Quod Orbis

Continuous Controls Monitoring

The Quod Orbis CCM solution automatically monitors your controls so you don’t have to, providing an unprecedented level of tangible and visible business protection. Dramatically reduces your business risk and enhances your security posture. Security compliance and KPI automation for huge time and cost savings. Gartner-recognised risk management technology.

Features

• Control Identification using AI, quantitative and proven methodologies
• Organisational Compliance
• Automate and measure controls and maturity in key areas
• Monitor and Continuously reduce risk
• Cyber Asset Attack Surface Management (CAASM)
• IT and Cyber KPI/KRI tracking

Benefits

• Improve and continually assess effectiveness of controls against defined objectives
• Fully automated asset visibility
• Managed platform for reduced TCO
• Continuous compliance for any framework
• Enables quantative cyber risk management
• Connect direct to any technology source

£15,000 a licence a year

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ami.penolver@quodorbis.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

764955441645282

Contact

Ami Penolver
02039622206
ami.penolver@quodorbis.com

Service scope

• Service constraints: None that we are aware of at this stage
• System requirements:
  • None
  • None

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Immediately (inc weekends)
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AAA
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Onsite support
• Support levels: Support levels and costs depend on the customer requirement and the number of security controls that are being defined and monitored. This can range from 0 - 250 controls in line with our mandate to continually monitor and improve.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Every Quod Orbis Cyber Security Controls and Automation project is delivered using our team of service specialists. All the onboarding requirements are defined during the initial service workshop
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Once the contract ends Quod Orbis can provide all service data held on behalf of the client. All data held by Quod Orbis will be destroyed 30 days after the end of contract unless otherwise previously agreed.
• End-of-contract process: If required Quod Orbis can provide end of contract migration services at an additional cost. That is, costs that fall outside of the initial contract.

Using the service

• Web browser interface: Yes
• Using the web interface: Web interface provides full functionality.
• Web interface accessibility standard: WCAG 2.1 AAA
• Web interface accessibility testing: None at this stage
• API: No
• Command line interface: No

Scaling

• Scaling available: Yes
• Scaling type: Automatic
• Independence of resources: Each customer is provided their own dedicated environment, the service is not multi-tenanted and has agreed SLA's as part of the contract.
• Usage notifications: Yes
• Usage reporting: Email

Analytics

• Infrastructure or application metrics: Yes
• Metrics types:
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Physical access control, complying with SSAE-16 / ISAE 3402
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

• Backup and recovery: Yes
• What’s backed up:
  • Virtual machines
  • Data
  • Databases
• Backup controls: Part of the service not user controlled.
• Datacentre setup: Multiple datacentres with disaster recovery
• Scheduling backups: Supplier controls the whole backup schedule
• Backup recovery: Users contact the support team

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: SLA's are contract specific based on customer requirements along with any form of refund where missed.
• Approach to resilience: Available on request
• Outage reporting: For any outages we will email and SMS any service administrators

Identity and authentication

• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
• Access restrictions in management interfaces and support channels: Management interfaces only accessible to Quod Orbis using IP whitelisting and secure authentication.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
• Devices users manage the service through: Dedicated device on a segregated network (providers own provision)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • Cyber Essentials Plus
  • Cyber Essentials

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: We have aligned our ISMS to ISO/IEC 271001. We are a new company and we are working towards accreditation
• Information security policies and processes: Quod Orbis is working towards ISO 27001 and is developing a full information system

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: The Quod Orbis portal provides a full ticketed change management system. All changes are logged and available for viewing in the portal. Before any change is implemented a security risk assessment is performed.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Quod Orbis has a three stage Vulnerability Management process.; ; 1. Continuous automated vulnerability assessment by a 3rd party service; 2. Quarterly vulnerability testing by Quod Orbis internal team; 3. Annual testing by accredited organisation
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Our protective monitoring processes are based and run in accordance with the service and customer requirements.; ; The Quod Orbis service is monitored 24x7 for potential service compromises and breaches. If such an occurrence would happen we will notify the client or clients immediately we are aware of the impact identify potential compromises.
• Incident management type: Supplier-defined controls
• Incident management approach: We have a number of pre-defined process for common events and ones specific to the Quod Orbis service. If a user were to need to report an event we have three methods: Portal, email or for urgent events telephone. We provide incident report reports via the Quod Orbis portal.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

• Virtualisation technology used to keep applications and users sharing the same infrastructure apart: Yes
• Who implements virtualisation: Third-party
• Third-party virtualisation provider: AWS
• How shared infrastructure is kept separate: The underlying virtualisation technology deployed by our cloud provider ensures the separation of client instances.

Energy efficiency

• Energy-efficient datacentres: Yes
• Description of energy efficient datacentres: AWS Datacentres that adhere to the code of conduct. ; See AWS documentation for details.

Social Value

• Social Value:

  Social Value

  Wellbeing

  Wellbeing

  Quod Orbis CCM reduces laborious and protracted audit and compliance procedures for assurance teams and first line control operators. Enabling faster, easier organisational awareness and compliance.; ; Continuous compliance and assurance serves to promote companywide wellbeing, with huge savings for your business in time, effort, cost(s) and significantly increased cyber resilience and peace of mind.; ; CCM plays a critical role in wellbeing through: ; Reduced manual efforts; Proactive issue identification ; Enhance security posture; Increased transparency and accountability; Staff education and empowerment; Cultural improvements; ; Reduced workload for compliance tasks reduces the burden on employees who would otherwise have to complete checks manually, promoting psychological well-being and productivity of the workforce.

Pricing

• Price: £15,000 a licence a year
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ami.penolver@quodorbis.com. Tell them what format you need. It will help if you say what assistive technology you use.