Source Code Control Ltd

Cybersecurity External Threat Scanning

The Source Code Control External Threat Scanning Service is a SaaS based service which scans an organisation’s domains from the outside and reports on vulnerabilities

Features

• Scans a IT domain from the outside
• Scans the darkweb and other resources for keywords
• Looks for entry pathways into the organisation
• Checks certificates
• Proactively warns about issues through alerts and a dashboard

Benefits

• Provides protection for the organisation
• Saves administrators a huge amount of time looking for problems
• Scans hard to reach areas
• Automatic alerting
• Creates a security 'to-do' list to improve protection

£10,950 to £10,950 a unit a year

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at G-Cloud@sourcecodecontrol.co. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

999207902325276

Contact

Paul McAdam
+44 118 328 2962
G-Cloud@sourcecodecontrol.co

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: It is an implementation and guidance on a software service provided by Cyfirma
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
• Service constraints: The buyer must provide keywords and domain names
• System requirements: SaaS service - domain name and keywords are required

User support

• Email or online ticketing support: No
• Phone support: No
• Web chat support: No
• Onsite support: No
• Support levels: N
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Customer will be provided a requsition form from Cyfirma requesting company name, contact person, email of users that has access to DeTect. Once the access is created and the company domain name is added to the search, the customer will receive access to the service.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: N
• End-of-contract process: The customer acknowledges that it has purchased the Services for the Minimum Period and any Renewal Term(s), as defined in the Certificate or Order Summary. ; The term of Agreement will be 1 year. However, the Client shall have option to revisit on pricing terms at the end of each year by providing 30 days prior notice before end of the first year.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: No

Scaling

• Independence of resources: Vendor specific requirements

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: Managed by a third party cyber security company
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: We export data in PDF's from the tool.
• Data export formats: Other
• Data import formats: Other

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

• Guaranteed availability: None / not really applicable - this is not a time critical system
• Approach to resilience: Available on request
• Outage reporting: Email alerts for service owners and access page updates

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Other user authentication: Any access controls used to authenticate and control access to data/services is through authentication that can be optionally be extended by IP white-listing.
• Access restrictions in management interfaces and support channels: Administrative HTTPS and SSH traffic to the management interface and support channels can be restricted to specific IP ranges.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Description of management access authentication: Authentication of management access to the service can optionally be done through IP white-listing.

Audit information for users

• Access to user activity audit information: No audit information available
• Access to supplier activity audit information: No audit information available
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: N
• Information security policies and processes: Na

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: The service is hosted in AWS environment. The infrastructure is spread across multiple Availability Zone (AZ) is in Mumbai and Japan. The switch is automatic in case the primary AZ goes down. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) will be 30 minutes. That is, both the maximum acceptable delay between the interruption of service and restoration of service and also the maximum acceptable amount of time since the last data recovery point is 30 minutes. In case the entire region of AWS Japan goes down, then the RPO and RTO of AWS will apply.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Recovery Time Objective (RTO) and Recovery Point Objective (RPO) will be 30 minutes. That is, both the maximum acceptable delay between the interruption of service and restoration of service and also the maximum acceptable amount of time since the last data recovery point is 30 minutes. In case the entire region of AWS Japan goes down, then the RPO and RTO of AWS will apply.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Supplier-defined controls
• Incident management type: Supplier-defined controls
• Incident management approach: Incident reported to SCC team. SCC team escalate to vendor. SCC team works with the vendor to resolve the issue.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  Source Code Control has a successful cycle to work scheme. We have also encouraged the leasing of electric cars where a vehicle is required. We also have off-set our own carbon position from 2022 onwards. Where possible, we provide pricing in our assessments in both carbon and financial terms. We are making our carbon offset purchasing capability available to the market. This will encourage IT managers to off-set their IT devices. Source Code Control aims to be a thought leader in carbon offsetting for calculating the data center and other IT devices. In the short term, we aim to off-set our carbon footprint from 2022 onwards. In all areas, we aim to reduce our footprint e.g. cycle to work; electric vehicles.
• Covid-19 recovery:

  Covid-19 recovery

  Source Code Control requested no furlough assistance or support loans during Covid19. The company expanded and employed additional people enabling them to work from home. We have encouraged vaccination and paid for all staff to receive ‘flu vaccines in addition to the Covid vaccines. Our main strategy has been to enable all employees to work in a hybrid manner – either from home or in the office – their choice. This has taken significant investment in technology and furniture at our expense. No grants or loans have been taken. The company has moved to a bigger office to enable social distancing. The company has also upgraded laptops and invested in screens, software, desks and chairs for hybrid working at home.
• Tackling economic inequality:

  Tackling economic inequality

  Source Code Control recruits staff on the basis of personality and ability to learn rather than experience. Our staff consist of people from various backgrounds and we have brought them into the higher paying IT sector with training, skilling and qualifications funded by the company. All staff are encouraged to learn. The learning mindset is one of 3 key characteristics we look for in all recruits. Our staff are then given the opportunity to gain additional qualifications – recent examples among our female staff for example – CISMA; PRINCE2; Microsoft qualifications; AWS qualifications. Source Code Control influences other organisations by setting an example. We have >50% female staff and we encourage learning, qualifications and empowerment.
• Equal opportunity:

  Equal opportunity

  The company has an equality, diversity and inclusion policy which encourages diversity in leadership and throughout the organisation. The company has a Corporate Social Responsibility policy which enables the contribution of time, money or resources to support causes which are approved by a staff committee. The company has a zero-tolerance approach to any form of prejudice, bias or exclusion based on ANY personal characteristics or group membership. Any discrimination, whether direct, indirect, associative or perceptive, against employees or other workers because of any protected characteristic, will be considered gross misconduct and will lead to disciplinary action which could include dismissal. Any employees with concerns relating to modern-slavery are encouraged to report the issue to a director who would take immediate action. The company has a zero-tolerance approach to any form of prejudice, bias or exclusion based on ANY personal characteristics or group membership.
• Wellbeing:

  Wellbeing

  Source Code Control provides all staff with Health Insurance. We also gently encourage participation in sport and mental health initiatives run by Sport in Mind where one of the company directors is a trustee. Source Code Control is a sponsor of Sport in Mind both in financial terms, but also in terms of time of senior staff members. The company has encouraged participation by other organisations in our supply chain e,g, Microsoft. The largest commitment to the community by Source Code Control is our close collaboration with charity Sport in Mind which aims to “ Transform the lives and mental health of children and adults through sport and physical activity”

Pricing

• Price: £10,950 to £10,950 a unit a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: For annual year subscription we offer a 14 days free-trial.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at G-Cloud@sourcecodecontrol.co. Tell them what format you need. It will help if you say what assistive technology you use.