Six Degrees Technology Group Limited

Managed Extended Detection and Response MXDR SOC Service

Managed Extended Detection and Response (MXDR) Service based on GPG 13, 24/7/365 cyber security SOC monitoring providing human analysis and triage, covering endpoints, servers, on-premise infrastructures, Office 365, identities, cloud applications and cloud workloads. PSN Service Provider and ISO27001 Compliant. Includes integration with industry leading Threat Intelligence provider Recorded Future.

Features

• Human SOC Analysts Monitoring and Triage 24/7
• Built using GPG13, CE+, CIS and NIST controls
• UK On-shore staff and operating facilities Only
• Proactive detection and extended response capabilities
• Includes SIEM, Threat Protection, Threat detection, Threat Intelligence
• BPSS and SC Cleared Staff
• PSN Service Provider (PSNSP SRV_0220) accredited
• Includes Advanced Threat and Malware intelligence

Benefits

• Can be deployed for Cloud and On-premise Infrastructure
• Options for regular service reviews and reporting
• Fully utilise existing capability within integrated Microsoft security tools
• Built around leading security tools
• Personal interaction between SOC analysts and client
• Flexible and scalable solution - add devices as required
• Full visibility on existing devices, services, software and platforms
• Pre-determined response actions to protect your most critical assets

£3.50 to £55.00 a device a month

• Education pricing available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Publicsector.sales@6dg.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

664520946534948

Contact

Six Degrees' Public Sector team
08000128060
Publicsector.sales@6dg.co.uk

Service scope

• Service constraints: Systems and services that do not have native API and detection rules available may require additional development. Response actions extend across the Microsoft XDR Defender suite, including, but not limited to Defender for Endpoint, Server, Cloud, Identity, Office365 and Cloud Applications. The service will generate an Azure usage and storage cost that is variable according to your infrastructure configuration and log retention requirements.
• System requirements:
  • Cloud based Solution
  • Azure CSP created or utilised
  • Appropriate Microsoft Defender Licensing is required
  • Appropriate permissions and access requirements via Lighthouse

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Dependant on incident/request and priority level - please see attached Service Description for details.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Please see attached Service Description for support levels.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: The Six Degrees Managed Service engagement process comprises of 6 distinct phases as outlined below: Pre-sales: sets the expectation of any engagement. Implementation Planning: manages final designs and the overall plan. Deployment: focuses on the initial installation of the client side technology. Configuration: manages the client and Six Degrees technology integration. Tuning: ensures the technical solution is performing optimally. Full Service Operation: manages the delivery of the service through to contract closure
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: The technical solution is owned by Six Degrees and is used to deliver the managed service. At termination of a managed service means that all components of the technology will be shutdown. All raw log data collected inside the SIEM can be exported in a compressed file and provided to the client. It is the clients responsibility to handle the compressed log file according to data classification and handling guidelines. Virtual images and all backups are to be deleted with written confirmation from the client this has been actioned. The continued use of any of the components, as they were provided and configured for the service will be in breach of any licencing agreements outside of a managed service contract. Any information collected by Six Degrees during the implementation or running of the service will be securely deleted in accordance with NCSC secure destruction guidelines and written confirmation from Six Degrees that all information has been destroyed will be issued.
• End-of-contract process: The client will need to give termination notice, as the solution and its configuration is owned by Six Degrees and is used to deliver the managed service, the termination of a managed service means that all components configured and purposed for the delivery of the service will be shutdown.

Using the service

• Web browser interface: No
• API: No
• Command line interface: No

Scaling

• Scaling available: No
• Independence of resources: Each client will has their own instance of the technology platform created. Each instance has its own, scalable resources to assure it is not impacted by other service users.
• Usage notifications: Yes
• Usage reporting: Other
• Other usage reporting: The SDM or SOC team will alert you if you are approaching a limitation of the service.

Analytics

• Infrastructure or application metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Hardware containing data is completely destroyed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: No

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: 99.9% as a minimum - please see further SOWs for all SLAs and service credits
• Approach to resilience: Six Degrees run two data centres, which are fully resilient and tested regularly in our BCP plan. In addition, Six Degrees have a fail-over SOC that is instigated in the event that SOC Alpha is physically or technically unavailable.
• Outage reporting: Outages to the service are reported to the client immediately by telephone communication, due to the nature of the service and reviewed at the service meetings as part of standard reporting.

