Somerford Associates Limited

mnemonic - Penetration Testing

Applications, systems, networks and people form the technological foundation of any business. Having security experts test this foundation identifies risks, isolates vulnerabilities and prioritises remediation before exposures can be exploited by attackers.

Features

  • Application security
  • Web application and APIs
  • Cloud security testing (AWS, Azure, Google Cloud)
  • Infrastructure security
  • Red-team exercises, including TIBER (Threat-Intelligence Based Ethical Red Teaming)
  • Internet of Things (IoT) and smart devices
  • ICS, SCADA, and OT assessments

Benefits

  • Identify and understand your organisation’s vulnerabilities and problem areas
  • Practical advice on recommended remediation
  • Receive thorough documentation of the security assurance activities
  • Penetration Testing specialists with deep industry expertise
  • Penetration testing enables more accurate and informed risk-based decision making
  • Highly experienced Penetration Testing consultants

Pricing

£185 to £370 a unit an hour

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at penny.harrison@somerfordassociates.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

701242496913127

Contact

Somerford Associates Limited Penny Harrison
Telephone: 07897075103
Email: penny.harrison@somerfordassociates.com

Planning

Planning service
Yes
How the planning service works
Penetration testing serves primarily as quality assurance. It should provide increased knowledge and understanding, and it helps the organisation make informed choices to manage technical risk in both the short and the long term.

This happens in multiple ways. The immediate impact of a security test is the discovery of as many vulnerabilities and potential weaknesses as possible, verification of their potential impact, and an initial prioritisation. This makes it possible to prioritise and handle these defects in the short term, or to establish compensating controls. Testing will typically identify both "quick wins" and more strategic improvement needs.

While security testing can never eliminate all bugs, actively looking for security flaws and vulnerabilities helps increase software quality and decreases the likelihood of critical bugs going undetected or being discovered by someone else.

We begin the security test with an initial meeting to plan the assessment in detail and coordinate initial activities. The goal of the start-up meeting is that all formalities are handled, that both sides have all the information needed to proceed with the project, and that the penetration testers get an optimal understanding of the customer's goals and needs.
Planning service works with specific services
No

Training

Training service provided
No

Setup and migration

Setup or migration service available
No

Quality assurance and performance testing

Quality assurance and performance testing service
Yes
How the quality assurance and performance testing works
Mnemonic’s security tests combine open standards and industry best practices with our own experience, tools, and methodology. We utilize the whole breadth of mnemonic’s security offering by including relevant expertise from other parts of our organization, such as our security operations center, threat intelligence analysts, product experts, and the R&D team. This gives our offensive team a unique advantage, and enables us to go deeper and provide the best possible advice.

The main output of the activity is a structured written report, which can be used either as-is or in part for both internal and external stakeholders, auditors, et cetera. Having a process for regularly testing, assessing, and evaluating technical and organizational security measures is also a requirement under GDPR (Article 32), and the regular security test reports will help document that this is being met.

Finally, an output of security testing is mnemonic's recommendations and advice on how to improve the security of the system, based on our observations during the test. This builds on both our knowledge of relevant industry practices and standards, and not least how similar risks have been reduced or mitigated by others.

Security testing

Security services
Yes
Security services type
  • Security strategy
  • Security risk management
  • Cyber security consultancy
  • Security testing
Certified security testers
Yes
Security testing certifications
  • CREST
  • Other
Other security testing certifications
SANS

Ongoing support

Ongoing support service
No

Service scope

Service constraints
N/A

User support

Email or online ticketing support
Email or online ticketing
Support response times
Mon-Fri 9am-5:30pm, excluding bank holidays; customers receive an initial response within one business hour
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Support levels
We provide support for priority 1 to priority 4 cases on any existing configuration or part of the platform that is in total or partial failure, or that is not working as expected. We also provide configuration guidance and recommendations for use cases. Each customer receives their own Account Manager, who works closely with Support and ensures that cases are followed up. Somerford's support desk is available as a value-added service in addition to the maintenance and support purchased alongside the licence.

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Mnemonic

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Developed Vetting (DV)

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
DNV GL - Business Assurance
ISO/IEC 27001 accreditation date
31/05/2005
What the ISO/IEC 27001 doesn’t cover
The certificate is valid for the following scope: Security solutions sales, support and system integration. Security solutions consulting. Managed security services. Risk-based vulnerability analysis, penetration testing, security audit of applications, networks and security systems. In accordance with Statement of Applicability version 128, 2019-03-18
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
SRC - Security Research and Consulting, GmbH
PCI DSS accreditation date
June 2018
What the PCI DSS doesn’t cover
N/A
Cyber essentials
No
Cyber essentials plus
No
Other security certifications
Yes
Any other security certifications
  • ISO 9001:2015
  • NSM quality scheme for incident handling
  • SOC 2 - SOC for Service Organizations

Social Value

Fighting climate change

As an organisation that works closely with the public sector, Somerford is keen to demonstrate our commitment to supporting the achievement of the Net Zero target of greenhouse gas emissions by 2050.

