Symantec Phishing Readiness Service
Service Description
February 2016
Service Overview
The Symantec Phishing Readiness Service (the “Service”) is a phishing attack simulator used to determine the susceptibility of
personnel to such attacks.
This Service Description, with any attachments included by reference, is part of any agreement which incorporates this Service
Description by reference (collectively, the “Agreement”), for those services which are described in this Service Description and are
provided by Symantec.
Table of Contents
• Technical/Business Functionality and Capabilities
  o Service Features
  o Customer Responsibilities
  o Supported Platforms and Technical Requirements
  o Assistance and Technical Support
• Service-Specific Terms
  o No Automatic Renewal
  o Service Conditions
• Data Collection and Notice
• Definitions
SYMANTEC PROPRIETARY– PERMITTED USE ONLY
Copyright © 2016 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo and any other trademark found on the Symantec Trademark List that are referred to or displayed in the
document are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The contents of
this document are only for use by existing or prospective customers or partners of Symantec, solely for the use and/or acquisition of the Services described in this document.
TECHNICAL/BUSINESS FUNCTIONALITY AND CAPABILITIES
Service Features
Stand-Alone Private Instance: The Service is managed within Customer’s dedicated instance and accessed through a secure
Web interface, both hosted in Symantec’s environment. All Emails sent to phishing targets contain uniquely encoded
identifiers that only map to User details when the results are viewed within Customer’s dedicated instance, making these
identifiers useless to a third party.
Administrator Roles: There are three (3) levels of administrator access: Full Admin, Manager and Platform User. Customer
determines which personnel resources are assigned to each type of role.
Phishing Assessments: The Service includes simulated phishing assessments and templates which address the four (4) most
common attack types, as follows:
• Open Only: This test will measure which of the targeted Users will open and load remote content in messages from
unknown and untrusted sources.
• Click Only: This test aims to elicit a single response from a targeted User: clicking a link in the test Email.
• Data Leakage Tests: This test aims to convince Users to enter additional sensitive data into a form or application on a
malicious website.
• Attachment Tests: This test aims to entice Users to open a malicious attachment.
Templates: The Service includes frequently refreshed templates for each assessment type that can be further customized by
Customer to match specific organizational branding, messaging or culture. In addition, Customer may create their own original
templates. There is no limit to the number of phishing campaigns that Customer can run while receiving the Service. Templates
are provided in English. Customer is permitted to translate the templates and content into other languages for use during the
time it receives the Service.
Reporting: The Service provides a private portal to view reports, data and metrics for each simulated phishing assessment. This
data may be used in demonstrating the effectiveness of personnel awareness training. It also can identify persons and groups
who are unintentionally exposing the Customer to the risk of compromise through the phishing attack type. Reporting types
include:
• Assessment Overview
• Assessment Activity Detail
• Vulnerable User Mapping
• Vulnerable User Activity Summary
• Raw Data Download
Training Message: For each assessment, a specific training message and schedule can be created according to
Customer policies. Users that do not complete the training immediately after clicking on a phishing link will be
reminded via email to return to complete the training.
Phishing Training and Awareness
The Service includes a video-based training module on phishing awareness and risks that can be used before or
after executing a simulated phishing assessment. Available training topics specifically related to phishing include:
• Basics of phishing and the threat it poses to organizational security (beginner)
• Understanding and identifying malicious links (intermediate)
• Understanding and identifying malicious attachments (intermediate)
• Understanding email headers and how to use them to validate malicious Email (advanced)
Platform Access and Availability
• Each Customer has access to a dedicated, private instance of the Platform.
• Customer can access the Platform by using a secure, password-protected login. The Platform provides the ability for
Customer to configure and manage the Service, access reports, and view data and statistics when available as part of the
Service.
• The Platform is available on a twenty-four (24) hours/day by seven (7) days/week basis and is monitored for availability and
service capacity.
• Reporting for the Service is available through the Platform. Reporting may include activity logs and/or statistics. Customer
can view reports live in the Platform or download the raw data (CSV) for further analysis.
Customer Responsibilities
Symantec can only perform the Service if Customer provides required information or performs required actions. If Customer does
not provide/perform per the following responsibilities, Symantec’s performance of the Service may be delayed, impaired or
prevented, as noted below.
• Setup Enablement: Customer must provide information required for Symantec to begin providing the Service.
  o At least one administrative user’s full name and email address must be provided.
• Adequate Customer Personnel: Customer must provide adequate personnel to assist Symantec in delivery of the Service,
upon reasonable request by Symantec.
• Renewal Credentials: If applicable, Customer must apply renewal credential(s) provided in the Subscription Instrument
within its account administration, to continue to receive the Service, or to maintain account information and Customer data
which is available during the Service Term.
• Customer must take action to authorize the Symantec Phishing Readiness mail servers to send Email to Customer
personnel. This may require “white-listing” by IP address, creating exceptions in Email filtering gateways, or bypassing other
protection or inspection mechanisms that may block suspicious, malicious or suspect Email. The IP addresses of the
Service’s Email servers are available in the Symantec Phishing Readiness Help Center (accessible from the Platform). Other
key filtering attributes such as Email headers and content tokens that can be used for Email filter bypass are also available
in the Symantec Phishing Readiness Help Center.
Supported Platforms and Technical Requirements
Supported browsers for the Platform:
• Internet Explorer 9+
• Chrome 36+
• Firefox 25+
• Safari 7+
The Platform may function adequately using other platforms/browsers but they have not been tested and will not receive the
same level of support from Symantec.
Assistance and Technical Support
Technical Support. The following technical support (“Support”) is included with the Service.
