NCC GROUP SECURITY SERVICES LIMITED

Cloud Security – Threat Profiling

NCC Group provides a structured review of your key assets, unique threats to them and likely means of compromise. Comprising a review of your cloud environments’ security design, architecture, configuration and governance, we produce detailed threat profiles addressing your operational fingerprint to enable tactical and strategic evolution of your posture.

Features

  • Produce a detailed threat profile of key assets to protect
  • Identify threat actors, use cases, highlight threat surfaces, attack vectors
  • Review policies, standards, technical designs, use/test cases and user stories
  • Workshops and interviews - understand key processes and procedures
  • Structured standards and/or policy framework approach
  • Thorough technical and governance appendices detailing all identified deficiencies
  • A prioritised remediation road map addressing strategic and tactical issues
  • Detail deficiencies in controls and potential outcomes of a cyber-breach
  • Executive level summary of business risk and means to address
  • Post-assessment briefing offered to discuss findings and recommended next steps

Benefits

  • Threat-profile provides foundation for formal modelling and lists attack vectors
  • Highlighted weaknesses in systems and processes tailored to different audiences
  • Identify significant threats to Confidentiality, Integrity, and Availability of assets
  • Address important design considerations and proficiency of current controls
  • Identify pertinent threat actors and likely means of realising threats
  • Cross sector experience to share comparable results
  • Support prioritisation decisions with actionable intelligence, improve cloud security posture
  • Access to world-class threat management tools and Governance practices
  • Reflecting Business and ICT Strategies
  • Manage fast paced threat evolution unique to your operations

Pricing

£750 to £3,000 a person a day

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@nccgroup.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

666440802172513

Contact

NCC GROUP SECURITY SERVICES LIMITED Karen Fryatt
Telephone: 07717800461
Email: tenders@nccgroup.com

Planning

Planning service
Yes
How the planning service works
The NCC Group set of cloud services provides a comprehensive review of an organisation's cloud security maturity against both UK Government and internationally recognised frameworks and standards.

We provide independent assurance, confidence and peace of mind that your cloud security strategy and roadmap is heading in the right direction, in line with your business goals and objectives. NCC Group cloud consulting services also provide your organisation with assurance that it is adequately prepared and has the necessary practices in place for cloud resilience.

After setting the context and understanding your organisation, we review your threat landscape and critical assets and perform a controls based assessment. This could involve Cloud Security Assessment Review, Cloud Security Architecture Design, Security Migration Readiness and Cloud Threat Modelling and Profiling; or it can deal with organisational development in Cloud Security Strategy and in developing a Cloud Centre of Excellence (CCoE) or indeed all of these.

NCC Group services are developed against appropriate frameworks, including the Cloud Security Alliance (CSA) 27 Core Pillars criteria, the National Cyber Security Centre (NCSC) Cloud Security Principles, the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS), as well as specific cloud service provider security best practices.
Planning service works with specific services
Yes
Hosting or software services the planning service works with
  • Microsoft Azure
  • Amazon Web Services (AWS)
  • Google Cloud Platform

Training

Training service provided
No

Setup and migration

Setup or migration service available
Yes
How the setup or migration service works
NCC Group employs experienced cloud experts to help you to build a secure migration and development readiness plan and to ensure that critical data is collected prior to initiating any new deployment. We review any vendor specific elements, the dependencies on other applications and the applicable secure migration paths needed.

We work with you to stage your migration using cloud readiness analysis and secure development patterns based on our proven approach which includes application code analysis and migration best practices. For TO-BE Cloud development we advise on the necessary application changes and the service integration tools to use. This ensures that your applications are compliant with any existing or new build security, identity and access management, storage and central logging services.

