MTI Technology Ltd

MTI Managed Privileged Access Management (PAM)

A fully Managed Privileged Access Management (PAM) solution to Discover, Manage, Protect and Monitor the use of Privileged account passwords for internal staff and remote third parties. PAM provides both control and visibility into who uses privileged accounts, when they can use them and their activities during recorded sessions.

Features

• Control Access to Privileged Accounts
• Prevent Theft, Disclosure and Sharing of Privileged Passwords
• Simplify and Regulate Privileged Access through one location
• Enforcing Central Password Security Policies and Password Changes
• Automated Discovery and Onboarding of Privileged Credentials
• Approval and Workflow Controls
• Forcing all Access via a PAM Proxy
• Monitoring, Analysing and Recording Sessions
• VPN-Less Remote Access for Employees and Third Parties
• Multi-Factor Authentication (MFA)

Benefits

• Provides centralized tracking of privileged access, automatically provisioning users
• Isolates privileged account credentials, reducing misuse or theft
• Allows centralized management of all privileged accounts
• Improved Productivity
• Enhanced Security
• Prevent Privileged Account Attacks
• Supports Compliance with Security Standards and Cyber Insurance Policies
• Reduce risk of successful cyber attacks
• Supports rapid credential rotation as part of incident response
• Helps to more easily separate authorised Admin Activity from Unauthorised

£905 a user a year

• Education pricing available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bid@mti.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

858780830832587

Contact

Darren Moyes
01483520200
bid@mti.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: MTI's Integrated Cyber Threat Defense including: Emergency Forensic Incident Response, Dark Web Monitoring, Data Leakage Detection, Privilege Access Management, MDR and XDR, Offensive Cyber Security Services (Red Teaming, CHECK/CREST/CyberScheme Penetration Testing), and Cyber Security Advisory Services (Gap Analysis, Policy, Process, Procedure, Cyber Strategy, Technical Controls, Implementation Consultancy and Technical Remediation.)
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Hybrid cloud
• Service constraints: N/A
• System requirements:
  • Customer Supplied Windows Servers for on-premises components
  • Privileged Session Manager (PSM) requires RDS CAL License

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Priority 1 15 minutes Target Response 24x7x465. ; Priority 2 30 minutes Target Response. ; Priority 3 2 Hours Target Response (UK working hours only).
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 AA or EN 301 549
• Web chat accessibility testing: Testing done by Microsoft.
• Onsite support: Yes, at extra cost
• Support levels: We provide Full Managed Service with full incident management. We also provide "out of hours / weekends" to support customers with existing in-house, working-hours PAM support teams. We include the following nominated support staff in our Managed PAM service: - Transition Manager - Duty Manager - Service Delivery Manager - PAM Technical Lead Engineer - Client Director
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide a Full Managed PAM Service onboarding aligned to ITIL and ISO 20000 Service Management processes including: Service Design, Service Transition and Service Operation. We collaborate with the customer to first design the solution around the customer's requirements considering: privilege users groups; the systems and level of privilege they need to access hosts/applications, what the authentication requirements are, which thick client, web applications, RDP/SSH hosts they need to access and the session launching requirements are. We create relevant password complexity and rotation policies, and approval workflows to ensure only the right people get access to privileged credentials at the right time, for the required duration to access the right systems in a seamless manner. We providing piloting phase, roll out to production, user and operation guides, user education and informal training, and ongoing guidance and support.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
  • Other
• Other documentation formats: Word
• End-of-contract data extraction: MTI will run relevant scripts and export functions to extract the PAM vault data to a repository under the customer's control.
• End-of-contract process: A designated representative from MTI will schedule a meeting or call with the customer to discuss the termination process, gather feedback, and address any concerns. Customer Success and Account Management teams will work with the customer to develop a transition plan, including timelines, responsibilities, and any necessary assistance or support from MTI. Technical Support will assist the customer in transferring their data, configuring new systems or services, and ensuring a smooth transition with minimal disruption to their operations. MTI will treat all customer information, data, and feedback obtained during the exit process with strict confidentiality and use it only for the purpose of improving services or addressing customer concerns. Technical Support will ensure the secure deletion or transfer of customer data in compliance with data protection regulations and contractual obligations.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: CyberArk offers mobile access through the CyberArk Mobile App on smartphones and tablets, but with some key differences compared to the desktop experience:; ; Similarities:; Access to Privileged Accounts: Users can access and manage privileged accounts stored in CyberArk Password Vault.; Multi-Factor Authentication (MFA): The mobile app supports MFA for secure logins, adding an extra layer of security.; Approval Workflows: Users can approve or reject password access requests initiated through workflows.; ; Limited Functionality: The mobile app offers a subset of features compared to the desktop PVWA client. Features like managing privileged session recordings or detailed auditing might not be available.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: RESTful Web API Interface.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: N/A
• API: No
• Customisation available: Yes
• Description of customisation: The primary customisation's of PAM solutions is developing custom integrations with 3rd party applications/systems for password rotation and password injection into sessions launched via the PAM proxy, that are not already supported by the Vendor in their marketplace of supported connection components. Such customizations are scoped and costed on a case by case basis; delivered by our professional services team, tested with the customer, piloted and then moved into production use.

