Diegesis Limited

Shadow Data Security Posture Management Monitoring

Guardium Insights DSPM allows you uncover hidden data, analyse data flows and identify data security vulnerabilities. Get a 360 degree view of all your sensitive data in cloud by discovering shadow data, analysing flow of data and uncovering posture vulnerabilities.

Features

• Identification of data vulnerabilities.
• Automation of data mapping and classification.
• Uncover and help remediate vulnerabilities in underlying data stores.
• You can analyse the flow of your data.
• Allows you to discover your shadow data.
• Uncover and remediate vulnerabilities in underlying data stores.
• Compliance audit trail.

Benefits

• Ability to eliminate your exposed data.
• Prevent data leakage.
• Monitoring of data transactions.
• Reduce your 3rd party exposure.
• Continuous monitoring.
• Visibility of your data in a centralised dashbord.
• Reduced threat of a data breach.
• Quick and easy deployment, no agents needed.

£270 a user

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at nick.denning@diegesis.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

784095556547640

Contact

Nicholas Denning
07710 338072
nick.denning@diegesis.co.uk

Service scope

• Software add-on or extension: Yes
• What software services is the service an extension to: IBM Guardium Insights is the specific underlying product that this service extends. This service is also an extension to our G-Cloud CSPM service.
• Cloud deployment model: Public cloud
• Service constraints: There is a commercial "constraint". The product is priced by the number of users and data stores with a minimum charge of 2 data stores so is more complex that just per user.
• System requirements:
  • A minimum of two data stores in the cloud.
  • Subscription licenses from IBM for Insights

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We will respond to all calls within 4 hours during the working day and to urgent issues within 2 hours on a best endeavours basis. Out of working hours we will respond to P1 on a best endeavours basis.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: There is a single support offering for users of the core product. Internally this comprises Level 1, respond to user enquires of the system in normal operation; Level 2, addressing issue investigation; and Level 3, addressing bugs identified through Level 1 or Level 2 support. The primary mechanism for providing support is through an Atlassian support desk instance.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: You can set up your account yourself or our support desk is happy to set up on your behalf. There is also documentation available online should you require assistance.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: There is utility which enables users to extract their data in the form of a csv file which is re-loadable into another instance of the service at a later date.
• End-of-contract process: At the end of the contract all users have their access terminated, with the organisational account disabled. The service doesn't store the data in the files, it stores the metadata about the files, which is read live from your environment. When access is terminated the services are unable to extract data about your datastores.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The solution has been designed to be used on mobile. However, the majority of the development and testing endeavours are focused on desktop browser usage,
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Yes. The service is accessed via the browser as previously identified.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: WCAG self reporting tool "WCAG-EM Report Tool", "axe DevTools" and "Chrome Screen Reader".
• API: Yes
• What users can and can't do using the API: Currently the API is not public and external uncontrolled access through this API is not yet allowed. We hope to be able to share it soon. The purpose of the API is to facilitate integration with third party technology products that generate data relevant to the platform.
• API documentation: No
• API sandbox or test environment: Yes
• Customisation available: No

Scaling

• Independence of resources: We cannot guarantee this because the service runs on a shared IBM platform which therefore has at any one time a set level of compute resource. However, the IBM servers are well resourced so service outages would be unlikely as they're prepared for scaling based off demand.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: IBM

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: A system administrator can export their data at any time, for example as a backup. This data can be exported as a csv file.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: The actual service is provided by IBM and the SLA for this service is available in IBM Standard terms and conditions.
• Approach to resilience: Our UK service is provided within the AWS London data centre, and we follow industry best practices for provisioning secure resources on the cloud through AWS. We have no single point of failure. We replicate the primary database to a secondary in real time and can roll over to that secondary database in the event of a failure of the primary. We also store regular backups on AWS S3 encrypted storage. We can start up multiple web server / application server pairs to meet demand and to horizontally scale and can rapidly fail over if any pair becomes unavailable.
• Outage reporting: We provide a public dashboard which we start up if there is an outage. We publish by email planned future outages. There isn't currently an API available but there will be.

Identity and authentication

• User authentication needed: No
• Access restrictions in management interfaces and support channels: On a user-facing level the ser
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)

Audit information for users

• Access to user activity audit information: No audit information available
• Access to supplier activity audit information: No audit information available
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • IASME Cyber Assurance Level 1
  • IASME Cyber Assurance Level 2

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: Cyber Essentials.
• Information security policies and processes: We comply with the following standards: Cyber Essentials, Cyber Essentials Plus, IASME Cyber Assurance Level 1 and IASME Cyber Assurance Level 2. We use our own service to implement these policies and monitor compliance.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All the components of our service are software components running as cloud resource across various AWS-supplied services.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: We use Qualys to regularly scan our internal development network, our production network, our AWS product networks, and all company workstations. Any detected vulnerabilities are assessed against CVSS criteria, prioritised, and patched at the earliest opportunity within a defined order of priority. We have an RMM agent deployed to all laptops as a secondary layer providing asset monitoring and automatic patch management. We apply all patches on a weekly basis to all development and production machines.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We monitor system load and performances using the AWS console. We monitor user activity by analysing the user service access logs and looking for strange and inconsistent usage such as excessive operations of a particular type. Where possible, we deploy vulnerability scanning agents and RMM agents for real-time monitoring of potential compromises. We also conduct a weekly network scan for systems to which these agents cannot be deployed. We schedule annual penetration testing. All incidents are responded to at the earliest opportunity. We comply with the following standards: CE, CE PLUS, IASME Cyber Assurance L1 and IASME Cyber assurance L2.
• Incident management type: Supplier-defined controls
• Incident management approach: We have a predefined incident management policy and specified general workflows for managing incidents. We have specific processes for common/ well-defined incidents. Users can report incidents by raising an alert through our company solution or internal help desk. All workflows related to an incident are recorded in the system and can be reported upon. Incident reports are generated on a case-by-case basis and shared with relevant personnel on a need-to-know basis.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Equal opportunity
  • Wellbeing

  Equal opportunity

  Our solution is compliant with WCAG 2.1AA and hence available to disabled users. We recruit highly able people. On occasions during our recruitment process we identify people that have challenges and where we're able to support them we ensure that they aren't excluded from our recruitment process as a consequence of any issue that they may have.

  Wellbeing

  We have a strong mentoring and buddy system underpinned by wellbeing policies to ensure that our staff feel safe and supported at work. We carry out regular briefing to ensure that all staff are aware of how to identify potential issues and how to escalate them to management in an appropriate manner that respects individual privacy while providing the appropriate level of support to the individual.

Pricing

• Price: £270 a user
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: The free version of the platform grants users full access. Access to the free version of the platform is only available for 30 days.
• Link to free trial: https://register.saas.ibm.com/gi/dspm/trial

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at nick.denning@diegesis.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.