RAZOR THORN SECURITY LTD

Compliance Plus Training - KnowBe4

Compliance Plus is a comprehensive new-school compliance training library of more than 500 modules that provides global continuously-updated, engaging, relevant, concise and customisable content to teach employees how to be compliant with their local organisational regulations.

Features

• Integration with KnowBe4’s KMSAT training for comprehensive security and compliance.
• Lower risks: fines, reputational damage, loss of customers via noncompliance.

Benefits

• 500+ items of fresh compliance content updated regularly.
• Full coverage of legislative requirements: HIPAA, PCI, and GDPR.
• Comprehensive data privacy compliance for various regulatory frameworks.
• New-school modules integrating organization policies and procedures with quality.
• Upload your custom content SCORM-compliant training & video content.
• Supplemental learning aids such as newsletters, documents and posters.
• Completely automated compliance training campaigns.

£17 a licence

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sophia.durham@razorthorn.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

691754233111854

Contact

Sophia Durham
+447470334993
sophia.durham@razorthorn.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: None.
• System requirements:
  • Brower.
  • Internet connection.

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We provide UK office hours support directly, including technical and best practice related questions. The client also has access to a dedicated Customer Success Manager (CSM) who will assist throughout the subscription period. On top of this the full KnowBe4 technical support service is available on US hours.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: 1st point of contact is through the UK where the majority of queries are managed. Escalation to the US based support engineers will then be categorised level 1, 2 and Priority dependent on urgency. All telephone and web-based support is included in the cost of the subscription, there are no extra charges for support or maintenance.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: All onboarding and offboarding is managed by a customers dedicated Customer Success Manager and the KnowBe4 Support function. The CSM can assist with any documentation that is required. SCM's are there to provide guidance and assistance through a customers subscription, this also includes the cancellation of a subscription if required.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Downloadable via CSV/ API extraction. The remaining data is securely destroyed on customer request. Our SOC can provide a certificate of destruction.
• End-of-contract process: All required elements of the service are included in the price. The subscription, training, documentation, support and product updates are all included in the single subscription price. Contracts are a minimum of 1 year. At the end of the year, if the customer does not wish to renew, the customer can request the data be deleted.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: N/A
• Service interface: No
• User support accessibility: WCAG 2.1 A
• API: Yes
• What users can and can't do using the API: KnowBe4’s APIs are REST APIs that allow you to pull phishing, training, user, and group data from the KnowBe4 console. Data is returned in a JSON structure by default--no additional parameter is needed. Our APIs use resource-oriented URLs for requests and HTTP response codes for error handling. HTTP features, such as HTTP authentication and HTTP verbs, are built-in and understood by standard HTTP clients. Our APIs are available to Platinum and Diamond subscription customers.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • PDF
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: All email templates are editable as are landing pages. The training content is not directly customisable although we can offer a paid for service to customise the training material should it be required.

Scaling

• Independence of resources: We use auto scaling which monitors our application and automatically adjusts capacity to maintain steady, predictable performance.

Analytics

• Service usage metrics: Yes
• Metrics types: Reporting on phishing and training as well as a real time view through the administration dashboard. Enterprise level reporting is available to report on all aspects of a simulated phishing campaign and training campaign.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller (no extras)
• Organisation whose services are being resold: KnowBe4.

Staff security

• Staff security clearance: Staff screening not performed
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Other
• Other data at rest protection approach: KnowBe4 leverages AWS for data encryption at rest (AES-GCM 256).
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Exporting data from KnowBe4 by the customer is done in the form of reports on user activity.
• Data export formats:
  • CSV
  • Other
• Other data export formats: PDF
• Data import formats:
  • CSV
  • Other
• Other data import formats: Active Directory

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: KnowBe4 leverages AWS for data encryption in transit (TLS).
• Data protection within supplier network: Other
• Other protection within supplier network: Production environment leverages Amazon AWS, WAF, Guard Duty, Shield, VPCs, IAM, security groups and other controls. Changes to environment or logged and monitored. All changes require going through the change management process. Production environment leverages Amazon AWS, WAF, Guard Duty, Shield, VPCs, IAM, security groups and other controls. Changes to environment or logged and monitored. All changes require going through the change management process.

Availability and resilience

• Guaranteed availability: 99.9% to be measured annually.
• Approach to resilience: KnowBe4 engineers have designed a cloud first highly scalable and resilient product architecture within AWS. Performance of systems within our product architecture are monitored for key metrics to ensure that the load on any one system is within an acceptable range. Should any components become overloaded or experience a fault, automated processes will execute to bring online additional temporary systems or to cycle out existing systems for new ones. Automation is built into the KnowBe4 architecture so system monitoring, updates, and corrective actions can take place as needed with no downtime.
• Outage reporting: Outages reported by email and on status webpage.

