• We've added an in-line editing feature to your risks. Now, you can edit your risks directly from the Risk Register instead of navigating to the View Risk page. For more information, see the Viewing and Updating Risks section of our How to Use Your Risk Register article.
• We've updated the following managed templates. For more information, see our Managed Templates article. To have additional templates added to your account, contact your Customer Success Manager.
  • ISO 27001 v2013 to v2022
  • ISO 27001 Annex v2013 to v2022
  • NERC CIP: Physical Security v014-2 to v014-3
• We've updated the following policy templates for you to download and customize for your organization. For more information, see our Policy Templates article.
  • Risk Assessment Policy
  • Risk Management Policy

• We've added an integration with KnowBe4’s KMSAT console to your platform. You can use this integration to create automated tasks that will collect your users' KMSAT training completions as evidence. For more information, see our How to Integrate KnowBe4's KMSAT Console with KCM GRC article.
• We've added a View All Risks button to your Risk Register. After using the search and filter features to find specific risks, you can click this button to view all of your risks at once. For more information, see our How to Use Your Risk Register article.

• We’ve added a new framework to our free tool, the Compliance Audit Readiness Assessment (CARA). This new framework is the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which you can use to make sure your organization is securing electronic protected health information (ePHI). For more information, see our Compliance Audit Readiness Assessment (CARA) Product Manual.
• We’ve improved the display and user experience of the Risk Register. To help you find your risks easily, we’ve also added a Filter widget. For more information, see our How to Use Your Risk Register article.
• We've added an integration with Atlassian Jira Software to your platform. You can use this integration to manage your KCM GRC tasks in Jira. For more information, see our How to Integrate Atlassian Jira Software with KCM GRC article.
• We’ve released revised control guidance for our PCI DSS managed template. KCM’s control guidance feature helps you create adequate controls so your organization can meet its requirements or other compliance efforts. To learn more about our control guidance, see these articles:
  • KCM GRC: Working with Control Guidance
  • Video: Control Guidance

• We've updated the following policy templates for you to download and customize for your organization. For more information, see our Policy Templates article.
  • Data Disposal Policy
  • Record Retention Policy
• We've added the new Resource Center feature to your platform. From the Resource Center, you can view a full list of product guides and release notes, search our Knowledge Base, and create support tickets. For more information, see the Using the Resource Center section of our How to Use the Product Guide Feature article.
• We've released the new product guide feature. Product guides walk you through specific features to help you get the most out of your platform. For more information, see our How to Use the Product Guide Feature article.
• We've added the following new plan template for you to download and customize for your organization. For more information, see our How to Use Plan Templates in Your Platform article.
  • Information Systems Continuity Plan
• We've updated the following managed templates. For more information, see our Managed Templates article. To have additional templates added to your account, contact your Customer Success Manager.
  • UK Data Security and Protection Toolkit Standard v22-23

• We've updated the following managed templates. For more information, see our Managed Templates article. To have additional templates added to your account, contact your Customer Success Manager.
  • NERC CIP Cyber Security — Personnel & Training CIP-004-7
  • NERC CIP Cyber Security — Electronic Security Perimeters CIP-005-7
  • NERC CIP Cyber Security — Configuration Change Management and Vulnerability Assessments CIP-010-4
  • NERC CIP Cyber Security — Information Protection CIP-011-3
  • NERC CIP Cyber Security — Supply Chain Risk Management CIP-013-2
• We've added the following new managed templates. For more information, see our Managed Templates article. To have additional templates added to your account, contact your Customer Success Manager.
  • NERC CIP Cyber Security — Communications between Control Centers CIP-012-1

June 2022

• We've added a Notes column to the CSV file for the vendor list export. For more information, see the Exporting a Vendor List section of our How to Export Data in the Vendor Risk Management Module article.
• We’ve added a new framework to our free tool, the Compliance Audit Readiness Assessment (CARA). This new framework is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which you can use to help your organization build its cybersecurity plan. For more information, see our Compliance Audit Readiness Assessment (CARA) Product Manual.
• We've updated the following policy templates for you to download and customize for your organization. For more information, see our Policy Templates article.
  • Acceptable Use Policy
  • Email Security Policy
• We've updated the following managed template. For more information, see our Managed Templates article. To have additional templates added to your account, contact your Customer Success Manager.
  • UK Cyber Security Essentials v2.2 to v3.0