We take actions to modernise and prepare your applications for cloud via modifying or re-writing code and in using Rehost, Refactor, Revise, Rebuild or Replace strategies. NCC Group also plans and designs multi-cloud strategies and develops procurement planning to enable workload portability and interoperability. We review potential lock-in across all levels i.e. data, architecture, technology, application and workforce skill levels as well as the trade-offs involved in single to multi provider spectrum strategies.
Setup or migration service is for specific cloud services
Yes
List of supported services
  • Microsoft Azure
  • Amazon Web Services (AWS)
  • Google Cloud Platform

Quality assurance and performance testing

Quality assurance and performance testing service
No

Security testing

Security services
Yes
Security services type
  • Security strategy
  • Security risk management
  • Security design
  • Cyber security consultancy
  • Security testing
  • Security incident management
  • Security audit services
Certified security testers
Yes
Security testing certifications
  • GBEST
  • CHECK
  • CREST
  • Tigerscheme
  • Cyber Scheme

Ongoing support

Ongoing support service
No

Service scope

Service constraints
No

User support

Email or online ticketing support
Email or online ticketing
Support response times
9 to 5 (UK time), Monday to Friday
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Support levels
Please see details on the service levels within the service definition document.

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Security Clearance (SC)

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
LRQA
ISO/IEC 27001 accreditation date
08/12/2021
What the ISO/IEC 27001 doesn’t cover
None - All requirements of the ISO27001 certification are covered across all of our UK sites, services and personnel
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
  • ISO 9001:2015
  • Cyber Incident Response (CIR)
  • PCI Approved Scan Vendors/PCI Qualified Security Assessor

Social Value

Fighting climate change

As well as our own ambition to reduce our carbon footprint, working with our customers and suppliers we aim to contribute to reduce global greenhouse gas emissions through continuing to develop remote solutions for our customers.
In this financial year (ending 31 May 2022), our aim is to reduce carbon intensity to minimise the impact of our operations on the environment. We will be reporting against Task Force on Climate-Related Financial Disclosures (TCFD) recommendations at the end of this financial year – partnering with Willis Towers Watson to further develop our approach to identifying and assessing climate change risk, which will support the development of a robust strategy and enable reporting against the TCFD in 2022.
This is a priority area for us to focus on in this new financial year. Building on the new and successful ways of working created by the pandemic we will engage in conversation with our customers to explore how we can work together to reduce the impact on the environment through reducing non-essential travel.
As our office environments come back to life, we are investing in education programmes to reduce our physical impact – from flexible working and minimising printing, to increasing recycling. And we will continue to review our physical office requirements to ensure we only use what we need.
We’ll design solutions for the future, driving efficiency into our design and delivery building on the momentum created by the pandemic. For example, our Firebase appliance, which was developed by our consultants in 2018 was designed to enable remote security testing. Roll on a pandemic and that early prototype enabled us to reduce our travel impact by circa 500-600 thousand miles between 1 April 2020 and 31 May 2021.
Covid-19 recovery

We play a significant role in attracting and training of new talent, having one of the cyber industry’s most effective training programmes. We aim to help create a cyber specialist community, which is representative of the society we live and work in. Initiatives this financial year in the UK to support this include:
• Partnership with CAPSLOCK – to support retraining of people into cyber security, with 3 recruits within the last 12 months
• Partnership with Uptree – investing in the next generation of cyber talent. We have previously delivered a cyber careers awareness day for 30+ students, with further days planned this year.
• Sponsorship of Scotland’s Empowering Women in Cyber Leadership programme
• 2021 Junior Cyber Security Programme, where we have welcomed 70 Junior Security Consultants in the last 12 months through our UK/APAC Next Generation Talent programme, with 48 in the UK.
Additional Covid-19 action:
• Made provision for longer-term working from home with physical and mental wellbeing programmes put in place
• Created a system to support colleagues with urgent needs to access alternative places to work where home working was not conducive to a positive working environment
• Continued successful delivery through remote working and maintained a “working together” approach to match our customers’ challenging needs through the impact of local restricted working practices
Tackling economic inequality

