How Do I Use Policy Management in the KnowBe4 KCM GRC Platform?
The KCM GRC Policy Management module is a great tool for storing, managing, distributing, and tracking the various acknowledgments and agreements required of the employees in your organization.
Using the Policy Management module, you'll create campaigns consisting of policy agreements assigned to user groups. You can create these groups based on whatever parameters you'd like, such as office location, department, job role, start date, etc. These groups will be the driving factors of policy acknowledgment campaigns.
Your users will receive and acknowledge the policy agreements by email. Once your users acknowledge the policies, the acknowledgments will be recorded in your KCM GRC platform.
See the sections below to get started with and manage the KCM GRC Policy Management module.
Getting Started with Policy Management
Step One: Add Users to Manage Your Policy Management Campaigns
Step Two: Create User Groups for Policy Management Campaigns
Step Three: Add End Users to the Policy Management Module
- 1) Manually Create Users
- 2) Quick Import
- 3) CSV Import
Manage Users
Step Four: Adding Policies
- Uploading and Linking Policies
- Converting Evidence to Policies
Step Five: Creating Policy Campaigns
Monitoring and Managing Campaigns
User Experience
Getting Started with Policy Management
There are four types of KCM GRC users that are able to view and/or create, manage, and edit policy management campaigns:
- Account Administrator
- Policy Administrator
- Campaign Administrator
- Auditors (view only)
See here for more information about the various user roles in KCM GRC.
Each policy management campaign will have an owner. The campaign owner is the user who created the campaign. The campaign owner will be the user who receives campaign notifications intended for "Campaign Owners".
For more information, see item number seven under the Step Five: Creating Policy Campaigns section below.
Step One: Add Users to Manage Your Policy Management Campaigns
If you need users other than the Account Administrator(s) to manage policy acknowledgment campaigns, see the Creating New Users section of our Working with Users article for instructions on adding additional users to your console.
Adding policy management permissions for existing KCM GRC users:
If you already have users in your account who need access to policy management campaigns, you can edit the user and add a new role: Policy Administrator or Campaign Administrator.
See the Managing Users section of our Working with Users article for instructions.
Step Two: Create User Groups for Policy Management Campaigns
In order to assign policy acknowledgments to your end users, they must be in a user group.
You can create user groups based on job roles, office locations, or any other categorization that would cater to your organization's, or industry's policies. At a minimum, create an "All Employees" group if your organization's policies will apply to all personnel.
Once the groups are created, you'll be able to specify which group(s) the users will be a member of upon creating or importing them.
Follow the steps below to create groups in your Policy Management module.
- From the navigation menu on the left-hand side, select Policy Management, then Users & Groups.
- Click the Groups tab at the top-left, then the Create New Group button.
Step Three: Add End Users to the Policy Management Module
In order to send your end users policies to acknowledge, you'll add them to the Policy Management module. These end users will not be able to log in to KCM GRC, they're only added for the purpose of receiving policies by email.
Note:
End users added to the Policy Management module of the KnowBe4 Compliance Manager will not count against your purchased license count for KCM GRC.
For more information on your license count, please contact your Customer Success Manager.
KCM GRC Account Administrators, Policy Administrators, or Campaign Administrators can add end users to the Policy Management Module.
There are three different ways you can add/import your end users into the Policy Management module: 1) Manually create users, 2) Quick import, 3) CSV import.
1) Manually Create Users
If you only need to add one user to your policy management campaigns, you can manually add a single user by following the instructions below.
- From the navigation menu on the left-hand side, select Policy Management, then Users & Groups.
- From the Users tab, select the Create New User button.
- Fill out the required fields and click the Select Group(s) to Add Users To field to see the drop-down list of your user groups. Select all applicable groups for this user.
2) Quick Import
Using this method, you can type or paste a list of user email addresses, first names, and last names into the Quick Import form to upload users in bulk.
- From the navigation menu on the left-hand side, select Policy Management, then Users & Groups.
- Click the Import Users tab and then click the Quick Import toggle button, as shown below.
- Select the Import Users button.
3) CSV Import
Using this method, you can upload a CSV file of up to 5,000 users to add to your console. As a best practice, create a separate CSV file for each of the user groups you've added to your Policy Management module in Step 2.
- From the navigation menu on the left-hand side, select Policy Management, then Users & Groups.
- Click the Import Users tab and then click the CSV Import toggle button.
- Choose your CSV file using the Choose File button.
Note:
In order for the import to be successful, there must be no blank fields, and you must include the following headers in your CSV file: email, first_name, last_name.
Manage Users
You can manage your end users under the Users tab in the Policy Management module. You can add users to groups, view user information and acknowledgments history, edit/update basic profile information, and disable or enable end users.