May 2022

• We’ve released revised control guidance for our HIPAA Security Rule managed template. KCM’s control guidance feature helps you create adequate controls so your organization can meet its requirements or other compliance efforts. To learn more about our control guidance, see these articles:
  • KCM GRC: Working with Control Guidance
  • Video: Control Guidance
• We've improved our policy uploading process when you upload multiple policy files to your Policy Management module. Now, each file will process individually, so it may take more time for your files to upload. For more information, see the Uploaded Policies section of our Policy Management Module Guide.
• We've updated the following managed templates. For more information, see our Managed Templates article. To have additional templates added to your account, contact your Customer Success Manager.
  • PCI DSS Self Assessment Questionnaire A v3.2.1 to v4.0 
  • PCI DSS Self Assessment Questionnaire A-EP v3.2.1 to v4.0 
  • PCI DSS Self Assessment Questionnaire B v3.2.1 to v4.0
  • PCI DSS Self Assessment Questionnaire B-IP v3.2.1 to v4.0 
  • PCI DSS Self Assessment Questionnaire C v3.2.1 to v4.0 
  • PCI DSS Self Assessment Questionnaire C-VT v3.2.1 to v4.0
  • PCI DSS Self Assessment Questionnaire D Merchants v3.2.1 to v4.0 
  • PCI DSS Self Assessment Questionnaire D Service Providers v3.2.1 to v4.0
  • PCI DSS Self Assessment Questionnaire P2PE v3.2.1 to v4.0 
• We've added the following new policy template for you to download and customize for your organization. For more information, see our Policy Templates article.
  • Malware Policy

April 2022

• We've added the following new plan template for you to download and customize for your organization. For more information, see our How to Use Plan Templates in Your Platform article.
  • System Security Plan
• We've added the following new policy template for you to download and customize for your organization. For more information, see our Policy Templates article.
  • Security Awareness Training and Testing Policy
• We've updated the following managed templates. For more information, see our Managed Templates article. To have additional templates added to your account, contact your Customer Success Manager.
  
  • International Traffic in Arms Regulations (ITAR) v4.2021 to v4.2022
  • OWASP Level 1 v4.0.2 to v4.0.3
  • OWASP Level 2 v4.0.2 to v4.0.3
  • OWASP Level 3 v4.0.2 to v4.0.3
  • PCI DSS v3.2.1 to v4.0
  • PCI DSS Appendix A v3.2.1 to v4.0
  • UK Anti Bribery Statute Adequate Procedures Checklist v5.21012 to v2022
  • UK Data Security and Protection Toolkit Standard v20-21 to v21-22

March 2022

• We’ve released revised control guidance for our NIST CSF managed template. KCM’s control guidance feature helps you create adequate controls so your organization can meet its requirements or other compliance efforts. To learn more about our control guidance, see these articles:
  • KCM GRC: Working with Control Guidance
  • Video: Control Guidance
• We've improved our search feature in specific areas of your platform. On the pages listed below, KCM GRC will save the previous terms you entered into the search bars. This will allow you to refresh your page, close your browser, or move between different KCM GRC tabs without losing the last search term you searched for. If you clear your browser cache, you will lose your previous search term entry.
  • Requirements subtab of the View Scope page
  • Task subtab of the View Scope page
  • Vendors page
  • Controls page
• We’ve added the KnowBe4 Privacy Policy and Terms of Service to KCM GRC. Now, KCM GRC users will be prompted to acknowledge these policies. For more information, see our Terms of Service and Privacy Policy article.
• We’ve added a new framework to our free tool, the Compliance Audit Readiness Assessment (CARA). This new framework is the Statement on Standards for Attestation Engagements no. 18 Trust Services Criteria (SSAE 18 TSC), which you can use to assess the quality of financial reporting and system security that your organization provides. For more information, see our Compliance Audit Readiness Assessment (CARA) Product Manual.
• We've added the option to permanently delete controls in bulk. For more information, see the Deleting Controls in Bulk section of our How to Use Controls in Your KCM GRC Platform article.
• We've added the following new policy templates for you to download and customize for your organization. For more information, see our Policy Templates article.
  • System Integrity Policy
  • Third-party Risk Management
• We've updated the following managed templates. For more information, see our Managed Templates article. To have additional templates added to your account, contact your Customer Success Manager. 
  • Cybersecurity Maturity Model Certification (CMMC) Level 1 v1.02 to v2.0
  • Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.02 to v2.0
  • ISO 27002 v2013 to v2022
  • NY DFS Cybersecurity Requirements v2017 to v2021
  • Gramm-Leach-Bliley Act Safeguard Rule v5.2002 to v12.2021
  • Gramm-Leach-Bliley Act Privacy Rule v5.2002 to v12.2021

February 2022

• We've added a button that allows you to preview file evidence in your browser. For more information, see the Reviewing Evidence section of our How to Monitor and Approve Tasks article. 
• We've added the following new policy templates for you to download and customize for your organization. For more information, see our Policy Templates article.
  • Change Management Policy
  • Configuration Management Policy
• We've updated the following managed templates. For more information, see our Managed Templates article. To have additional templates added to your account, contact your Customer Success Manager.
  • Australian Government (ASD) Information Security Manual v4.2021 to v12.2021
  • Higher Education Community Vendor Assessment Tool (HECVAT) v2.11 to v3.0

January 2022

• We've updated the following managed templates. For more information, see our Managed Templates article. To have additional templates added to your account, contact your Customer Success Manager.
  
