Cantium Business Solutions

EIS (Cantium) Tenable Licensing

Tenable provides the most accurate information about dynamic assets and vulnerabilities in ever-changing environments. EIS (the trading arm of Cantium) goes beyond providing licenses, offering consultancy services to ensure organisations procure the most suitable licenses for their requirements. EIS provides support throughout the entire process, including design, implementation and ongoing management.

Features

  • Customer-Friendly Elastic Asset Licensing
  • Comprehensive Assessment Options
  • Accurate Asset-Based Vulnerability Tracking
  • Vulnerability Prioritisation Based on Actual Risk
  • Simplified Vulnerability Management
  • Automated Cloud Visibility
  • Pre-Built Integrations and a Documented API and Integrated SDK
  • SLA with Uptime Guarantee
  • Backed by Tenable Research

Benefits

  • Eliminate Blind Spots: Provides 32% greater vulnerability coverage than competitors
  • Boost Productivity: Run initial assessments in less than 5 minutes
  • Prioritise Cyber Risks: Reduce vulnerabilities by up to 97%
  • Automate Processes: Import third-party data, automate scans, share data
  • Maximise ROI: Eliminate double- or triple-counting of assets

Pricing

£0.01 a unit

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bids@eis.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

898992128306907

Contact

Cantium Business Solutions EIS Bids
Telephone: 03301650000
Email: bids@eis.co.uk

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
Accessed via a web browser.
System requirements
See Service Definition

User support

Email or online ticketing support
Email or online ticketing
Support response times
P1 - Complete loss of service; Target Response 20 Minutes; Target Resolution 6 Hours.
P2 - Critical Support Incident, Service Affecting over 50% users down; Target Response 1 Hour; Target Resolution 10 Hours.
P3 - Urgent support incident, service affecting more than 1-50% of users; Target Response 1 Working Day; Target Resolution 3 Working Days.
P4 - Support incident, single user down; Target Response 1 Working Day; Target Resolution 4 Working Days
P5 - Non-service affecting fault; Target Response 2 Working Days; Target Resolution 5 Working Days
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
Webchat is accessible via an online client embedded in our website. Existing customers need to log in to their dedicated user area and can access the webchat feature via a dedicated link. This opens a new window within their browser and initiates a live webchat with the next available operative. Messaging is text based and supports the transfer of files and information via the secure channel. A full audit of the live chat history and transcript is available to the user in their dedicated user area for future reference.
Web chat accessibility testing
Webchat testing with assistive technology users has not been undertaken to date.
Onsite support
Yes, at extra cost
Support levels
Advanced, Premier and Elite. Advanced support is included with your subscription cost and users can upgrade to additional plans.
Support available to third parties
No

Onboarding and offboarding

Getting started
There is a range of support and training options provided to help new users. These range from FOC on-demand training and ILT through to professional services onsite; an online support portal and customer community forums are also available for knowledge sharing.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
  • CSV
  • XML
End-of-contract data extraction
Should a customer's account expire or terminate, Tenable will retain the data, as it was at the time of expiration, for no more than 180 days for customers to download their records accordingly. After that time, this data may be deleted and cannot be recovered.
End-of-contract process
Should a customer's account expire or terminate, Tenable will retain the data, as it was at the time of expiration, for no more than 180 days for customers to download their records accordingly. After that time, this data may be deleted and cannot be recovered.

Using the service

Web browser interface
Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
Application to install
No
Designed for use on mobile devices
No
Service interface
Yes
User support accessibility
None or don’t know
Description of service interface
User-friendly graphical interface with drill-down capabilities.
Accessibility standards
None or don’t know
Description of accessibility
Access is through a web browser utilising TLS/SSL secure communication.
Accessibility testing
N/A
API
Yes
What users can and can't do using the API
Users can easily integrate and automate the sharing of capabilities and vulnerability data, or build on the platform, leveraging a fully documented API set and SDK. There is no extra cost to use these tools to maximise the value of your vulnerability data.
API documentation
Yes
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Various customisations are available, dependent on the product selected. Details available on request.

Scaling

Independence of resources
Tenable commits to provide 99.95% average uptime with respect to the Cloud Services during each calendar month of the subscription term. Tenable utilises AWS autoscaling to provide expansion of the service as required.

Analytics

Service usage metrics
Yes
Metrics types
Licence usage.

Resellers

Supplier type
Reseller (no extras)
Organisation whose services are being resold
Tenable

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Other
Other data at rest protection approach
Tenable uses state-of-the-art container technology to create and segregate customer environments. All customer accounts, vulnerability data and user settings are contained within a container uniquely allocated to each specific customer. Data contained within one container cannot leak or otherwise be intermingled with another container, thus ensuring the privacy, security and independence of each customer environment.
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Via the console or via API calls.
Data export formats
CSV
Data import formats
Other
Other data import formats
None

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
All customer data is marked with a "container ID", which corresponds to a single customer subscription. This container ID assures that access to a customer’s data is limited to only that customer. All data is encrypted at all times, at rest and in transit.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
All customer data in motion is encrypted using TLS v1.2 with a 4096-bit key. This includes browser, API and intra-application communication.