Identity and authentication

• User authentication needed: Yes
• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: Single Sign on SAML with access based on Role.; ; Administrators of the console can have privileges set according to function.
• Access restriction testing frequency: At least every 6 months
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users receive audit information on a regular basis
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: ANAB
• ISO/IEC 27001 accreditation date: 01/02/2022
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 01/12/2023
• CSA STAR certification level: Level 1: CSA STAR Self-Assessment
• What the CSA STAR doesn’t cover: N/A
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: All KnowBe4 Products are SOC 2 type 2 compliant. KMSAT is also FedRamp Compliant. Please reference: https://marketplace.fedramp.gov/#/product/knowbe4-security-awareness-training?sort=productName&productNameSearch=knowbe
• Information security policies and processes: KnowBe4 has established and maintained various Information Security and Privacy Policies. These are inspected and reviewed for completeness as part of our multiple annual external audits. These include but are not limited to Change Management, BCP/DR, Information Security, Third Party Security Guidelines, Data classification, etc.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: The KnowBe4 R&D department leverages a Continuous Integration / Continuous Delivery (CI/CD) pipeline for managing code deployments. Code changes are peer reviewed, approved by separate QA staff, and tested in a staging environment before they are pushed into production. The staging and production environments are logically separated and no data is shared between them.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: The KnowBe4 information security team performs web application vulnerability scans monthly. These scans are configured to run as authenticated scans. Any vulnerabilities found during these scans or any other vulnerability discovery activities are added to a vulnerability tracking system. There the vulnerabilities are verified, categorised, and evaluated for actual risk. Vulnerabilities are remediated in accordance with a defined schedule.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: All KMSAT processes have audit logging enabled as part of the default configurations. Additional logging for Infrastructure, system and networking are managed leveraging various tools. These are monitored by a dedicated team.
• Incident management type: Supplier-defined controls
• Incident management approach: KB4 has a formal incident response plan, of which the key elements include: Preparation, Identification, Containment, Remediation, Investigation, Follow-up/ Lessons Learned, and Notifications.; In the event of an incident involving your data you will be informed via email within 72 hours.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Covid-19 recovery
  • Tackling economic inequality
  • Wellbeing

  Covid-19 recovery

  At the beginning of the pandemic, KnowBe4 was able to quickly transfer to remote work while still maintaining our fun and unique company culture. Our Fun and Shenanigans team adjusted all of their fun activities to continue engaging employees while they work remotely.; ; For example, the fitness classes, which are normally held onsite for the employees, are now being recorded and uploaded to one of KnowBe4’s YouTube channels where all employees can access the classes. Fun company events, such as our monthly trivia competitions, are still happening, but have moved to a virtual platform where everyone can participate safely. We also have a company-wide intranet, which essentially functions as a private social media platform for all of our employees to stay connected. Our Fun and Shenanigans team uses this platform to host fun competitions for employees.; ; We have also sent out several care packages to our employees around the world, ranging from toilet paper to full sized cakes. Additionally, we have done contactless pick-ups, which allow employees to simply drive up to the building and get care packages handed to them. New team members a starting bonus for any remote employees to help them set up their home offices.; ; https://www.knowbe4.com/careers/faq

  Tackling economic inequality

  At KnowBe4, we recognize that people are at the heart of our success. We celebrate the creativity, innovation and increased performance that comes from an inclusive and diverse workspace culture. We believe that our unique culture leads to greater success and gratification due to the diversity that each person brings to their position.; ; KnowBe4 leverages the broad diversity of its teams’ knowledge and identities to build quality products that reflect the collective experience of our users and surrounding communities. KnowBe4 understands the work needed to support and foster its culture of inclusivity is continuous and relies on our three components of - Building, Educating, Respecting.; Building: Building diverse workforces and the accompanying knowledge bases to support our employees, from training our recruiting staff and infusing culturally appropriate measurements to building and re-evaluating our onboarding materials so they represent our growing, diverse team.; Educating: Education against bias, discrimination, and inequality. This begins with a commitment from our entire executive team to support and listen to the members of our Employee Resource Groups while allowing these groups to help shape and guide KnowBe4’s company culture, policies, and philanthropic efforts.; Respecting: Respecting diversity and all of the intersections of identities that make us who we are. This respect focuses on how we are able to elevate these conversations all year long. The moment we are able to come together and learn through mutual respect enables trust to be built.; https://www.knowbe4.com/careers/diversity

  Wellbeing

  https://www.knowbe4.com/careers/benefits; Health and Wellness; Fully Paid Medical Insurance; Vision And Dental Plans; FSA (Flexible Spending Account); Free Gym Benefits Through Classpass; Virtual Yoga Classes; Free Fresh Fruit Delivered Weekly

Pricing

• Price: £17 a licence
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: With our free Phishing Security Test you can phish employees to find out what percentage are Phish-prone™. This test is available for up to 100 users and customisable for your organisation. We'll also provide a PDF with your Phish-prone % and charts to share with management.
• Link to free trial: https://www.knowbe4.com/phishing-security-test-offer

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sophia.durham@razorthorn.com. Tell them what format you need. It will help if you say what assistive technology you use.