  • Standardized Information Gathering (SIG) Lite v2021 to v2022
  • Standardized Information Gathering (SIG) Core v2021 to v2022
• We've added the following new managed templates. For more information, see our Managed Templates article. To have additional templates added to your account, contact your Customer Success Manager.
  
  • Standardized Information Gathering (SIG) Detail v2022
• We've added the following new Standardized Information Gathering (SIG) questionnaire templates for you to use when creating a questionnaire in your Vendor Risk Management module. For more information, see our How to Create and Configure Questionnaires article.
  • 2022 SIG Core
  • 2022 SIG Lite
• We've added our first plan template to the Policy Management module. The Incident Response Plan includes instructions for detecting, responding to, containing, and remediating security incidents that happen in your organization. For more information, see our Policy Templates article.
• We've added the following new policy templates for you to download and customize for your organization. For more information, see our Policy Templates article.
  • Acceptable Use Policy
  • Data Classification and Handling Policy
  • System Maintenance Policy

• We've added a Notes widget to the Vendor Details page. You can use the Notes widget to communicate information about your vendors. For more information, see the Working with Vendor Profiles section of our How to Create and Manage Vendor Profiles article. 
• We've added a button that allows you to create risks for the vendors or third parties your organization works with. For more information, see the Creating Risks for Vendors section of our How to Create and Manage Vendor Profiles article. 
• We've added the option to delete vendor documents. To learn how to delete vendor documents, see the Vendor Documents section of our How to Use the Documents Page article.  
• When you disable user accounts, we've added the option to transfer the controls and vendors that the user was responsible for to other users. For more information about disabling users, please see the Disabling User Accounts and Transferring Responsibilities section of our How to Create and Manage User Accounts article.
• We've added the option to create controls from requirements in bulk. For more information, see the Create Controls from Requirements section of our How to Create Controls from Scoped Requirements article.
• We've added the following new managed templates. For more information, see our Managed Templates article. To have additional templates added to your account, contact your Customer Success Manager.
  • NIST SP 800-172 v2.2021
  • InTREx-CU v1.2021

• We've added a Risk Owner field to risks in the Risk Management module. Now, you can enter the name of the person who is responsible for managing each of your risks. For more information, see our How to Use Your Risk Register article. 
• We've improved the Controls page by adding a column for your one-time tasks. To learn about the Controls page, see the Viewing All Controls from the Controls Page section of our How to Use Controls in Your KCM GRC Platform article. 
• Now, Account Administrators can demote other Account Administrators' user roles. To learn how to update user roles, see the Updating User Account Details section of our How to Create and Manage KCM GRC User Accounts article. 

• We've improved the workflow for completing and approving tasks. The Complete Task button has moved to the task description area of the View Task page, and the Task Approval area has been updated to make the approval process clearer. For information about completing tasks, see our How to Monitor and Complete Tasks article. For information about approving tasks, see our How to Monitor and Approve Tasks article. 

• The following new Managed Templates are now available. Contact your Customer Success Manager to have additional templates added to your account:
  • UK IASME Governance Standard - Self Assessment Questionnaire v.5

• We've added a Notes widget to the View Risk page. You can use the Notes widget to communicate information about your risks. For more information about viewing and editing your risks from the View Risk page, see our How to Use Your Risk Register article. 
• We've added the Consensus Assessment Initiative Questionnaire (CAIQ) v4.0.2 questionnaire template to the Vendor Risk Management module.
  • This questionnaire provides updates to its previous version, CAIQ v3.1.
  • To learn more about building questionnaires for your vendors or third parties, see our How to Create and Configure Questionnaires article.
• We’ve released control guidance for our SSAE18 Trust Services Criteria managed template. This template is commonly used for customers preparing for their System and Organization Controls (SOC) 2 certification. KCM’s control guidance feature helps you create adequate controls so your organization can meet its requirements or other compliance efforts. To learn more about our control guidance, see these articles:
  • KCM GRC: Working with Control Guidance
  • Video: Control Guidance
• We’ve improved the controls CSV export to include the control notes from your account. For details, please see the Exporting Controls section of our KCM GRC: How to Export Data in the Compliance Management Module.
• We've improved the scoped requirements CSV export to include the requirement notes from your account. For details, please see the Exporting Scoped Requirements section of our KCM GRC: How to Export Data in the Compliance Management Module.
• We’ve improved the tasks CSV export to include the task notes from your account. For details, please see the Exporting Tasks section of our KCM GRC: Data Exports Guide.
• We’ve improved the Risk Register CSV export to include affected asset details for your risks. To learn more, please see the Exporting Risks section of our KCM GRC: Risk Management: Risk Register article.
• We've improved the Create Control window when you create controls from scoped requirements. Now, you will see a full Create Control for Requirement page that includes the requirement's Requirement Details and Guidance, when applicable. For more information about creating controls, see our KCM GRC: Creating and Importing Controls article.
• The following new Managed Templates are now available. Contact your Customer Success Manager to have additional templates added to your account:
  • CAIQ v4.0.2
  • Web Content Accessibility Guidelines (WCAG) v2.1

