Cirro

Caveris ICAS (Information & Cyber Assurance Suite) SaaS

Cirro, with Caveris, offers continuous visibility of your cyber protection measures. Our service enables you to identify existing weaknesses, focus efforts on bolstering defences, reducing risks, and ensuring compliance. With our comprehensive monitoring, you can stay ahead of potential threats and safeguard your organisation's digital assets effectively

Features

• Execute & track security controls across the entire organisation
• Audit compliance with ISO27001 & similar standards
• Orchestration & automation of security workflow
• Automated technology compliance checks (on-prem and cloud)
• Consistent reporting & enforcement of security policies
• Monitor all Third-Parties through a Single Pane of Glass Dashboard.
• Continuous Visibility of your cyber protection measures
• Identify existing weaknesses in your cyber security measures
• Reduce risks, cyber threats and potential breaches, enhancing security posture
• Ensure compliance with relevant regulations and standards

Benefits

• Total visibility of information & cyber security enforcement
• Enforce a consistent, repeatable and predictable level of security
• Correct measures are run at the correct time and resource
• Single view of suppliers and associated compliance and risk
• Reduces the cost of achieving security compliance
• Provides order and structure to management of security issues
• Assigns ownership and accountability to security management
• Puts a consistent framework around security management
• Enables easier Audit review as security compliance is centralized
• Automate Third-Party Assessments, reducing costs and errors.

£2,000 to £30,000 a unit a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at michaelo@cirro-solutions.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

897502787872240

Contact

Michael Owen
020 3418 0412
michaelo@cirro-solutions.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Hybrid cloud
• Service constraints: None
• System requirements: Nothing specific

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: 4hr response in normal business hours Monday to Friday (9am-5pm). Overnight and weekend reported issues are picked up the next business day.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Irst/second line support by telephone and email during normal business hours, included in the annual service charge. Complex issues will be escalated to Caveris by Cirro. Again, included in the annual service fee. On site support can be provided as required - please refer to our SFIA rate card
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Cirro and Caveris will instantiate an instance of the ICAS system for client use and provide login details to the client. An initial on-line training session of 3 days is included in the service fee. Additional training and support is available at additional cost, by quotation. User documentation is included.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: A data dump in CSV format is provided.
• End-of-contract process: Customer date is provided - further support at appropriate SFIA day rates

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: The API is used to interface directly with the data model. The UI leverages the API and is also exposed for customers to use for retrieval and insertion of data. The PCAM module (On-Premise Compliance Automation Manager) also uses an API to interface directly with the data model. In addition to the PCAM UI using the API, customers can also build PCAM integrations into 3rd party software tools. (i.e. to collect compliance data from the client infrastructure.)
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: We provide security control templates out of the box. These can be extended by the client, or by Caveris as required via the UI.

Scaling

• Independence of resources: We undertake regular capacity planning combined with knowledge of our system and how it performs as we grow we can assure customers that service won't be affect by increased demand.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Caveris

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: Historical control instance data is stored in a blockchain.
• Data sanitisation process: No
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Not directly supported. Compliance data is held in a blockchain and is viewed via the browser login.
• Data export formats: Other
• Other data export formats: Not supported as the data is held in encrypted blockchain.
• Data import formats:
  • CSV
  • Other
• Other data import formats: JSON

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: The service is hosted on Azure or AWS. Typically 99.99% availability achieved
• Approach to resilience: BAsed on Azure or AWS architecture
• Outage reporting: Email Alert

