Khipu Networks Limited

Tenable One (Standard and Enterprise)

Tenable One enables you to gain visibility across your attack surface, focus efforts to prevent likely attacks and accurately communicate cyber risk to support optimal business performance.
Enterprise option include tools for breach & attack mitigation and insight into the external attack surface.
Includes other Tenable point products.

Features

• Global Exposure View
• Centralised Asset Inventory
• Peer Benchmarking
• Risk-based Vulnerability Management
• OT / IoT Security
• Secure Active Directory
• Secure Cloud Infrastructure
• Automated Web Application Scanning
• External Attack Surface Management (Enterprise Only)
• Attack Path Analysis (Enterprise only)

Benefits

• Comprehensive visibility: gain a unified view
• Predict: anticipate the consequences of a cyber-attack
• Improve risk prioritisation
• Centralised and business aligned view of risk
• Flexible licensing
• Access to nearly all of Tenable's suite of products

£56.25 a user

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Sales-UK@khipu-networks.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

673738835434680

Contact

Sales Team
0345 272 0900
Sales-UK@khipu-networks.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: Must be accessed via a web browser. System maintenance is automatic and included as part of the subscription.
• System requirements: Deployment guide available upon request

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: KHIPU delivers support packages with associated SLAs. The response time SLA is linked to the priority of the incident. Response times can vary from 30 minutes (Priority 1) to 4 hours (Priority 4), depending upon the severity of the support call logged. We can also offer bespoke support packages that allow the initial response time to be tailored to the environment if required. The initial response time does not differ based upon the time of day nor day of the week.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: KHIPU’s ethos is to provide outstanding technical and after sales support, both during and after a project implementation. To evidence this, we have a number of exceptional customer references should customers wish to speak with them. For all supplied solutions we provide maintenance and support services, with all of the proposed equipment being supported and maintained by KHIPU to the required level based upon the customers’ cover. The following is included within our available support/maintenance services: • Maintain Services is KHIPU's 'break fix' level of support. • Monitor Services offer “Pro-Active” monitoring and alerting via KHIPU's “KARMA” service. • Fully Managed Service, KHIPU assumes full responsibility for the running of your devices. • Co-Managed Service, KHIPU assists with the running of your devices. • KHIPU SOC Service offers a complete, detection and response service protecting your critical infrastructure from cyber-attacks. • All services are available 8am to 6pm Monday to Friday, or 24x7x365(366) • Telephone, Email, Secure Portal and Remote Access Support KHIPU would also assign a Technical Account Manager to every customer, who would be responsible for ensuring that SLA's are met in the event that customers call upon the agreed support service.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: For the delivery of the service, KHIPU follows our ‘Project Process’ which has the following primary stages: • Stage 1 – Service scope • Stage 2 – Assessment • Stage 3 – Report correlation. This process is KHIPU’s way of providing an effective service to implement your solution efficiently and to a high standard, in accordance with our ISO accreditations. Initially, we will set up a call to discuss the implementation of your service, what will take place, and any pre-requisites that need to be met. This will also provide end-users with the opportunity to speak to one of our fully qualified engineers who will discuss all aspects of the of the service and answer any questions that they may have. A set of project and technical documentation is then created, based upon the discussion. It is then circulated with the customer for their feedback and signature. From this point there is an agreed change control process for anything necessary which is under the control of both KHIPU and the customer.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Should a customer's account expire or terminate, Tenable will retain the data, as it was at the time of expiration, for no more than 180 days for customers to download their records accordingly. After that time, this data may be deleted and cannot be recovered.
• End-of-contract process: Should a customer's account expire or terminate, Tenable will retain the data, as it was at the time of expiration, for no more than 180 days for customers to download their records accordingly. After that time, this data may be deleted and cannot be recovered.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: User-friendly graphical interface with drill-down capabilities.
• Accessibility standards: None or don’t know
• Description of accessibility: Access to is through a web browser utilising TLS/SSL secure communication. Detailed accessibility response available: https://www.tenable.com/section-508-voluntary-product-accessibility
• Accessibility testing: Detailed accessibility response available: https://www.tenable.com/section-508-voluntary-product-accessibility
• API: Yes
• What users can and can't do using the API: Users can easily integrate and automate the sharing of capabilities and vulnerability data, or build on the platform, leveraging a fully documented API set and SDK. There is no extra cost to use these tools to maximize the value of your vulnerability data.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • Other
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Each module within the platform is individually customisable according to each module’s own attributes. Additionally for Tenable One specific modules, multiple options for customisation exist including customised queries for risk scoring, SLA settings and cyber exposure score threshold for benchmarking, targeted asset reporting and monitoring.