• Now, when you disable a user in your account, the user will be removed from the user groups that you've created for controls, when applicable. For more information about disabling users, please see the Disabling User Accounts and Transferring Responsibilities section of our KCM GRC: How to Create and Manage User Accounts article. 
• When importing vendors into your account, we've made the following headers optional: mail_address, city, state, postal_code, country, phone, and status. Please see our KCM GRC: How Do I Import Vendors Into My Account With a CSV File? article for more information. 
• If you have archived controls in your account that were previously mapped to risks in your risk register, as of September 13, 2021, you will notice a change in the residual risk score for these applicable risks. This is due to the following change: 
  • We resolved an issue where the residual risk score was not updating after a control was archived. Now, when you archive a control, all residual risk scores that were associated with an archived control will update. To learn more about risk scores, please see KCM GRC Risk Management: Risk Scoring.
• The following new Managed Templates are now available. Contact your Customer Success Manager to have additional templates added to your account:
  • Customs Trade Partnership Against Terrorism - Consolidators v3.2020
  • Customs Trade Partnership Against Terrorism - US Customs Brokers v3.2020

• We've added an Affected Asset field to the risks in your Risk Register. Now, you can describe any assets that your risks may affect. 
• We've added several Data Exports to your platform for the Policy Management module. To learn more, see KCM GRC: How to Export Data in the Policy Management Module.
• We've added the option to delete scope exports from your platform. For more information about deleting scope exports, please see the Creating and Downloading a Scope Export section of our KCM GRC: Scope Exports article. 
• We've fixed the following report that you can find on your Metrics page: Compliance Report by User. To learn more about this report, please see the Additional Reports section of our Metrics Reports article.  
• We added a Date Created column to the Risk Dashboard, and Risk Register, and View Risk pages. Now, you can sort your risks by how recently they were created. Please see KCM GRC Risk Management: Risk Register for more information about this column. 
• We resolved an issue where the residual risk score was not updating after a control was deleted. Now, when you delete a control, all risk scores that are associated with the control will update. To learn more about risk scores, please see KCM GRC Risk Management: Risk Scoring.
  
• You can now automatically create a control using a scoped requirement’s name and description. See Creating Controls from Requirements to learn more about this new feature.
• Based on customer feedback, we improved the Risk Management module by removing the Risk ID column from the Risk Dashboard, Risk Register, and Risk Exports pages. To learn more about the Risk Management module, please see Risk Management Overview.
• The following updated Managed Templates are now available. Contact your Customer Success Manager to have additional templates added to your account:
  • Bank Secrecy Act Examination Procedures v2014 to v2021 

• We resolved an issue where you were prompted to transfer responsibilities when disabling a Vendor User. You are no longer prompted to transfer responsibilities for the Vendor User user role. To learn more, see Disabling Users and Transferring Responsibilities.
• You can now send questionnaires to vendors when the Vendor Status is "Pending Approval". Previously, the Vendor Status had to be "Active" to send questionnaires. To learn more, please see Sending Vendor Questionnaires.
• The following updated Managed Templates are now available. Contact your Customer Success Manager to have additional templates added to your account:
  • California Consumer Privacy Act Final Text v12.2020 to v3.2021
  • IRS Publication 1075 v9.2016 to v8.2020
  • OWASP v4.0 to v4.0.2 (all levels)
  • Technology Risk Management Checklist Framework - Monetary Authority of Singapore v6.2013 to v1.2021

• We've added several CSV exports to your platform. You can now export information about the scoped requirements, controls, and vendors that you've added to your account.
  • We've also added the Data Exports page to your account. When you create a new CSV export, you will download the CSV file from the Data Exports page. To learn more, see our Data Exports Guide.
• The following updated Managed Templates are now available. Contact your Customer Success Manager to have additional templates added to your account:
  • Australian Privacy Act v12.2018 to v2.2021
  • Australian Government (ASD) Information Security Manual v3.2019 to v4.2021
  • CIS Critical Security Controls (all groups) v7.1 to v8
  • Cloud Computing Compliance Controls Catalogue v9.2017 to v2020
  • Cloud Security Alliance - Cloud Controls Matrix v3.0.1 to v4.0.1
  • Connecticut Insurance Data Security Law v7.2019 to v10.2020
  • Secure Software Lifecycle Requirements and Assessment Procedures v1.0 to v1.1
  • Singapore Personal Data Protection Act v11.2012 to v06.2021
  • UK Cyber Security Essentials v2.1 to v2.2
  • UK Ministry of Defense - Defense Standard 05-138 Issue 2 High Profile to UK Defence Cyber Protection Partnership v6.2020 High Profile
  • UK Ministry of Defense - Defense Standard 05-138 Issue 2 Moderate Profile to UK Defence Cyber Protection Partnership v6.2020 Moderate Profile
  • UK Ministry of Defense - Defense Standard 05-138 Issue 2 Low Profile to UK Defence Cyber Protection Partnership v6.2020 Low Profile
  • VDA - Trusted Information Security Assessment Exchange (TISAX) v4.1.1 to v5.0.4