We play an active role supporting regional ecosystems, including the UK cyber clusters identified in the UK Government’s recent Levelling Up White Paper. For example, in Greater Manchester we have supported the GM Cyber Resilience Centre and engaged with Manchester’s investment promotion agency MIDAS. And, in the Cyber Valley (Cheltenham), we are an active member of the CyNam networking and collaboration community, supporting joint CyberFirst Schools-CyNam initiatives like the CyberTV channel for aspiring cyber professionals. We’re also supporting the UK’s start-up ecosystem, including through partnerships with Ashurst Fintech Legal Labs, where we share our specialist cyber security knowledge by identifying, feeding back on and inputting into prospective start-up and scale-up businesses operating in technology and financial services. FinTech Scotland - NCC Group partners with FinTech Scotland to further enhance cyber resilience across the sector.
To develop the pipeline of next generation cyber consultants we engage with local schools, colleges and universities to help open opportunities for careers in cyber security for all. We hire talent that is representative of society providing an internal training programme that supports return-to-work, career change, Service leavers and others to develop cyber skills based on aptitude not pre-existing skills. We then invest in our team by supporting personal research and continuous skills development into their scheduled work. We also pay for their attendance at international tier 1 security conferences to present their research. We hold regular tech-talks to cross fertilize ideas, knowledge and experience and provide regular shadowing and mentoring opportunities.
We created a Women’s International Network to complement a positive environment for women in the workplace while actively supporting colleague resource groups providing equality, diversity, inclusion, support and advice as mentioned above that helps us ensure that we are an attractive and fair employer for all.
Equal opportunity

We want to create an environment where all colleagues feel psychologically, emotionally, and physically safe to be authentic, representative of the world they live in, share their personal experiences and have equal opportunity to achieve.
Our I&D plan underpins our growth strategy and in FY21 was focused on four areas that were identified as being important to our colleagues: Gender; LGBTQIA+; Neurodiversity; and Race and ethnicity. A fifth resource group is being established this year to cover Accessibility.
At the heart of our commitment to I&D is our NCC Conversations programme, which we launched in Aug-20. Our colleague resource groups are supported to produce relevant content, from blogs to panel sessions and resources, linking in with societal events of interest, to support our ongoing awareness and education for colleagues.
As well as building learning into our annual I&D training. Manager Essentials training, partnering with organisations to develop future pathways for diverse talent to enter the industry, reviewing colleague policies, and improving how we recruit new talent and invest in career development.
In our last financial year (up to 31 May 2021) we hired over 200 front-line technical specialists, which increased our global net headcount by 8.1%. Twenty-nine per cent of all hires in our last financial year (where gender was disclosed) were female, with an increase of 43.5% on actual female hires compared to our previous financial year (FY2020). This financial year we commit to achieving the same or better through our targeted efforts.
We have been on a mission to create a more inclusive global organisation. We recognise that the programmes and initiatives we have in place today (and want to create in the future) will take time to embed and have an impact on the demographics of our organisation.
Wellbeing

We will be signing up to the UN Global Compact, but currently partner with:
• Business in the Community
• This Can Happen – Mental Wellbeing in the Workplace
Some of the initiatives to support our own colleagues during the pandemic (and now part of our colleague offering going forward) include:
• Trained over 100 people managers in mental health awareness
• Developed a wellbeing resource for colleagues and managers, supplemented by employee assistance programmes in each of our local geographies
• Trained a global network of over 60 Mental Health First Aiders (external validated training) to provide support for colleagues
• Delivered homeworking kit to all colleagues globally, and provided a safe working environment for any colleague who needed respite from homeworking (unsuitable home environment or any mental wellbeing issues)
• Duty of care, based on a permit to work scheme, that assesses safety (health and wellbeing) before customer related travel or onsite work is undertaken. This helps to ensure we mitigate any risk of Covid infection, and any other related risks associated with the onsite requirement.
Our teams have worked hard to provide mutual support with a particular focus on mental health and wellbeing. We have 61 trained Mental Health First Aiders. Over 100 of our people managers have received training in mental health awareness, and a full wellbeing programme for colleagues is supplemented by employee assistance programmes in our local geographies. All of these efforts continue to help our teams through these difficult times and will provide a legacy of ongoing benefit in the future.
In addition, we continue to invest in developing not only our mental health first aid network and resources, but we are now looking to implement our broader wellbeing strategy, partnering again with This Can Happen.

Pricing

Price
£750 to £3,000 a person a day
Discount for educational organisations
No