Scaling

• Independence of resources: Tenable commits to provide 99.95% average uptime with respect to the Cloud Services during each calendar month of the subscription term. http://static.tenable.com/prod_docs/Service_Level_Commitment.pdf. Currently (April 2022) - Tenable Vulnerability Management utilises AWS autoscaling to provide expansion of the service as required.

Analytics

• Service usage metrics: Yes
• Metrics types: License usage. Further information: https://docs.tenable.com/tenableio/vulnerabilitymanagement/Content/Settings/ViewLicenseInformation.htm

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Tenable

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: In-house
• Protecting data at rest: Other
• Other data at rest protection approach: Tenable uses state-of-the-art container technology to create and segregate customer environments. All customer accounts, vulnerability data and user settings are contained within a container uniquely allocated to each specific customer. Data contained within one container cannot leak or otherwise be intermingled with another container, thus ensuring the privacy, security and independence of each customer environment. At rest all customer data collected are encrypted using AES-256 encryption.
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Via the console or via API calls.
• Data export formats:
  • CSV
  • Other
• Other data export formats: PDF
• Data import formats:
  • CSV
  • Other
• Other data import formats: PDF

Data-in-transit protection

• Data protection between buyer and supplier networks: Other
• Other protection between networks: All customer data is marked with a "container ID", which corresponds to a single customer subscription. This container ID assures that access to a customer’s data is limited to only that customer. All data is encrypted at all times; at rest and in-transit
• Data protection within supplier network: Other
• Other protection within supplier network: Tenable uses state-of-the-art container technology to create and segregate customer environments. All customer accounts, vulnerability data and user settings are contained within a container uniquely allocated to each specific customer. Data contained within one container cannot leak or otherwise be intermingled with another container, thus ensuring the privacy, security and independence of each customer environment.

Availability and resilience

• Guaranteed availability: Tenable commits to provide 99.95% average uptime with respect to the Cloud Services during each calendar month of the subscription term. If in any calendar month this uptime commitment is not met by Tenable and Customer was negatively impacted, Tenable shall provide, as the sole and exclusive remedy for unavailability or performance degradation of the specific Tenable Cloud Services, a service credit.
• Approach to resilience: Tenable uses health and status data to detect and address potential issues in a timely manner, thereby maintaining SLA commitments. Tenable Cloud services are replicated both within and across AWS regions. Should both instances in a region fail (or the region suffers an outage in general), the regional-failover layer (usually using dynamic DNS) will instead direct traffic to the other three regions. Failover is closest-path to the traffic origin.
• Outage reporting: Tenable One disaster recovery procedures have several levels and are designed to react to situations that may occur from anywhere between once in five years to once in 50 years. Depending on the scope of the disaster, the recovery procedures vary in time from 60 minutes to 24 hours.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Username and password with optional 2-factor authentication. Multi-factor authentication is either supported by the SAML broker (such as Ping, Duo, etc.), or SMS one-time codes through the built-in integration with Twillo.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Lloyd's Register Quality Assurance
• ISO/IEC 27001 accreditation date: Original Approval: 6th May 2010, Current Expiry: 5th May 2025
• What the ISO/IEC 27001 doesn’t cover: All areas of KHIPU's business is covered under ISO27001 certification.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: KHIPU adhere to ISO policies and procedures. We are certified to ISO9001 (Quality Management), ISO27001 (Information Security Management), ISO14001 (Environmental Management) and ISO45001 (Occupational health and safety). Any potential breach or risk of security or process is highlighted to senior management including the board of directors immediately.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All changes to the configuration of the service are managed through an ITIL based Change Control Process. This looks at technical suitability, security risks and impact to service; the output from which is clearly communicated to the customer where the ultimate decision will be made to proceed or not. This takes into account any commercial considerations necessary and provides an audit trail, ensuring that all aspects of the change are considered.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We work closely with the manufacturers of the deployed services to ensure that any reported/disclosed vulnerabilities are patched during the next maintenance window. Should a major flaw occur, an emergency change process would be invoked to patch the service within 48 hours. In the event that multiple vulnerabilities become apparent, they will be addressed in severity order (highest first), until all are mitigated.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Potential compromises are detected via various means including monitoring tools, manual check, service degradation, reported issues and regular vulnerability assessments. In the event of a suspected compromise, they are acted upon with high priority until they are proven to be benign or corrective action is needed to be taken to mitigate the problem. Immediate responses are provided if an issue appears to be critical within the end users’ environment. These procedures are in line with our ISO27001 processes.
• Incident management type: Supplier-defined controls
• Incident management approach: As part of our support/managed service procedure, the customer is provided with full details of how to log a support call, including all logging methods and the required information for the servicedesk. Once the call has been logged, it is then managed by the team under the servicedesk based on severity (major issue = service affecting, minor issue = query). All service affecting calls are escalated accordingly to the 2nd/3rd line teams including the assigned account and technical manager. Escalations procedures are provided as part of the onboarding process.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  KHIPU is committed to monitoring and reducing our environmental footprint. We are an ISO14001 Environmental Management certified company and complete an internal audit annually which provide updated targets for our company and supply chain to aim for. We update our initiatives on our website: https://www.khipu-networks.com/khipu-is-green/. • Employees and our supply chain are made aware / reminded of their environmental impact. • We regularly review our products, services, and suppliers to ensure we are using the most suitable environmentally friendly options. KHIPU and our supply chains are committed to minimising impact to the environment from our solutions by reusing, recycling, and adopting processes that conserve raw material, energy, and water. The company is part of a movement called “techies go green” (https://www.techiesgogreen.com), aimed at increasing awareness and we are committed to decarbonising our businesses and making them green and verifiably sustainable. Where possible, we work with customers remotely to reduce travel costs and for each day an engineer installs / supports a customer remotely we plant 10 trees. Tracking of our progress is available here: (https://moretrees.eco/forest/khipu/).