• We've added Policy Templates under your Policy Management module! Visit the Policy Templates page to download templates and customize policies for your organization. To learn more, see KCM GRC: Policy Templates.
  • In addition to KCM GRC's policy templates, our customers are eligible for a 25% discount when purchasing the Altius IT Policy Collection. See the Policy Templates page in your account to learn more.
• We've added two new Standardized Information Gathering (SIG) questionnaire templates for you to use when creating a questionnaire in your Vendor Risk Management module:
  • 2021 SIG Core
  • 2021 SIG Lite
  Please note, KCM GRC pre-defines the "correct" answers for the questions in our questionnaire templates. The KCM GRC system has defined "N/A" as the correct answer for questions in both SIG 2021 templates:
  • There are 37 N/A answers in 2021 SIG Core.
  • There are 23 N/A answers in 2021 SIG Lite.
  Please refer to this guide to learn more about these questions and why KCM GRC has defined N/A as the correct answer.

• We've made enhancements to our scope export feature. Now, each scope that you export will include all of its requirements and the controls that they are mapped to. For more information please see our Scope Exports article.
  • Previously, scope exports only contained the requirements and controls where one or more tasks had been created for the control.

• We've improved scope exports by adding task names to the folders that contain evidence files, within your scope export folder. To learn more see the Understanding the File Structure section of our Scope Exports article.
• The following updated Managed Templates are now available. Contact your Customer Success Manager to have additional templates added to your account:
  • FedRAMP High Baseline Controls v8.2018 to v6.2020
  • FedRAMP Moderate Baseline Controls v8.2018 to v6.2020
  • FedRAMP Low Baseline Controls v8.2018 to v6.2020
  • FedRAMP LI-SaaS Baseline Controls v8.2018 to v6.2020
  • Standardized Information Gathering (SIG) Core Full v2020 to v2021

• The following new Managed Templates are now available. Contact your Customer Success Manager to have additional templates added to your account:
  • NIST 800-53 High Baseline Rev 5
  • NIST 800-53 Moderate Baseline Rev 5
  • NIST 800-53 Low Baseline Rev 5
  • NIST 800-53 Privacy Baseline Rev 5

• We've added a robust guide to our knowledge base for your users who are assigned to approve tasks for controls: Monitoring and Approving Tasks (a Guide for Approving Managers). This guide will explain the following for users who are assigned to a task as an Approving Manager, Second-level Approving Manager, or Group Lead: 
  • How do I know if I need to approve a task?
  • How do I monitor my upcoming tasks?
  • How do I navigate my account?
  • Understanding task requirements
  • Reviewing evidence and approving tasks
• As of January 15, 2021, the 192.254.121.248 IP address is no longer being used to send emails from the KCM GRC platform. If you have whitelisted notifications from KCM GRC, please see our Whitelisting Notifications from KCM GRC article for the latest whitelisting information.
• We've added a Templates column to the Map Requirement to Scope window (click to view example). When a new version of a managed template is released, this column can simplify the process of updating your scope.
  
  ×

  New Column: Templates

  

  Close
• The following new Managed Templates are now available. Contact your Customer Success Manager to have additional templates added to your account:
  • NERC CIP Cyber Security — BES Cyber System Categorization CIP-002-5.1a
  • NERC CIP Cyber Security — Security Management Controls CIP-003-8
  • NERC CIP Cyber Security — Personnel & Training CIP-004-6
  • NERC CIP Cyber Security — Electronic Security Perimeters CIP-005-6
  • NERC CIP Cyber Security — Physical Security of BES Cyber Systems CIP-006-6
  • NERC CIP Cyber Security — Systems Security Management CIP-007-6
  • NERC CIP Cyber Security — Incident Reporting and Response Planning CIP-008-6
  • NERC CIP Cyber Security — Recovery Plans for BES Cyber Systems CIP-009-6
  • NERC CIP Cyber Security — Configuration Change Management and Vulnerability Assessments CIP-010-3
  • NERC CIP Cyber Security — Information Protection CIP-011-2
  • NERC CIP Cyber Security — Supply Chain Risk Management CIP-013-1
  • NERC CIP Physical Security CIP-014-2
  • Payment Application Data Security Standard
  • Standardized Information Gathering (SIG) Core Full v2020
• The following updated Managed Templates are now available. Contact your Customer Success Manager to have additional templates added to your account:
  • Secure Controls Framework v2020.3 to v2021.1

• We've added the ability to download a CSV file of your Detailed Compliance Reports.
• The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):
  • California Consumer Privacy Act Final Text
  • California Consumer Privacy Act Amendment AB713
  • South Africa - Protection of Personal Information Act (POPI Act)
• The following updated Managed Templates are now available for your account (contact your Customer Success Manager to have additional Templates added to your account):
  • UK Cyber Security Essentials v2.0 to v2.1

