Blue Cube Security Ltd

Cynergy Educate

More than 80-% of Cyber Security incidents have a human component our Cynergy Educate solution has been designed to provide and maintain security awareness using the latest technology and artificial intelligence. Importantly the service seeks to grow your team security awareness and maintain them as a knowledgeable line of defence

Features

• Simulated Phishing fully customisable and track every user action
• Simulated SMiShing fully customisable and track every user action
• GCHQ Accredited Security Awareness Training Courses and Videos
• GCHQ Accredited Cyber & Compliance Knowledge Assessments
• Risk and Compliance Reporting Suite
• Outlook Plugin for staff to report phishing emails
• GCHQ accredited real-time training with SIEM & DLP integration
• Upload existing security awareness and compliance content

Benefits

• Assess staff awareness and susceptibility to phishing emails
• Assess staff awareness and susceptibility to SMS phishing text messages
• Assess gaps in staff cyber best practice and compliance knowledge
• Measure the effectiveness of security awareness training and company culture
• Reduce the cost of delivering manual security awareness by 44%
• Meet compliance obligations (GDPR, PCI-DSS, NY DFS, CCPA, POPI Act)
• Reduce human cyber risks by up 92% within 6-12 months

£2.18 to £13.71 a person a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at operations@bluecubesecurity.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

583592961458596

Contact

Operational Admin Support
0345 0943070
operations@bluecubesecurity.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: Using the latest browser to access our platform and content.
• System requirements:
  • Use the latest browser when accessing the platform and content
  • Whitelist our email IP addresses to receive test phishing emails
  • Real-Time Training relies on SIEM, DLP or EDR solution
  • SPF record to send phishing emails as clients domain

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within 1-2 hours during UK business hours Next business day on weekend and bank holidays,
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), 7 days a week
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), 7 days a week
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: Web chat is accessed through the Support Portal. The support portal is a public facing website which contains access to our Online Help Desk,Web Chat and documentation such as setup guides, videos and forums.
• Web chat accessibility testing: Not Known / Not Tracked.
• Onsite support: Yes, at extra cost
• Support levels: Urgent System Down - The Platform is unavailable to All customers in All Regions Investigation Time 0-30 Min(s) Target Resolution time: 0-1 hour – we will assign as many engineers and/or support staff as needed 24/7 until the problem is resolved. High Functionality of the platform is compromised/certain functions are disabled but the main software remains operable. E.g. Customer is unable to login to the platform. Investigation Time 0-60 Min(s) Target Resolution time 0-1 day – we will assign as many engineers and/or support staff as needed along with the best workaround available. Medium A minor issue which does not affect the customer from performing a task, but rather causes an inconvenience. Investigation Time 0-6 Hour(s) It will be scheduled for the next regular deployment. If not, a correction will be typically provided within a week. Low An issue with negligible impact for the end-user experience/general information requests such as usage and configuration/request for a feature that is deemed non-critical Investigation Time 0-24 Hour(s) The resolution may be made at the discretion of the Provider.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Online Training is provided Demo videos are provided Online support site offers a system setup step by step guide.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: They request an extract of their data by sending an email to support; ; The data will be extracted in CSV or xlsx format
• End-of-contract process: The license to the portal will expire and access will no longer be possible. ; ; The portal will be deleted along with all client data within 1 month.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Some courses may not fully render on small form factor devices. Our courses and videos have been designed for mobile.
• Service interface: No
• API: Yes
• What users can and can't do using the API: We have a REST API that can integrate with HR systems to retrieve results of phishing, training and knowledge assessments into HR or LMS systems.
• API documentation: Yes
• API documentation formats: Other
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Customise phishing emails ; Customise phishing test instant feedback ; Customise cyber and policy knowledge assessments ; Customise training courses (additional fees apply) ; Customise real-time training to be triggered based on network defenses raising an alarm.

Scaling

• Independence of resources: Our platform automatically scales in response to usage requirements. being built in AZURE means we can scale up and down as required without any impact to any clients. The platform is geo-located in the EU and around the world for throughput, performance and fault tolerance.

Analytics

• Service usage metrics: Yes
• Metrics types: We record all user activity in phishing tests, training courses and videos, knowledge assessments and if staff report phishing emails to the security team. We see trend information as to has taken the training, who hasn't, by person, office, department, country or business entity. Same applies to knowledge assessments and the results of each question that is asked on the platform, We also record what system the user used when accessing phishing emails in additional what browser version, what IP address they had, what time of day and day of the week it is when they accessed the email.
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Ninjio Vidoes and Intuition Compliance Training courses