  Covid-19 recovery

  Our plans and processes provide mitigation against a wide range of potential incidents including the unforeseen events mentioned. The procedures have been regularly tested both theoretically and in real events. In 2017 we activated the plans as part of an office relocation, we had no loss of services or unexpected downtime. On the 9th March 2020, we activated our Pandemic Policy which was created during the original SARS threat. This was activated across our UK and South Africa offices in advance of the UK and SA Government lockdown. We successfully had 98% of staff working from home, 2% of staff worked in our UK office. The business managed to offer and operate the majority of our services remotely. We continued to provide on-site resources to customers running critical life supporting systems (i.e. Healthcare / Social Services). Since the removal of lockdown restrictions, we have moved to a hybrid operation where staff aim for a minimum of 3 days in the office, 2 working remotely. KHIPU invested in a new HQ building during 2021-2022 and modelled our offices to support the most flexible ways of working.

  Tackling economic inequality

  As a business we understand that we can make a difference in tackling economic inequality, with KHIPU being fortunate to operate in the Technical Business Sector which is a robust market. This allows the company to invest into our workforce, both in terms of relatively high salaries and also support services (pension contributions, healthcare, dental care, welfare support, regular health checks, training, team building, career options). We offer flexitime to the workforce, offer hybrid working, provide a very good maternity / paternity scheme, invest in apprentices, and also graduates and have workforce age from ~19 – 70 years of age. Over 40% of our senior staff identify as female and we support all of our staff in any way we can. Outside of our business, KHIPU invests into charitable causes, we have invested in building a computer laboratory in a township school in South Africa. We invest in youth sports and various health related charities.

  Equal opportunity

  KHIPU has a strong ethos on diversity and inclusion with our main objective being that our company and staff understands and promotes equality, diversity, and inclusivity internally and externally with suppliers and customers. We have not set any specific target; however, we have found that our organisation has organically grown in a manner fully supportive of our main objective for equality, diversity, and inclusivity. This organically grown culture exists across our UK and South Africa based offices, we also ask our supply chain to confirm their commitment to supporting our own objective in this manner.

  Wellbeing

  KHIPU has a very active “People Operations” department with representatives across our main offices in the UK and South Africa. They provide a wide range of help and support to all staff, including their families as appropriate. Our team have trained first aiders and also have received mental health awareness training. All staff have access to our internal support team and can also be referred to 3rd party experts (via our company-wide healthcare scheme). The company invests in an annual health check (optional but recommended for all staff) by a 3rd party company, this also offers advice on mental health, fitness, diet etc. The company has invested in excellent office facilities, both in terms of general office location and facilities within our offices. This allows staff multiple options for stress reduction, teamwork or relaxation as required. We suggest that all staff walk around and do not sit too long at their desks, offer stand-up desk workstations and we try to cater for any staff members working preferences.

Pricing

• Price: £56.25 a user
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Sales-UK@khipu-networks.com. Tell them what format you need. It will help if you say what assistive technology you use.