• We've made the following changes under the Vendor Risk Management module portion of your platform:
  • The Consensus Assessment Initiative Questionnaire (CAIQ) v3.1 Lite questionnaire template has been added to the questionnaire builder.
  • When creating a questionnaire, you can now format custom questions to use multiple lines. When typing, press the Return or Enter button on your keyboard and your formatting will be saved.
• Under the Risk Management module, you can now format a Risk Description to use multiple lines. When typing, press the Return or Enter button on your keyboard and your formatting will be saved.
• The following updated Managed Templates are now available for your account (contact your Customer Success Manager to have additional Templates added to your account):
  • SAE18 SOC2 TSC vAT-C 105/205 to v3.2020

• The following updated Managed Templates are now available for your account (contact your Customer Success Manager to have additional Templates added to your account):
  • NIST 800-53 Rev 4 to Rev 5
• You can now navigate to the list of Managed Templates that we offer directly from your platform. From the top right-hand side of your account, click Support > View Managed Templates.
• You can now navigate to KnowBe4's Community Discussion boards directly from your platform. From the top right-hand side of your account, click Support > Community Board. 
  • KCM GRC offers a Feature Request board and a General Discussion board. The General Discussion board is a great place where you can connect with other KCM customers and discuss aspects of your KCM GRC platform.

September 2019

• Regarding the Questionnaire Templates offered under the Vendor Risk Management (VRM) module, we've resolved an issue where the incorrect answer was considered the 'correct answer' for vendor responses. This change affects any questionnaire that includes the question(s) below. Therefore, this will also update the Vendor Score for all applicable vendors. For more information, please reach out to our Support team.
  • Affected Questionnaire Templates: 2019 SIG Lite, 2019 SIG Full
    • Affected Questions: D.7 Are Constituents able to view client's unencrypted Data?
      • The 'correct answer' has been changed from "Yes" to "No"
• Regarding the Vendor Risk Management (VRM) module, we've fixed an issue in the questionnaire builder where the question text wasn't fully visible if it were longer than a single line. 
  • This issue also impacted "free-form" responses from vendors. The issue has now been resolved.
• Regarding the Vendor Risk Management (VRM) module, we've fixed an issue where questionnaire questions were displayed in an incorrect order for vendor users and for KCM administrators when they were completing or reviewing questionnaires, respectfully. 
• The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):
  • Connecticut Insurance Data Security Law
  • Lexcel England and Wales for In-house Legal Departments
  • Lexcel England and Wales for Legal Practices
  • Lexcel International
  • Portugal Data Protection Law
  • Sarbanes Oxley Act
  • UK Data Protection Act

August 2019

• If you're using OneLogin or Okta as your SSO/SAML provider, you can configure your single sign-on by adding the "KCM GRC Platform" application to your provider's portal. See this article for more information. 
• The following enhancements have been made to the Vendor Risk Management (VRM) Module:  
  • Regarding evidence due dates when using EDR, you can now override the default Effective Date Range Settings (found under Account Settings) on a per-control basis. See this article for more information. 
  • You can now manually offset the Vendor Score found under each vendor profile. From the Vendor Details page, click the Update button to change the existing Vendor Score.
  • You can now include informational questions in your vendor assessments. These questions are not counted against the questionnaire score.
  • Vendor Users can now edit their questionnaire answers after they have been saved, before the questionnaire has been finalized.
  • You can now permanently delete vendor profiles from the Vendor List area of your VRM module.
  • You can now permanently delete questionnaires from the Questionnaire List area of your VRM module.
  • Fixed an issue in the questionnaire builder where you could save questions without adding answer options and were unable to configure the questionnaire as a result.
• Fixed an issue where auditor users were able to view tasks that had not been approved by an approving manager. Auditor users can only see tasks and task evidence that has been approved. See this article for more information about KCM user role permissions. 
• The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):
  
  • Australian Privacy Act
  • Australian Prudential Standard CPS 234
  • BDSG - German Federal Data Protection Act
  • MDSAP - Australia: Therapeutic Goods (Medical Devices) Regulations
  • MDSAP - Brazil: RDC (16, 23, 67)
  • MDSAP - Canada: Medical Devices Regulations
  • MDSAP - Japan: MHLW MO 169
  • MDSAP - USA: Title 21 Food and Drug Regulation
  • New Hampshire Senate Bill 193 v8.2019
  • Privacy Shield Framework - EU-US
  • Privacy Shield Framework - Swiss-US
  • Texas House Bill 4390 - Privacy Protection Act

