The vendor is required to provide for a comprehensive cybersecurity awareness training program and the requirements are as follows:
• Annual training: the cybersecurity awareness training program should be comprehensive and tailored to address the specific needs of different user roles within the city. The training must include role-based modules designed for the following categories of users:
o High-risk users: employees with access to sensitive information or critical systems. They should receive advanced training on topics such as:
▪ Phishing: identifying and avoiding phishing attempts;
▪ Social engineering: understanding and preventing social engineering attacks; and
▪ Incident response: knowing how to respond to security incidents effectively.
o Desk users: employees who primarily work on computers to carry out their daily tasks. Their training should include:
▪ Password reuse: creating and managing strong passwords;
▪ Data protection: safeguarding sensitive data; and
▪ Safe internet practices: browsing the internet securely and avoiding malicious websites.
o Deskless users: employees who are mostly out in the field and often do not use computers to carry out their daily tasks. Their training should take the following into consideration:
▪ Physical security: education on physical security measures to protect information; and
▪ Recognizing suspicious activities: training on how to identify and report suspicious activities.
o The goal is to ensure that all employees, regardless of their role, are equipped with the knowledge and skills to protect the organization's assets and information.
• The training should be provided to employees annually and delivered to the city's learning management system (LMS) as SCORM files.
• Phishing simulation (monthly):
o Conduct monthly phishing campaigns to test employees' awareness and response to potential phishing attempts.
o Design unique simulations that mimic real-world phishing tactics, including deceptive links, fake login pages, and urgent requests for sensitive information, so that no user receives the same simulation twice within a 24-month period.
o Provide targeted training for high-risk users, such as employees with access to sensitive information.
o Continuously reinforce the importance of cybersecurity to ensure employees remain vigilant against phishing threats.
• Reporting phishing emails:
o Implement an easy reporting mechanism for employees to alert the cybersecurity team when they receive suspicious emails.
o Employees should be able to report suspicious emails from Outlook on the web, desktop, and mobile applications.
o The platform should be able to scrutinize the elements of reported emails and determine whether the emails are legitimate or potentially harmful.
o Provide timely and informative feedback to individuals who report suspicious emails.
o Alert the cybersecurity team to malicious emails so that appropriate action can be taken promptly to mitigate risks.
• Requirements for cybersecurity metrics and KPIs:
o Percentage of reported phishing emails: the system must track and report the total number of phishing emails reported by employees. This metric helps in assessing the level of awareness and vigilance among employees regarding phishing threats.
o Click-through rate on simulated phishing emails: the system must measure the percentage of employees who click on links in simulated phishing emails. This metric is crucial for evaluating the effectiveness of phishing awareness training, as a lower click-through rate indicates better awareness and understanding of phishing tactics.
o Improvement in employee reporting rates: the system must monitor the increase in the rate at which employees report phishing emails. This KPI indicates the success of the cybersecurity awareness training program.
o Multiple phishing failures: the system must identify and report instances where employees fail to recognize phishing attempts multiple times. This metric is important for targeting additional training and support to those employees.
- Contract Period/Term: 1 year
- Questions/Inquiries Deadline: July 30, 2025
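The KPI requirements above (click-through rate, reporting rate and its improvement over time, and repeat failures) are straightforward to compute once a simulation platform can export per-campaign results. The following is an added illustration, not part of the RFP or of any vendor's product; it assumes the platform exports, for each monthly campaign, which employees were targeted, which clicked the simulated lure, and which reported it. All names and figures are constructed sample data.

```python
"""Phishing-awareness KPIs computed from monthly simulation results.

Added example (not part of the RFP or any vendor product). Assumes the
simulation platform can export, per campaign, the targeted, clicked and
reporting employees. All sample data below is constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Campaign:
    month: str            # e.g. "2025-01"; one simulation campaign per month
    targeted: frozenset   # employees who received the simulated phishing email
    clicked: frozenset    # employees who followed the link or submitted data
    reported: frozenset   # employees who reported the simulation as phishing


def click_through_rate(c: Campaign) -> float:
    """KPI: share of targeted employees who clicked (lower is better)."""
    return len(c.clicked) / len(c.targeted)


def reporting_rate(c: Campaign) -> float:
    """KPI: share of targeted employees who reported the simulation."""
    return len(c.reported) / len(c.targeted)


def reporting_rate_improvement(campaigns) -> float:
    """KPI: change in reporting rate from the first to the latest campaign,
    as a fraction (positive means employees now report more often)."""
    ordered = sorted(campaigns, key=lambda c: c.month)
    return round(reporting_rate(ordered[-1]) - reporting_rate(ordered[0]), 4)


def repeat_failures(campaigns, threshold: int = 2) -> dict:
    """KPI: employees who clicked in at least `threshold` campaigns, mapped to
    their click count, so they can be offered additional training."""
    counts = Counter(emp for c in campaigns for emp in c.clicked)
    return {emp: n for emp, n in counts.items() if n >= threshold}


def kpi_summary(campaigns) -> dict:
    """All KPIs named in the requirements, as one report-ready structure."""
    ordered = sorted(campaigns, key=lambda c: c.month)
    return {
        "per_campaign": {
            c.month: {
                "click_through_rate": round(click_through_rate(c), 4),
                "reporting_rate": round(reporting_rate(c), 4),
                "reports": len(c.reported),
            }
            for c in ordered
        },
        "reporting_rate_improvement": reporting_rate_improvement(ordered),
        "repeat_failures": repeat_failures(ordered),
    }


# Constructed sample: five employees, three monthly campaigns.
STAFF = frozenset({"alice", "bob", "carol", "dave", "erin"})
SAMPLE_CAMPAIGNS = [
    Campaign("2025-01", STAFF, frozenset({"bob", "dave"}), frozenset({"alice"})),
    Campaign("2025-02", STAFF, frozenset({"dave"}), frozenset({"alice", "carol"})),
    Campaign("2025-03", STAFF, frozenset({"dave", "erin"}),
             frozenset({"alice", "bob", "carol"})),
]

if __name__ == "__main__":
    import json
    print(json.dumps(kpi_summary(SAMPLE_CAMPAIGNS), indent=2))
```

In the sample, the click-through rate is 40%, 20% and 40% across the three months, the reporting rate climbs from 20% to 60% (an improvement of 0.4), and `repeat_failures` flags only "dave", who clicked in all three campaigns. The threshold for "multiple" failures is a parameter, since the RFP does not fix it.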