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Dedicated end points, with 2FA, Isolated VPN connectivity and RBAC.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Other
• Description of management access authentication: The client is also provided a PIN number that is exchanged with the SOC analysts if the client need to call for further information.
• Devices users manage the service through:
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 6 months and 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 6 months and 12 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: LRQA
• ISO/IEC 27001 accreditation date: 03/10/2022
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: IT Governance
• PCI DSS accreditation date: 08/11/2023
• What the PCI DSS doesn’t cover: Only the physical and environmental security at the data centres we use in our operations were included in this assessment. The relates to the provision of the secure physical environment for the Colocation Services that Six Degrees provides to its clients. All other services provided by Six Degrees, internal systems supporting business operations or for other clients are specifically excluded from this assessment.
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • ISO22301
  • ISO9001
  • SOC 1 Type 2
  • SOC 2 Type 2

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: PSN Service Provider and PASF
• Information security policies and processes: PSN and ISO 27001 accredited, the Service follows Cyber Security Policies. We have a Information Security Management System for incidents and have a WIKI that has all the published policies and procedure. We have an appointed Information Security Officer - scheduled regular audits and quarterly staff training. We are a security organisation and therefore security is embedded in our culture.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Change Management within Six Degrees is run by a change control board run by our CTO. Only those changes that conform to the Change Management process described in our policy document are authorised for implementation. Within these standards are the rules of conduct relating to: 1) Change Entry 2) Change Review 3) Testing 4) Change Approval 5) Change Announcement 6) Change Management Meeting 7) Implementation 8) Report and Control
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Emergency patches will be deployed by relevant Six Degrees SOC Staff delegates. They should be deployed within 8 hours of availability. As Emergency patches pose an imminent threat to the network, the release may proceed testing. Critical security patches should be deployed within 3 business days of the time the vendor makes them available. Non-critical security and other patches may be applied monthly.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Although GPG13 is now a legacy document, it remains a guideline to be utilised. As such Six Degrees monitor its our own infrastructure in line with this standard.
• Incident management type: Supplier-defined controls
• Incident management approach: As an ISO27001 accredited company, Six Degrees must maintain a detailed Incident Handling Policy and suite of procedures to ensure that we have a comprehensive and repeatable risk assessment process. Incidents are reported to the Information Security Officer as per policy and our Information Security Management System.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: No

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: Six Degrees use the ARK data centres in Spring Park, Corsham, and Cody Park, Farnborough, for its public sector cloud services. ARK are Participants of the EU Code of Conduct for Data Centre Energy Efficiency for SQ17, P1, and A9. Through selecting ARK this choice demonstrates to our clients a commitment to reduce energy and make cost-savings during Business As Usual. Working with ARK, clients can save more than £1.1 million and 6,000 tonnes of carbon annually based on a 1MW load, compared with an average data centre facility – lowering the Total Cost of Ownership across the Industry. Situated within secure compounds and boundaries, each Ark protects to Business Impact Level 3 (BIL3) as a minimum, without compromising availability, sustainability or price point. Ark currently has two dedicated data centre campuses spread across 74 acres in Wiltshire and Hampshire, with access to 160MVA of diverse power.

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  We have an established environmental committee that is specifically focussed on ensuring that we apply an approach of continuous improvement in relation to environmental compliance and good practice. As part of our environmental commitments, we are aligned to ISO 14001(Environmental Management) and have a published Carbon Reduction Plan on our website, which was measured and recorded in accordance with GHG Protocols and Procurement Policy Note 06/21. ; ; We will be reviewing our footprint on an annual basis and carrying out actions identified to reduce our footprint. We are committed to achieving Net Zero by 2050 at the latest. During this time, targets will be set for the remaining period to ensure Net Zero will be achieved by our target date. We are aiming to reduce our absolute carbon emissions by at least 90% from our baseline year or achieve (and maintain) a carbon intensity metric of <1 tonne CO2e per employee, whichever comes soonest. This is in line with science-based Net Zero targets. ; ; Our largest environmental burden is the use of power in our datacentres. We use technology designed specifically to manage power consumption. We are very proud to have switched our data centres fully to use green and renewable energy. ; ; Our focus on environmental performance as a supplier under this framework will benefit you as you strive to achieve your own Net Zero targets. ; ; As a leading Microsoft partner, we can work with Microsoft to help you understand the carbon footprint for your existing estates, and how a transition to hybrid/public cloud could help reduce it. As part of any agreement under this framework we can also engage with your local communities to promote environmental awareness or engage in projects that benefit the environment.

