Orpheus Cyber

Third Party Risk Management

Orpheus' platform delivers continuous monitoring of cyber risk in your Third Parties and Supply Chain. We use accredited Threat Intelligence and award-winning Machine Learning to continuously monitor and assess each of your Third Parties' cyber risk. We alert you to severe vulnerabilities in your supply chain likely to be exploited.

Features

• Understand true cyber risk in the supply chain quickly
• Utilise threat intelligence to prioritize problem suppliers
• Understand critical vulnerabilities in your supply chain

Benefits

• Save time and resource by not chasing suppliers for answers
• Get answers about supply chain risk quickly

£20,000 to £60,000 a licence

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at oliver.church@orpheus-cyber.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

800781119540818

Contact

Oliver Church
07734603630
oliver.church@orpheus-cyber.com

Service scope

• Software add-on or extension: Yes
• What software services is the service an extension to: Vulnerability Scanning Technology
• Cloud deployment model: Public cloud
• Service constraints: N/A
• System requirements: N/A

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within 1 to 2 hours, during 9:30 to 6pm from Monday to Friday. However, during weekends, additional out of hours supports can be slower.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: No
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: All customers are given access to email support and a dedicated customer success manager and commercial account manager who provides technical support to customers for training and onboarding, and for also troubleshooting any issues that may occur.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Customers are given full onboarding training, including unlimited sessions with our customer success team (online) in order to complete training with the platform.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Customers have a period of 1 month to extract their data when their contract ends. The data can be obtained by contacting their customer success manager.
• End-of-contract process: The customer will be able to contact their customer success manager to obtain any data and also be given the option to take their last cyber risk rating report from the platform.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: No differences.
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: Users can access our third party cyber risk rating data, utilising a variety of different data points. Each API can be bespoke depending specifically on the customer's use case.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Customers can customise our service be specifically choosing what our software passively scans including which third parties, remove false positives in order to fine tune the platform to work specifically for their environment.

Scaling

• Independence of resources: Orpheus has autoscaling cloud architecture.

Analytics

• Service usage metrics: Yes
• Metrics types: Customers can be provided with metrics specifically with how the attack surface has changed over time including number of open ports, critical vulnerabilities, expired certs, exposed database instances, email security issues and cyber risk ratings.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: In-house
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Inside the platform, there are a number of widgets, where customers can export to .csv or PDF in order to export their data.
• Data export formats:
  • CSV
  • Other
• Other data export formats: PDF
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Guaranteed SLA Uptime of 97% of Core Hours
• Approach to resilience: Available on Request
• Outage reporting: Email Alerts are sent to customers by our support team.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Orpheus employees are only given access to areas of the management interfaces when needed and required to have so. This follows the principle of least privilege.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 6 months and 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 6 months and 12 months
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Cyber Essentials Plus
• Information security policies and processes: Orpheus has a senior Director responsible for its information security programme, supported by its COO and CTO and other team members.; In addition, as a company that is compliant with the ISO27001 Standard, ; ; Orpheus maintains an information security programme that is suitable for maintaining the security and confidentiality of your data. Policies are introduced during induction and refresher training is conducted on a regular basis. This includes policies for:; • Identifying and protecting against threats; ; • Preventing unauthorised access;; • Ensuring the proper disposal of your data. If your data is required to be permanently deleted from any storage media owned or operated by Orpheus, data will be disposed of in a manner meeting forensic industry standards such as the NIST SP800‐88 Guidelines for Media Sanitization;; • Background checks to be conducted on all personnel and in addition some personnel receive government security vetting depending on the client contract.; ; As a Cyber Essentials Plus certified company, Orpheus is audited annually on its technical measures and vulnerability management approach, and additionally on an ongoing basis Orpheus deploys its own proprietary technologies developed as a leading cyber security company to manage threats, attack surface and third-party cyber risks.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: We take a risk-based approach to change and configuration management in order to understand the potential security impact. This may involved establish a change assessment board to consider the change or configuration requirement, threat and potential impact of it not being done and of it being done incorrectly. Following which a plan of approach is developed and agreed.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Orpheus has our own product for risk-based vulnerability management, which we sell commercially. As a highly accredited threat intelligence company (including by the FCA and the Bank of England) we have a leading understanding of threats which we link to vulnerabilities using skilled analysts and Machine Learning. This drives a threat-led approach to vulnerability management that means we focus on mitigating the highest risk vulnerabilities we face.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Our approach to protective monitoring includes a defence in depth approach utlising a number of technologies and focus areas as follows:; Application Whitelisting; Custom Threat Intelligence ; Database Encryption ; Data Loss Prevention ; DDOS mitigation ; DMARC ; Email Filtering ; Employee Awareness Training; Endpoint Protection; Incident Response Plan; Intrusion Detection System; Penetration Tests; Perimeter Firewalls; Vulnerability Scans ; Web Content Filtering
• Incident management type: Supplier-defined controls
• Incident management approach: We have an incident response plan which is updated regulalry to take into account the most relevant threats likely to impact our organisation. Our incident response plan specifies immediate actions for common events.; Users report incidents to a dedicated contact and we provide incident reports using an established template form.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  Please enquire with Orpheus internally.
• Covid-19 recovery:

  Covid-19 recovery

  Please enquire with Orpheus internally.
• Tackling economic inequality:

  Tackling economic inequality

  Please enquire with Orpheus internally.
• Equal opportunity:

  Equal opportunity

  Please enquire with Orpheus internally.
• Wellbeing:

  Wellbeing

  Please enquire with Orpheus internally.

Pricing

• Price: £20,000 to £60,000 a licence
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: A 2 week period to test all the features of the Attack surface monitoring module of the platform.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at oliver.church@orpheus-cyber.com. Tell them what format you need. It will help if you say what assistive technology you use.