Softcat Limited

Axonius Cybersecurity Asset Management and SaaS Management

The Axonius Platform provides a comprehensive solution that unifies all digital assets — from devices to SaaS apps and software, user accounts, cloud assets, and more — so customers can easily and effectively control complexity across their entire IT environment.

Features

• Comprehensive Inventory of All Assets, Their Relationships and Dependencies
• Discover Coverage Gaps, Assess Vulnerabilities, and Prioritize Risk
• Automatically Validate and Enforce Policies, and Simplify Workflows Across Departments

Benefits

• Asset Discovery
• Endpoint, Cloud, Software, Policy Management
• Security Operations
• User Inventory
• Account Hygiene
• Zero Trust Reconciliation
• Saas Security Posture Management
• SaaS Spend Optimization
• SaaS App Inventory
• Shadow SaaS

£16,250 a unit

• Free trial available

Service documents

• Pricing document

  ODS

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at psitq@softcat.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

745040144906040

Contact

Charles Harrison
01628 403403
psitq@softcat.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: N/A
• System requirements:
  • https://docs.axonius.com/docs/system-deployment
  • https://docs.axonius.com/docs/installing-axonius-tunnel

User support

• Email or online ticketing support: Yes, at extra cost
• Support response times: Issue response time within hours during regular business hours. See the following link for complete SLA details: https://www.axonius.com/service-levels-technical-support
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: Axonius will provide remote support for the initial deployment, configuration, and integration of the platform in the customer environment or the transition of any POC deployment into a full production implementation. Axonius will provide an Account Management team throughout the subscription period.; ; Axonius leverages our ticketing platform for tracking and management of open issues, actions, custom questions and troubleshooting efforts, Axonius will leverage the existing tool sets, Axonius internal workflows and staff resources to meet the Axonius Software License Agreement SLA for Technical Support. See the following link for complete SLA details: https://www.axonius.com/service-levels-technical-support
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Training is included as part of the subscription as well as self-help modules (PPT and videos). Axonius also has a library of online training curricula for foundational knowledge. The documentation section of our online training curriculum includes numerous "how-to" videos. Please reference https://www.axonius.com/resources#training for an overview of training resources. Axonius will provide virtual training (via Zoom) as part of the Implementation Plan. Additional (remote) training will be available for new users based on regularly scheduled training held by Axonius' Technical Account Management (TAM) team and schedules for these trainings are available upon request. On-demand training can be scheduled with the TAM team as well to support customer-specific questions, concerns and/or additional support.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: For our standard policies and processes regarding Personal Data, including our role and obligations as a Data Processor and our commitments to GDPR and CCPA, please see our Data Processing Agreement:; https://www.axonius.com/data-processing-agreement
• End-of-contract process: Customers can ask to change the retention policy or to delete any data that is stored in the SSPM solution. All data will be deleted after contract termination. Specific requirements regarding data destruction verification can be handled during contract negotiations. Our commitments to these requirements are addressed in our Terms & Conditions at https://www.axonius.com/terms-conditions/

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Please review the Getting to Know the Axonius Interface documentation at https://docs.axonius.com/pl/docs/en/getting-to-know-the-axonius-interface?highlight=interface
• Accessibility standards: None or don’t know
• Description of accessibility: This is not applicable to the Axonius platform as our product is a web application with APIs and not a web service. The Axonius Platform is accessible through an HTTPS Web interface.
• Accessibility testing: Axonius platform follows WCAG 2.1 accessibility guidelines. Axonius tests for WCAG compliance as a part of our release and delivery process (CI/CD).
• API: Yes
• What users can and can't do using the API: An API is available for the Axonius platform as described in: https://docs.axonius.com/docs/api and https://docs.axonius.com/docs/adapters-list.
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Features like custom tags and fields help users customize the metadata for their cyber asset inventory. Also, as part of Premium Support, customers have a dedicated Technical Account Manager who is tasked with developing new use cases and escalating feature requests internally to support customers' new business requirements.

Scaling

• Independence of resources: Axonius is scaled appropriately as the organization and demand grows. Our intention is to provide world-class support, so we always ensure our teams are sized appropriately to provide exceptional service.

Analytics

• Service usage metrics: Yes
• Metrics types: Any tracking of system performance metrics is monitored through the Axonius platform dashboard. The Axonius platform user interface provides a dashboard outlining system performance. For Axonius-hosted customers, system performance is monitored and maintained proactively.
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Reseller (no extras)
• Organisation whose services are being resold: Axonius

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Axonius is able to export data to many different destinations. The most common of which is a SIEM tool such as Splunk or QRadar, but it can also be exported to a CSV. Dashboards can be packaged into PDF reports that can be emailed out. These emailed reports can include the CSV data as an attachment if desired. All available data within Axonius is able to be exported. There is also a robust API available to help with other methods to get data out of Axonius.
• Data export formats: CSV
• Data import formats: Other
• Other data import formats: SQL, CSV, JSON, etc.