• Unlimited access to the Help Desk during Standard Support Hours (9am – 5pm Eastern US) for any issues related to
access and availability of the dedicated portal. Web-based ticket submission service is available 24/7, via
[email protected] and response will be given during Standard Support Hours.
Maintenance. Symantec must perform maintenance from time to time. The following applies to such maintenance:
• Normal Maintenance. Routine maintenance, updates, and upgrades may be deployed to the Platform at any time.
Such maintenance does not normally cause any interruption in the Service.
• Emergency Maintenance. Where Emergency Maintenance is necessary and is likely to affect the Service, Symantec will
endeavor to inform the affected parties in advance by Email. “Emergency Maintenance” means unscheduled
maintenance periods during which Service may be disrupted or prevented due to non-availability of the Service
Infrastructure, or any maintenance for which Symantec could not have reasonably prepared for the need for such
maintenance, and failure to perform the maintenance would adversely impact Customer.
SERVICE-SPECIFIC TERMS
No Automatic Renewal

There is no automatic renewal of this Service available. Before the current Service term expires, Customer must contact
Symantec or the organization from which it purchased the Service to renew for an additional term.
Service Conditions
• Customer may use the Service for up to the number of Managed Users Customer has purchased for the Service, as
indicated in the applicable Subscription Instrument.
• Customer may not disclose the results of any benchmark tests or other tests connected with the Service to any third
party without Symantec’s prior written consent.
• The use of any Service Component in the form of software shall be governed by the license agreement accompanying
the software. If no EULA accompanies the Service Component, it shall be governed by the terms and conditions located
at (http://www.symantec.com/content/en/us/enterprise/eulas/b-hosted-service-component-eula-eng.pdf). Any
additional rights and obligations with respect to the use of such Service Component shall be as set forth in this Service
Description.
• Except as otherwise specified in the Service Description, the Service (including any provided Hosted Service Software
Component) may use open source and other third party materials that are subject to a separate license. Please see the
applicable Third Party Notice, if applicable, at http://www.symantec.com/about/profile/policies/eulas/.
• Symantec may update the Service at any time in order to maintain the effectiveness of the Service.
• Any Email templates or spoofed domains provided as part of the Service may only be used for assessments as part of
this Service. SYMANTEC IS NOT LIABLE FOR ANY MISUSE OF SUCH TEMPLATES AND DOMAINS NOT AUTHORIZED
UNDER THE AGREEMENT.
• Symantec is not liable for any errors in translation of the Service content into other languages by Customer.
• Customer shall comply with all applicable laws with respect to use of the Service. In certain countries it may be
necessary to obtain the consent of individual personnel. Configuration and use of the Service(s) is entirely in
Customer’s control, therefore, Symantec is not liable for Customer’s use of the Service(s), nor liable for any civil or
criminal liability that may be incurred by Customer as a result of the operation of the Service.
DATA COLLECTION AND NOTICE
In connection with Customer’s use of the Service, Symantec may collect, retain, disclose and use certain information (“Collected
Data”). Collected Data may include, but is not limited to, personally identifiable information about Customer, Customer’s devices or
systems or Customer’s Service usage. Symantec use(s) such Collected Data to enable, optimize and provide the Service or
maintenance/support to Customer (and may engage third parties to do so as well), to administer and enforce its license agreements
with Customer, to make recommendations regarding usage of the Service and other Symantec solutions, and/or to improve
Symantec’s products and services in general, including by reviewing aggregate data for statistical analyses. By installing and/or using
the Service, Customer agrees that Symantec may, and Customer has obtained all the necessary consents and rights for Symantec to,
collect, use, retain, disclose and/or process Collected Data as described in this section and in the applicable Symantec product
privacy notices at: http://www.symantec.com/privacy. Please note that the use of the Service may be subject to data protection
laws or regulations in certain jurisdictions. Customer is responsible for ensuring that Customer’s use of the Service is in accordance
with such laws or regulations.
DEFINITIONS
Capitalized terms used in this Service Description, and not otherwise defined in the Agreement or this Service Description, have the
meaning given below:
“Administrator” means a Customer User with authorization to manage the Service on behalf of Customer. Administrators may have
the ability to manage all or part of a Service as designated by Customer.
“End User License Agreement (EULA)” means the terms and conditions accompanying Software (defined below).
“Email” means any inbound or outbound SMTP message passing through a Service.
“Infrastructure” means any Symantec or licensor technology and intellectual property used to provide the Services.
“Managed User” means the total number of Customer’s employees (excluding third party contractors), and is reflected in the
banded amount in the SKU Description for Services set forth in the Subscription Instrument.
“Service Component” means certain enabling software, hardware peripherals and associated documentation which may be
separately provided by Symantec as an incidental part of a Service.
“Service Software” means Software (defined below), as may be required by a Service, which must be installed on each Customer
computer, in order to receive the Service. Service Software includes the Software and associated documentation that may be
separately provided by Symantec as part of the Service.
“Software” means each Symantec or licensor software program, in object code format, licensed to Customer by Symantec and
governed by the terms of the accompanying EULA, or this Service Description, as applicable, including without limitation new
releases or updates as provided hereunder.
“Subscription Instrument” means one or more of the following applicable documents which further defines Customer’s rights and
obligation related to the Service: a Symantec certificate or a similar document issued by Symantec, or a written agreement between
Customer and Symantec, that accompanies, precedes or follows the Service.
“Phishing Readiness Help Center” means the online Support and Knowledge Base available from within the Platform.
“User” means an individual person and/or device authorized to use and/or benefit from the use of the Service, or that actually uses
any portion of the Service.
END OF SERVICE DESCRIPTION