BOM Group Ltd

Software as a Service and Security as a Service (SaaS)

Whether it be network/Application monitoring or securing physical or data assets in hybrid environments, BOM has the knowledge and partners to ensure the buyer leverages the most suitable tool(s) to suit their needs. Technical architects can advise on which software/hardware is fit for purpose based on the buyers requirements.

Features

• Support and advice on cloud software tool selection
• Vendor liaison

Benefits

• Advises on the right fit and build of software needs
• Works with the buyer to source cloud software

£0.10 to £3,693,361 a unit

• Education pricing available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at david.trump@bom.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

957229391655875

Contact

David Trump
07769672111
david.trump@bom.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Private cloud
  • Hybrid cloud
• Service constraints: N/A
• System requirements:
  • Cost-effective: Eliminates additional IT infrastructure for Onboarding system support
  • Accessibility: Use on any web-enabled device with modern internet browsers
  • Browser Compatibility: Supports Internet Explorer, Edge, Chrome, Safari
  • Mobile Availability: Native apps for Android and iOS devices provided

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Dependant on specific agreed SLA's
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Access to dedicated senior technical engineer and bespoke support levels per customer
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: A statement of works will be conducted to determine the level of support needed by the buyer. Services include:; - Planning; - Staging; - Deploying; - Configuring; - Managing
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: All venders allow data extraction or deletion at the end of the contract. This is vendor specific, but documentation can be provided when asked.
• End-of-contract process: The customer notifies they wish to terminate the account.; The vendor notifies the customer of a 30-day notice period. During this period the account is accessible as usual and is fully productive.; The customer is notified that they can export data.; At the end of the 30-day notice period, access is blocked to the account but continues backing up data. The customer can cancel the request to terminate the account and the account becomes fully active again with no data loss.; At the end of the grace period, the deletion of all services for the customer account is enforced.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
  • Windows Phone
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Most service interfaces are though HTML to access the vendor GUI and admin centre. The admin can make needed changes through the platform.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: N/A
• API: Yes
• What users can and can't do using the API: All vendor services offer rest API's to connect to needed resources. If an API does not have out of the box scripting, a bespoke API can be created (at an additional charge).
• API documentation: No
• API sandbox or test environment: No
• Customisation available: No

Scaling

• Independence of resources: Monitoring tools are used within the platforms to report and highlight high demands. Buyers can take steps, with advice and support from the technical architects to increase capacity.

Analytics

• Service usage metrics: Yes
• Metrics types: Dashboards are set up for individual user to report on the metrics they are interested.
• Reporting types:
  • API access
  • Real-time dashboards

Resellers

• Supplier type: Reseller (no extras)
• Organisation whose services are being resold: Microsoft, Fortinet, Appgate, Veeam, Qualys, KnowBe4, Mimecast

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: CVS or zip files
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: All vendors very, however, most commitment to service availability through a financially backed 99.9% uptime Service Level Agreement (SLA).; ; The monthly uptime percentage for a calendar month is calculated using the formula where downtime is measured in user-minutes; that is, for each month, downtime is the sum of the length (in minutes) of each incident that occurs during that month, multiplied by the number of users impacted by that incident. Downtime does not include scheduled downtime, the unavailability of service add-on features, the inability to access the service due to your modifications of the service, or periods where the scale unit capacity is exceeded.
• Approach to resilience: All vendors approach differs, however, co-locations where software and/or data is stored is the common approach.; ; All vendors have been vetted to ensure strict security practices are used and demonstrated through SOC2 reports. All vendors have achieved at least ISO 27001.; ; Datacentre resilient setup can be provided on request.
• Outage reporting: A range of outage reporting is conducted but varies between vendor. As a minimum Email alerts and mobile push notifications and API integration into ITSM tools.; ; Details on individual vendor outage reporting on request.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: Using Microsoft Entra, Modern Work allows you to create or update dynamic groups based on defined rules. These groups automatically adjust their membership based on specified criteria. You can implement multifactor authentication and control device access based on group, team, or site sensitivity, as well as use sensitivity labels.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI
• ISO/IEC 27001 accreditation date: 14/02/2024
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: An Information Security Policy is in place and being adhered. The policy is reviewed at least annually, inline with the ISO 27001 framework.; ; Processes which govern internal change is governed by the Access Control and Change Management process.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: All changes are governed by an internal change procedure. All changes are captured through the ticketing system, which follows the ITIL principles and must go through technical and management sign off.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: All vendors
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: All vendors have a security teams who actively monitor their proprietary software for vulnerabilities, threats or compromise. When a risk is located incident response is enacted immediately.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: All vendors SOC teams have pre defined playbooks to deal with common events and tactics. In the event of a major breach, incident responders are engaged. Users can report incidents directly to BOM or to the vendor with a full report being produced to its impact.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Wellbeing

  Fighting climate change

  By adopting cloud-based SaaS products, organisations can remove on-premises infrastructure and reduce their carbon footprint.

  Covid-19 recovery

  Advanced security management helps organisations better protect themselves against increasing cyber threats, giving peace of mind and reducing risk - to support long-term success from attacks that could case reputational and costly damage.

  Wellbeing

  Through automations and system integration, staff benefit from reduced time-consuming manual tasks and their time can be better spent on beneficial activities that bring better work satisfaction. With enhanced security protection, staff also have greater peace of mind and less workplace stress.

Pricing

• Price: £0.10 to £3,693,361 a unit
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at david.trump@bom.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.