KnowBe4 Compliance Manager Glossary of Terms
This glossary contains terms and key concepts that will help you better utilize your KCM console, easing the burden of staying compliant year-round!
Compliance Templates are the highest level object within KCM. A Template is a repository or collection of Requirements that are related to one another. A Template can either be a ‘Managed Template’ which is created by and kept current by KnowBe4, or a ‘Custom Template’ which is created by the KCM customer to suit their needs.
Managed Templates are common groups of Requirements that are created and managed by KnowBe4.
As of August 2017, the available Templates are:
- ISO 27001
- NIST SP800-53
- NIST Cyber Security Framework
- FFIEC Cybersecurity Assessment Tool
- CIS Critical Security Controls
- COSO Fundamentals
- ACCSC Accreditation
- NIST SP800-171 Protecting Controlled Unclassified Information
- SEC OCIE Cybersecurity Examination Initiative
- AICPA SSAE16 SOC 2 Trust Services Principles with Privacy
- Cloud Security Alliance - Cloud Controls Matrix 3
- New York State - Department of Financial Services - 23 NYCRR 500 Cybersecurity Requirements
- FDA 21 CFR Part 11 Requirements for Electronic Records
The list of available Managed Templates will continue to grow.
Custom Templates contain a group of Requirements that a KCM customer creates and manages. These can cover audit requirements and findings, state and local regulations, security best practices, vendor management, incident management, IT and non-IT projects, and more.
A Requirement is a concrete statement that describes a compliance objective, audit finding, best practice, or other obligation that the organization is striving to achieve or correct.
Some examples of Requirements are:
- PCI DSS 1.1.2 – Current Network Diagram – There must exist a current network diagram with all connections to cardholder data, including any wireless networks.
- HIPAA 164.308(a)(2)(ii) – Facility Security Plan – Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
- Internal IT Audit FY2015 – Finding #4 Missing Security Patches – The following servers did not have the most recent security patches applied: SERVER1.
A Scope is an umbrella structure for managing a series of related Requirements, Controls, and Evidence. A Scope describes the boundaries of a project or audit. Permissions, Reports, and Dashboards are divided up by Scope.
Scopes can represent separate physical locations, different ongoing compliance initiatives, remediation and audit finding tracking projects, incident and vendor management, etc.
Scope Requirements Self-Assessment (Optional)
Each Scope has a set of Requirements. Each Requirement has a Self-Assessment question associated with it. You can set the answer for each Requirement in a Scope by going through the Scope Self-Assessment or each Requirement individually. You should mark the answer as ‘Met’ if this is a Requirement that you are meeting, ‘Not Met’ if not, and ‘Not Applicable’ if the Requirement is not applicable to your organization for that Scope. You can later remove the Not Applicable Requirements from the Scope.
The answers to the Self-Assessment questions determine your compliance percentage.
Each Scope can be exported so that the data can be saved for offline archiving. The export is a zip file (which can be password protected) containing a series of HTML files that mimic the Detailed Compliance Report.
Controls can be thought of as the evidence or proof that demonstrates how you are meeting your various Requirements. Controls are a document, process, technical implementation, or other action that relates to one or more Requirements.
It is recommended that the Control description be very detailed. The Control description should state what the Control is, how to review and assess the Control, what type of Evidence is expected as a result of a review, and where that Evidence should be placed. The Control description is used in the Task reminder emails and in the Detailed Compliance Reports. If you need to change ownership of the Control, a detailed description makes it much easier for the new user to understand what is expected.
Examples of Controls are:
- Disaster Recovery Policy and periodic review and testing of the policy
- Active Directory password configuration settings review
- Apply the latest patches to SERVER1
- Collect Security and Privacy documentation from VENDOR
- Review and Document Incident
Responsible User (Assignee)
Responsible Users are assigned Tasks based on a testing schedule. The Responsible User will provide documentation and Evidence that the Control has been evaluated. Responsible Users will receive reminder emails based on the due dates of upcoming Tasks.
Approving Managers receive notification emails when the Responsible User has submitted Evidence for review. The Approving Manager can then determine whether the Evidence is sufficient, accurate, and complete, and accept or decline it. If the Evidence is declined, the Approving Manager can add notes to the Control to let the Responsible User know what may need to be amended.
Recurring Tasks can be scheduled on an Annual, Semi-annual, Quarterly, Monthly, or Weekly basis, and are assigned to the Responsible User to complete. Tasks may also be created on an ad-hoc basis, whenever they are needed outside of the recurring schedule.
You can add example Evidence or Template documents that the Responsible User needs to satisfy a Task. This is NOT a replacement for Evidence of Task completion. Control Documents are meant to provide an example of what the Evidence should be, or to support the act of gathering Evidence for a particular Control. Examples of Control Documents are:
- Blank management sign-off form
- Screenshot of a particular area in Active Directory
Tasks allow for the continuous monitoring of Controls. They give you an opportunity to collect Evidence relating to a Control on a periodic basis so you will be prepared when it is time for an audit.
Email reminders are sent to the Responsible User when a Task due date is approaching. These reminders go out 30 days prior, seven days prior, one day prior, on the due date, and every day for one week following the due date (when the task is considered past due).
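The reminder schedule above can be worked through with a small scheduler. The following is an added example, not KCM's own code: it assumes a constructed list of Tasks (ids, assignees and due dates are invented) and a hypothetical `reminders_due(tasks, today)` function that returns which reminder, if any, each Responsible User would receive on a given day. Note how the past-due window is the seven days after the due date and nothing later.

```python
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Offsets (in days) from the Task due date on which a reminder goes out:
# 30 days prior, seven days prior, one day prior, on the due date, and
# every day for one week after the due date (the Task is then past due).
REMINDER_OFFSETS = [-30, -7, -1, 0] + list(range(1, 8))


def reminder_kind(due: date, today: date) -> Optional[str]:
    """Name the reminder scheduled for `today` for a Task due on `due`.

    Returns None when no reminder is scheduled for that day.
    """
    delta = (today - due).days
    if delta == -30:
        return "30 days prior"
    if delta == -7:
        return "seven days prior"
    if delta == -1:
        return "one day prior"
    if delta == 0:
        return "due today"
    if 1 <= delta <= 7:
        return f"past due ({delta} day{'s' if delta > 1 else ''})"
    return None


def reminder_dates(due: date) -> List[date]:
    """All calendar dates on which a reminder is sent for a Task due on `due`."""
    return [due + timedelta(days=offset) for offset in REMINDER_OFFSETS]


def is_past_due(due: date, today: date) -> bool:
    """A Task is past due once its due date has passed."""
    return today > due


def reminders_due(tasks, today: date) -> List[Tuple[str, str, str]]:
    """Return (assignee, task_id, reminder) for every Task that needs a reminder today.

    `tasks` is an iterable of (task_id, assignee, due_date) tuples.
    """
    out = []
    for task_id, assignee, due in tasks:
        kind = reminder_kind(due, today)
        if kind is not None:
            out.append((assignee, task_id, kind))
    return out


# Constructed sample Tasks (hypothetical ids, users and dates).
SAMPLE_TASKS = [
    ("TASK-1", "alice", date(2017, 8, 31)),   # quarterly AD password settings review
    ("TASK-2", "bob", date(2017, 9, 7)),      # annual DR policy review
    ("TASK-3", "carol", date(2017, 8, 1)),    # patch review, long past due
]

if __name__ == "__main__":
    for assignee, task_id, kind in reminders_due(SAMPLE_TASKS, date(2017, 8, 31)):
        print(f"email {assignee}: {task_id} - {kind}")
```

On 31 August 2017 the sample schedule produces two emails: Alice's Task is due today and Bob's is seven days out; Carol's Task is more than a week past due, so the daily past-due reminders have already stopped.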
The Evidence area of KCM acts as a file/URL repository where you can store proof that Controls are in place and operating as they should be. Evidence can be provided in the form of file uploads or URLs that point to the Evidence. Evidence is always provided to a Task.
Documents (File Upload)
File upload is one way you can use KCM to store audit evidence. Each file that is uploaded is uniquely encrypted and stored securely in the cloud. Uploaded files are associated with a specific Task.
You should use the file upload feature if you are not currently using a central storage facility for audit evidence.
DocuLinks, or URLs to Evidence, are another way of using KCM to store audit Evidence. If you are already using a centralized storage area on your internal network for maintaining audit Evidence, you do not need to upload files to KCM as well. By providing a URL to the Evidence, you get the benefit of linking that information to a specific Control or Task without storing files in multiple places.
Any web-based file storage application can be used, whether it is internal to your network or external, such as SharePoint, Dropbox, Google Drive, Jira, etc.
KCM uses three different user types: Account Owners, Regular Users, and Auditors, as described below.
Account Owners (administrators) have complete control over all aspects of the KCM application. You can create custom Templates, assign responsibilities, create and update Controls, adjust mappings of various objects, etc. As an Account Owner you are also presented with a Global Dashboard, which shows all Tasks for the organization as well as other useful information that pertains to the entire account. An Account Owner is allowed to see all objects within an account.
Regular Users are only presented with the information they need to satisfy a Task and to provide Evidence that a Task is satisfied. From My Dashboard, they can see the Tasks that are assigned to them as well as their status and when they are due. Regular Users have limited ability within KCM.
Scope Admin (Regular User promoted to Scope Admin)
Regular Users that are promoted to Scope Admin are only presented with the information they need to manage items within a particular Scope. Scope Admins can satisfy Tasks and modify Controls that are within their Scope. Scope Admins can see Reports and have access to the Global Dashboard which displays information for their Scopes. Scope Admins cannot create new users or see items that are outside of their Scope.
Auditor accounts are used to give a reviewer, assessor, consultant, board member, or auditor read-only access to one or more Scopes. An Auditor can see Reports for the Scopes you give them access to. Reports contain the Requirements, Controls, and Evidence related to a given project.
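The four user types describe a Scope-bounded, least-privilege permission model. The following is an added example, not KCM's own code or API: it encodes the rules stated in this section as a deny-by-default `is_allowed` check. The role and action names, the `scopes` attribute (the Scopes a Scope Admin administers or an Auditor has been granted), and the rule that a Regular User may only act on Tasks assigned to them are assumptions made for the example; the user and Scope names are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class Role(Enum):
    ACCOUNT_OWNER = "account_owner"
    SCOPE_ADMIN = "scope_admin"      # a Regular User promoted for particular Scopes
    REGULAR_USER = "regular_user"
    AUDITOR = "auditor"              # read-only reviewer


class Action(Enum):
    CREATE_USER = "create_user"
    MODIFY_CONTROL = "modify_control"
    SATISFY_TASK = "satisfy_task"
    VIEW_REPORT = "view_report"


@dataclass(frozen=True)
class User:
    name: str
    role: Role
    # Scopes this user administers (Scope Admin) or has been granted (Auditor).
    scopes: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Task:
    task_id: str
    scope: str
    assignee: str   # the Responsible User


def is_allowed(user: User, action: Action, scope: Optional[str] = None,
               task: Optional[Task] = None) -> bool:
    """Deny-by-default authorization check following the glossary's user types."""
    # Account Owners see and control everything in the account.
    if user.role is Role.ACCOUNT_OWNER:
        return True
    # Only Account Owners can create users; Scope Admins explicitly cannot.
    if action is Action.CREATE_USER:
        return False
    if user.role is Role.AUDITOR:
        # Read-only: Reports for granted Scopes only.
        return action is Action.VIEW_REPORT and scope in user.scopes
    if user.role is Role.SCOPE_ADMIN:
        # Manage Controls and see Reports only inside their own Scopes.
        if action in (Action.MODIFY_CONTROL, Action.VIEW_REPORT):
            return scope in user.scopes
        if action is Action.SATISFY_TASK:
            return task is not None and task.scope in user.scopes
        return False
    if user.role is Role.REGULAR_USER:
        # Only the Tasks assigned to them (what My Dashboard shows).
        return action is Action.SATISFY_TASK and task is not None \
            and task.assignee == user.name
    return False


def visible_scopes(user: User, all_scopes: FrozenSet[str]) -> FrozenSet[str]:
    """Scopes whose Reports/Dashboard data a user may see."""
    if user.role is Role.ACCOUNT_OWNER:
        return all_scopes
    if user.role in (Role.SCOPE_ADMIN, Role.AUDITOR):
        return user.scopes & all_scopes
    return frozenset()   # Regular Users only get My Dashboard


# Constructed sample account.
ALL_SCOPES = frozenset({"HQ", "Branch"})
OWNER = User("owner", Role.ACCOUNT_OWNER)
HQ_ADMIN = User("hq_admin", Role.SCOPE_ADMIN, frozenset({"HQ"}))
ALICE = User("alice", Role.REGULAR_USER)
AUDITOR = User("auditor", Role.AUDITOR, frozenset({"Branch"}))
HQ_TASK = Task("TASK-1", "HQ", "alice")
BRANCH_TASK = Task("TASK-2", "Branch", "bob")
```

The check is written so that every branch must positively grant access; an unrecognised role, a missing Scope, or an action not listed for a role all fall through to `False`, which is the behaviour you want when new roles or actions are added later.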