- a) The top-level checkbox allows you to select all users.
- b) The checkboxes are used to select individual users.
- c) The drop-down menu is used to choose the group to add your user(s) to.
- d) The Add Selected to Group button allows you to add the selected user(s) to the selected group.
- e) The View icon allows you to view user information and acknowledgments history.
- f) The Edit/Update icon allows you to edit user information.
g) The Enable/Disable icon allows you to change a user's status between enabled or disabled in order to include or omit them from policy campaigns. - h) The Delete icon allows you to delete a user.
Step Four: Adding Policies
Your organization's policies can be added to KCM GRC as either an uploaded file or a link to a policy hosted online. The policy links can be internal to your network, or external (SharePoint, Dropbox, Google Drive, etc.). You can also use existing compliance evidence in your console to create a policy.
Details on Policy Uploads and Links:
- The accepted file types for uploading policies are: .png, .jpg, .jpeg, .gif, .bmp, .tif, .tiff, .txt, .pdf, .rtf, .eml, .msg, .csv, .doc, .docx, .xls, .xlsx, .ppt, .pptx
- The maximum file size for policy PDF files is 50MB; all other file types have a maximum size of 10MB.
- The file name of uploaded policies has a maximum character count of 100.
Linked Policies:
- The policy link must include a protocol (i.e., https://, http://, ftp://,sftp://, \\servername\, file:\\\, or file://).
- Policy links have a maximum character count of 2000.
Uploading and Linking Policies
Follow the instructions below to add new policies to the KCM GRC Policy Management module.
- From the navigation menu on the left-hand side, select Policy Management, then Policies.
- Click either the Upload Policies or Link Policies button.
- Upload Policies: Drag and drop files or click the upload field to choose a file.
- By default, the display name of the policy in KCM GRC will match the file name. The policy will be displayed by this name in your account and in the notification emails received by end users. You have the option of changing the policy's display name under Edit Uploaded Policies (shown below).
- Upload Policies: Drag and drop files or click the upload field to choose a file.
- Link Policies: In the first field, add an appropriate Display Name for the policy. This is how the policy will be displayed in KCM GRC, as well as in end users' emails. Add the policy's link in the Link field of the form and define the policy's Version and Description if you'd like. You can add several linked policies at one time (up to 5).
Converting Evidence to Policies
You can utilize existing evidence from your Evidence Repository to create policies for your users. Follow the instructions below to convert existing evidence to a policy.
- Navigate to the evidence document or doculink that you'd like to use as a policy. You'll be able to find evidence in your Evidence Repository or from the control for which the evidence was submitted.
- Click the document icon on the right-hand side of the page (see below). The new policy will be added to your account's Policy Management module–where you can then assign it to users through a policy campaign.
- When converting evidence files to policy files, keep in mind the file sizes limitations are still applicable.
Step Five: Creating Policy Campaigns
You'll set up campaigns in your KCM GRC Policy Management module in order to email policies to your end users and track the completion of user policy acknowledgments.
To create a campaign:
- From the navigation menu on the left-hand side, select Policy Management, then Campaigns.
- Click the Create Campaign button at the top-right. Then, complete the specifications outlined below.
1) Name:
First, name your policy campaign. Give the campaign a descriptive name that compliments the scope of the policy acknowledgments included in the campaign.
2) Start Date:
Specify the desired campaign start date, start time and your time zone.
The campaign must start at least 15 minutes after the time of the campaign's creation.
3) End Campaign:
You have three options for your policy campaign's end date. Having a deadline is recommended, as it gives users an incentive to acknowledge the required policies:
- First, you can set a specific end date using the Specify Date setting. This will be a hard deadline for your users to acknowledge the assigned policies, no matter when they are added to the policy campaign.
Link Expiration: This is where you specify the length of time that the link to review your policy will be active. - The second option is to set a Relative Duration. This option will give a deadline based on when users are added to the policy campaign and the "relative duration" from this enrollment date. The (optional) notifications you've set up for these types of campaigns will be sent out accordingly–based on the user(s) enrollment date.
Relative Duration: Specify the number of days, weeks, or months you'd like to allow your users to acknowledge their policy(ies).
Link Expiration: This is where you specify the length of time that the link to review your policy will be active.
Note:
As a best practice for Relative Duration campaigns, the Link Expiration should be the same length of time as the relative duration. When users receive policy campaign notifications for these campaigns, they are instructed to acknowledge the policy before the link expiration date. - The final option, No End Date, leaves the policy campaign open indefinitely. You can always alter the end date or cancel the campaign if you need to.
Link Expiration: This is where you specify the length of time that the link to review your policy will be active.
Note:
When users receive policy campaign notifications for No End Date campaigns, they are instructed to acknowledge the policy before the link expiration date.