July 2019

• The KCM GRC platform now supports single sign-on and SAML 2.0 to allow your users to quickly and easily log in to KCM using your organization's single sign-on, without having to set up or use a password. See this article for more information.
• Under the Policy Management module, we've fixed an issue where "Invalid Date" was incorrectly showing under Policy Management > Campaigns > Campaign Name > Users tab (in Safari browsers). 
• We've updated the Quarterly Product Update video in our Knowledge Base. This video covers new features that have been added to the KnowBe4 product line over the previous quarter.
• The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):
  • Brazilian Data Protection Law (LGPD)
  • Commonwealth of Virginia Hosted Environment Information Security Standard SEC 525
  • FERPA
  • Financial Conduct Authority Handbook (UK)
  • Interagency Guidelines - Information Security Standards
  • ISO 27002
  • Texas Administrative Code §202 - State Agencies
  • Texas Administrative Code §202 - Institutions of Higher Education
  • UK Public Sector Network Code of Connection
• The following are updated Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):
  • CJIS Security Policy v5.8
  • HIPAA Privacy and Breach Rule
  • HIPAA Security Rule

• The following enhancements have been made to the Vendor Risk Management (VRM) Module:
  • When reviewing vendor questionnaires, you can now filter questions by the following: incorrect answers, answers with attachments, answers with issues, and informational questions.
  • When reviewing vendor questionnaires, incorrect answers are now visually notated by a red line on the left-hand side of the question.
• In response to the significant growth of KCM GRC, the architecture of your platform was upgraded on July 17, 2019. This upgrade improves performance and allows us to better serve you by streamlining platform administration and maintenance.

June 2019

• The following enhancements have been made to the Vendor Risk Management (VRM) Module:
  • When creating questionnaires, you can now upload a CSV file of custom questions. See here for details.
  • When reviewing questionnaires, you can now change the score of vendor responses from the Questionnaire Review and Issue Details pages.
  • When sending (scheduling) a questionnaire, you can set a suggested due date. The questionnaire assessee will see the due date in their email notification, and in their vendor portal.
  • A Scheduled Questionnaires Calendar has been added to the Vendor Management Dashboard. All questionnaires are listed on the day were sent or will be sent. 
  • You can now cancel active questionnaires from the Assigned Questionnaires tab, under the Vendor Details page.
  • You can now cancel questionnaire schedules (questionnaires to be sent) from the Schedules tab, under the Vendor Details page.
  • If your vendor did not receive the email notification for their assigned questionnaire, you can now generate and send their login link from the Assigned Questionnaires tab, under the Vendor Details page.
  • You can now archive questionnaires that have not been sent or scheduled.
  • Vendor Administrator users can now view vendor profiles and questionnaires that have been archived. See this article to learn more about KCM user role privileges. 
• The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):
  • Gramm-Leach-Bliley Act Privacy Rule
  • Gramm-Leach-Bliley Act Safeguard Rule
  • IRS Publication 1075

May 2019

• You can now follow this article to stay informed of the new and updated Managed Templates available for your account. Our team ensures we have the up-to-date versions of these frameworks available for your use. Contact your Customer Success Manager to have additional templates added to your account.
• The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):
  • ASD Information Security Manual v3.2019
  • Commonwealth of Virginia ITRM Standard SEC501 v10.1
  • UK Ministry of Defence - Defence Standard Low Profile
  • UK Ministry of Defence - Defence Standard Moderate Profile
  • UK Ministry of Defence - Defence Standard High Profile
• The following are updated Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):
  • CIS Critical Security Controls Group 1 7.1
  • CIS Critical Security Controls Group 2 7.1
  • CIS Critical Security Controls Group 3 7.1

April 2019

• The Vendor Risk Management (VRM) module was released.
  • The VRM module lets you centralize your third-party risk management processes by prequalifying risk, assessing your vendors, and conducting remediation efforts in your KCM GRC platform. See our Introduction Guide to learn more.
• Updates were made to the User Roles available in your account. This includes updates to the User Management and User Profile pages in your account. See more information in our Working with Users article.
• You can now manage evidence submission settings (DocuLinks and documents) at the scope level–in addition to the account-wide settings. See more information in our Managing Account Settings article, here.
• The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):
  • NCUA ACET v1.0
  • DFARS NIST 800-171 SA v11.2017
  • HMG Security Policy v1.0
  • Massachusetts Data Privacy Regulation v2009
• The following are updated Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):
  • CIS Critical Security Controls 7.1
  • CCIS Critical Security Controls 7 to 7.1_Changes

March 2019

• The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):
  • PCI DSS SAQ A
  • PCI DSS SAQ B
  • PCI DSS SAQ B-IB
  • PCI DSS SAQ C
  • PCI DSS SAQ C-VT
  • PCI DSS SAQ D Merchants
  • PCI DSS SAQ P2PE
  • PCI DSS - SAQ D Service Providers v3.2.1
  • Secure Controls Framework
  • OWASP Level 1 v4.0
    
  • OWASP Level 2 v4.0
  • OWASP Level 3 v4.0

February 2019

• The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):
  • Financial Services Sector Coordinating Council (FSSCC) v1.0
  • NIST SP 800-171 Appendix E v2016
  • FedRAMP High Baseline Controls v8.2018
  • FedRAMP Moderate Baseline Controls v8.2018
  • FedRAMP Low Baseline Controls v8.2018
  • FedRAMP LI-SaaS Baseline v8.2018
  • NIST 800-53 High-Impact Baseline rev4
  • NIST 800-53 Moderate-Impact Baseline rev4 
  • NIST 800-53 Low-Impact Baseline rev4
  • International Traffic in Arms Regulations (ITAR) v12.2018
• The following are updated Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):
  • NIST 800-53 rev4