Scaling

• Independence of resources: Through continual capacity monitoring and management, MTI ensure that the ratio of Staff per customer ensures they have sufficient time, skills and resilience to service all customers on a run and burst basis. Tracking resource consumption, we forward plan team hires in advance ensuring there is always sufficient skilled and experienced analysts available to deliver the service to agreed SLA's and KPI's.

Analytics

• Service usage metrics: Yes
• Metrics types: SLA compliance metrics backup and restore uptime and capacity
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: CyberArk

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: On receipt of an authorized request MTI will run relevant scripts and export functions to extract the PAM vault data to a repository under the customer's control.
• Data export formats:
  • CSV
  • Other
• Other data export formats: Vault data in proprietary format.
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: N/A
• Approach to resilience: Various hardware and software resiliency - details available on request
• Outage reporting: In the event a Service Outage occurs, alerts will be reported via email alerts, with hourly updates until the service is resumed. Details of any outages are recorded in the Monthly ITSM report for tracking and monitoring.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Username or password
• Access restrictions in management interfaces and support channels: Users require Valid credentials and Multi-Factor Authentication (MFA) to access CyberArk's management interface. Role-Based Access Control (RBAC): user permissions are allocated to specific roles based on principle of least privilege within CyberArk. Just-In-Time (JIT) Access: Limits access to management interfaces to specific timeframes and needs.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: International Information Security Management Standard
• ISO/IEC 27001 accreditation date: Initial Certification: 16 July 2013. Latest Issue: 24 June 2022
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • CyberArk Guardian
  • CyberArk Certified Delivery Engineer
  • CyberArk MSP
  • CyberArk Defender
  • CyberArk Sentry
  • ISO/IEC 20000 - Information technology — Service Management
  • ISO 22301 - Security and resilience, Business Continuity Management Systems
  • ISO 9001 - Quality Management Systems
  • CHECK Scheme Member
  • CREST Scheme Member

Security governance

• Named board-level person responsible for service security: No
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: MTI follow security policies and processes developed and maintained under our UKAS certified ISO/IEC 27001 - Information Security Management Systems (ISMS). Delivery of the SIEM/SOC service is also aligned to NIST SP800-61r2 for Computer Security Incident Handling Guide.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Configuration and change management processes are aligned to our ISO/IEC 20000 - Information technology — Service Management certification. ISO/IEC 20000 is the international standard for IT service management. It provides guidance for establishing, implementing, maintaining, and continually improving an effective IT Service Management System.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: As a CHECK, CREST, Cyber Scheme Certified penetration testing company, MTI have robust Vulnerability management processes in place. Threat Assessments: MTI carry out regular vulnerability assessments, and penetration testing. Vulnerabilities are rated and prioritised based on Criticality, Availability of Exploits and Potential Impact. Patch Deployment: where proven safe to do so, automatic patching and agent updates are configured. For critical systems, a risk assessment is conducted, with patches tested on non-critical hosts prior to deployment. Threat Sources: Numerous Security Advisories, Vendor Alerts, and Threat Intelligence feeds.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: MTI continuously monitor system logs, security platforms (Firewall, EDR, IPS, Proxy logs) and security events for anomalies (aligned with ISO27001 controls and NIST SP800-61R2 recommendations). MTI carry out proactive threat hunting based on threat intelligence, IoC's and IoA's. Upon detecting suspicious activity, we initiate automated containment procedures where available and notify the relevant security resolver personnel immediately for investigation, containment, eradication and recovery (aligned with incident response best practices). Response time depends on the severity of the incident with P1's investigated within 15 minutes and responded to within 30 minutes.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Pre-defined playbooks exist for frequent events, ensuring a swift response (in accordance with ISO27001). Users report incidents through designated channels (telephone call for P1's to MTI's Service Desk, with email, and ticketing system for lower priority issues). Upon receiving a report, a dedicated team investigates, determines severity, and implements necessary actions working with relevant internal or external resolvers. Incident reports are documented and shared with relevant parties (in line with NIST SP800-61R2) including, Details of the incident, Investigation procedures and results, Identification of key indicators of compromise (IoCs) or indicators of attack (IoAs), Remediation actions taken and lessons learned.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  MTI publishes an annual Quality & Environmental (Q&E) Policy statement, which is aligned to its ISO 9001 & ISO 14001 accreditations and the annual EcoVadis CSR review and accreditation. MTI’s Corporate & Social Responsibility policies integrate our business values and operations to meet our strategic objectives and the expectations of our customers, employees, investors, suppliers, the community and the environment. By putting our CSR into practice, we are committed to conducting ourselves responsibly and in an ethical manner, creating a positive and supportive working environment, supporting local communities, improving service levels to customers, acting fairly and collaboratively with suppliers and other third parties, to deliver solutions that support our environmental objectives. Our Environmental Management System, recognised by independent ISO 14001 Environmental Management certification, incorporates our Environmental Policies and Procedures.Demonstrating our commitment to protecting the environment and sustainability. We undergo regular independent audits to demonstrate our commitment to improvement. Our management review programme and CSR and Environmental Reporting, evaluate and demonstrate our environmental achievements, through measurement of impacts as a result of all business activities, monitoring of reduction targets, achievements against objectives & results from our activities, initiatives and environmental commitments. Our FY2022 focus includes; Zero-Carbon Society: we will strive to achieve zero emissions from our own business activities and encourage carbon neutrality within our supply chain. Through comprehensive energy conservation activities and the use of renewable energy, we aim to reducing our carbon footprint and impact on the environment through reduction of contributions to greenhouse gases (GHGs) and annual CO2 emissions, and support supplier commitments; •Partnering with Tier-1 suppliers who are committed to carbon neutrality, evidenced through annual environmental and sustainability assessment •Commitment form partners/product vendors to commit to supplying packaging with a minimum of 50% recycled content (80% Cardboard) or be entirely derived from sustainable sources.

