Frazer-Nash Consultancy LTD

Cloud Security Elements Collaboration for Microsoft 365 - Anti-Virus AV for Office 365

VIMA provides WithSecure Elements Collaboration for M365 to:
Protect your business from advanced email threats
Easy deployment with the highest possible detection rate for business security, complements the email security capabilities of Office 365 to bring you a comprehensive protection against the most sophisticated phishing, malicious content, and targeted attacks.

Features

• Cloud centralised, configurable Security Management portal
• Seamless integration into existing O365 environment
• Users mailbox analysed for malware
• Real-time protection against malware
• Threat intelligence check using the SHA-256 checksum
• Quarantine management
• Report on the security status of the protected environment
• Cloud sandbox
• Policy based administration
• Real-time analytics & alerts of the environment

Benefits

• End to end email security for your end users
• Reduce the risk of attack
• 30+ Years of understanding malware attacks
• Holistic view of threats in the O365 environment
• Report on total amount of scanned & unsafe items
• Top targeted mailbox in-depth analytics
• Seamless deployment and integration into O365
• Real-time security alerts for live threats
• Add a new cloud security layer

£15.44 to £96.77 a licence

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ccs@fnc.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

661675895876716

Contact

Vicky Hannigan
01925404027
ccs@fnc.co.uk

Service scope

• Software add-on or extension: Yes
• What software services is the service an extension to: Microsoft Office 365
• Cloud deployment model: Public cloud
• Service constraints: None
• System requirements: Management Portal requires internet connectivity

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Support is available during normal business hours.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Standard support is available during normal business hours. VIMA can provide enhanced support as part of our G Cloud 13 Cloud support service. VIMA also provides a dedicated account manager and WithSecure certified support engineers.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: VIMA Group Ltd is a WithSecure Partner with a proven track record of deploying WithSecure into Central & Local Government, Education, 3rd Sector and Private sector.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: WithSecure is a security element and will only hold device data. This canbe extracted from the system and then deleted at the end of the contract.
• End-of-contract process: End-of-contract process:; 1) Deliberate end of the contract. WithSecure Elements Collaboration for M365 is a subscription service which can only be legally used when in contract. If the customer no longer requires the use of WithSecure Elements Collaboration for M365 then they must notify there WithSecure Account Manager so access to the portal can be retired. At this point, no further protection is offered by WithSecure, no new data will be entered/captured into WithSecure Elements Collaboration for M365 portal.; 2) Accidental end of the contract. In the event of a renewal being missed but the service still being desired, the customer should enter an immediate discussion with WithSecure Sales to discuss options around continued use of the service. WithSecure will not immediately close the portal as this would prevent legitimate mistakes from being corrected. Protection will continue to run for a short grace period, again to enable accidental lapse in contract to be rectified.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: WithSecure Cloud Protection for Microsoft Office 365 scans; harmful contents in file attachments found in Exchange; items to protect against viruses, trojans, ransomware,; and other advanced malware on a mobile device.
• Service interface: No
• User support accessibility: WCAG 2.1 A
• API: Yes
• What users can and can't do using the API: Solution connects to the Microsoft 365 instance
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
  • PDF
• API sandbox or test environment: Yes
• Customisation available: No

Scaling

• Independence of resources: WithSecure Elements Collaboration for M365 solution is hosted within AWS and utilises Elastic Scaling features to automatically adjust capability as scope demands. This is all done transparently to the user so no customer process is required.

Analytics

• Service usage metrics: Yes
• Metrics types: User and individual device behaviour; Real-time threat intelligence
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: WithSecure

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: No
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: User data is not held in WithSecure solutions. The only data retained is usernames and threat to the mailbox events. Report data can be exported in various formats on demand.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • PDF
  • HTML
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
• Other protection between networks: Communication from the client to the Cloud is performed over HTTPS to secure the data and to enable the client to trust the server
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
  • Other
• Other protection within supplier network: All stored data is encrypted and all applications are secured and running on secured operating systems.

