Aggregate Purchase Program for SANS Training

Steeply discounted pricing for exceptional SANS security awareness and technical training is available through REN-ISAC during special aggregate purchase periods. This offer is open only for accredited educational institutions, including universities, colleges, technical training institutes, and K-12 schools, in the United States and Canada.

The next purchasing window is scheduled for June 1 - July 31, 2014. For details on the specific offerings, visit:

OnDemand Technical Training and GIAC Certification
Securing The Human - End User Awareness Training
Securing The Human - Developer Training
Securing The Human - Phishing

Webcast to Learn About Program

On May 15, persons from SANS and REN-ISAC held a webcast to discuss the special offerings.

Securing The Human - End User Awareness Training

Securing The Human - End User Awareness training (STH) provides extensive employee security awareness training that targets today's weakest link in enterprise security - the human. STH goes beyond just compliance and addresses the most common risks using a proven framework based on the 20 Critical Security Controls. The program contains 23 security modules and 13 compliance modules. Each module includes an online assessment. Student progress through the program can be tracked via a site administration web interface. STH is appropriate for small to extremely large numbers of users and is supported in multiple languages.

Training is delivered via SCORM-compliant web video-based modules utilizing the SANS-hosted Virtual Learning Environment (VLE) or internally via your own learning management system (LMS).

STH awareness training addresses numerous standards including PCI DSS, HIPAA, FISMA, ITAR, ISO 27001, and FERPA.

Optional supporting media: Each module has an associated newsletter, poster, and screensaver. These are available for optional purchase. The media are branded with your name, logo and contact info. They are delivered in electronic format. You can use them as much or as little as you wish, for as long as you wish.

Demo accounts are available, giving you the ability to sample the video modules.


STH is purchased according to the number of persons undergoing training. The aggregate-purchase price is $1.75 per person for 1 year, or $3.00 per person for 2 years. The minimum order is $2,100 for 1-year purchases or $3,600 for 2-year purchases.

Optional supporting materials, including posters, newsletters, and screensavers, cost $3,500 when ordered with the STH videos, or $5,000 without. Samples of the supporting materials are here.

Additional information is available at the SANS Securing The Human main web page

A full list of the training modules and demo short snippets is available here.

I have never seen such high quality training, distilled to a perfected message, and compressed into a timeframe that any organization should willingly commit employee time to taking as a risk reduction strategy.

James A. (Jim) Richards III, West Virginia Chief Information Security

We just purchased the SANS Securing the Human, which I think is the best I have ever seen. In addition, it's backed up by SANS' extensive experience and knowledge base in infosec.

Karen McDowell, Ph.D., Information Security Analyst, University of Virginia

Securing The Human - Frequently Asked Questions

FAQ answers are courtesy of SANS

Please note that this FAQ is best effort and that answers are subject to change or clarification.

Hosting Environment

How is the training system delivered?

The training can be hosted on your own Learning Management System (LMS), or you can choose to use the SANS-hosted LMS, which is called the SANS Virtual Learning Environment (VLE).

Is there a price difference between SANS-hosted and hosting on our own LMS?

Integrating into the client's LMS will cost an additional $2,000.

Can we append local info to the end of the module?

Changing the SANS modules is a customization effort that has extra cost. To enable your organization to add its own custom content to the training, you can use one of two options:

  1. The SANS VLE allows you to add a document that you host on your intranet to the end of each training module. This custom content then becomes part of the required training for that module and is tracked and reported.
  2. Using your own LMS means that SANS will not understand how you have set it up. You will need to ask your LMS Administrator if this can be done.

Our LMS is hosted by a vendor. Would we be able to get a test module so they could load it in to make sure it will work properly?

Yes, we can send you a player with a test module loaded. To do this, contact and request a "test module to try on <name of LMS>".

Is it possible to use the SANS hosted VLE and then migrate to our own-hosted LMS platform?

Yes, if done within the first 3 months. You can download the results data of your current training from the VLE in csv format for import into your own LMS.

Is there information available about integrating STH with our own LMS?

Instead of providing a laundry list of LMS options, the best way to test STH with your own hosted LMS is to ask SANS for a "Test Module". To do this, contact and request a "test module to try on <name of LMS>". This will help you ensure compatibility with any customization you may have made.


Is there a module that addresses FERPA (student education records) issues?

Yes, there is such a compliance module. Other education-related compliance modules include:

  • Red Flag Rules
  • GLBA
  • Federal Tax Information

How often will the video training modules be updated?

All our security awareness content is mapped to the 20 Critical Controls Security Framework. They are updated as the Human Attack Vectors change but not less than twice per year. This doesn't mean that every module is changed just for the sake of changing. They're changed if the attack vector data indicates that they need to be changed.

Are these the only stock videos available?

We currently have a stable of 23 security awareness and 18 compliance modules. As we go through the twice-annual updating process we add new modules as required at that time.

Will new modules that are added to the security awareness library be made available freely to standard license holders?

Yes. Any updates made to the security awareness training will be made available during the license term.

Support Materials

What are the additional training materials that are available and what do they cost?

Each module has an associated Newsletter, Poster and Screensaver. These are branded with your name, logo and contact info. They are delivered in electronic format. You can use them as much or as little as you wish for as long as you wish.

The cost is $5,000 for the entire package if you purchase them on their own. If you purchase them in association with the computer-based training (STH videos), then the cost is $3,500.

Note that future updates to these Newsletters/Posters/Screensavers are NOT covered in this purchase. If, for example, you wish to use the updated newsletters in 18 months time you will have to purchase them again.

Module Quiz

Is there a user assessment piece after each module?