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: We will deliver the right level of support to accommodate the unique needs of your organization.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • IPsec or TLS VPN gateway
  • Other
• Other protection between networks: All communications between our clients and our frontend portal sites and to our backend services use symmetric cryptography and the https protocol. ; ; We implement Internet Protocol Security (IPsec) Content Security Policy (CSP) is a layer of security to detect/mitigate Cross-Site Scripting (XSS) and data injection attacks.; ; Anti-forgery tokens are used to prevent CSRF attacks CyberRiskAware utilises many levels of data security to ensure the integrity of our data storage: ; • Firewalls & rules ; • Secure credential management. ; • Data masking. ; • Encryption. ; • Proactive monitoring and auditing. ; ; We use recognised encryption algorithms like AES.
• Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Effective support of in-scope Support Services is a result of maintaining consistent service levels. 1.Support Service Availability We will provide online availability to our Services 99.8% (ninety-nine and eight-tenths percent) of the time in any calendar month 2. Service Credits Service Credits are a remedy for any non-performance or non-availability of our Services and/or Support Services under this SLA. “Maximum Available Minutes” is the average number of minutes per month, forty-four thousand (44,000) during a given annual subscription license period. Downtime: The total accumulated Minutes per month, during a given annual subscription license period, in which the Services are unavailable excluding any planned maintenance. A minute is considered unavailable for when there is no external connectivity between Blue Cube and Microsoft’s Internet gateway in Azure. Monthly Uptime Percentage: ; ; The Monthly Uptime Percentage is calculated using the following formula: ; ; Monthly Uptime % = (Maximum Available Minutes-Downtime)/(Maximum Available Minutes) x 100 Service level Credit = A * B Monthly UPTIME ; ; PERCENTAGE SERVICE CREDIT % (A) At Risk Amount per Month (B) <99.8% 10% 10% of (Annual Subscription fee / 12) <99% 25% 25% of (Annual Subscription fee / 12)
• Approach to resilience: Our platform is built entirely on the Microsoft AZURE cloud and leverages all aspects of the fault tolerance and resilience that Microsoft has implemented. Our platform is geo-dispersed, including multiple data centres in the EU and UK to comply with system performance and data security requirements. Detailed information can be provided upon request
• Outage reporting: We provide email alerts to designated points of content in each client organisation.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Username or password
  • Other
• Other user authentication: LDAP/ ADFS - Single-Sign on SAML 2.0
• Access restrictions in management interfaces and support channels: Authentication obtains unique user credentials and 2FA and validates those credentials. If credentials are valid, the entity that submitted the credentials is considered an authenticated identity. Once authenticated, the authorisation process determines what access that identity has to a given resource. Authorisation determines what a user can do based on assigned roles. Our portals are protected by firewalls that help secure the application from SQL injections and Cross-Site Scripting whilst also inspecting responses from back-end servers for Data Loss Prevention (DLP). Account Lockout locks out the user’s account if the user enters a wrong password, a specific number of times.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
• Description of management access authentication: LDAP/ADFS Single Sign-on SAML 2.0

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: Yes
• Any other security certifications: Platform and Content is GCHQ accredited by CIISec

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: All of our security controls have been designed and implemented in accordance with ISO27001 and NIST security frameworks. We are currently in the process of being formally ISO27001 certified in 2020.
• Information security policies and processes: Together, the CEO and CTO document and implement all security policies in all areas of the business based on the data we collect and systems we use. All policies are shared with staff and their acknowledgements are tracked on our training platform in addition to tracking all security awareness training to ensure all courses have been completed by all staff members. All staff through their training are aware of their information security roles, responsibilities and obligations. We regularly issue cyber policy and best practice knowledge assessments to assess if staff are aware of the contents in our policies and which processes to follow in the case of a security incident. ; ; Security Policies:- Information Security Policy Document Organization of Information Security Human Resource Security Asset Management Access Control Cryptography Physical and Environmental Security Operations Security Communications Security System Acquisition, Development and Maintenance Supplier Relationships Information Security Incident Management Information Security Aspects of Business Continuity Management Compliance

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: We have a mature Software Development Lifecycle in place, aligned with OWASP. All changes are registered, approved by the CTO and tracked in our ticketing system, from start through to completion. Each of our environments is segregated Dev, QA, Pre-Prod and Prod. As part of our ISMS, all risks are recorded and measured on an inherent and residual basis commensurate with the maturity of the controls that are in place tied to each aspect of the asset affected by a change.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: We have daily vulnerability scans running against all of our underlying data stores and AZURE infrastructure that we have used to build our security awareness platform. All results are collected and analyzed by the CTO and the tech team in order to implement any required patch or upgrades upon raising a ticket which will be tracked and approved through to completion. How quick we deploy patches depends on the severity of the vulnerability, the availability of a solution and the impact assessment of when making the change to the system. Typically less than 24-48 hours for critical.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Every user and system activity is logged and continuously monitored for performance and security-related events. Our portals are protected by firewalls that help secure the application by inspecting inbound web traffic to block SQL injections, Cross-Site Scripting, malware uploads & application DDoS and other attacks. It also inspects the responses from the back-end web servers for Data Loss Prevention (DLP). Combined with the isolation and additional scaling provided by the App Environments, our system can withstand malicious requests and high-volume traffic. SQL Databases protect the data through comprehensive auditing and threat detection capabilities.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: The Security Incident Response Team (SIRT) is established to provide a quick, effective and orderly response to computer-related incidents such as system infections, network breach attempts and break-ins, system service interruptions, data theft, data manipulation and other events with serious information security implications. We have documented incident response plans for Business Continuity and Security incidents that are reported to the SIRT by staff or 3rd parties. In accordance with local compliance requirements we notify any affected party as required by law.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £2.18 to £13.71 a person a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Full service scope can be supplied.; ; Timescales subject to client requirement; ; Please request via our website:; ; http://www.bluecubesecurity.com/contact-usgcloud/
• Link to free trial: http://www.bluecubesecurity.com/contact-usgcloud/

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at operations@bluecubesecurity.com. Tell them what format you need. It will help if you say what assistive technology you use.