This glossary contains terms and key concepts that will help you better utilize the Compliance Management module of KnowBe4's KCM GRC platform.
In addition to the terms listed below, you can find related concepts under each of these sections.
Controls
Controls can be thought of as the method, evidence, or proof that demonstrates how your organization is meeting various requirements. Controls are a document, process, technical implementation, or other action that relates to one or more requirements.
Examples of Controls:
- Disaster Recovery Policy and periodic review and testing of the policy
- Active Directory password configuration settings review
- Apply the latest patches to SERVER1
- Collect Security and Privacy documentation from VENDOR
- Review and Document Incident
We recommend making your control description very detailed. The description should include what the control is, how to review and assess the control, what type of evidence is expected as a result of a review, and where that evidence should be placed. If you should need to change ownership of the control's tasks, providing these details will make it much easier for the new user (or user group) to understand what is expected.
The control description is used in Detailed Compliance Reports. Additionally, when creating task schedules for your controls, by default, the control description will be used as the task description. Alternatively, you can modify the task description to be specific to the task. The task description is used in task reminder emails.
Additional Resources:
- Creating and Importing Controls
- Mapping Requirements and Controls
- Creating and Mapping Risk Controls
Control Task Schedules
Task schedules are created in order to automatically generate tasks for a control. Schedules can recur at one of the following intervals: weekly, monthly, bimonthly, quarterly, semiannually, annually, every two years, every three years, or every five years. A control can have multiple schedules.
If tasks are needed outside of a recurring schedule, you can create tasks on an ad-hoc basis by creating a one-time schedule.
When creating a task schedule for a control, you will assign a user to be responsible for completing the tasks under that schedule. Alternatively, under the user group workflow, the group lead can be assigned to the task schedule and can then re-assign each task to another member of their group.
Control Documents
Control documents are an optional way to submit an example of the evidence documents that are required of the user or users who are responsible for completing a task. While this is not a replacement for the evidence that is required for task completion, it is a way to support the act of gathering evidence for a particular control.
Examples of control documents:
- A blank management sign-off form
- A screenshot of a particular area in Active Directory
Additionally, you can use control documents to upload detailed instructions for completing a task. If you do so, when creating the task schedule, we recommend using the Task Description field to instruct the user to review the file that you've uploaded under control documents. From the View Task page, the user assigned to the task can view all of the control documents that have been uploaded to the associated control.
Control Health
The Control Health is the percentage of a control's scheduled tasks that are complete. This percentage includes tasks with Awaiting Approval, Closed Late, and Satisfied statuses. All completed tasks increase the Control Health by the same amount, regardless of status. For example, a task with a Closed Late status will increase the Control Health by the same amount as a task with a Satisfied status.
By viewing the Control Health, you can determine what percentage of a control's tasks you need to complete to reach 100%. Incomplete tasks have Failed and Past Due statuses, so completing tasks with those statuses will increase the Control Health.
Evidence
Evidence is provided to satisfy tasks, in order to support the control that you have in place for one or more requirements. Users can submit task evidence by uploading a file (referred to as a "Document") or, when the evidence is hosted outside KCM GRC, by providing a URL to it (referred to as a "Link").
From the Documents area of your platform, the Evidence tab contains a repository of the URLs (Links) and files (Documents) that have been submitted as evidence for the controls in your account. Users with the Auditor user role can navigate this repository of evidence and see that your organization's controls are in place and operating as they should be.
Additional Resources:
- How to Monitor and Complete Tasks
- How to Use the Documents Page
- How Can I Limit the Type of Evidence Submitted by My Users?
- Guide for Auditors
Documents (File Upload)
Uploading a document is one way you can use KCM GRC to store audit evidence. Each file that is uploaded is uniquely encrypted and stored securely in the cloud. Uploaded files are associated with a specific task.
We recommend using the file upload feature if you are not currently using a central storage facility for audit evidence. For more information, please see: Are there limitations for the various files uploaded to KCM GRC?
Links (URLs)
As an alternative to uploading documents as task evidence, you can provide a link (URL) that points to externally-hosted evidence. If you are currently using a centralized storage area on your internal network for maintaining audit evidence, you do not need to upload files to KCM GRC. By providing a URL to the evidence, you get the benefit of linking that information to a specific control (via a task) without storing files in multiple places.
Additionally, any web-based file storage application can be used, whether it is internal to your network or external, such as SharePoint, Dropbox, Google Drive, Jira, etc.
Requirements
A requirement is a concrete statement that describes a compliance objective, audit finding, best practice, or another obligation that the organization is striving to achieve or correct.
Some examples of requirements are:
- PCI DSS 1.1.2 – Current Network Diagram – There must exist a current network diagram with all connections to cardholder data, including any wireless networks.
- HIPAA 164.308(a)(2)(ii) – Facility Security Plan – Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
- Internal IT Audit FY2015 – Finding #4 Missing Security Patches – The following servers did not have the most recent security patches applied: SERVER1.
You can use requirements from the managed templates that are offered by KCM GRC, or you can create custom requirements. As a best practice for creating custom requirements, add them to a custom template, then convert the template to a scope to begin working toward achieving your requirements.
Additional Resources:
- Getting Started with the Compliance Management Module
- Creating Custom Templates for Scopes
- Converting Templates to Scopes
Scoped Requirements
When a requirement is added to a scope (by converting a template to a scope, by cloning a scope, or by mapping a requirement to a scope), a scoped version of the requirement is created under the scope. The scoped requirement has a one-to-one relationship with controls. This means that if a control applies to a requirement that is included in multiple scopes, you will map the control to each scoped version of the requirement. For more information, see our KCM GRC: Mapping Requirements and Controls article.
Scopes
A scope is an umbrella structure to manage a series of related requirements, controls, and evidence. A scope is a way to describe the boundaries of a project or audit. Under KCM GRC's Compliance Management module, user permissions and some reports are divided by scope.
For example, scopes can represent separate physical locations; different ongoing compliance initiatives; remediation and audit findings; incident and vendor management; or tracking a project.
Scopes are typically created from custom templates or managed templates.
Additional Resources:
- Getting Started with the Compliance Management Module
- Creating Custom Templates for Scopes
- Converting Templates to Scopes
- User Roles Guide
- Metrics Reporting Guide
Scope Self-Assessment
Each scope has a set of requirements. Each requirement has a self-assessment status. You can set the status for each requirement under a scope by completing the Scope Self-Assessment. For more information, see our Completing a Scope Self-Assessment article.
Scope Export
You can use our scope exports feature to export information about your scopes from your account. Exporting your scope information may be beneficial during an audit, or if you need to keep a record of the status of your controls and evidence at a particular point in time. See our Scope Exports article to learn more.
Scope Health
The Scope Health is the percentage of a scope's scheduled tasks that are complete. This percentage includes tasks with Awaiting Approval, Closed Late, and Satisfied statuses. All completed tasks increase the Scope Health by the same amount, regardless of status. For example, a task with a Closed Late status will increase the Scope Health by the same amount as a task with a Satisfied status.
By viewing the Scope Health, you can determine what percentage of a scope's tasks you need to complete to reach 100%. Incomplete tasks have Failed and Past Due statuses, so completing tasks with those statuses will increase the Scope Health.
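As a worked illustration of the Control Health and Scope Health rules above (an added example, not KCM GRC's own code or API): the statuses are the ones the page names; the task data, control ids and the control-to-scope mapping are constructed, and counting a control's tasks toward every scope the control is mapped into is an assumption.

```python
# Task statuses as named on the page. Every "complete" status counts equally toward
# health (Closed Late is worth as much as Satisfied); "incomplete" statuses count
# against it. Any other status is rejected so a mislabelled export cannot silently
# inflate or deflate the metric.
COMPLETE_STATUSES = {"Awaiting Approval", "Closed Late", "Satisfied"}
INCOMPLETE_STATUSES = {"Failed", "Past Due"}

# Constructed sample data (not from the page): each scheduled task carries the id of
# its control; each control is mapped to one or more scopes. Assumption: a control's
# tasks count toward every scope the control is mapped into via a scoped requirement.
TASKS = [
    {"id": 1, "control": "DR-policy-review", "status": "Satisfied"},
    {"id": 2, "control": "DR-policy-review", "status": "Closed Late"},
    {"id": 3, "control": "DR-policy-review", "status": "Past Due"},
    {"id": 4, "control": "AD-password-config", "status": "Awaiting Approval"},
    {"id": 5, "control": "AD-password-config", "status": "Failed"},
    {"id": 6, "control": "Patch-SERVER1", "status": "Satisfied"},
]
CONTROL_SCOPES = {
    "DR-policy-review": ["PCI DSS", "HIPAA"],
    "AD-password-config": ["PCI DSS"],
    "Patch-SERVER1": ["Internal IT Audit FY2015"],
}


def health(tasks):
    """Percentage of the given tasks that are complete, rounded to one decimal.

    Returns None when there are no scheduled tasks: 0/0 is undefined, and
    reporting 0% or 100% would misstate the state of the control or scope.
    """
    if not tasks:
        return None
    done = 0
    for task in tasks:
        status = task["status"]
        if status in COMPLETE_STATUSES:
            done += 1
        elif status not in INCOMPLETE_STATUSES:
            raise ValueError(f"unknown task status {status!r} on task {task['id']}")
    return round(100.0 * done / len(tasks), 1)


def control_health(tasks, control):
    return health([t for t in tasks if t["control"] == control])


def scope_health(tasks, control_scopes, scope):
    in_scope = {c for c, scopes in control_scopes.items() if scope in scopes}
    return health([t for t in tasks if t["control"] in in_scope])
```

With the sample data, DR-policy-review is at 66.7% (two of three tasks complete, the Closed Late task counting fully) and the PCI DSS scope at 60.0% (three of five tasks across its two controls).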
Tasks
Tasks allow for the continuous monitoring of controls. They provide an opportunity to collect evidence relating to a control on a periodic basis, so you will be prepared when it is time for an audit. Tasks are automatically created as part of an ongoing task schedule. Additionally, you can create a one-time task schedule, on an ad-hoc basis. For additional information, see the Controls section above.
Automated email reminders are sent to the user responsible for the task when the task's due date is approaching.
You have the option to assign one or more users to approve the evidence submitted for a task. To learn more, see the resources below.
Additional Resources:
- How to Work with Tasks for Controls
- Control Task Notifications
- Task Approval Workflows
- How to Monitor and Complete Tasks
- How to Monitor and Approve Tasks
Templates
Compliance templates are the highest-level object within KCM GRC. A template is a repository or collection of requirements that are related to one another. A compliance template can either be a managed template—which is created and kept up-to-date by KnowBe4—or a custom template created by the KCM GRC customer to suit their needs.
Custom Templates
Custom templates contain a group of requirements that a KCM GRC user creates and manages. These can include audit requirements and findings, state and local regulations, security best practices, vendor management, incident management, IT and non-IT projects, and more.
When creating scopes, we recommend you start with a template and convert it to a scope. That way, you can continue to utilize the template's requirements for additional compliance objectives, by adding them to additional scopes. For more information, please see our Creating Custom Templates for Scopes article.
Managed Templates
We offer a wide variety of managed templates for your use in the KCM GRC platform. Our team ensures that the up-to-date versions of the published frameworks are available for your use.
You can find a current list of the Managed Templates we offer here.
Users
The KCM GRC platform consists of four modules: Compliance Management, Policy Management, Risk Management, and Vendor Risk Management. There are multiple user roles associated with each of the KCM GRC modules.
See our User Roles Guide for more information on the permissions that are granted with each user role.
Additionally, see our Working with User Groups article if you'd like to learn how you can work with user groups in your compliance management module.