4) Select Campaign Policy(ies):
Select the policy or policies you'd like to include in the campaign. The policies will be in the form of doculinks (linked URLs) or documents that you've uploaded to the Policy Management module of KCM GRC. You can add numerous policies to your campaigns. When making this selection, consider the types of policies and how often the policy acknowledgments are necessary for your organization.
5) Select Campaign Group(s):
Here you can specify which user groups you need to include in your policy campaign. For instance, if your organization has policies that are role-specific, you may want to create role-based policy campaigns, including role-based user groups. On the other hand, if your organization's policies apply to all users, you may want to include an "All Users" group to distribute policies to all personnel.
6) Automatically enroll users that are added in the future:
This checkbox will automatically enroll new users that you add to the groups assigned to this policy campaign.
7) Notifications:
There are five different notification types available with policy management campaigns. Notifications intended for the Campaign Owner will be sent to the creator of the policy management campaign.
Important:
Be sure to include notifications in your campaign setup. Notifications are how your users will receive links to read and acknowledge the campaign policy or policies. See below for details on each notification type.
- On Campaign Start (User): This email will be sent to all users once the campaign begins. It will include links to all policies included in the campaign.
- Before Acknowledgement Due (User): This email will be sent to all users who have not acknowledged their policies. You will specify how many days before the due date you'd like the notification to send. You can add multiple instances of this notification by specifying a different 'Number of Days' to send before due–for each different notification version.
- On Campaign Start (Campaign Owner): This email will notify the campaign owner (creator) that the campaign has been activated and includes the start date and time for the campaign.
- Before Campaign End (Campaign Owner): This email will notify the campaign owner (creator) of the campaign's end date and time. You will specify how many days before the due date you'd like the notification to send.
- On Campaign Completion (Campaign Owner): This email will notify the campaign owner that the policy campaign has ended. It includes a link to login to the KCM GRC console to view the policy campaign.
- On Campaign Enrollment (User) (Relative Duration and No End Date campaigns): This email will be sent to users–that are added after the campaign starts–upon their enrollment. It will include links to all policies included in the campaign.
Note:
If the policy campaign has a "Relative Duration" end date, the On Campaign Completion (Campaign Owner) notification type will not be an option since these campaigns do not have an expiration date.
Monitoring and Managing Campaigns
Once a campaign has started, you can monitor its progress and see which users have or have not acknowledged their assigned policies.
To view details of individual campaigns, navigate to Campaigns under Policy Management from the navigation menu on the left-hand side. Then click on the name of the campaign you'd like to view. You'll arrive at the screen shown below. Here, you can get an overview of the campaign and/or drill into the acknowledgment status of individual users.
Campaign Overview Screen:
Campaign Overview
From the campaign overview screen, you can see the total number of policies that need to be acknowledged for the campaign to be complete, as well as the percentage of policies that have been acknowledged thus far. On the right, you will see details of the campaign such as the status, the start and end date (if applicable), the number of users in the campaign, the groups included in the campaign, and the notifications that have been scheduled for the campaign.
Nudge Users:
By clicking this button you will automatically send reminder email notifications to the users who have not acknowledged their policy agreement(s). Once the Nudge Users button has been clicked you will be notified of how many emails were sent, see below for an example.
Users tab:
The Users tab will give you detailed information on each user's acknowledgment status. Here you can see the user's names, policy name(s), start date, date of the policy link expiration, the status of each user's acknowledgment, and the date they acknowledged the policy. You can also update/edit the campaign, Nudge Users to acknowledge their policies, and if necessary, force policy acknowledgment for users.
Members tab:
The Members tab will display all of the active users in your KCM GRC account who currently have access to the campaign you're viewing.
User Experience
Your users will receive emails that include links to the policies you've included in the policy campaign. The number of reminder emails the users receive is dependent on the number of policies.
Depending on the type of policy you've included in your campaign (doculink or uploaded file), the user interface will look similar to one of the two options below.
Uploaded Policy
The user will simply scroll through the policy you've uploaded to the Policy Management module. Once they've read and understood the policy, they will use the checkbox and click Submit to complete their policy acknowledgment.
If you'd like to add a custom logo to your KCM GRC account–and therefore your policy management campaigns–upload your organization's logo image in your Account Settings.
Doculink Policy
The user will simply click the link you've added to the Policy Management module in order to read the policy. Once they've read and understood the policy, they will use the checkbox and click Submit to complete their policy acknowledgment.
Once this is complete, the user's policy Status will change to 
in the KCM GRC Policy Management module. These user policy statuses can be seen from the Users tab under the campaign overview, as well as under the Reports section of the KCM GRC Policy Management module.
Comments
0 comments
Article is closed for comments.