KnowBe4 Compliance Manager Glossary of Terms
This glossary contains terms and key concepts that will help you better utilize your KCM console, easing the burden of staying compliant year-round!
The order of the terms reflects the hierarchy of the KCM platform:
Templates -> Requirements -> Controls -> Tasks -> Evidence
Scopes tie all of these objects together.
-Scope Requirements Self-Assessment (Optional)
-Responsible User/User Responsible (Assignee)
-Effective Date Range
-Documents (File Upload)
--Scope Admin (Standard User Promoted To Admin)
A Scope is an umbrella structure to manage a series of related Requirements, Controls, and Evidence. A Scope is a way to describe the boundaries of a project or audit. Permissions, Reports, and Dashboards are divided up by Scope.
Scopes can represent separate physical locations, different ongoing compliance initiatives, remediation and audit findings, incident and vendor management, tracking projects, etc.
Scope Requirements Self-Assessment (Optional)
Each Scope has a set of Requirements. Each Requirement has a Self-Assessment question associated with it. You can set the answer for each Requirement in a Scope by either going through the Scope's Self-Assessment or each Requirement, individually.
You should mark the answer as:
-‘Met’ if this is a Requirement that you are meeting
-‘Not Met’ if you have not met the Requirement
-‘Not Applicable’ if the Requirement is not applicable to your organization for that Scope.
(You can later remove the Not Applicable Requirements from the Scope.)
The answers to the Self-Assessment questions determine your compliance percentage.
Each Scope can be exported so that the data can be saved for offline archiving. The format of this export is a zip file (which can be password protected) which will contain a series of HTML files that mimic the Detailed Compliance Report.
Compliance Templates are the highest level object within KCM. A Template is a repository or collection of Requirements that are related to one another. A Template can either be a ‘Managed Template’ which is created by and kept current by KnowBe4, or a ‘Custom Template’ which is created by the KCM customer to suit their needs.
These are common groups of Requirements that are created and managed by KnowBe4.
As of August 2017, the available Templates are:
- ISO 27001
- NIST SP800-53
- NIST Cyber Security Framework
- FFIEC Cybersecurity Assessment Tool
- CIS Critical Security Controls
- COSO Fundamentals
- ACCSC Accreditation
- NIST SP800-171 Protecting Controlled Unclassified Information
- SEC OCIE Cybersecurity Examination Initiative
- AICPA SSAE16 SOC 2 Trust Services Principles with Privacy
- Cloud Security Alliance - Cloud Controls Matrix 3
- New York State - Department of Financial Services - 23 NYCCT 500 Cybersecurity Requirements
- FDA 21 CFR Part 11 Requirements for Electronic Records.
- UK Cyber Security Essentials
The list of available Managed Templates will continue to grow.
Templates contain a group of Requirements that a KCM customer will create and manage. This can be anything from audit requirements and findings, state and local regulations, security best practices, vendor management, incident management, IT and non-IT based projects, and more.
A Requirement is a concrete statement that describes a compliance objective, audit finding, best practice, or other obligation that the organization is striving to achieve or correct.
Some examples of Requirements are:
- PCI DSS 1.1.2 – Current Network Diagram – There must exist a current network diagram with all connections to cardholder data, including any wireless networks.
- HIPAA 164.308(a)(2)(ii) – Facility Security Plan – Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
- Internal IT Audit FY2015 – Finding #4 Missing Security Patches – The following servers did not have the most recent security patches applied: SERVER1.
Controls can be thought of as the method, evidence or proof that demonstrates how you are meeting your various Requirements. Controls are a document, process, technical implementation, or other action that relates to one or more Requirements.
It is recommended that the Control description be very detailed. The Control description should include what the Control is, how to review and assess the Control, what type of Evidence is expected as a result of a review, and where that Evidence should be placed. The Control description is used in the Task reminder emails and in the Detailed Compliance Reports. If you should need to change ownership of the Control, providing these details will make it much easier for the new user to understand what is expected.
Examples of Controls are:
- Disaster Recovery Policy and periodic review and testing of the policy
- Active Directory password configuration settings review
- Apply the latest patches to SERVER1
- Collect Security and Privacy documentation from VENDOR
- Review and Document Incident
Responsible User/User Responsible (Assignee)
Responsible Users are assigned specific Tasks within a Control. The Responsible User will provide documentation and Evidence that the Control has been evaluated. Responsible Users will receive reminder emails based on the due dates of upcoming Tasks.
