training on how to stay secure online.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: The users will receive a final report of the protection statistics. If the user wishes for their personal data to be removed from our internal system they can request this. There is no further user data present to extract.
• End-of-contract process: At the end of the contract the client may renew or end the service. This will result in the device being unenrolled from the platform. ; Included in the contract price is the enrolment cost for devices and the subscription fee to the service.

Using the service

• Web browser interface: No
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: There is no difference, users will notice no difference in usability with protections in place.
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: The service interface is the coc00n application delivered to devices when they are enrolled onto the platform.
• Accessibility standards: None or don’t know
• Description of accessibility: This allows users to view real time reporting of the protections provided and perform actions such as requesting emails be released from quarantine.
• Accessibility testing: None.
• API: No
• Customisation available: Yes
• Description of customisation: Users are able to customise: The domain the coc00n email protections are applied to, this is done by the primary contact at point of enrolment. The type of device(s) they wish to enrol, this is done by the primary contact at point of enrolment.

Scaling

• Independence of resources: All service components are scalable to ensure no users experience is impacted by high-usage. The service also scales globally to ensure users are not impacted when operating from countries outside the UK.

Analytics

• Service usage metrics: Yes
• Metrics types: Clients are able to see all statistics related to the suite of protections, these include: Domains blocked (Number safe, number blocked), emails rejected (Number delivered, number blocked), device security information (for all devices under one user and their OS versions).
• Reporting types:
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • Other locations
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: In-house
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: No
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Users can request their protection statistics be delivered in a report format. ; All other held information can be provided upon request.; Requests can be submitted through the support email address or the chat function in the coc00n application.
• Data export formats: CSV
• Data import formats: Other
• Other data import formats: No data input required.

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
• Other protection within supplier network: We make use of cloud providers such as M365 to store and process our own data and rely on their own data protection measures.

Availability and resilience

• Guaranteed availability: Availability 99.99% inline with the cloud services we make use of to provide the service. Any other support is provided on a best endeavours basis.
• Approach to resilience: We make use of major cloud providers to build and deliver services in a fully scalable manor. More information is available on request for each component of our solution.
• Outage reporting: Any outages are communicated through the client app.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Other
• Other user authentication: Users log in to the managed service on their device using Multi Factor Authentication.
• Access restrictions in management interfaces and support channels: Privileged Identity Management that is built into M365.; We also have separate administrator accounts for any staff that need them so they are not using their standard user for administrative tasks.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Other
• Description of management access authentication: Management access enforces Multi Factor Authentication. To perform additional function Privileged Identity Management is required, with multiple senior staff required to accept valid privilege escalation requests.

Audit information for users

• Access to user activity audit information: Users receive audit information on a regular basis
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: We follow the NCSC's advice on security. Our CISO consumes material from authoritative sources and applies it to our company. Policies have been defined internally that map to the NCSC's advice and staff are accountable for following these policies. For example, a password policy is authored internally by our CISO that aligns with the NCSC's password guidance. Technical controls are put in place to enforce the correct user action. In the case of the password policy, restrictions are put in place as to the password length and complexity. Any incidents within the company are raised to the CISO.
• Information security policies and processes: The CISO is responsible for the sharing and actioning of policies. They are responsible for pushing necessary training to staff. Training is delivered to existing staff regularly and to new starters during the onboarding process. ; Any incidents within the company are raised to the CISO. These are assessed against existing policies.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All of our infrastructure is documented as code and stored in Git repositories. Making changes to this code requires a senior member of staffs sign off via our CI/CD tooling. A ticket should be created before any work commences and updates to the work will be documented in the ticket. The senior staff member is responsible for ensuring quality and security of code before changes are merged into the production branch. A full test environment for all services is also deployed to ensure there are no breaking changes.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We monitor code bases that we are dependent upon for security vulnerabilities and implement aggressive patching regimes to ensure we are not vulnerable to compromise. Where we are alerted to a vulnerability this is escalated quickly to senior management who have visibility of the security@coc00n.com mailbox. An investigation into the report will begin as soon as possible and a technical resource allocated to identify potential fixes. Depending on the complexity of the vulnerability and the information received we aim to patch as soon as possible.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We make use of audit and monitoring tools in the services that we utilise. For example, M365 exposes lots of audit logs that flow into the security portal and we monitor this for indicators of compromise. For our own product, logs are fed into Azure Log Analytic Workspaces where dashboards are created from. This gives our technical team oversight of the products and services to ensure their reliability and security.
• Incident management type: Supplier-defined controls
• Incident management approach: We have an internal repository of issues that our users have had in the past and this is available to any staff working on the concierge 'desk'. For these issues, there are documented fixes to ensure that client's have minimal downtime and hve a good experience of our solution. Client's make contact through the concierge and tickets are created from this. These tickets are then managed by the staff member on the concierge desk until resolution.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity

  Fighting climate change

  coc00n is committed to combating climate change by embedding sustainable practices into our operations and product offerings. Our environmental strategy includes: 1. Sustainable Practices: Optimizing energy use, utilizing green data centers, and promoting digital over physical mobility to minimize carbon emissions. 2. Quantitative Goals: Aiming for a 20% reduction in carbon emissions and a 30% decrease in energy usage by optimizing data center operations and adopting renewable energy over the next five years. 3. Timeline: Immediate commencement of incremental actions with full implementation expected within five years, assessed annually. 4. Measurement: Environmental impacts assessed using established tools, with external audits to ensure accuracy. 5. Reporting: Bi-annual environmental impact reports made public, detailing progress towards reduced carbon footprint and energy consumption. These measures reflect coc00n’s commitment to environmental stewardship and contribute significantly to broader climate change mitigation efforts.

  Equal opportunity

  coc00n is dedicated to enhancing equal employment opportunities, particularly for individuals with disabilities and underrepresented groups, aligning with the Social Value themes. We aim to actively promote inclusive job opportunities within the cybersecurity sector to reduce the employment gap for these groups. Our approach includes: 1. Implementation Strategy: Immediate initiatives to integrate inclusive hiring practices, internships, and professional development programs focused on high-tech roles. 2. Quantitative Goals: Increase the representation of disabled and minority groups in our workforce by 10% over the next two years, spanning all organizational levels. 3. Timeline: Quarterly adjustments and a 24-month timeline for full integration of these initiatives. 4. Measurement: Progress monitored through quarterly workforce diversity audits and participation rates in recruitment and internship programs, managed by our Social Value Champion. 5. Reporting: Annual diversity and inclusion reports detailing recruitment statistics, program effectiveness, and corrective actions taken as necessary. Through these targeted actions, coc00n actively fosters a more inclusive and diverse technology sector.

Pricing

• Price: £200 to £650 a device a month
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at harry@coc00n.com. Tell them what format you need. It will help if you say what assistive technology you use.