FAQ for KCM GRC
In this article, you can find frequently asked questions about the KCM GRC Compliance Management module and general questions about KCM GRC. If this article doesn't include the question that you're looking for, please submit a ticket to our support team.
For general information about your KCM GRC platform, see the questions below:
1. Question: Can I incorporate my existing compliance efforts and processes into KCM GRC?
Answer: Yes. KCM GRC allows you to use CSV files to easily upload existing processes. For example, you can import compliance requirements and import the controls that your organization already has in place. Once imported, you can map controls to one or more requirements in your scopes.
2. Question: What modules are available in the KCM GRC console and what do they do?
Answer: The following modules are available in the KCM GRC console. You may not have access to all of these modules, depending on your subscription level. Contact your Customer Success Manager if you'd like to add an additional module to your account.
- Compliance Management (CM) Module - Compliance is a module included with your KCM GRC subscription. It allows you to manage compliance initiatives and audits by assigning control tasks, creating auditor reports, and storing evidence. For more information on getting started with your compliance module, please see our Getting Started with the Compliance Management Module article.
- Policy Management (PM) Module - Policy Management is a module included with your KCM GRC subscription. It allows you to manage, distribute, and track acknowledgments of your organization's required policies. For more information, please see our Policy Management Module Guide.
- Risk Management (RM) Module - Risk Management is a module that can be added to your KCM GRC subscription. It allows you to manage risk by conducting risk assessments and establishing and implementing mitigation efforts. For more information, please see our Risk Management Module Guide.
- Vendor Risk Management (VRM) Module - Vendor Risk Management is a module that can be added to your KCM GRC subscription. The VRM module lets you centralize your third-party risk management processes by prequalifying risk, assessing your vendors, and conducting remediation efforts in your platform. You can even set a frequency for how often your vendors are assessed, to continually monitor the associated risk. For more information, please see: Vendor Risk Management Module Guide.
3. Question: How do I determine whether a user is counted against my KCM GRC user count license?
Answer: The following user roles are counted against your user limit: Account Administrator, Contributor, Scope Administrator, Policy Administrator, Campaign Administrator, Risk Administrator, and Vendor Administrator.
The Auditor and Vendor User user roles, and policy management end-users (added within the Policy Management module) are considered soft licenses and do not count against your KCM GRC user count license.
4. Question: How can I enable or disable support access to my account?
Answer: You can decide whether or not you'd like to allow KnowBe4's KCM GRC Support team to view your account data so they can better assist you. You can turn this feature on or off from your Account Settings. For more information, please see our How to Manage Your KCM GRC Account Settings article.
5. Question: How do I request a new feature, template, or improvement?
Answer: We recommend reaching out to your Customer Success Manager, the KnowBe4 support team, or posting on our KCM Community Board for Feature Requests. We base a lot of our development on customer feedback and requests, so we appreciate your input.
6. Question: Can I change the time zone in my account?
Answer: Yes, you can change your time zone in your account. The time zone that is selected in your account settings will affect your policy management campaigns. All other dates and times in your account are based on Coordinated Universal Time (UTC). To learn how to change the time zone in your account settings, see the Account Settings section of our How to Manage Your KCM GRC Account Settings article.
7. Question: If I add my organization's logo under my Account Settings, where will it appear?
Answer: Adding your organization's logo under your Account Settings is a great way to personalize your KCM GRC environment. The logo will display at the top-left corner of your platform and in any emails that are generated from your KCM GRC platform.
To learn about working with user roles in your KCM GRC platform, see the questions below:
1. Question: What are the differences between the various user roles in KCM GRC?
2. Question: Can Scope Administrators create controls?
Answer: Yes, Scope Administrators can create controls for the requirements that are included in their allowed scopes. From a Scope Administrator's user profile, the Allowed Scopes field is where you can add or remove access to the scopes in your account. To learn more about adding or removing a user's allowed scopes, please see the Updating User Account Details section of our How to Create and Manage KCM GRC User Accounts article.
To create a new control, Scope Administrators will navigate to a scope and then, open the requirement that they want to create a control for. For further instructions, please see the Creating Controls Individually section of our How to Create Controls for Scoped Requirements article.
3. Question: How do I add additional permissions for my users with the Contributor user role?
For more information on Contributors and other KCM GRC user roles, see our User Roles Guide.
4. Question: How do you remove Account Administrator permissions from a user?
Answer: For security reasons, the KnowBe4 Support team must revoke these permissions for you. Please reach out to email@example.com for assistance.
5. Question: A KCM GRC user left our organization. How do I transfer the user's responsibilities?
Templates and Scopes
To learn about templates and scopes in your KCM GRC platform, see the questions below. This section also includes questions about requirements.
1. Question: What is the difference between a template and a scope?
Answer: A template is a framework, or collection, of requirements that relate to one another. A scope is a framework, or collection, of requirements that relate to one another and describe the boundaries of a project or audit framework. We recommend creating a scope from a template. You must have a scope in your account before you can begin to create and assign the appropriate controls for your requirements.
For more information, please see the following articles:
- Glossary of Compliance Terms
- Getting Started with the Compliance Management Module
- Creating Custom Templates for Scopes
- Converting Templates to Scopes
2. Question: What types of templates can I use in my KCM GRC platform?
Answer: KCM GRC has four types of templates that you can use in your platform. To learn how to use each template, see the list below:
- Custom Templates: You can use custom templates in the Compliance Management module to select requirements that you will work toward under a scope. Custom templates are most useful if your organization has unique compliance objectives that our managed templates do not cover. For information about creating custom templates, see our How to Create Custom Templates for Scopes article.
- Managed Templates: You can use a managed template in the Compliance Management module to convert the template into a scope. Managed templates already include requirements, so they are a simple alternative to creating a custom template. After you convert a managed template to a scope, you can create or map additional requirements, or you can unmap requirements that do not apply to your organization. For information about the managed templates that we offer, see our Managed Templates article.
- Policy Templates: You can use policy templates in the Policy Management module to document your organization's policies. Your KCM GRC account offers ten policy templates that you can download and customize for your organization. For information about customizing policy templates and the policy templates that we offer, see our Policy Templates article.
- Risk Templates: You can use risk templates to add risks from our master risk repository to your Risk Register. Risk templates have pre-populated names and descriptions, and you can customize details such as the risk status, likelihood, and impact. Risks that you import to or create from your Risk Register also appear in the Risk Templates area of your platform. For more information about risk templates, see our Risk Templates article.
- Questionnaire Templates: You can use questionnaire templates in the Vendor Risk Management module to create questionnaires that you will send to your vendors. KCM GRC offers questionnaire templates for the Standardized Information Gathering (SIG) questionnaire and the Consensus Assessment Initiative Questionnaire (CAIQ). For more information about questionnaire templates, see our Creating and Configuring Questionnaires article.
3. Question: I’ve converted my template to a scope. What should I do next?
Answer: Now that you have converted your template to a scope, the next step is to complete a Scope Self-Assessment of the scoped requirements. The Scope Self-Assessment helps you see how far along your organization is in meeting the requirements under the selected framework (scope). This information can help you figure out which requirements you can quickly create controls for in your platform and which requirements your organization will need to work on.
For more information, please see our How to Complete a Scope Self-Assessment article.
4. Question: How do I map requirements to my scope?
Answer: Regardless of whether you're working in a custom scope or a scope that you've created from one of our Managed Templates, you can map any requirement in your account to a scope.
To add an existing requirement to a scope, follow the steps below:
- Navigate to Compliance > Scopes from the navigation panel on the left-hand side of your account.
- Click the scope name.
- From the View Scope page, click the Requirements tab.
- Click the Map Requirements to Scope button.
- Search for the desired requirement, and then click the checkbox on the left-hand side of each requirement that you would like to add to the scope.
- Once you've selected the desired requirements, click the Map button.
If you need to create requirements for your scope, click the Create Requirement button on the View Scope page.
5. Question: When uploading or creating a new requirement, what is the "default" ID Separator?
Answer: When adding new requirements to your console, you can determine the type of character that you want to use between the numbers or letters that make up your Requirement ID. This character is known as the ID Separator. The Requirement ID is a combination of the requirement's Primary ID and Sub ID. The ID Separator will be placed between these two values.
To set the ID separator character, you will select one of the following options from the ID Separator drop-down menu:
- Space Separated ( )
- Comma Separated (,)
- Dash Separated (-)
- Dot Separated (.)
If you do not make a selection from this drop-down menu, the default separator will be used. See below for details:
- If your Primary IDs and Sub IDs only contain numbers: The default separator will be a period (.)
- If your Primary IDs or Sub IDs contain numbers and letters: The default separator will be a space ( )
6. Question: Can I download a report of my scope with control, task, and evidence details?
Answer: Yes. Please see our How to Export Scope Information article for more information.
7. Question: How do I completely remove all scopes and controls in our account?
Answer: To remove controls and scopes from your account, use the following steps:
First, follow these steps to delete your controls:
- Navigate to the Controls area by clicking Controls from the left-hand side of your account.
- Click on a control name to open a control.
Tip: When deleting multiple controls, we recommend right-clicking the control name and opening the control in a new tab or window, instead.
- Click the Delete button at the top of the page. Once prompted, click Delete.
- Repeat these steps as needed.
Next, follow these steps to delete your scopes:
- From the navigation panel on the left-hand side, click Compliance > Scopes.
- From the View All Scopes page, under the Actions column, click the trash can icon for a scope that you want to delete. Once prompted, click Delete.
- Repeat these steps as needed.
You also have the option to archive your controls and scopes, which would allow you to retain information while still hiding the controls and scopes from your account. To archive instead, follow the steps above but click the Archive button or icon, instead of the Delete button or icon.
Controls and Tasks
To learn about working with controls and tasks in your KCM GRC platform, see the questions below:
1. Question: What is the difference between a control and a task?
Answer: A control is an action or procedure that you are taking to ensure that you are meeting the associated requirement or requirements.
You assign a task schedule to a control. The task schedule determines how often your organization must provide evidence to prove that you're meeting the control. By meeting a control, you are proving that your organization is either partially or fully satisfying the requirement or requirements that are mapped to the control.
To learn more, please refer to our explanations of Controls and Tasks in our Glossary of Compliance Terms. Additionally, please see our How to Work with Tasks and Task Schedules for Controls article.
2. Question: What is Control Health?
Answer: Control Health is the percentage of a control's scheduled tasks that are complete. To learn how Control Health is calculated, see the Control Health definition in the Controls section of our Glossary of Compliance Terms.
3. Question: How do I create and assign a task schedule?
Answer: Please see our How to Work with Tasks and Task Schedules for Controls article to learn how to create and assign task schedules, and to see the necessary prerequisites.
4. Question: What is the KCM GRC task reminder email schedule?
Answer: When you've assigned a user to a task, the console will automatically send reminder notifications to the User Assigned before the task evidence is due. To learn more about the task reminder emails, please see the Control Task Notifications section of our Email Notifications and the Email Digest article.
5. Question: When is a control task considered "Past Due" or "Failed"?
Answer: You can create and assign various types of tasks to ensure that you are maintaining your organization's compliance controls. For both one-time tasks and recurring task schedules, if the assigned user does not mark a task as complete before the task's due date, the following will occur:
- One day past the due date: The task's status will change to Past Due.
- Seven days past the due date: The task's status will change to Failed.
For more information about completing tasks, see our How to Monitor and Complete Tasks article.
For more information about approving tasks, see our How to Monitor and Approve Tasks article.
For more information about creating one-time tasks and task schedules, see our How to Work with Tasks and Task Schedules for Controls.
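To see how the Past Due and Failed thresholds above combine with the Control Health definition in question 2 (the percentage of a control's scheduled tasks that are complete), here is an added Python example that is not KCM GRC's own code. It assumes day-level granularity for "one day" and "seven days" past the due date, uses UTC dates because the FAQ states that task dates are UTC-based, and the `Open` label for tasks that are not yet due and the rule that a control with no tasks scores 0% are assumptions for this example.

```python
"""Task status and Control Health as described in the KCM GRC FAQ.

Added example, not KCM GRC's own code. Assumptions: whole-day granularity,
UTC calendar dates, "Open" as the label for tasks not yet past due, and 0%
health for a control that has no scheduled tasks.
"""
from dataclasses import dataclass
from datetime import date, datetime, timezone


@dataclass(frozen=True)
class Task:
    name: str
    due: date
    completed: bool


def task_status(task: Task, today: date) -> str:
    """Return Complete, Failed, Past Due or Open for a task on a given UTC date."""
    if task.completed:
        return "Complete"
    days_past = (today - task.due).days
    if days_past >= 7:        # seven or more days past the due date
        return "Failed"
    if days_past >= 1:        # at least one day past the due date
        return "Past Due"
    return "Open"             # assumed label: due today or in the future


def control_health(tasks: list[Task]) -> float:
    """Percentage of a control's scheduled tasks that are complete (0.0-100.0)."""
    if not tasks:
        return 0.0            # assumption: no tasks means no evidence, so 0%
    done = sum(1 for t in tasks if t.completed)
    return round(100.0 * done / len(tasks), 1)


def noncompliant_tasks(tasks: list[Task], today: date) -> list[tuple[str, str]]:
    """List (name, status) for every task that is not complete, worst first."""
    order = {"Failed": 0, "Past Due": 1, "Open": 2}
    pending = [(t.name, task_status(t, today)) for t in tasks if not t.completed]
    return sorted(pending, key=lambda pair: order[pair[1]])


if __name__ == "__main__":
    # Constructed sample: a control with four scheduled tasks, evaluated on a fixed date.
    today = datetime.now(timezone.utc).date()
    sample = [
        Task("Quarterly access review", date(2024, 3, 1), True),
        Task("Firewall rule review", date(2024, 3, 1), False),
        Task("Backup restore test", date(2024, 2, 20), False),
        Task("Log retention check", date(2024, 3, 1), True),
    ]
    print("Control Health:", control_health(sample), "%")
    for name, status in noncompliant_tasks(sample, today):
        print(f"{status:9} {name}")
```

The `noncompliant_tasks` list mirrors the Tasks page filter in question 6: everything that is not complete, with Failed and Past Due items surfaced first so that the most overdue evidence is reviewed before tasks that are merely coming due.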
6. Question: How can I see a list of which tasks are not 100% compliant?
Answer: To see a list of all the tasks that have not been satisfied and closed, follow the steps below:
- Navigate to the Tasks page by clicking Tasks from the navigation panel on the left-hand side of your account.
- From the Status column, click the drop-down menu and select the following statuses:
- Past Due
- The page will show all incomplete tasks that are either coming due or have passed their due date.
Tip: If you would also like to see the tasks that are complete but are still awaiting approval from a manager, from the Approval Stage column, click the drop-down menu and then select Awaiting Approval.
7. Question: What is the difference between archiving and deleting a control?
Answer: You may want to archive a control if you'd like to keep a record of the control evidence or if you believe it could be used again with a different requirement. If you are archiving a control, its task schedules will be deleted from the Task Schedules tab, but the following items will return if you choose to unarchive the control: tasks, evidence, control documents, requirement mappings, risk mappings, and the control's health score.
If the control was created by accident or if it is not sufficient for any further compliance efforts, you can delete it.
Evidence and Files
For information about submitting evidence and files in your KCM GRC platform, see the questions below:
1. Question: Do control task evidence files need to meet any specific requirements?
Answer: Control Task Evidence Files need to meet the requirements listed below:
- File Size: Minimum of 1B, maximum of 50MB
- File Name: Maximum of 250 characters (including the file extension)
- Accepted File Types: .png, .jpg, .jpeg, .gif, .bmp, .tif, .tiff, .pdf, .txt, .rtf, .eml, .msg, .csv, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .zip, .gzip, .7z, .gz, .tar, .tgz, .nrl
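A pre-upload check that applies the three limits above is a useful guard for anyone scripting evidence submissions, and it also makes the limits of a name-based check visible: the extension list says nothing about the bytes inside the file, which is why the platform separately restricts MIME types (question 5). The Python below is an added example, not KCM GRC's own code; it assumes that MB means 1024 × 1024 bytes and that extension matching is case-insensitive, neither of which the FAQ states.

```python
"""Pre-upload validation of a control task evidence file against the FAQ limits.

Added example, not KCM GRC's own code. Assumptions: 50 MB = 50 * 1024 * 1024
bytes, case-insensitive extension matching, and only the final suffix counts
(so "backup.tar.gz" is judged by ".gz").
"""
import os

MIN_SIZE_BYTES = 1
MAX_SIZE_BYTES = 50 * 1024 * 1024          # assumption: binary megabytes
MAX_NAME_LENGTH = 250                      # including the extension

# Accepted File Types exactly as listed in the FAQ.
ACCEPTED_EXTENSIONS = frozenset({
    ".png", ".jpg", ".jpeg", ".gif", ".bmp", ".tif", ".tiff", ".pdf", ".txt",
    ".rtf", ".eml", ".msg", ".csv", ".doc", ".docx", ".xls", ".xlsx", ".ppt",
    ".pptx", ".zip", ".gzip", ".7z", ".gz", ".tar", ".tgz", ".nrl",
})


def validate_evidence_file(file_name: str, size_bytes: int) -> list[str]:
    """Return a list of problems; an empty list means the file meets the limits."""
    problems: list[str] = []

    if size_bytes < MIN_SIZE_BYTES:
        problems.append("size below 1 B")
    elif size_bytes > MAX_SIZE_BYTES:
        problems.append("size above 50 MB")

    if len(file_name) > MAX_NAME_LENGTH:
        problems.append("name longer than 250 characters")

    # Only the final suffix is examined; a file with no suffix has ext == "".
    ext = os.path.splitext(file_name)[1].lower()
    if ext not in ACCEPTED_EXTENSIONS:
        problems.append(f"extension '{ext}' not accepted")

    return problems


def validate_path(path: str) -> list[str]:
    """Convenience wrapper for a file on disk: uses its basename and on-disk size."""
    return validate_evidence_file(os.path.basename(path), os.path.getsize(path))


if __name__ == "__main__":
    # Constructed samples: (name, size in bytes)
    samples = [
        ("access-review-Q1.pdf", 120_000),
        ("screenshot.PNG", 45_000),
        ("empty.txt", 0),
        ("tool.exe", 2_048),
        ("a" * 247 + ".pdf", 10),
    ]
    for name, size in samples:
        result = validate_evidence_file(name, size)
        print(f"{name[:30]:32} {'ok' if not result else '; '.join(result)}")
```

Because the check is purely name- and size-based, a renamed executable with a `.pdf` suffix passes it; treat the extension allowlist as a usability filter and rely on the platform's server-side MIME type restriction for content enforcement.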
2. Question: How will my control evidence and other files be stored when uploaded to KCM GRC?
Answer: You can either upload evidence files directly to your account or provide links to external data or files that are stored on your organization's intranet or a file sharing service. You have the option to limit the format in which your users can submit evidence for your controls. To learn more, please see our How Can I Limit the Type of Evidence Submitted by my Users? article.
For files that are uploaded to your account, KCM GRC uses Amazon S3 for storage. Therefore, KCM GRC leverages AWS for data encryption in transit (TLS) and at rest (AES-GCM 256). To learn more about the security of KnowBe4's products, please see the KnowBe4 Security page.
3. Question: Is there a character limit for links that are submitted as evidence?
Answer: If you submit a link as evidence for a control task, the Link field has a maximum character limit of 2000 characters.
4. Question: What types of evidence can I link when I submit evidence for tasks?
Answer: You can submit any links that include one of the protocols listed below:
5. Question: What MIME types (media types) are allowed to be uploaded as control documents or evidence?
Answer: Only the following MIME types are allowed:
For more information on MIME types, you can read the Wikipedia entry on Media Types here.
6. Question: Why can't I preview evidence in Microsoft Edge?
Answer: First, we recommend that you check your pop-up settings. Pop-ups will need to be enabled before you can preview evidence in your browser.
If the file is trying to open in Microsoft Office, you will need to disable the Microsoft Office setting in Microsoft Edge. To disable this setting, navigate to your Microsoft Edge browser settings, and select the Download tab. Then, click the Open Office files in the browser toggle to disable this setting.