FAQ for KCM GRC
In this article, you can find frequently asked questions about the KCM GRC Compliance Management module and general questions about KCM GRC. If this article doesn't include the question that you're looking for, please submit a ticket to our support team.
For general information about your KCM GRC platform, see the questions below:
1. Question: Can I incorporate my existing compliance efforts and processes into KCM GRC?
Answer: Yes. KCM GRC allows you to use CSV files to upload your existing processes. For example, you can import compliance requirements and import controls that your organization already has in place. After you import these items into KCM GRC, you can map the controls to one or more requirements in your scopes.
2. Question: What modules are available in the KCM GRC console and what do they do?
Answer: The following modules are available in the KCM GRC console. You may not have access to all of these modules, depending on your subscription level. Contact your Customer Success Manager if you'd like to add an additional module to your account.
- Compliance Management Module - Compliance is a module included with your KCM GRC subscription. It allows you to manage compliance initiatives and audits by assigning control tasks, creating auditor reports, and storing evidence. For more information on getting started with your compliance module, see our Getting Started with the Compliance Management Module article.
- Policy Management Module - Policy Management is a module included with your KCM GRC subscription. It allows you to manage, distribute, and track acknowledgments of your organization's required policies. For more information, see our Policy Management Module Guide.
- Risk Management Module - Risk Management is a module that can be added to your KCM GRC subscription. It allows you to manage risk by conducting risk assessments and establishing and implementing mitigation efforts. For more information, see our Risk Management Module Guide.
- Vendor Risk Management Module - Vendor Risk Management is a module that can be added to your KCM GRC subscription. The VRM module lets you centralize your third-party risk management processes by prequalifying risk, assessing your vendors, and conducting remediation efforts in your platform. You can even set a frequency for how often your vendors are assessed, to continually monitor the associated risk. For more information, see our Vendor Risk Management Module Guide.
3. Question: How do I determine whether a user is included in the user count for my KCM GRC subscription?
Answer: The following user roles are included in your user count:
- Account Administrator
- Scope Administrator
- Policy Administrator
- Campaign Administrator
- Risk Administrator
- Vendor Administrator
The following user roles are not included in your user count:
- Vendor User
- Policy Management end users
4. Question: How can I enable or disable KnowBe4 support's access to my account?
Answer: By default, KnowBe4 support can access your account to assist you with difficulties that you experience. However, you can turn this feature on or off from your Account Settings. For instructions, see our How to Manage Your KCM GRC Account Settings article.
5. Question: How do I request a new feature, template, or improvement?
Answer: We recommend contacting your Customer Success Manager, contacting the KnowBe4 support team, or posting on our KCM GRC Community Board for Feature Requests. Often, we base our development on customer feedback and requests, so we appreciate your input.
6. Question: Can I change the time zone in my account?
Answer: Yes, you can change your time zone in your account. The time zone that is selected in your account settings will affect your policy management campaigns. All other dates and times in your account are based on Coordinated Universal Time (UTC). To learn how to change the time zone in your account settings, see the Account Settings section of our How to Manage Your KCM GRC Account Settings article.
7. Question: If I add my organization's logo under my Account Settings, where will it appear?
Answer: The logo will display at the top-left corner of your platform and in any emails that are generated from your KCM GRC platform. For more information, see the Account Settings section of our How to Manage Your KCM GRC Account Settings article.
To learn about working with user roles in your KCM GRC platform, see the questions below:
1. Question: What are the differences between the various user roles in KCM GRC?
2. Question: Can Scope Administrators create controls?
Answer: Yes, Scope Administrators can create controls for the requirements that are included in their allowed scopes. You can add or remove access to scopes from the Allowed Scopes field of the Scope Administrator's user profile. To learn how to add or remove a user's allowed scopes, see the Updating User Account Details section of our How to Create and Manage KCM GRC User Accounts article.
To create a control, Scope Administrators can navigate to a scope and then open the requirement that they want to create a control for. For more information, see the Creating Controls Individually section of our How to Create Controls for Scoped Requirements article.
3. Question: How do I add additional permissions for my users with the Contributor user role?
For more information about user roles, see our User Roles Guide.
4. Question: How do I remove Account Administrator permissions from a user?
Answer: If you are an Account Administrator, you can remove the Account Administrator's user role. However, Account Administrators cannot demote their own user roles. For more information, see the Updating User Account Details section of our How to Create and Manage KCM GRC User Accounts article.
5. Question: A KCM GRC user left our organization. How do I transfer the user's responsibilities?
Templates and Scopes
To learn about templates and scopes in your KCM GRC platform, see the questions below. This section also includes questions about requirements.
1. Question: What is the difference between a template and a scope?
Answer: A template is a framework, or collection, of requirements that relate to one another. A scope is a set of requirements that relate to one another and describe the boundaries of a project or audit framework. We recommend that you create a scope by converting a template to a scope.
For more information about templates and scopes, see the articles listed below:
- Glossary of Compliance Terms
- Compliance Management Module Guide
- How to Create Custom Templates for Scopes
- How to Convert a Template to a Scope
2. Question: What types of templates can I use in my KCM GRC platform?
Answer: KCM GRC has four types of templates that you can use in your platform. To learn how to use each template, see the list below:
- Custom Templates: You can use custom templates in the Compliance Management module to select requirements that you will work toward under a scope. Custom templates are most useful if your organization has unique compliance objectives that our managed templates do not cover. For information about creating custom templates, see our How to Create Custom Templates for Scopes article.
- Managed Templates: You can use a managed template in the Compliance Management module to convert the template into a scope. Managed templates already include requirements, so they are a simple alternative to creating a custom template. After you convert a managed template to a scope, you can create or map additional requirements, or you can unmap requirements that do not apply to your organization. For information about the managed templates that we offer, see our Managed Templates article.
- Policy Templates: You can use policy templates in the Policy Management module to document your organization's policies. Your KCM GRC account offers ten policy templates that you can download and customize for your organization. For information about customizing policy templates and the policy templates that we offer, see our Policy Templates article.
- Risk Templates: You can use risk templates to add risks from our master risk repository to your Risk Register. Risk templates have pre-populated names and descriptions, and you can customize details such as the risk status, likelihood, and impact. Risks that you import to or create from your Risk Register also appear in the Risk Templates area of your platform. For more information about risk templates, see our Risk Templates article.
- Questionnaire Templates: You can use questionnaire templates in the Vendor Risk Management module to create questionnaires that you will send to your vendors. KCM GRC offers questionnaire templates for the Standardized Information Gathering (SIG) questionnaire and the Consensus Assessment Initiative Questionnaire (CAIQ). For more information about questionnaire templates, see our Creating and Configuring Questionnaires article.
3. Question: I’ve converted my template to a scope. What should I do next?
Answer: Now that you have converted your template to a scope, the next step is to complete a scope self-assessment for the scoped requirements. The scope self-assessment can help you see how much progress your organization has made in meeting the requirements for the scope. This information can help you determine which requirements you can quickly create controls for in your platform and which requirements your organization will need to work on.
For more information, see our How to Complete a Scope Self-Assessment article.
4. Question: How do I map requirements to my scope?
Answer: To learn how to map existing requirements to a scope, see the Mapping Requirements to Scopes section of our How to Add and Remove Scoped Requirements article. To learn how to create requirements for a scope, see the Creating Requirements for Scopes section of our How to Add and Remove Scoped Requirements article.
5. Question: When uploading or creating a new requirement, what is the default ID Separator?
Answer: When you add new requirements to your platform, you can set the type of character to use between the numbers or letters that make up your Requirement ID. This character is known as the ID Separator. The Requirement ID is a combination of the requirement's Primary ID and Sub ID. The ID Separator will display between the Primary ID and Sub ID.
To set the ID separator character, you will select one of the following options from the ID Separator drop-down menu:
- Space Separated ( )
- Comma Separated (,)
- Dash Separated (-)
- Dot Separated (.)
If you do not select a separator from this drop-down menu, the default separator will be used. If your Primary ID and Sub IDs only contain numbers, the default separator will be a period. If your Primary ID and Sub IDs contain numbers and letters, the default separator will be a space.
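As an added example (not KCM GRC code), the function below composes a Requirement ID from a Primary ID and Sub ID using the four separator options named above, and applies the documented default rule when no separator is selected. The option keys ("space", "comma", "dash", "dot") are assumed names for the drop-down entries.

```python
# Added example (not KCM GRC code): build a Requirement ID the way the FAQ
# describes, including the default-separator rule for unselected separators.
from typing import Optional

# The four ID Separator options named in the FAQ; the keys are assumed names.
SEPARATORS = {
    "space": " ",
    "comma": ",",
    "dash": "-",
    "dot": ".",
}


def default_separator(primary_id: str, sub_id: str) -> str:
    """Period when both IDs are purely numeric, otherwise a space."""
    if primary_id.isdigit() and sub_id.isdigit():
        return "."
    return " "


def requirement_id(primary_id: str, sub_id: str,
                   separator: Optional[str] = None) -> str:
    """Join Primary ID and Sub ID with the chosen separator.

    `separator` is one of the SEPARATORS keys; None means no option was
    selected, so the default rule applies.
    """
    primary_id, sub_id = primary_id.strip(), sub_id.strip()
    if separator is None:
        sep = default_separator(primary_id, sub_id)
    elif separator in SEPARATORS:
        sep = SEPARATORS[separator]
    else:
        raise ValueError(f"unknown ID Separator option: {separator!r}")
    return f"{primary_id}{sep}{sub_id}"
```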
6. Question: Can I download a report of my scope with control, task, and evidence details?
Answer: Yes. For more information, see our How to Export Scope Information article.
7. Question: How do I completely remove all scopes and controls in our account?
Answer: To remove controls and scopes from your account, follow the steps listed below:
First, delete your controls by following the steps below:
- From your navigation panel, select the Controls tab.
- Select a control name to open a control.
Tip: When deleting multiple controls, we recommend right-clicking the control name and opening the control in a new tab or window, instead.
- Click the Delete button at the top of the page. Once prompted, click Delete.
- Repeat these steps as needed.
Next, delete your scopes by following the steps below:
- From your navigation panel, navigate to Compliance > Scopes.
- In the Actions column of the View All Scopes page, click the trash can icon next to the scope that you would like to delete. When you click this button, a pop-up window will open to confirm whether you would like to delete the selected controls.
- In the pop-up window that opens, enter DELETE into the field to confirm the deletion.
- Click the Delete button.
- Repeat these steps as needed.
You can also archive your controls and scopes, which allows you to retain their information while hiding the controls and scopes from your account. To archive controls or scopes instead, click the Archive button or icon rather than the Delete button or icon.
Controls and Tasks
To learn about working with controls and tasks in your KCM GRC platform, see the questions below:
1. Question: What is the difference between a control and a task?
Answer: A control is an action or procedure that you are taking to ensure that you are meeting the associated requirement or requirements.
You assign a task schedule to a control. The task schedule determines how often your organization must provide evidence to prove that you're meeting the control. By meeting a control, you are proving that your organization is either partially or fully satisfying the requirement or requirements that are mapped to the control.
To learn more, see our definitions of Controls and Tasks in our Glossary of Compliance Terms. Additionally, see our How to Work with Tasks and Task Schedules for Controls article.
2. Question: What is Control Health?
Answer: Control Health is the percentage of a control's scheduled tasks that are complete. To learn how Control Health is calculated, see the Control Health definition in the Controls section of our Glossary of Compliance Terms.
3. Question: How do I create and assign a task schedule?
Answer: To learn how to create and assign task schedules, see our How to Work with Tasks and Task Schedules for Controls article.
4. Question: What is the KCM GRC task reminder email schedule?
Answer: When you've assigned a user to a task, the console will automatically send reminder notifications to the User Assigned before the task evidence is due. To learn more about the task reminder emails, see the Control Task Notifications section of our Email Notifications and the Email Digest article.
5. Question: When is a control task considered Past Due or Failed?
Answer: You can create and assign various types of tasks to ensure that you are maintaining your organization's compliance controls. For both one-time tasks and task schedules, if the assigned user does not mark a task as complete before the task's due date, the following will occur:
- One day past the due date, the task's status will change to Past Due.
- Seven days past the due date, the task's status will change to Failed.
For more information about creating one-time tasks and task schedules, see our How to Work with Tasks and Task Schedules for Controls article.
6. Question: How can I see a list of which tasks are not 100% compliant?
Answer: Tasks that are not compliant are tasks that are not in the Satisfied status. To view a list of tasks that are not in this status, see the steps below:
- Navigate to the Tasks page by selecting Tasks from the navigation panel.
- From the Status column, click the drop-down menu and select the following statuses:
- Past Due
- The page will show all incomplete tasks that are either coming due or have passed their due date.
Tip: If you would also like to view a list of the tasks that are complete but are still waiting for approval from a manager, click the drop-down menu from the Approval Stage column and select Awaiting Approval.
7. Question: What is the difference between archiving and deleting a control?
Answer: If you would like to keep a record of the control evidence or if you believe it could be used again with a different requirement, you should archive the control instead of deleting the control. If you archive the control, the control task schedules will be deleted from the Task Schedules tab. However, if you unarchive the control, the control tasks, evidence, control documents, requirement mappings, risk mappings, and the control's health score will still be associated with the control. For more information, see our Archiving Items Guide.
If the control was created by accident or if it is not sufficient for any further compliance efforts, you can permanently delete it. For more information, see the Deleting Controls in Bulk section of our How to Use Controls in Your KCM GRC Platform article.
Evidence and Files
For information about submitting evidence and files in your KCM GRC platform, see the questions below:
1. Question: Do control task evidence files need to meet any specific requirements?
Answer: Evidence files for control tasks need to meet the requirements listed below:
- File Size: Minimum of 1B, maximum of 50MB
- File Name: Maximum of 250 characters (including the file extension)
- Accepted File Types: .png, .jpg, .jpeg, .gif, .bmp, .tif, .tiff, .pdf, .txt, .rtf, .eml, .msg, .csv, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .zip, .gzip, .7z, .gz, .tar, .tgz, and .nrl
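As an added example (not KCM GRC code), the helper below pre-checks an evidence file's name and size against the three requirements listed above before an upload is attempted. Case-insensitive matching on the final extension and a binary reading of 50MB are assumptions, since the FAQ does not specify either; the sample file list is constructed.

```python
# Added example (not KCM GRC code): pre-flight check of evidence files against the
# requirements the FAQ lists, run locally before an upload is attempted.
import os
from typing import List

MIN_SIZE = 1                  # bytes
MAX_SIZE = 50 * 1024 * 1024   # "50MB"; the FAQ does not say whether MB is 10^6 or
                              # 2^20 bytes, so the binary reading is an assumption
MAX_NAME_LEN = 250            # characters, including the extension

# Accepted file types exactly as the FAQ lists them (lower-case, with the dot).
ACCEPTED_EXTENSIONS = frozenset({
    ".png", ".jpg", ".jpeg", ".gif", ".bmp", ".tif", ".tiff", ".pdf", ".txt",
    ".rtf", ".eml", ".msg", ".csv", ".doc", ".docx", ".xls", ".xlsx", ".ppt",
    ".pptx", ".zip", ".gzip", ".7z", ".gz", ".tar", ".tgz", ".nrl",
})


def check_evidence_file(name: str, size: int) -> List[str]:
    """Return the requirement violations for one file (empty list = acceptable).

    Extension matching is case-insensitive and looks only at the final suffix
    (so "backup.tar.gz" is judged by ".gz"); both are assumptions, because the
    FAQ does not say how the server matches. Passing here is necessary but not
    sufficient: the server also restricts MIME types (see the MIME type question).
    """
    problems = []
    base = os.path.basename(name)  # the directory part is not part of the file name
    if len(base) > MAX_NAME_LEN:
        problems.append(f"name is {len(base)} characters; maximum is {MAX_NAME_LEN}")
    if size < MIN_SIZE:
        problems.append("file is empty; minimum size is 1B")
    elif size > MAX_SIZE:
        problems.append(f"file is {size} bytes; maximum is 50MB")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ACCEPTED_EXTENSIONS:
        problems.append(f"type {ext or '(no extension)'!r} is not an accepted file type")
    return problems


# Constructed sample (name, size in bytes) pairs; not real evidence files.
SAMPLE_FILES = [
    ("firewall-config-review.pdf", 2_400_000),
    ("Screenshot.PNG", 180_000),
    ("backup.tar.gz", 60 * 1024 * 1024),
    ("notes", 512),
    ("empty.txt", 0),
]

if __name__ == "__main__":
    for name, size in SAMPLE_FILES:
        problems = check_evidence_file(name, size)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```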
2. Question: How will my control evidence and other files be stored when uploaded to KCM GRC?
Answer: For files that are uploaded to your account, KCM GRC uses Amazon S3 for storage. Therefore, KCM GRC leverages AWS for data encryption in transit (TLS) and at rest (AES-GCM 256). For more information about the security of KnowBe4's products, see the KnowBe4 Security page.
3. Question: Is there a character limit for links that are submitted as evidence?
Answer: If you submit a link as evidence for a control task, the Link field has a maximum character limit of 2000 characters.
4. Question: What types of evidence can I link when I submit evidence for tasks?
Answer: You can submit any links as long as the links include one of the protocols listed below:
5. Question: What MIME types (media types) are allowed to be uploaded as control documents or evidence?
Answer: Only the following MIME types are allowed:
For more information on MIME types, see the Wikipedia entry on Media Types.
6. Question: Why can't I preview evidence in Microsoft Edge?
Answer: First, we recommend that you check your pop-up settings. Pop-ups will need to be enabled before you can preview evidence in your browser.
If the file is trying to open in Microsoft Office instead of the browser, you will need to disable the Microsoft Office setting in Microsoft Edge. To disable this setting, navigate to your Microsoft Edge browser settings, and select the Download tab. Then, click the Open Office files in the browser toggle to disable this setting.
7. Question: What if the evidence uploaded to Jira issues doesn't meet KCM GRC's file requirements?
Answer: If this evidence doesn't meet our file requirements, a note will be added to the Notes widget of the View Task page.
A link to the associated Jira issue will also be added to the Supporting Evidence section of the page, instead of the evidence file. To view this evidence, you'll need to navigate to the Jira issue.