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: SLAs are defined here: https://www.axonius.com/service-levels-technical-support
• Approach to resilience: Axonius SaaS deployments are hosted in AWS data centers. For its SaaS products, Axonius relies on AWS data center controls as seen at https://d1.awsstatic.com/whitepapers/compliance/AWS_SOC3.pdf.; For our headquarters location, there is no data stored in our New York office since all information is processed in SaaS solutions and our employees primarily operate remotely. The office is secured in order to prevent theft of or damage to equipment and not to secure information processing separately from how remote workers secure information processing. We do, however, have physical and environmental controls in place for the office as validated by our current ISO 27001 Information Security Management System (ISMS) certification. Please visit the Axonius Trust Center https://trust.axonius.com for our ISO certificate.; For on-premise and private cloud deployments of the Axonius Platform, the customer determines the data center and infrastructure that houses their deployment and scoped data.
• Outage reporting: Axonius will use the Axonius website and social media presence in the case of disruptive events that require broadly-visible public communications to Axonius customers. In addition, Customer Support will decide when customers need to be notified individually concerning any issues that directly impact their deployment of the instance.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Other
• Other user authentication: The Axonius platform supports the use of SAML and LDAP authentication standards for Single Sign-On (SSO)as described here: https://docs.axonius.com/docs/identity-providers-settings; ; There is also an option for configuring mutual TLS, as described here: https://docs.axonius.com/docs/mutual-tls. This is an additional layer on top of standard authentication, for which we recommend setting up a SAML or LDAP-compliant provider as described here: https://docs.axonius.com/docs/identity-providers-settings.
• Access restrictions in management interfaces and support channels: Axonius security policies require separate accounts for development and production activities, and access is provided based on business needs and limited to least privilege. We apply role-based provisioning upon account creation, deprovisioning upon termination, and provisioning/deprovisioning upon change of role. In addition, we follow zero trust principles whenever practical for employee access, including SSO, MFA, and encrypted web sessions. For users with privileged access, we apply additional security controls, including hardware-based MFA devices and additional SSO restrictions.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Other
• Description of management access authentication: For the Axonius platform, the customer manages access within their instance as described at https://docs.axonius.com/docs/role-based-access-control-rbac-management; ; Axonius supports multiple enterprise password managers, as described here: https://docs.axonius.com/docs/managing-external-passwords?highlight=enterprise%20password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: You control when users can access audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: https://trust.axonius.com
• ISO/IEC 27001 accreditation date: https://trust.axonius.com
• What the ISO/IEC 27001 doesn’t cover: Please visit the Axonius Trust Center (https://trust.axonius.com) for our ISO certificate
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • SOC 2 Type II
  • HIPAA Type 1

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: ISO 27001 Information Security Management System (ISMS) certificate and our sanitized Statement of Applicability (SoA); SOC 2, Type II examination report in the Trust Services Criteria category of Security; HIPAA, Type 1 examination report ; HIPAA Security Rule and Breach Notification Rule applicable to HIPAA business associates
• Information security policies and processes: As part of our ISO continual improvement program, we monitor and update our information security policies and procedures when needed to improve our information security management. Our information security policies and procedures are reviewed by our CISO, Senior Director of Security, and Director of Cybersecurity Assurance and updated at least annually and whenever a significant change occurs. In addition, the policies and procedures are reviewed by third-party assessors at least annually for our current ISO 27001 certification. The policies provide employees and other applicable parties with information on what they must adhere to while engaging in Axonius business activities. Axonius may access, review, monitor, and use (to the fullest extent permitted by applicable privacy and other laws) any data or information that employees, contractors, volunteers, and other parties directly or indirectly view, create, upload, download, and store using Axonius information systems.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Axonius has a formal Change Management Policy that provides direction for managing changes to Axonius systems and products, including planning, documenting, reviewing, testing, and receiving final approval before being released. As part of our formal Secure Development Lifecycle process, we work with our application security team to complete security reviews and vulnerability scanning. We segregate development and production environments and require peer review and approval by the team's senior leadership before changes are implemented into the production environment. Key Axonius personnel are allowed to both approve and implement a change when required for Axonius business operations; their activity is monitored.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Identifying and remediating risks is a part of our ongoing efforts to include security in our secure development processes. In addition, Axonius has a documented, formalized plan for incident response and reporting, maintained by our CISO and Security Team and reviewed at least annually. For SaaS deployments of the Axonius Platform and on-prem deployments where remote support is enabled, we patch the cloud environment for the customer's instance on a weekly basis and update the customer's system via our releases. We include security reviews in our Secure Development Lifecycle and conduct third party application penetration tests at least annually.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: For our SaaS products and for Axonius corporate resources, Axonius utilizes a modern EPP and EDR solution to protect its corporate endpoints. Axonius also utilizes industry best practices within cloud environments, including firewalls, intrusion detection, and central logging of all cloud environment activities. For on-prem and private cloud deployments of the Axonius platform, the customer is responsible for monitoring for malicious activity within their environment. We do not share our plans or policies with customers; however, more information about incident is available here: https://www.axonius.com/data-processing-addendum; https://www.axonius.com/security
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Axonius has a documented, formalized plan for incident response and reporting, maintained by our CISO and Security Team and reviewed at least annually. The plan details the steps we take to identify, evaluate, and address security incidents, including coordination with Axonius teams and third parties when needed.; We do not share our plans or policies with customers; however, more information about incident is available here:; https://www.axonius.com/data-processing-addendum; https://www.axonius.com/security