Management and staff at Somerford have been conscious of our impact upon the environment since before the Climate Change Act was introduced, and we’ve adopted environmentally friendly practices as the business has grown. Consequently, Somerford's business already has a reasonably low carbon footprint, and we will continue to strive for further reductions wherever possible because this is beneficial for our business, our stakeholders and the environment.

We will use our influence as a value added reseller of leading edge software products and supporting professional services to select supplier-partners whose own carbon reduction philosophy and plans are aligned with ours, and who can show commitment to the Net Zero target. In practical terms, this means we participate in a carbon-net-zero supply chain in the delivery of the solutions from our supplier-partners to our customers.

For further details, please see our Carbon Reduction Plan online at https://www.somerfordassociates.com/carbon-reduction-policy-and-plan/
Covid-19 recovery

During the Covid-19 pandemic, our robust business continuity measures, prudent fiscal policy and the benefits of a highly flexible team meant we were well prepared for the difficulties ahead.

Staff wellbeing has been at the forefront of our Covid-19 recovery plans, taking care of their physical and mental health, including:

* home working to avoid unnecessary exposure to the virus
* providing safe office space where staff personal circumstances dictated
* regular contact, albeit remotely, to prevent isolation
* organised e-based social events to maintain interaction.

As a result we have been able to:

* give uninterrupted service to our customers
* move our staff to home working
* avoid compulsory redundancies and minimise furlough
* in 2020, gain an 11% increase in revenues
* continue to grow the workforce by over 10% in the same year
* take on new partners to enhance our solutions portfolio
* invest in staff education to meet future customer needs.

Changes in business practices due to Covid-19 have shown that flexible work patterns can be very effective, and we’re unlikely to fully return to our previous style of working.

Our solutions have also helped customers cope with their changing work patterns, supporting their Covid recovery by providing the infrastructure, tooling and monitoring for their own remote, flexible and sustainable ways of working.
Tackling economic inequality

Somerford is a healthily growing business, and actively strives to create employment opportunities that are inclusive of all socio-economic groups. For example:

* In the past 5 years, 20% of our staff joined us directly after leaving school, college or university;
* We have supported 12 apprenticeships;
* We run an internal academy scheme to build a broad range of technical skills in those who have the inherent skills, attitude and capability to become our next generation of experts;
* We actively participate in the Armed Forces Covenant Scheme and help to redeploy and reskill leavers from the Armed Forces. So far, 16 staff have joined us in this way;
* The ethnic mix of our staff is more diverse than that of our local community.

Strong technical skills are key to the delivery of services to our customers, so we’ve invested heavily in staff training - in 2020 alone, staff successfully completed over 100 technical courses.
Equal opportunity

Somerford is an equal opportunities employer and does not discriminate on the grounds of gender, sexual orientation, marital or civil partner status, pregnancy or maternity, gender reassignment, race, colour, nationality, ethnic or national origin, religion or belief or age.

We do not discriminate on the grounds of disability. We take particular care to respect the rights of those with disabilities throughout all stages of recruitment and employment. We make reasonable adjustments to ensure those with disabilities are not disadvantaged in the workplace, e.g. adjusting working hours or providing special equipment to help them do their job.
Wellbeing

Somerford is committed to promoting and supporting the wellbeing of all of its staff. We aim to create a culture that focuses on preventing workplace issues that can adversely affect staff health and wellbeing, and where issues are identified, they are managed promptly before they can have a detrimental impact.

This includes:
* providing staff with clarity and purpose regarding their job role;
* ensuring staff have the capability, training, support and encouragement to conduct their role confidently and effectively;
* providing a physical working environment that is suitable for the work to be carried out effectively;
* encouraging staff to maintain a sensible work-life balance;
* minimising the stressful impacts of work;
* ensuring bullying and harassment have no place in the working environment;
* managing sickness and absence effectively;
* considering requests for career breaks and sabbaticals;
* providing medical assistance to staff;
* encouraging employee fitness;
* promoting dignity at work.

Pricing

Price
£185 to £370 a unit an hour
Discount for educational organisations
No
