Core to Cloud Ltd

Crisis Simulation Service

Improve your organisation's resilience and ability to respond to cyberattack incidents and threats through the delivery of a series of crisis simulation exercises. The exercises are gamified with organisation relevant, interactive questions on a web interface. Full reports are shared to highlight performance and areas of improvement.

Features

• Real-world scenarios or customised to your organisation
• Reports that compare responses with benchmarks
• Insights and findings with actionable outcomes
• Can be delivered either remotely or onsite
• Applies to any job role or level of seniority
• Uses standard web browsers. No app required
• Delivered by cyber industry experts
• Gamified and interactive exercises

Benefits

• Reduces financial impacts of cyberattacks
• Reduces reputational impact of cyberattacks
• Improves communication flow across organisation
• Enables better informed decision making
• Investments can be prioritised for better ROI
• Hardens the organisation to reduce the risk of attacks
• Organisations understand their current state of readiness
• Attacks dealt with more efficiently
• Allows improvements to 3rd parties to be made
• Provides evidence to validate processes and procedures

£25,080 to £53,077 an instance

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at mark@coretocloud.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

898981874714053

Contact

Mark Liddle
07495928634
mark@coretocloud.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: There are currently no specific service constraints other than the users of the service should have access to a laptop, tablet or mobile with a standard web browser and access to a network connection.
• System requirements:
  • Laptop with any up to date browser
  • Tablet with any up to date browser
  • Smartphone with any up to date browser
  • A valid network connection

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Standard - Next Business day: Extended - 4 hours
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Onsite support
• Support levels: Next business day.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: The service document will describe the format of the service delivery, what to expect, how to prepare, location and timing, and the device requirements, network connectivity and browser type.
• Service documentation: Yes
• Documentation formats:
  • PDF
  • Other
• Other documentation formats:
  • Microsoft Word
  • Microsoft PowerPoint
• End-of-contract data extraction: Once the simulation service has been completed, the customer can request the raw data and results which will be provided in CSV format
• End-of-contract process: Once the contract has ended, the customer can request all data.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The service operates on any valid web browser on laptops, tablets and smartphones There are no differences in how the uses access the service.
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: The service interface is via a web browser on the users' devices. There is no installation of any software or agents required.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Creating a design system for all of our components, so that each of them is documented from an accessibility perspective and can be implemented quickly.; Investigating how we could improve the accessibility of our labs and reports.; Improving our internal processes to make sure that accessibility is checked at every stage so that any potential issue can be found and solved early on.; Planning ways to involve the whole organisation around the importance of accessibility.; Creating an internal resource repository which aims to make accessibility well integrated and as easy as possible to apply in each area.; Planning to improve our research sessions to involve more disabled users to test the platform at different stages of the development process.
• API: No
• Customisation available: Yes
• Description of customisation: The service can be customised to meet the specific requirements of a customer. The crisis simulation scenarios can be offered as either ones that have been developed already and fit with the clients' needs, or bespoke to their specific business/organisational priorities or situation. Core to Cloud will conduct a consultative session with the customer to define the particular scenarios and then these are created in the platform. Its not possible for the customer to access the platform to carry out this customisation.

Scaling

• Independence of resources: Each customer is provided with their own tenant, unless they are in an NHS trust, where they will use the group tenant. The system has sufficient resources to scale.

Analytics

• Service usage metrics: Yes
• Metrics types: These are the performance metrics created by the responses provided as part of the simulation reports.
• Reporting types:
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: In-house
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: The data is the report provided to the customer.
• Data export formats:
  • CSV
  • Other
• Other data export formats: PDF
• Data import formats: Other

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: The service is designed to be available 24 hours a day, 7 days a; week, 365 days a year.; We use reasonable commercial endeavours to operate a target minimum; service availability of 99.5% uptime.; We do not offer refunds or service credits if the availability is below the stated level.
• Approach to resilience: Available upon request
• Outage reporting: Email alerts

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Identity Access Management permissions are enforced according to their role.; Organisation Admin; Licence Manager; Team Admin; Workforce Manager; Crisis Sim Manager; Team Sim Manager; User
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: No audit information available
• Access to supplier activity audit information: No audit information available
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Approachable
• ISO/IEC 27001 accreditation date: 17/08/2021
• What the ISO/IEC 27001 doesn’t cover: Not applicable, as everything covered.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Core to Cloud is ISO27001 certified and its security polices follow the guidelines et out on the standard. The Chief Operating Officer is accountable for the creation and adherence to security policies and the Chief Technology Officer responsible for the on-going security audits and governance.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Each change of asset requires the following documents:; ; Change Request and Risk Assessment, providing details of the proposed change, justification for the change, and authorisation, and details of the potential threats, vulnerabilities, risks and control measures; ; Testing of operational software must be undertaken in a separate testing environment prior to being applied to the operational system.; ; All test environment users must use different logon profiles to those used in the operational system.; ; Only information that can be made public without causing damage to the organisation should be copied and used in the test environment.; ; Asset and risk register updated
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: The protection from Malware Policy is a sub policy within the Information Security Policy v2.0 which is help and maintained within the ISMS.; ; This sub-policy specifies the controls that need to be applied to all computer systems and the mobile devices that can connect to the company’s information processing facilities to protect them against malware threats from sources such as viruses and spyware applications.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: The monitoring of security threats is contained within the Information Security Policy v2.0 which is part of our ISO 27001 Accreditation. This is part of the core policy and states; ; Regular monitoring of security threats and the testing/auditing of the effectiveness of control measures; This monitoring takes several forms such as software which looks for an alerts to anomalies, Log alerting through a central SIEM and reviews by our Security Operations Team.
• Incident management type: Supplier-defined controls
• Incident management approach: The type of communication will depend on the type, scope and scale of the incident. As a minimum, your administrator will receive an email informing them, to the extent available, of the nature of the breach and what actions Immersive Labs are taking to resolve the situation.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Core to Cloud strives to be a leader in environmental sustainability and believes that a successful future for our business and our customers depends on the sustainability of the environment, communities and economies in which we operate.; ; Environmental Commitments:; • Core to Cloud will protect the environment, including preventing pollution, through responsible management of our operations;; • Will give appropriate weight to this environmental policy when making future planning and investment decisions;; • Will reduce resource consumption, waste and pollution in our operations;; ; Compliance:; ; • Core to Cloud will comply with, or exceed, our environmental obligations, including taking a positive approach regarding environmental legislation that affects our business.

  Equal opportunity

  It is our policy that all employment decisions are based on merit and the legitimate; needs of the organisation. Core to Cloud does not discriminate on the basis of race,; colour or nationality, ethnic or national origins, sex, gender reassignment, sexual; orientation, marital or civil partner status, pregnancy or maternity, disability, religion or; belief, age or any other ground on which it is or becomes unlawful to discriminate under; the laws of England, Wales and Scotland.; Our intention is to enable all of our staff to work in an environment which allows them to; fulfil their full potential without fear of discrimination, harassment or victimisation. Core; to Cloud’s commitment to equal opportunities extends to all aspects of the working; relationship including:; • Recruitment and selection procedures; • Terms of employment, including pay, conditions and benefits; • Training, appraisals, career development and promotion; • Work practices, conduct issues, allocation of tasks, discipline, and grievances.; • Work related social events; and; • Termination of employment and matters after termination, including references

  Wellbeing

  Giving back to our local communities is an important part of who we are as a company. Thanks to our team's amazing efforts in 2022 alone we were able to donate an incredible £5,000 to Brighter Futures in aid of breast cancer awareness.

Pricing

• Price: £25,080 to £53,077 an instance
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at mark@coretocloud.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.