  Tackling economic inequality

  Six Degrees supports this theme in several ways. Firstly, by working with local communities to provide mentoring and job opportunities. We take pride in employing local people and offering new opportunities as they arise. We do this through our internal Talent Acquisition (TA) team, who are actively building richer and deeper contacts within the local community to raise aspirations of people from all backgrounds. ; ; We seek to encourage local people to work within the technology sector by removing barriers to entry, for example through behavioural interviewing with objective behaviours that actively seek to remove bias (unconscious or otherwise) in recruitment and individual development discussions. Our TA team partner with local universities, schools and colleges to support careers fairs and our subject matter experts provide talks on IT or cyber security to local students. ; ; We are also very passionate about our ‘Women in Tech’ group, which seeks to encourage women into IT through all sorts of activity, such as webinars, school visits and other events. We are continuously planning new events and initiatives under this scheme, which we could then offer to buyers and their community as part of engagements on this framework. ; ; Secondly, we will tackle economic inequality and the digital skills gap through creation of new skills & jobs in the high-growth cyber security sector. Our cyber apprenticeship programme, sponsored by our People Business Partner & Cyber Consultancy Director, provide skills and accreditations that enable our people to progress in cyber security or transition into that space. ; ; We also run in-person events, known as ‘Cyber University’, as an education scheme for our Buyers based on our extensive knowledge and experience in Cyber Security. Cyber University provides an open forum for customers to create new skills in Cyber Strategy, best practice approaches and the latest in Cyber Security.

  Equal opportunity

  We recognise that people are more likely to be engaged and productive if they are rewarded fairly and offered flexibility to help achieve a positive work life balance. We therefore pay at the Real Living Wage in all of our roles, and remain committed to our ongoing pay review process to ensure all our employees are fairly rewarded. Six Degrees also has a continuous focus on closing the gender pay gap in our company, with our latest report available on our website. ; ; We recognise that females are underrepresented in education, training and employment related to STEM. To combat this, we have introduced several strategies to bring new females into the organisation. These include our engagement with schools, colleges, and universities to raise the aspirations of females toward tech. Our goal of ensuring every recruitment shortlist contains as least one female, and our offer of a guaranteed interview for every shortlisted female. ; ; We have collaborated with the Employers Network for Equality & Inclusion (ENEI), achieving a bronze TIDE Award in our first two years of collaboration. Through our continued devotion to improving, we were awarded a silver status in 2023. Through this partnership we have focused our work around seven critical areas of inclusion – our workforce, our strategy and plan, leadership and accountability, recruitment and attraction, training and development, employment practices, and communication.; ; We have zero tolerance to slavery in any form, but by no means limited to, bonded labour, debt bondage, serfdom, forced labour, child slavery, marital slavery, sexual slavery and/or human trafficking. We expect all those in our supply chains to comply with our values and the Modern Slavery Act 2015, which is governed by our Supplier Management and Sustainable Procurement Policy.

  Wellbeing

  Supporting our workforce’s health and wellbeing is crucial to Six Degrees. We have established an employee network, known as the 360 Degrees Group, which is made up of people who are passionate about making a difference from across all different business units, with an Executive-level sponsor and SLT-level sponsors for each sub-group or initiative. The initiatives include: ; ; - Including Everyone, Everywhere: Our forum which focuses on diversity and inclusion: it’s about creating a Six Degrees where everyone feels able to bring their truest self to work.; ; - Healthy Minds, Healthy Lives: Our forum for mental health and general wellbeing. A healthy mind and body is at the core of being happy and productive at work and at home.; ; - For The Benefit of Others: There’s something that touches, motivates or inspires all of us; this is a forum which focuses on charity fundraising, on making a positive mark on the communities which Six Degrees touches, and on making this a greener place to work.; ; We operate a well-being calendar led by Healthy Minds, Healthy Lives and also have certified Mental Health First Aiders across the business, demonstrating our commitment to providing our workforce with wellbeing support. ; ; We have a significant focus on building awareness and promoting dialogue around health and wellbeing: our Women in Tech committee talks about female health, and for June (Men’s Health Awareness Month) they will be promoting awareness of men’s health, for example testicular and prostate cancers.; ; Under the 3rd initiative we actively encourage community engagement through numerous social value activities. These include collaborative and individual fundraising projects for our partnership with Macmillan as well as promoting events within communities. In 2019 we sponsored the Women in IT awards and have also sponsored a Tough Mudder charity event.

Pricing

• Price: £3.50 to £55.00 a device a month
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Publicsector.sales@6dg.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.