Yes, there are optional quiz questions for each module. The administrator can select which modules they wish to assign a quiz for. This is included as part of the license.

If we select to use the SANS VLE hosting option, can we set the assessment to be required for some grouping of seats but not all seats?


If we select to use the SANS VLE hosting option, can we set the assessment passing grade to be different for each group if they are administering their own seats?



When using the SANS Portal (VLE), can an account have more than one administrator?

Yes, you may have multiple Client Administrators.

When using VLE, is the user load a one-time event or can we load multiple times (e.g., by department)?

Multiple times. The Client Admin can use the User Batch Load process repeatedly.

When using VLE, who provides client support, such as password resets?

Password resets are all automated. SANS provides support to the Client Administrators. This is done by sending an email with the issue to the STH Support Team. SANS does NOT provide LIVE support to Users, other than the FAQ.

Can the VLE Admin select which videos are displayed to specific users?

Yes, the VLE Admin can assign any number or all modules to any individual User.

How are content updates delivered to us?

You receive a monthly email and will have several months' notice before updates are ready to be delivered. They are usually delivered by download if using your own LMS.

How is license compliance managed?

You are required to have a license for each User that goes through the training. When a user views any portion of the videos in any given license period, that is considered one user license and it can NOT be reassigned to a different user until the beginning of the next license period (i.e. year by year).

It was a little unclear to me how we go about purging out vacated seats at the beginning of a new year? More specifically, how would this be done when using this with our LMS?

Simply contact SANS to confirm that you are purging the old Users and reusing the seats for Year 2.

Multiple Questions on Authentication

What are the options for users authenticating and do you support any kind of single sign-on (SSO)?

How are accounts managed, what authentication method content is hosted by SANS?

Have you integrated with an ERP system to track individual employee participation?

Has SANS considered joining InCommon as a Service Provider to facilitate federated login?

We are still working on this and cannot promise it will be in place before the beginning of June 2013. You should not assume that we will be able to support this during the license period as you make your purchase decision.

Is there any impact on the school's network bandwidth?

Two bandwidth versions are available. Typically only organizations with a very small pipe need the low-bandwidth option.

Demo accounts

How long will the VLE Demo Accounts be available?

Through the end of the Aggregated Purchase Period.

Can I get a demo for some Chinese, French, Spanish or other language modules?

Yes, you may. Please note that English is included in the standard library for this Aggregated Purchase Period through REN-ISAC. Arabic, French and Spanish are available for an additional $1,500. Please contact John Fitzgerald for details.

If there is one Administrator account and three demo user licenses, how are the demo user licenses allocated - can use of them be rotated between agency points of contact?

The User ID is the email that is entered. There is no way to change the User ID. We can provide multiple test administrator accounts, each with 3 users, if needed.

Agreement and Pricing

How is the number of seats determined?

Each person that undergoes training requires a license.

How does this pricing compare to regular pricing for this content?

The pricing you are receiving is comparable to the best large-volume commercial pricing available. Through the SANS Partnership program available to EDUs, we are aggregating all purchases during a specific time period (window of opportunity) to reach the highest possible volume and thus the lowest possible cost per seat for everyone who purchases during this window. Through the Aggregate Purchase window, this Partnership pricing is substantially discounted from SANS list pricing, with savings in the range of 90%.

Can we get an approximate number of seats and then add to it within the 1 year?

The Aggregated Purchase Period price is only available during the Aggregated Purchase Period. If you decide to add seats outside this period you will be subject to standard commercial pricing at the volume you desire.

For seats purchased outside of the Aggregated Purchase Period, what is the maintenance fee?

The maintenance would be $1.20 per seat if you buy it during the Aggregated Purchase Period by taking the two-year license instead of the one-year license. The cost for a two-year license would therefore be $2.80 instead of $1.60 for the one-year license.

If you choose to purchase a one-year license and wish to add a second year in 12 months then the cost for that second year will be the price for a one-year license at that time.

This program is designed to give you the best possible savings available for the SANS Securing the Human training. Please note, however, that these savings are ONLY available during the Aggregated Purchase Periods.

When does the 1 year clock start ticking? At the time of payment, or when the first users are provisioned? I'd like to be able to align the 1yr cycle with our academic yr.

The 1-Year clock must start within 3 months (90 days) from the end of the Aggregated Purchase Period.

How will seat counts be determined for FTEs versus students?

Licenses are measured by the number of Users, not FTEs. Every person who takes the training requires a license for the training.

If an employee leaves can you reassign the seat license in year 1? or year 2?

If the person leaves during Year 1 you can reassign that seat in Year 2. Otherwise NO, you can NOT reassign a seat (user license) within the same year of that license.

If we wanted to display a particular module in a public training forum, is that possible?


Is there any price escalation for 3 years and beyond?

We are not committing beyond two years right now.

Is there a solution for a University that wants to offer it to all staff/faculty/students (and not require it) to allow for self-registration, or would we have to preload accounts/emails?

Using the SANS VLE requires you to pre-load accounts/emails.

What is the turnaround time on invoicing once the PO is sent in?

Typically 24-48 hours but we reserve the right to say up to five (5) business days.

If we buy for Faculty and staff at this time and later decide to buy for all incoming freshmen, will the price be the same?

The discounted price is only available during Aggregated Purchase Periods.


How many users have been through the training and what was their reaction?

We have 250+ clients using the service right now. We have done numerous quality checks with various clients of all sizes, and they are all satisfied and happy with the SANS Securing the Human solution.


What format are the modules in?

The training is accessible through any internet-enabled browser with Adobe Flash installed.

Is STH compliant with ADA (508 compliant)?

Yes. STH videos include both audio and subtitles.