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Softcat are dedicated to reducing our environmental impact and actively promoting sustainability. Our commitment to sustainability is a core aspect of our business strategy, driving us to innovate and lead in the creation of a more sustainable future for our company and the communities we serve. This commitment is embedded in our policies, operating procedures, and training programs.; ; We are proud to be the first FTSE 250 company to be awarded 5-star status in relation to the United Nations Sustainable Development Goals. ; ; We aim to achieve a Carbon Net-Zero Value Circle by 2040 by prioritising renewable energy, reducing natural resource use, minimising waste, and safeguarding biodiversity in compliance with environmental legislation.; ; At Softcat, we have taken significant steps towards securing renewable energy across our organisation, reducing our scope 1 & 2 emissions. We had the target of using 100% Renewable Energy across all our locations by 2024. We successfully delivered against this target ~2 years early.; ; In May 2023 we took delivery of 15 electric vehicles, replacing all existing fossil-fuelled company cars used by employees for business means. The implementation of the EV pool fleet will see a saving of over 80 tons of CO2e per year. A huge impact on our Net Zero targets.

  Tackling economic inequality

  As a value-add reseller, Softcat outsources the products, services, and solutions through our extensive network of partners, to best suit the needs of our broad client base. We always consider and promote SMEs and local providers where appropriate, particularly for the products and services we offer via the G Cloud framework.; ; We remain dedicated to improving employability and educational awareness across schools, colleges, and universities to help break down the barriers to joining technology organisations.; ; We work collaboratively with many schools that are close in proximity to our offices, to ensure we are actively supporting the community as well as schools from lower socio-economic backgrounds. ; ; We visit the schools to talk about the IT sector and the roles in our organisation, as well as promoting work-experience opportunities during the summer. In particular, we actively encourage students from diverse backgrounds to engage in work experience to appreciate the roles available in our sector.; ; For ambitious school and college leavers, a Softcat Apprenticeship is a great first step into the world of work, with 94% of our apprentices offered a permanent position at Softcat post apprenticeships, which goes to show the amazing opportunity available with us.; ; We were ranked 1st in IT & Consultancy, and 10th overall in by RateMyApprenticeship.com - Best 100 Apprenticeship Employers 2023-2024 list.; ; Softcat now also offer 12 month paid internships to University students looking to complete a year in industry as part of their undergraduate studies.

  Equal opportunity

  Our approach to diversity and inclusion is introduced first during our induction training, as part of our Softcat values, outlining responsibility to uphold our principles. This message is reinforced by our process and policies, networks, Allyship Training and Inclusion Awareness campaigns.; ; Softcat supports diversity and inclusion through various networks including:; - Supporting Women in Business (SWIB); - The Ethnic and Cultural Network; - The Pride Network; - The Family Network; - The Empowering Disability and Neurodiversity Network (EDN); - The Faith at Work Network; - Armed Forces & Veterans Network; These networks aim to create a supportive and inclusive work environment for all employees, regardless of gender, ethnicity, sexual orientation, disability, or family commitments.; ; Our allyship programme, Stronger Together, is a mixture of event and workshop-based training available to all staff. Programme topics include, bias, power, privilege, and being a greater ally. ; ; Inclusion Awareness campaigns include race, disability, sexual orientation, gender, faith, and caring responsibilities. These sessions highlight and celebrate minority groups, through panel sessions, Q&A sessions and training, providing an opportunity to discuss and understand ways to be more inclusive. ; ; Our efforts to improve diversity and inclusion have been incredibly successful. Since 2020, the number of female employees below management level has increased to 35%, and the number of ethnic minority employees rose to 17%.

  Wellbeing

  At Softcat, all employees are provided with access to our multidimensional wellbeing programme which includes flexible work arrangements, free nutritious breakfast, mental health support, employee benefits scheme, health and wellbeing week activities, and online workshops.; ; Giving back to the community is an innate part of who we are as a company. All Softcat employees are therefore given two volunteer days per year to support a charitable or community cause. ; ; Each of our 10 regional offices also support local charities through fundraising, donations and events. For example, our Manchester office has raised over £30,000 for the WeLoveMCR charity. This funding has supported young, disadvantaged Manchester citizens in gaining qualifications to broaden their work opportunities and supporting local groups in delivering indispensable services that enable community cohesion.

Pricing

• Price: £16,250 a unit
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Proof of concept (POC) engagements are available to any potential customer who wants to trial Axonius before procuring the solution. Prior to a POC engagement, a "Mutual Action Plan" document is outlined by Axonius and the customer. This document consists of use cases and success criteria for the POC.
• Link to free trial: https://www.axonius.com/free-trial

Service documents

• Pricing document

  ODS

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at psitq@softcat.com. Tell them what format you need. It will help if you say what assistive technology you use.