Redflags™ Real-time Security Awareness - Digital Marketplace (2024)

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: No
System requirements: Client supports.Net Framework 3.5+ (Windows 7, 10)

User support

Email or online ticketing support

Email or online ticketing

Support response times

Direct support not required by users.
Support provided to IT / IT security Product Owners
48 hours

User can manage status and priority of support tickets

Phone support

Web chat support

Onsite support

Yes, at extra cost

Support levels

Customers can contact our support services via our help desk email address support@thinkcyber.co.uk.

Contact automatically creates a support ticket, which is then allocated to the relevant support team to progress.

ThinkCyber will aim to provide initial confirmation of receipt targeted within 60 minutes.

Feedback / query response targeted within 48 hours.

Support available to third parties

Yes

Onboarding and offboarding

Getting started

1) Onboarding kick off to agree scope of product use and any customisation requirements
2) Campaign and content design phase if procured
3) Issue installer for IT team review, deployment and connectivity configuration
4) Advice and guidance for managed roll out by IT team
5) Agree content go live
6) Commence measurement and reporting aspects of service

Service documentation

Yes

Documentation formats

PDF

End-of-contract data extraction

Reports on engagement are available on a monthly basis.
Full exports of raw engagement data can be issued on request.

End-of-contract process

Delivery and display of awareness content will cease at the end of the contract. Content can be continued on renewal.

Reports will remain available for 30 days at end of contract.

Customers are requested to uninstall the software application from client machines.

Using the service

Web browser interface

Yes

Supported browsers

Internet Explorer 11
Microsoft Edge
Firefox
Chrome

Application to install

Yes

Compatible operating systems

Windows

Designed for use on mobile devices

Service interface

Yes

User support accessibility

None or don’t know

Description of service interface

Reports are accessible from our Redflags Portal allowing client administrators to view staff engagement with Redflags™ stories and nudges, including dwell times, click throughs to more information and answers to any questions. Where users have been nudged for a specific behaviour, the number of nudges per user and their engagement with delivered content will be included in reports, offering a measure of risky behaviours.

Content is curated by ThinkCyber administrators to client requirements.

Accessibility standards

None or don’t know

Description of accessibility

Service interface used solely by client support teams. Uses standard email tooling.

Scaling

Independence of resources: Our service will scale if user demands exceed processing capacity.

Analytics

Service usage metrics: Yes
Metrics types: Across all of the RedFlags™ toolkit, your security awareness team gains visibility of engagement, dwell times on content, click-throughs and answers to questions per user and in aggregate. These are accessible through the Redflags™ portal.
Reporting types: Real-time dashboards

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom

European Economic Area (EEA)
User control over data storage and processing locations: No
Datacentre security standards: Managed by a third party
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest: Physical access control, complying with CSA CCM v3.0

Physical access control, complying with SSAE-16 / ISAE 3402

Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation
Equipment disposal approach: In-house destruction process

Data importing and exporting

Data export approach: Reports on engagement are issued on a monthly basis.
Raw engagement data can be issued on request.
Data export formats: CSV
Data import formats: Other
Other data import formats: No data upload required

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: Content is pushed down to clients removing dependencies on external services for delivery of the service.
Content servers reside in Amazon Web Services (AWS).
AWS use commercially reasonable efforts to make the Included Services each available for each AWS region with a Monthly Uptime Percentage of at least 99.99.
Approach to resilience: Available on request
Outage reporting: Email alerts

Identity and authentication

User authentication needed: Yes
User authentication: 2-factor authentication

Public key authentication (including by TLS client certificate)

Other
Other user authentication: Users access service through logging into corporate desktop. Application access to content secured via client certification authentication, and certificate pinning.
Reporting portal access requires 2FA.
Access restrictions in management interfaces and support channels: Access to management interfaces is restricted to individual (fully qualified) IP addresses.
Access restriction testing frequency: At least once a year
Management access authentication: 2-factor authentication

Other
Description of management access authentication: Management access is authenticated via username and (strong) password. Access to management interfaces is restricted to individual (fully qualified) IP addresses.
Access to server configurations requires 2FA

Audit information for users

Access to user activity audit information: You control when users can access audit information
How long user audit data is stored for: Between 6 months and 12 months
Access to supplier activity audit information: You control when users can access audit information
How long supplier audit data is stored for: Between 6 months and 12 months
How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: Yes
Cyber essentials plus: Yes
Other security certifications: Yes
Any other security certifications: IASME Governance Standard

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: Other
Other security governance standards: Cyber Essentials.
IASME Governance Standard
Our governance processes align with the IASME governance standard.
Information security policies and processes: Information Security governance is owned at Company Board level. Our overall approach is driven by a combination of risk- and compliance-oriented factors.
We define our own information security policies and processes, aligned with Cyber Essentials and the IASME governance standard.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Tight control to smallest possible number of administrators who can change configuration.
All software products are stored and managed in a version control / software configuration management toolkit.
Deployments are run through a testing process before release.
Major changes/releases are agreed by a Change Advisory Board.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Proactive patch monitoring and rollout. Periodic vulnerability scanning/penetration testing, including on new releases. Remediation of all Critical/High/Medium vulnerabilities.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Monthly assessment of available log data to identify a defined set of anomalies.
Incident management type: Supplier-defined controls
Incident management approach: Recording of incidents in an incident log, and reporting to board level. Incidents involving personal data to be handled in accordance with GDPR requirements.

Secure development

Approach to secure software development best practice: Supplier-defined process

Public sector networks

Connection to public sector networks: No

Social Value

Fighting climate change

As an organisation we have committed to be Net Zero in 2022

Equal opportunity

We are an equal opportunity employer and have staff from a very diverse range of backgrounds.

Pricing

Price: £1.80 to £48 a person a year
Discount for educational organisations: Yes
Free trial available: Yes
Description of free trial: 2-4 week trial demonstrating RedFlags™
Phishing Threat Awareness and RedFlags™ Security Stories capabilities

Service documents

Pricing document

PDF
Skills Framework for the Information Age rate card

PDF
Service definition document

PDF
Terms and conditions

PDF
Modern Slavery statement

PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tim.ward@thinkcyber.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.