Availability and resilience

Guaranteed availability
Tenable commits to provide 99.95% average uptime with respect to the Cloud Services during each calendar month of the subscription term.
Approach to resilience
Tenable uses health and status data to detect and address potential issues in a timely manner, thereby maintaining SLA commitments. Tenable Cloud services are replicated both within and across AWS regions. Should both instances in a region fail (or the region suffer an outage in general), the regional-failover layer (usually using dynamic DNS) will instead direct traffic to the other three regions. Failover is closest-path to the traffic origin.
Outage reporting
Tenable disaster recovery procedures have several levels and are designed to react to situations that may occur from anywhere between once in five years to once in 50 years. Depending on the scope of the disaster, the recovery procedures vary in time from 60 minutes to 24 hours.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
User accounts are assigned roles that dictate the level of access a user has. You can change the role of a user account at any time, as well as disable the account.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
No audit information available
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
British Assessment Bureau
ISO/IEC 27001 accreditation date
03/04/2023
What the ISO/IEC 27001 doesn’t cover
N/A
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Cantium employees undergo the levels of vetting required for the roles they undertake. All employees undergo an induction programme which includes Information Governance training. All staff are also aware of the company’s data protection, information governance and GDPR policies, which detail all staff responsibilities when handling information, and must adhere to these at all times. E-learning on information governance and data protection is available to all staff and is refreshed on an annual basis. Subcontractor services are procured using procurement rules and require that subcontractors adhere to at least the same standards of system and data management as Cantium requires of itself.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Not all systems require the same amount of development, testing and approval. Changes to some systems are routine and represent little or no risk. Therefore, to ensure reasonable processing time for routine maintenance and other low risk change requests and to ensure that more significant, higher impact changes receive the appropriate scrutiny and planning, the following types of changes have been established. These types have corresponding development, testing and implementation requirements as well as specific approvals necessary to process. Classification of Change Types:
  • Provisioning
  • Configuration
  • Maintenance/Upkeep
  • Development (existing)
  • Development (new)
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Internal vulnerability assessments are conducted weekly. Vulnerability management assessments include, but are not limited to, workstations, servers, cloud instances, networks, labs, internet-facing services, Tenable products and third-party products.

Internal penetration tests are conducted quarterly. Tenable's internal penetration testing team performs assessments to identify risks that require mitigation. Our internal penetration testing methodologies follow the standards from NIST 800-115 and the PTES Technical Guidelines.

External third-party penetration tests are also conducted annually for our cloud-based offerings and can be provided to customers, upon request, under an NDA.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
All application logs, audit logs, syslog, and any other textual logs are captured and transmitted immediately to a 3rd party logging system. Additionally, all changes and actions taken in the AWS consoles are logged using CloudWatch. Alerts are generated when certain actions or conditions are met. Alerts are sent using our alerting and notification system.
Incident management type
Supplier-defined controls
Incident management approach
Notification will be made within 48 hours and not before the initial incident report, containing the basic facts, is completed. Notification will be sent to the data breach notification contact on file. Notification will be by email.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Fighting climate change

Cantium is an ISO 14001 accredited, cloud-first technology provider. We have set a net zero target of being carbon neutral by 2030 within our Carbon Reduction Policy, in line with our corporate strategy.

We strive to purchase goods/services that have a minimal impact upon the environment. Factors taken into consideration include sustainability of resource production, transportation, full life energy/raw material consumption, waste production and recycling percentage. Our buildings have also been upgraded to reduce energy and water use, with LED lighting, motion sensors, draught proofing, heating controls, insulation, smart meters and controls. One of our sites was recently part of a project to install an additional 1,300 solar panels on 5 of their buildings; these panels now generate the equivalent of 423 kilowatts at peak.

To improve sustainability and energy efficiency, we continually review the most up to date ways of working. This includes considering environmental impact and sustainability as part of solution design. We aim to repurpose hardware rather than buy new. Energy efficiency is a key selection criterion for any devices, working with suppliers committed to reducing carbon and ecological footprint. We have extended our kit lifecycle from 5 to 7 years or, where possible, extended support agreements to reduce replacement of items for WEEE. As part of our relationship with our partner SWEEEP Kuusakoski, we have recycled over 1,000 pieces of unusable IT hardware which would otherwise have been destined for landfill. Instead of redundant ICT equipment being condemned to landfill, we actively participate in reissuing equipment to local communities and schools (subject to applicable security requirements). This not only serves as an environmental benefit but a societal one too.

We take a virtual first approach to business interactions wherever possible, encouraging employees to engage through online platforms in the first instance, to reduce unnecessary business travel.