For more information on the different user types in KCM, see Users.
For a simple hierarchy of the different user types in KCM, click here.
Approving Managers receive notification emails when the Responsible User has submitted Evidence for review. The Approving Manager can then determine if the Evidence is sufficient, accurate, and complete. The Approving Manager can accept the Evidence or decline. If the Evidence is declined, the Approving Manager can add notes to the Control to let the Responsible User know what may need to be amended.
Recurring Tasks can be scheduled on an Annual, Semi-annual, Quarterly, Monthly, or Weekly basis, and are assigned to the Responsible User to complete. Tasks may also be created on an ad-hoc basis, whenever they are needed outside of the recurring schedule.
You can add example Evidence or Template documents needed by the Responsible User to satisfy a Task. This is NOT a replacement for Evidence of Task completion. Control Documents are meant to provide an example of what the evidence should be, or to support the act of gathering evidence for a particular control.
- Blank management sign-off form
- Screenshot of a particular area in Active Directory
Tasks allow for the continuous monitoring of Controls. They give you an opportunity to collect Evidence relating to a Control on a periodic basis so you will be prepared when it is time for an audit.
Email reminders are sent to the Responsible User when a Task due date is approaching. These reminders go out 30 days prior, seven days prior, one day prior, on the due date, and every day for one week following the due date (when the task is considered past due).
Effective Date Range
You can choose whether or not you want to use Effective Date Range when setting up a Task Schedule for a Control.
If you choose to utilize Effective Date Range, you are choosing to specify the length of time that the Evidence submitted for a particular Task is valid- regarding the associated compliance Requirement or alternative objective.
Say you submit Network Access files and the date range of validity for the files is January 1, 2018 - December 31, 2017.
When setting a Task Schedule for these files-select "Yes" for "Use Effective Date Range", you would choose "Annually" for the Frequency and January 1, 2018 for the Start Date. The Effective Date Range would then be automatically set to end one year from the Start Date.
The due date for Evidence to be uploaded would be three months prior to the end date of the Effective Date Range, by default. The default Evidence due date can be changed in your Account Settings.
The Evidence area of KCM acts as a file/URL repository where you can store proof that Controls are in place and operating as they should be. Evidence can be provided in the form of file uploads or URLs that point to the Evidence. Evidence is always provided to a Task.
Documents (File Upload)
File upload is one way you can use KCM to store audit evidence. Each file that is uploaded is uniquely encrypted and stored securely in the cloud. Uploaded files are associated with a specific Task.
You should use the file upload feature if you are not currently using a central storage facility for audit evidence.
DocuLinks, or links to Evidence, is an option for storing audit evidence in KCM. If you are currently using a centralized storage area on your internal network for maintaining audit evidence, you do not need to upload files to KCM as well. By providing a URL to the Evidence, you get the benefits of linking that information to a specific Control or Task without storing files in multiple places.
Any web-based file storage application can be used, whether it's internal to your network or external, such as Sharepoint, Dropbox, Google Drive, Jira, etc.
KCM uses three different user types: Account Owners, Standard Users, and Auditors, as described below. For a simple hierarchy of different user types in KCM, see our KCM: User Types article.
Administrators have complete control over all aspects of the KCM application. You can create custom Templates, assign responsibilities, create and update Controls, adjust mappings of various objects, etc. As an Account Owner you are also presented with a Global Dashboard which shows all Tasks for the organization, as well as some other useful information that pertains to the entire account. An Account Owner is allowed to see all objects within an account.
Standard Users are only presented with the information they need to satisfy a Task and to provide Evidence that a Task is satisfied. From My Dashboard, they can see the Tasks that are assigned to them as well as their status and when they are due. Standard Users have limited ability within KCM.
Scope Admin (Standard User promoted to Scope Admin)
Standard Users that are promoted to Scope Admin are only presented with the information they need to manage items within a particular Scope. Scope Admins can satisfy Tasks and modify Controls that are within their Scope. Scope Admins can see Reports and have access to the Global Dashboard which displays information for their Scopes. Scope Admins cannot create new users or see items that are outside of their Scope.
Auditor accounts are used to give a reviewer, assessor, consultant, board member, or auditor read-only access to one or more Scopes. An Auditor can see Reports for the Scopes you give them access to. Reports contain the Requirements, Controls, and Evidence related to a given project.