Availability and resilience

• Guaranteed availability: Every piece of data is stored in database clusters that is, at a minimum, triplicated. Event-driven clustered replication, with a replication factor of at least three, ensures two database instances in our cluster can fail and data will still remain available. Being event-driven, any database change is immediately pushed to all instances in the cluster, rather than changes being replicated on a schedule, making sure that even when an instance fails, the full dataset is available on failover instances.
• Approach to resilience: Each instance of a database is supported with its own storage volume which is snapshotted hourly. These instances are transient, with only the storage volumes persisting. This enables us to destroy database instances without fear of data loss thanks to the cluster replication factors. Vulnerabilities in database applications, operating systems can be rapidly addressed without data loss.
• Outage reporting: Real-time status information is available at https://www.withsecure.com/gb-en/whats-new/pressroom, registration can be done on this page to receive email alerts sent the WithSecure administrator.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: A number of pre-defined administrative roles can be assigned to admins that can restrict access data as well as restrict them from making changes to settings and configurations.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: QMS International Ltd
• ISO/IEC 27001 accreditation date: 26/08/2020
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • Cyber Essential Plus (VIMA Group Ltd)
  • NIST Cyber Security Framework (WithSecure)
  • NYDFS Cybersecurity Regulation (WithSecure)
  • The EU Directive on Security of Network and Information Systems
  • Cyber Essentials (WithSecure)
  • Cyber Essentials Plus (WithSecure)

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: WithSecure regularly undergoes SOC Type 1 auditing and can provide access to the report under NDA. SOC Type 2 auditing is currently in progress.; WithSecure has obtained Cyber Security Essentials certification.; EITEC Ltd has obtained Cyber Security Essentials Plus certification.
• Information security policies and processes: WithSecure's global security team monitor all logging data from WithSecure technology and its related services24/7/365. WithSecure has forensic team in the event of a data breach for rapid incident response.; WithSecure regularly undergoes SOC Type 1 auditing and can provide access to there port under NDA. SOC Type 2 auditing is currently in progress.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Notifications, alerts and Change Management will be provided directly from WithSecure through their cloud system.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: The WithSecure senior management team has overall responsibility for this policy, and for reviewing the effectiveness of actions taken in response to concerns raised under this policy. Various officers of WithSecure have day-to-day operational responsibility for this policy, and must ensure that all managers and other staff who may deal with concerns or investigations under this policy receive regular and appropriate training.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: WithSecure utilises, within their system a product called - Process Monitor. This is a free tool from Windows Sys internals, which is part of the Microsoft TechNet website. The tool monitors and displays in real-time all file system activity on a Microsoft Windows operating system. Process Monitor is useful for troubleshooting issues when we need to identify the files or registry keys an application is accessing.
• Incident management type: Supplier-defined controls
• Incident management approach: Incident management approach Automated Incident Response; Security information is shared and acted on automatically across the system. It isolates infected mailbox before the threat can spread, slashing incident response time by 99.9%.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  We fight climate change aiming to reduce our Carbon Footprint to zero by 2040. For each contract awarded under the Framework, we will offer a timed action plan to deliver Social Value commitments requested by the Buyer, including:; - Employing local people and retaining small offices scaled for flexible working, enabling us to operate with a small carbon footprint.; - Increasing environmental awareness, enhancement and protection initiatives in corporate policy to influence staff, clients and suppliers by the number of policies that reconnect work and home communities with the local environment.; - Engaging proactively to promote and sponsor initiatives with local environmental groups and supporting national and international action days and weeks, promoting them through attendance and sponsorships. ; - Codesigning and creating Green Spaces initiatives in partnership with client and local environmental groups; - Training and educating through website links to Webinars and fact sheets to influence attitudes, and producing guides on reducing GHG, waste & business travel, efficient resource use, hybrid working, car sharing, and public transport use; - Providing paid volunteering days to encourage our staff to undertake environmental protection and improvement activities.; We will influence staff, suppliers, customers and local communities using technology and effective diary management to reduce business travel. We will advocate hybrid working, start meetings with environmental moments and invite participation in environmental protection initiatives, explaining benefits and expected outcomes, and building targets into supplier subcontracts. Our competence is evidenced by current initiatives that include carbon zero strategies, salary sacrifice enabled electric vehicle leasing schemes, a truly remote-enabled workforce, and travel policy advocating public transport. Our understanding and insight are informed by outreach activities, sustainability working groups, participating in the Team Defence Sustainability Conference.
• Tackling economic inequality:

