Somerford Associates Limited

SecurityScorecard - Cybersecurity Risk Ratings Platform

SecurityScorecard is a comprehensive cyber security risk ratings platform that continuously monitors the cyber security health of organisations to inform cyber security risk management.

SecurityScorecard identifies public facing vulnerabilities that create a security risk. Use cases include self monitoring, peer bench-marking, third party risk management and cyber insurance.

Features

• Instantly identifies vulnerabilities, active exploits and advanced threats
• Protects your business and strengthens your security posture
• Gives insight into what a hacker sees
• View the security posture of your vendors and partners
• Provides and maintains compliance with regulations and standards
• Insight into Cyberhealth of potential mergers or acquisitions
• Streamline cybersecurity compliance and due diligence using Atlas
• Machine learning enables validation of vendor responses in near real-time
• Peer Benchmarking

Benefits

• Simple and easy to use interface
• Monitor all your partners and/or vendors from a single platform
• Aids collaboration with vendors to improve their security posture
• Streamline and improve your vendor risk management programme
• Largest database of scored companies provides detailed risk analytics
• Passive, non intrusive and continuous security assessment
• Reduce cyber insurance premiums

£500 to £2,000 a licence a year

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at penny.harrison@somerfordassociates.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

852741820540774

Contact

Penny Harrison
07897075103
penny.harrison@somerfordassociates.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: SecurityScorecard have developed a Splunk App which will allow you to extend your existing Splunk service.
• Cloud deployment model: Public cloud
• Service constraints: None
• System requirements: None, solution is cloud hosted by SecurityScorecard

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Mon-Fri 9am-5:30pm excl bank holidays customers receive an initial response within one business hour
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Onsite support
• Support levels: We provide support from priority 1 to priority 4 cases on any existing configuration or part of the platform that is in total or partial failure as well as not working as expected. We also provide configuration guidance and recommendations for use cases. Each customer receives their own Account Manager who works closely with Support and ensures that cases can be followed up. Somerfords Support desk is available as a value added service in addition to the maintenance and support purchased alongside the license.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: You can request a free assessment of your own company. ; Once you have purchased relevant licences SecurityScorecard can be accessed via the browser by logging on with your personal credentials. Online Training can be provided.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: No proprietary information is stored. Users can extract Summary, Issues and Detailed reports on the companies they are monitoring
• End-of-contract process: At the end of the contract access to the platform will cease.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Firefox
  • Chrome
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: SecurityScorecard collect terabytes of data on 1m+ of entities worldwide. Their forward-based threat intelligence capabilities are powered by a proprietary sensor network that spans the globe.; ; Their data science and machine learning capabilities transform that telemetry into intelligence that can be used to identify risks and prevent exploits. Through API Connectors, they make this data consumable by technology companies, insurers, rating agencies, security teams, and more.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• API sandbox or test environment: No
• Customisation available: No

Scaling

• Independence of resources: SecurityScorecard are continually monitoring and enhancing their platform to provide the highest levels of service to their customers

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: SecurityScorecard

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
• Data sanitisation process: No
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Data can be exported as .csv or .pdf
• Data export formats:
  • CSV
  • Other
• Other data export formats: Pdf
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Service Provider’s goal is to achieve 99.9% Availability of the Services for its customers. If uptime for the Services is less than 98.0% for a given month of the Term, then Service Provider shall issue Customer a service credit (“Service Credit”) in accordance with the schedule below, with the credit being calculated based on the fees for month of the affected Services. “Availability” is defined as the 24/7 access to the web interface to the SecurityScorecard SaaS platform being accessible and users can log-in to the system. Availability excludes issues due to internet and/or connectivity.
• Approach to resilience: Resilience has been built into the design of SecurityScorecard's cloud based offering with failover and dynamic resource allocation available and utilised
• Outage reporting: SecurityScorecard may perform any standard maintenance, upgrades, replacement of hardware or software or any other like activity that may result in unavailability (collectively, “Scheduled Maintenance”). SecurityScorecard shall notify Customer in advance of any anticipated Scheduled Maintenance, and provide the date, time and expected duration. Such notice will be provided by email or web notification. Scheduled Maintenance shall not be included in the Uptime Commitment calculation.; SecurityScorecard may also perform any maintenance reasonably necessary to fix critical Service functionality, security or other vulnerabilities or material defects that may substantially impair the usability or performance of the Services, to the extent such maintenance cannot reasonable be performed during the Scheduled Maintenance window (“Emergency Maintenance”). SecurityScorecard shall notify Customer at least 24 hours’ notice (or at least as much notice as is reasonably possible, where 24 hours is not commercially reasonable) of any Emergency Maintenance, including its date, time and expected duration. Such notice will be provided by email or web notification.