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: We follow best practice from AWS/Microsoft as well as the National Cyber Security Centre to protect management and admin interfaces.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: No audit information available
• Access to supplier activity audit information: No audit information available
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: The ICAS system is used to monitor the reporting structure and to ensure policies are followed.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All Data stored in CMDB
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: All hardware is hardened and access is via a Bastion server.; ; Malware protection is maintained and updated frequently. All servers are patched swiftly.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Azure security has defined requirements for active monitoring. Service teams configure active monitoring tools in accordance with these requirements. Active monitoring tools include the Microsoft Monitoring Agent (MMA) and System Center Operations Manager. These tools are configured to provide time alerts to Azure security
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Both Cirro and Caveris have an extensive incident management service with automated responses to common events.; ; User can report events using email, call or portal and monthly incident reports are gerneated and shared with the client.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: Yes
• Connected networks:
  • Public Services Network (PSN)
  • Police National Network (PNN)
  • NHS Network (N3)
  • Joint Academic Network (JANET)
  • Scottish Wide Area Network (SWAN)
  • Health and Social Care Network (HSCN)
  • Other
• Other public sector networks:
  • Data is collected from the Client network systems
  • By scripts under client control via an API
  • In other words, all networks that need security assurance

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Commitment to Reduce Carbon Footprint and Climate-Related Initiatives In alignment with our commitment to reducing our ecological impact, we are dedicated to collaborating with our customers and suppliers to contribute to environmentally sustainable initiatives that improve ecosystems and reduce ecological impact. Our primary objective is to minimise the environmental impact of our operations. Focus on Environmental Impact Reduction Our main focus is to engage in discussions with our customers to explore collaborative approaches for reducing the environmental impact, particularly by minimising non-essential travel, to reduce energy usage and wastage of time and materials, all of which have an impact on operational consumption. As we transition back to regular operations, we are focused on reducing our physical impact, including initiatives such as flexible working, minimising printing, and enhancing recycling efforts. We are committed to optimising our physical office requirements to ensure efficient resource utilisation. Future-Focused Solutions and Efficiency We are dedicated to designing future-oriented solutions that embed efficiency into our design and delivery processes. Leveraging the momentum generated by the pandemic, we aim to build on successful new working methods. At Cirro, we are continually looking to identify potential improvements in the way we work to improve our operational efficiencies which directly impact energy usage, travel or ecological impact. By championing these initiatives, we are steadfast in our commitment to not only reduce our own ecological impact but also to actively engage with our stakeholders to foster environmental sustainability and support initiatives that have a positive impact on our world.

  Equal opportunity

  Delivering Social Value Theme 4 and PPN 06/20 Model Award Criteria In the following section, we elaborate on our approach to fulfilling Social Value Theme 4 and the relevant PPN 06/20 Model Award Criteria Our strategy, aligned with WSP’s 2022-24 Inclusion & Diversity Strategy, encompasses the following initiatives: Skill Development for Underrepresented Groups We are committed to supporting the development of new skills that lead to recognised qualifications for underrepresented groups. Addressing Inequality in Employment, Skills, and Pay We will demonstrate a clear commitment to identifying and addressing inequality in employment, skills, and pay within the contract workforce. This includes implementing time-bound action plans to monitor the inclusion and progression of full-time equivalent (FTE) employees from underrepresented groups. Supporting In-Work Progression Our approach includes support for in-work progression, aiming to assist individuals from disadvantaged or minority groups in transitioning into higher-paid roles by developing new skills relevant to the contract. Real-World Equal Opportunity When recruiting, Cirro has a policy to ensure that all names, ages, race or gender details are removed from CVs, so we focus on interviewing and employing the most suitable person for the role.

  Wellbeing

  Wellbeing Initiatives In our commitment to prioritising the well-being of our teams, we are dedicated to supporting the health and well-being of our employees, contractors, suppliers and customers. Flexible Working Support We offer flexible working conditions to our staff. They have a clearly defined job description, they know what needs to be done and they have the flexibility they need to be able to do that whilst balancing home life, physical and mental health. Internal Support Cirro’s works typically in virtual teams, it’s important that we have ‘virtual’ tea breaks and have regular discussions. Cirro also keeps an eye on the level of output expectations and workloads of employees to ensure the right resourcing levels and workloads. During periods of high-intensity working, such as working on tenders, delivering projects or whatever it might be, Cirro ensure employees take time out once this is more practically possible to ensure employees can refresh and relax.

Pricing

• Price: £2,000 to £30,000 a unit a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Please contact Cirro

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at michaelo@cirro-solutions.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.