  Covid-19 recovery

  In response to the COVID-19 pandemic, MTI has implemented thorough in-house technology solutions allowing over 90% of our staff to be based at home, including the majority of our service delivery staff. This approach provides greater job opportunities across the region without the potential for geographically disadvantage, and ensures we have skilled staff locally across the UK to deliver our core services. Where MTI are delivering longer-term services to Buyers, MTI is committed to sourcing and utilising local suppliers to provide relevant elements of the service and would support running local supplier days to publicise the delivery and give opportunities for local company involvement. MTI recognises that the COVID-19 pandemic presents challenges for graduate employment and is offering employment opportunities for graduates in order to support local students to progress from higher education into jobs utilising their skills and knowledge.

  Tackling economic inequality

  MTI has invested significantly in developing in house skills and capabilities in order to provide high-class services across a wide range of technologies and disciplines, with emphasis on providing a wide range of professional and managed services. Our Internal Development Programmes and individual development plans ensure that all employees are offered opportunities for learning and development and provides skills training for new employees and existing employees to prepare them for promotions, transfers or new responsibilities. Our development programmes help our employees stretch their capabilities and those of the organisation, upskilling employees through investments in a wide range of skills and product training and development for staff and managers to broaden opportunities. Building a diverse and inclusive workplace has become an imperative part for the all-round growth and development of MTI. Therefore, our HR team takes tangible steps to create a workplace that is committed to diversity and inclusion, including providing career opportunities to support disadvantaged people into the workplace. MTI are registered to the Disability Confident scheme and have agreed to the Disability Confident commitments to provide interventions to increase employment opportunities and retention for people with a long- term health condition or disability to support these people into employment.

  Equal opportunity

  We recognise our obligations under the Equality Act 2010, Article 119 of the Treaty of Rome, The Race Relations Act, The Employment Equality (Sexual Orientation) Regulations 2003 and The Employment Equality (Religion or Beliefs) Regulations 2003, and The Codes of Practice published by the Equal Opportunities Commission, the Commission for Racial Equality and the European Commission; We are committed to the principle of equal opportunities in employment. We are opposed to any form of less favourable treatment or financial reward through direct or indirect discrimination, harassment, victimisation to our staff members or job applicants on the grounds of race, religious beliefs, political opinions, creed, colour, ethnic origin, nationality, marital/parental status, sex, sexual orientation, offending past, disability, age, caring responsibilities or social class. We extend protection under this Policy to our suppliers, customers, contractors, and others who are on our premises and in return expect all suppliers, customers, contractors and others to behave in the same way towards our members of staff. This policy is intended to assist the organisation to put this commitment into practice. Compliance with this policy should also ensure that employees do not commit unlawful acts of discrimination. Communicating this policy will be supported by appropriate training, and the effectiveness of this Policy will be monitored on an on-going basis. No form of intimidation, bullying or harassment will be tolerated. Implementation of this policy will be carried out where necessary by invoking the Disciplinary Procedure. Every employee is required to assist the organisation to meet its commitment to provide equal opportunities in employment and avoid unlawful discrimination.

  Wellbeing

  The organisation has developed an employee wellbeing policy to manage its obligations to maintain the mental health and wellbeing of all staff. It covers the organisation's commitment to employee health, the responsibilities of managers and others for maintaining psychological health, health promotion initiatives, communicating and training on health issues, the range of support available for the maintenance of mental health, and organisational commitment to handling individual issues.

Pricing

• Price: £905 a user a year
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bid@mti.com. Tell them what format you need. It will help if you say what assistive technology you use.