January 2019

• The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):
  • PCI DSS - Self-Assessment Questionnaire A-EP v3.2.1
  • AB-375 Consumer Privacy Act of California v1.0
  • NAIC MDL - Insurance Data Security Law v4th Quarter 2017
  • PIPEDA v12.2018
  • HITECH v2.2009
• The following are updated managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):
  • HIPAA Privacy and Breach v1.0
  • HIPAA Security Rule v1.0
  • PCI DSS Appendix A v3.2.1
  • CJIS Security Policy v5.7
  • SWIFT CSP v2019

December 2018

• New Managed Template now available (contact your Customer Success Manager to have additional Templates added to your account):
  • SSAE18 SOC2 TSC (AT-C 105/205)
• The ability to create Risk tags was added.
• Added a new tab called Risk Settings to the Account Settings page where you can manage custom categories and risk tags.
• You can now create, edit, delete, and CSV upload custom Risk templates.

November 2018

• New Managed Template now available (contact your Customer Success Manager to have additional Templates added to your account):
  • NIST SP 800-171 A
• Added the user role Risk Administrator.
• Added the ability to map controls to a risk.
• Added the Risk Management report. See here for more information.
• Added the ability to export the Evidence Repository to a CSV file.

October 2018

• The Risk Management Module has been added to KCM GRC.
  • Risk Management simplifies the processes of identifying, assessing, and managing the risks faced by your organization. See here for more information.
• The threat Quick Add screen was added. For more information, see here.
• The View Risk screen was added. See here for more information.
• Added the ability to upload risk templates with a CSV file from the Risk Templates screen.
• Added the ability to import risks to the risk registry with a CSV file.
• Added sample CSV files to download and use as a template when using a CSV file for imports.
• Added colors for the different Risk categories.

September 2018

• The ability to Clone Scopes was added.
• A new Managed Template is now available as a result of revisions to NIST SP 800-171 Rev. 1 (contact your Customer Success Manager to have additional Templates added to your account):
  • NIST SP 800-171 Rev. 1 (updated 06/07/2018)

June 2018

• Executive Reporting features have been added to KCM GRC.
  • Executive Reports give you the ability to send status reports for one or more Scopes at a frequency you choose. See here for more information.
• Two new Managed Templates are now available as a result of revisions to PCI DSS (contact your Customer Success Manager to have additional Templates added to your account):
  
  • PCI DSS v3.2.1:
    • The most current Template for this publication (supersedes PCI DSS v3.2)
  • PCI DSS Changes v3.2.1:
    • Consists only of the changes made to this publication since the previous KCM GRC Template (PCI DSS v3.2)

May 2018

• Multi-Factor Authentication is now available for your KCM GRC platform.
• New versions of Managed Templates are now available (contact your Customer Success Manager to have additional Templates added to your account):
  • CIS Critical Security Controls 7
  • NIST Cybersecurity Framework v1.1
  • NIST SP 800-171 Rev. 1 (Updated 2/20/2018)

April 2018

• New Managed Template now available (contact your Customer Success Manager to have additional Templates added to your account):
  • General Data Protection Regulation (GDPR)
• The Policy Management module was added to KCM GRC.
  • Policy Management allows you to easily track and manage your organization's policy distribution and user acknowledgments. See here for more information.

February 2018

• New Managed Template now available (contact your Customer Success Manager to have additional Templates added to your account):
  • UK Cyber Security Essentials 

January 2018

• Two new Managed Templates are now available as a result of revisions to NIST SP 800-171 (contact your Customer Success Manager to have additional Templates added to your account):
  • NIST SP800-171 2017:
    • The most current Template for this publication (supersedes NIST SP800-171 2015)
  • NIST SP 800-171 Changes 2015-2017:
    • Consists only of the changes made to this publication since the previous KCM GRC Template (NIST SP800-171 2015)

December 2017

• Improved reporting features, such as Gantt charts and additions to the Evidence Repository table

November 2017

• New and improved account settings features:
  • Ability to add a display name and company logo
  • Ability to restrict access to allow only certain IPs
  • Limit control and task documents to DocuLinks and/or uploads
  • Hide your console from KCM GRC support
  • Configure the time needed to prepare evidence for ongoing tasks, when using Effective Date Range (EDR) feature.
• Effective Date Range (EDR) feature release:
  • Allows admins to set start, end, and due date for tasks.
  • End date/Due dates are dependent on Frequency of task. Frequency settings can be manually adjusted in Account Settings.
  • Start, end, and due date can be modified within each Task.
• Set up an advanced, one-time task:
  • Allows admins to set up a one-time task with a start, end, and due date.