Identity and authentication

• User authentication needed: Yes
• User authentication: Other
• Other user authentication: SAML
• Access restrictions in management interfaces and support channels: Users are assigned access levels within SecurityScorecard. A user can either be Read Only, User or Admin
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • Public key authentication (including by TLS client certificate)
  • Username or password
  • Other
• Description of management access authentication: SAML

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • C2M2
  • BSIMM

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: ISO 27001 certification; SOC2

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: SecurityScorecard adhere to industry good practise in terms of configuration and change management processes.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: SecurityScorecard not only provide security posture monitoring of thousands of companies worldwide but also use their own technology to monitor their own security posture.; Regular internal vulnerability scanning is run and endpoint protection deployed
• Protective monitoring type: Undisclosed
• Protective monitoring approach: An automated or manually reported alert is sent. Once the incident has been acknowledged the first responder is responsible to triage the issue. ; For product related issues, there is a reference chart of team owners. ; For infrastructure related issues the incident will be escalated to either Infrastructure Services Team or the Site Reliability Engineering Team ; For security related incidents a conference bridge is opened and all members of the SecOps team attend. ; The IRT engineer continues to provide the high level updates to stakeholders.; Once the incident is closed, the various parties work together to author the post mortem document.
• Incident management type: Undisclosed
• Incident management approach: Industry standard incident management processes are in place

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  As an organisation that works closely with the public sector, Somerford is keen to demonstrate our commitment to supporting the achievement of the Net Zero target of greenhouse gas emissions by 2050.; ; Management and staff at Somerford have been conscious of our impact upon the environment even before the Climate Change Act was introduced, and we’ve adopted environmentally friendly practices as the business has grown. Consequently, Somerford ‘s business already has a reasonably low carbon footprint, and will continue to strive for further reductions wherever possible because this is beneficial for our business, our stakeholders and the environment.; ; We will use our influence as a value added reseller of leading edge software products and supporting professional services to select supplier-partners whose own carbon reduction philosophy and plans are aligned with ours, and who can show commitment to the Net Zero target. In practical terms, this means we participate in a carbon-net-zero supply chain in the delivery of the solutions from our supplier-partners to our customers.; ; For further details, please see our Carbon Reduction Plan online at https://www.somerfordassociates.com/carbon-reduction-policy-and-plan/
• Covid-19 recovery:

  Covid-19 recovery

  During the Covid-19 pandemic, our robust business continuity measures, prudent fiscal policy, and the benefits of a highly flexible team, meant we were well prepared for the difficulties ahead. ; ; Staff wellbeing has been at the forefront of our Covid-19 recovery plans, taking care of their physical and mental health, including;; ; * home working to avoid unnecessary exposure to the virus; * providing safe office space where staff personal circumstances dictated; * regular contact, albeit remotely, to prevent isolation; * organised e-based social events to maintain interaction; ; ; As a result we have been able to:; ; * give uninterrupted service to our customers; * move our staff to home working; * avoid compulsory redundancies and minimised furlough; * in 2020, gain an 11% increase in revenues; * continue to grow the workforce by over 10% in the same year; * take on new partners to enhance our solutions portfolio; * invest in staff education to meet future customer needs. ; ; Changes in business practices due to Covid-19 have shown that flexible work patterns can be very effective, and we’re unlikely to fully return to our previous style of working. ; ; Our solutions have also helped customers to cope with their changing work patterns too - supporting their Covid recovery by providing the infrastructure, tooling and monitoring to support their own remote, flexible and sustainable ways of working.
• Tackling economic inequality:

  Tackling economic inequality

  Somerford is a healthily growing business, and actively strives to create employment opportunities that are inclusive of all socio-economic groups. For example:; ; * In the past 5 years, 20% of our staff entered our employment from leaving school, college or university;; * We have supported 12 apprenticeships;; * We run an internal academy scheme to build a broad range of technical skills in those who have the inherent skills, attitude and capability to become our next generation of experts;; * We actively participate in the Armed Forces Covenant Scheme and help to redeploy and reskill leavers from the Armed Forces. So far, 16 staff have joined us in this way;; * The ethnic mix of our staff is more diverse than that of our local community.; ; Strong technical skills are key to the delivery of services to our customers, so we’ve invested heavily in staff training - in 2020 alone, staff successfully completed over 100 technical courses.
• Equal opportunity:

  Equal opportunity

  Somerford is an equal opportunities employer and does not discriminate on the grounds of gender, sexual orientation, marital or civil partner status, pregnancy or maternity, gender reassignment, race, colour, nationality, ethnic or national origin, religion or belief or age.; ; We do not discriminate on the grounds of disability. We take particular care to respect the rights of those with disabilities, throughout all stages of recruitment and employment. We make reasonable adjustments to ensure those with disabilities are not disadvantaged in the workplace, eg. adjusting working hours or providing special equipment to help to do their job.
• Wellbeing:

  Wellbeing

  Somerford is committed to promoting and supporting the wellbeing of all of its staff. We aim to create a culture which focuses on prevention of issues in the workplace that can adversely affect staff health and wellbeing, and where issues are identified, they are managed promptly before they can have a detrimental impact.; ; This includes:; * providing staff with clarity and purpose regarding their job role;; * ensuring staff have the capability, training, support and encouragement to conduct their role confidently and effectively;; * providing a physical working environment that is suitable for the work to be carried out effectively;; * encouraging staff to maintain a sensible work-life balance;; * minimising the stressful impacts of work;; * ensuring bullying and harassment have no place in the working environment;; * managing sickness and absence effectively;; * considering requests for career breaks and sabbaticals;; * providing medical assistance to staff;; * encouraging employee fitness;; * promoting dignity at work.

Pricing

• Price: £500 to £2,000 a licence a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: Instant SecurityScorecard provides a free limited summary view into the security posture of your organisation that can be accessed every 30 days.
• Link to free trial: https://instant.securityscorecard.com/?custom_source=ssc_fp_free_score_button

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at penny.harrison@somerfordassociates.com. Tell them what format you need. It will help if you say what assistive technology you use.