Service Overview
The majority of cyber-attacks and attack-chains start with, or include, a component that exploits the 'human element'. A sound Security Awareness and Training Program is a critical step in reducing risk to the institution and thwarting threats associated with social engineering.
The DeepSeas Awareness and Training Program is a standards-driven program that trains end-users on the tactics and techniques threat actors are leveraging to exploit networks and gain a foothold.
Objectives
The objectives of this initiative are as follows:
- Provide the Client with an auditable Security Awareness and Training Program.
- Minimize the security risk associated with social engineering by increasing end-users' ability to identify and report suspected threats.
- Provide the Client with metrics associated with the Security Awareness and Training Program.
Methodology
This Security Awareness Program has been developed based on the following standards:
- NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-50 Building an Information Technology Security Awareness and Training Program
This project consists of the following functions:
- PLANNING
  - Schedule Development
  - Onboarding into Client's KnowBe4 platform
- AWARENESS PROGRAM PLAN DEVELOPMENT
  - DeepSeas to collaborate with Client stakeholders to develop documentation that defines the standards for the Client's security awareness program and reasonable target metrics.
  - Frequency for phishing assessments and end-user security training to be defined in the Awareness Program Plan.
  - DeepSeas will conduct working sessions for the duration and frequency defined in the scope.
  - DeepSeas will develop information security standards with Client during working sessions, as defined in scope.
  - The Client will provide redlines to draft documents produced by DeepSeas in advance of planned working sessions.
  - DeepSeas to address Client redlines in interactive working sessions with the Client.
- KNOWBE4 SECURITY AWARENESS TRAINING PLATFORM
  - This service includes end-user subscriptions to the KnowBe4 KMSAT platform.
- SECURITY AWARENESS PLATFORM CONFIGURATION
  - DeepSeas to configure the security awareness platform according to the standards defined in the Program Plan.
- SECURITY AWARENESS TRAINING
  - DeepSeas to enroll end-users in regular security awareness training.
  - DeepSeas to enroll end-users in regular security knowledge testing.
  - DeepSeas to provide Client with updates via regularly delivered status reports.
- PHISHING ASSESSMENTS
  - DeepSeas to enroll end-users in regular phishing simulations.
  - DeepSeas to enroll users that fail phishing tests in remedial training.
  - DeepSeas to provide status reports on a regular frequency (defined in scope).
- ANNUAL SECURITY AWARENESS AND TRAINING PROGRAM REPORT
  - DeepSeas to provide an annual report that describes the state of the Client's Security Awareness Program.
Deliverables
The deliverables for this initiative are as follows:
- MONTHLY PROGRAM STATUS UPDATES - DeepSeas to email Client stakeholders with insights pertaining to the Awareness Program. Status updates will include phishing results, list of end-users that failed phishing tests, any outstanding training that is required to be taken by end users, and any recommendations on ways to mitigate risk.
- ANNUAL SECURITY AWARENESS AND TRAINING PROGRAM REPORT - DeepSeas will deliver an annual report that details the activities of the security awareness program highlighting security awareness metrics and opportunities for improvement.
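As an added illustration (not part of this page, and not DeepSeas or KnowBe4 code) of the figures the monthly status update above reports, the Python below derives the phish-prone percentage, the Phish Alert report rate, the remedial-training enrollment list, repeat clickers and outstanding training from a constructed set of campaign results. The record layout, the sample rows and the rule that following the simulated link counts as a failure are assumptions standing in for whatever the Awareness Program Plan defines; nothing here calls the KnowBe4 API.

```python
# Phishing-simulation metrics and remediation lists for a monthly status update.
# Added illustration for this page; it is not DeepSeas or KnowBe4 code and does
# not call the KnowBe4 API. The record layout and the sample rows below are
# constructed assumptions standing in for a platform export.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishResult:
    """One end-user's outcome in one simulated phishing campaign (assumed layout)."""
    user: str
    campaign: str
    clicked: bool        # followed the simulated phishing link (counted as a failure)
    reported: bool       # reported the message with the Phish Alert button
    training_done: bool  # completed the awareness module assigned for the period


# Constructed sample data: two monthly campaigns, five users each.
SAMPLE_RESULTS = [
    PhishResult("alice@example.com", "2024-05", False, True,  True),
    PhishResult("bob@example.com",   "2024-05", True,  False, False),
    PhishResult("carol@example.com", "2024-05", True,  True,  True),
    PhishResult("dave@example.com",  "2024-05", False, False, False),
    PhishResult("erin@example.com",  "2024-05", False, False, True),
    PhishResult("alice@example.com", "2024-06", False, True,  True),
    PhishResult("bob@example.com",   "2024-06", True,  False, False),
    PhishResult("carol@example.com", "2024-06", False, True,  True),
    PhishResult("dave@example.com",  "2024-06", False, True,  True),
    PhishResult("erin@example.com",  "2024-06", True,  False, False),
]


def _pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when nothing was delivered."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def campaign_metrics(results, campaign):
    """Phish-prone percentage and report rate for one campaign."""
    rows = [r for r in results if r.campaign == campaign]
    delivered = len(rows)
    clicked = sum(1 for r in rows if r.clicked)
    reported = sum(1 for r in rows if r.reported)
    return {
        "campaign": campaign,
        "delivered": delivered,
        "clicked": clicked,
        "reported": reported,
        "phish_prone_pct": _pct(clicked, delivered),
        "report_rate_pct": _pct(reported, delivered),
    }


def remedial_enrollment(results, campaign):
    """Users who failed this campaign and are therefore due for remedial training."""
    return sorted({r.user for r in results if r.campaign == campaign and r.clicked})


def repeat_clickers(results, min_failures=2):
    """Users who failed at least min_failures campaigns across the whole history.
    A single click is noise; a pattern is the risk a stakeholder needs to see."""
    failures = Counter(r.user for r in results if r.clicked)
    return sorted(u for u, n in failures.items() if n >= min_failures)


def outstanding_training(results, campaign):
    """Users who have not completed the module assigned for this campaign period."""
    return sorted({r.user for r in results
                   if r.campaign == campaign and not r.training_done})


def status_update(results, campaign):
    """Everything the monthly status e-mail needs, as one dictionary."""
    return {
        "metrics": campaign_metrics(results, campaign),
        "remedial_enrollment": remedial_enrollment(results, campaign),
        "repeat_clickers": repeat_clickers(results),
        "outstanding_training": outstanding_training(results, campaign),
    }


if __name__ == "__main__":
    for month in ("2024-05", "2024-06"):
        print(status_update(SAMPLE_RESULTS, month))
```

Two design choices are worth stating in the Program Plan rather than leaving to the script: a user who clicks and then reports (carol in the May sample) counts toward both the phish-prone percentage and the report rate, and still lands on the remedial list, because the click is the behaviour the training exists to change; and the report rate only means anything if the Phish Alert button is deployed to every mailbox in the campaign, which is why that configuration sits with the Client.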
Service Assumptions
The service described in this Statement of Work will be delivered by DeepSeas according to the following assumptions, which will govern all work, deliverables, and interactions:
- The client must have active subscriptions to KnowBe4 awareness platform over the duration of this service.
- DeepSeas Change Order process will be followed if the client's standards and frequencies for phishing assessments or awareness training exceed what is scoped.
- DeepSeas will not troubleshoot any tool related configurations or issues; Client is responsible for working with KnowBe4 Support team.
- This solution does not include any custom phishing campaigns or training content; DeepSeas will use the content made available within the KnowBe4 platform to deliver this service.
- DeepSeas will not train end-users on internal security policies.
- The scope of training assigned is limited to the cyber awareness training defined in the Security Awareness Plan and does not include other training topics or mandatory training required by the Client.
- Awareness Program Plan documentation to go through no more than two (2) development iterations by DeepSeas.
- Plan Development will be led by the client's vCISO if vCISO Strategy & Governance is purchased.
Client Responsibilities
The Client is responsible for the following, in accordance with the agreed-upon timelines and expectations established as part of this engagement.
- The client must provide administrative access within KnowBe4 platform to DeepSeas.
- The client is responsible for executing any disciplinary actions to end users who fail training or phishing tests, or neglect to complete training. DeepSeas will not be responsible for disciplining employees.
- The client must configure the KnowBe4 "Phish Alert" button for metrics on reporting.
- The client is responsible for the approval, implementation, and distribution of the Security Awareness Plan.
- The client is responsible for providing a list of awareness/cyber topics that end-users will be assigned. If Client does not provide a list of topics, topics and training modules will be chosen at the discretion of DeepSeas.
- The client is responsible for posting any security awareness posters around campus.
- The Client is responsible for integrating KnowBe4 with the Client's environment, such as AD or SCIM integration.