  Tackling economic inequality

  We will offer opportunities for entrepreneurship and business creation to other SMEs, and small and micro businesses. We will do this operating under fair, accessible, and collaborative agreements under ISO44001 principles. For each contract awarded under the Framework, we will offer a timed action plan to deliver Social Value commitments requested by the Buyer, including:; - Engaging suppliers through Local Economic Partnerships, Academia, Defence Suppliers Forum and TechUK Small Business Forum, and charitable and voluntary organisations. We will measure our effectiveness through the number of new suppliers we engage and the number of events for small businesses we host or attend.; - Providing training, education and mentoring for new businesses and people who face barriers to employment, addressing known skills shortages in our industry through work placements and apprenticeships. We will provide webinars and fact sheets describing steps individuals and small business can take to overcome barriers to work. ; - Providing paid volunteering days to our staff who provide advice and support to help businesses grow and become self-sufficient.; - Creating fair and responsible relationships, and encouraging supply chain diversity using inclusive, non-discriminatory working methods and technologies. We will adhere to the Prompt Payment Code and implement special payment and contract terms for Small Businesses to aid cashflow and strive to improve their satisfaction ratings of doing business with us. ; We will influence our staff, suppliers, customers and local communities through understanding that effective collaboration offers more flexible workforce capacity. We demonstrate our competence working as a collaborative SME company, using a ‘one team ethos’. Our insight is informed through understanding the issues and barriers, and then acting on this to apply fair, non-discriminatory and accessible measures for our suppliers to ‘bridge the gap’ to Government contracts.
• Equal opportunity:

  Equal opportunity

  We promote equal opportunity in our workforce and supply chain through a People Strategy and Diversity, Equality, and Inclusion Strategy. For each contract awarded under the Framework, we will offer a timed action plan to deliver Social Value commitments requested by the Buyer, including:; - Striving to achieve a diverse workforce, employing people from all walks of life, with staff who feel they are accepted for who they are, and VIMA is a safe place to work. Providing fair recruitment, promotion, support and benefit initiatives to everyone, ensuring no-one is discriminated against. This this includes not just being open to candidates from any background, ethnicity, gender or sexual orientation, but actively trying to attract a diverse mix of candidates.; - Training, educating and mentoring to provide learning opportunities for all staff and particularly our Diversity, Equality, and Inclusion champions; - Providing paid volunteering days to our staff who provide advice and support to help promote Diversity, Equality, and Inclusion in the workplace and with our suppliers and Buyers, and in the local communities we work in.; - Maintaining a proactive strategy and monitoring the risks of Modern Slavery in the workplace.; We will influence staff, suppliers, Buyers and local communities by starting meetings with Diversity, Equality, and Inclusion moments, taking time to talk and understand different perspectives, customs and norms. We signpost information and resources to read, use and share through a DE&I portal. Our understanding is informed through findings from people surveys, and discovery work of our DE&I committee. Our competence and insight is evidenced in our current DE&I strategy and working practices. Effectiveness is evident in the diversity of our workforce with over 40% of our workforce being female. We routinely develop and implement special working measures for individuals with health and wellbeing needs.
• Wellbeing:

  Wellbeing

  Mental and physical health and wellbeing are the foundation of our ‘people-first’ culture, advocated from Board-level down. For each contract awarded under the Framework, we will offer a timed action plan to deliver Social Value commitments requested by the Buyer, including:; - Engaging staff, suppliers and Buyers through awareness events, ‘gamified’ wellbeing activities and competitions, awareness days, drop-in sessions and promotional events such as for Mental Health Awareness week. We conduct wellbeing surveys to detect and remedy any adverse workplace wellbeing trends.; - Implementing physical and Mental Health and wellbeing improvements in the workplace, adopting the 6 standards in the Mental Health at Work commitment, and encouraging our suppliers to do the same. ; - Codesigning and creating work schedules for people with additional needs such as neurodiversity, incorporating the use of accessible tools and systems in the workplace above legislated requirements.; - Training, educating and mentoring Line Managers to raise awareness of wellbeing issues, producing fact sheets and increasing the number of trained Mental Health First Aiders in our workplaces.; - Providing paid volunteering days to our staff who provide wellbeing advice and support to colleagues, Buyer staff and other businesses.; We will influence staff, suppliers, Buyers and local communities by starting meetings with safety/wellbeing moments, taking time to talk and relax. We signpost information and resources to read, use and share through a wellbeing portal. Our understanding is informed through findings from people surveys, and discovery work of our wellbeing committee. Our competence and insight is evidenced in current health and wellbeing strategies and practices as Mindful Employers, and an Employee Assistance Programme available 24/7. Effectiveness is evident in low incidence of stress and health-related absences and higher than industry norm retention rates. We routinely develop and implement special working measures for individuals with health and wellbeing needs.

Pricing

• Price: £15.44 to £96.77 a licence
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: The link to the trial below allows potential buyers to try the full version of the service for 30 days.
• Link to free trial: https://www.withsecure.com/gb-en/solutions/software-and-services/elements-collaboration-protection

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ccs@fnc.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.