Covid-19 recovery

We are committed to helping the communities we serve recover from the impacts of the COVID-19 pandemic. Our CSR Policy sets out our future strategic vision, ‘increasing opportunities, improving outcomes’, including investing more time in volunteering within our local communities to engage with groups at a local level, expanding mentoring programmes and outreach work within the community.

Cantium currently pledge our support through:
  • Encouraging our staff to play an active role in their communities, supporting and recognising the value of employee volunteering through one paid day’s leave every year for each employee to volunteer with a project of their choice.
  • Selecting and promoting a ‘charity of the year’.
  • Partnering with the Payroll Giving Scheme to allow employees to make donations to local or national charities directly from their gross pay.
  • Organising two annual charity days to support i) national and ii) local charities, such as football tournaments, fun runs or bake sales.
  • Inviting staff to nominate charities of personal significance to them for review by a Cantium panel with a commitment to match the amount staff raise up to an agreed amount.
  • Our support for local charities and not-for-profit organisations also extends to sponsorship of events and equipment.

To promote local investment and growth, we also procure locally wherever possible, sourcing from SMEs (small to medium-sized enterprises) whenever feasible.

We appreciate the challenging economic times we are all still facing and ensure our employees are fully supported through financial advice, guidance and support to enable them to create a suitable work/ life balance. Our counselling service, Support Line, offers confidential advice to all Cantium staff on topics such as: stress at work, loss or bereavement, depression or anxiety, substance issues and worries concerning money or debt.

Tackling economic inequality

As a technology supplier in a constantly evolving digital world, we understand the importance of supporting society to improve digital skills shortages and tackle economic inequality.

Cantium is a socially inclusive business and we place great emphasis on equal economic opportunities for all, which is why we participate in apprenticeship schemes such as the DWP Kickstart Scheme, designed to create high-quality 6-month apprenticeship placements across the country for young people aged 16-24 on Universal Credit. As part of each placement, apprentices are provided with hands-on experience with a dedicated mentor to guide and support them through their learning and development. Our primary goal is to encourage skills development, with a view to offering permanent positions within the business to successful placements.

During the last iteration of the Kickstart scheme, 9 candidates were interviewed, resulting in 3 Kickstart placements. We are delighted that, following these 3 placements, the candidates have now taken permanent positions of employment with Cantium.

To support further within the communities we serve, we have partnered with schools to deliver workshop sessions as part of a Digital Inclusion project within Kent and are open to extending further projects to customers through this framework. We also actively engage with higher education providers to offer placements and employment opportunities to graduate leavers.

Equal opportunity

As an ethical organisation, we promote inclusion, equality and diversity across every area of our business. Every new employee joining the company must complete mandatory diversity training, which is regularly refreshed every 2 years to ensure continued awareness.

Our staff are our greatest asset. Therefore, we take care to ensure we are recruiting and maintaining the best candidates, regardless of race, gender or disability.

Our detailed Inclusion and Diversity Policy sets out our standards which all employees must uphold. The principles of this policy are embedded in our People Strategy and all policies and procedures are regularly monitored and reviewed.

To accommodate the needs of our employees and tackle inequality in the workforce, flexible working is an embedded culture within our organisation. This ensures business needs are met and encourages more diversity in the workplace with our ethos that ‘work is not a place’.

We have affirmed our commitment to be disability aware throughout our organisation by becoming a Level 1 Disability Confident Committed Employer and working towards the Level 2 status which highlights how our processes, from recruitment through to ongoing support in the workplace, engage and embrace people with disabilities to help them reach their full potential. We have also pledged our support through the Armed Forces Covenant, which seeks to support ex-military personnel through access to training and work placements.

Wellbeing

Improving wellbeing, both internally for our employees and externally, through community engagement, is a core focus for Cantium. In a digitally-driven world, it is vital that we ensure people are supported, both from a physical and mental health perspective.

Promoting wellbeing to our customers and within the community starts with first ensuring our employees are supported and cared for. Our company culture is to nurture and support each other, creating an inclusive environment where each team member’s wellbeing is important. These values are embedded into our Wellbeing Policy and Wellbeing Action Plan, which are monitored and updated on a regular basis. To promote and uphold the vision within the policy, we have a network of nominated Wellbeing Champions and Mental Health First Aiders across every area of our business, committed to supporting other staff members and advocating wellbeing for all. Through our corporate intranet, Candoo, our employees have an extensive range of supportive tools and advisors within the wellbeing hub, home to information and ideas to engage, empower and enable staff to prioritise their wellbeing, to take care of themselves and encourage others to do the same.

For any staff seeking advice but wishing to remain anonymous, we have a dedicated employee assistance programme and support line to listen and provide guidance for those in need.

To ensure regular engagement, we run wellbeing campaigns throughout the year and arrange bi-annual staff surveys to monitor employee contentment. We also have a dedicated Mental Health Awareness week, where workshops and webinars are run across the week and employees are encouraged to take time to reflect on their own wellbeing.

Pricing

Price
£0.01 a unit
Discount for educational organisations
No
Free trial available
No
