KnowBe4 Compliance Manager™ (KCM) User Guide March 2014


Table of Contents

Purpose and Overview ... 3
Key Terms and Concepts ... 4
    Standards/Templates ... 4
    References ... 4
    Requirements ... 4
    Controls ... 4
    Evidence ... 5
    Users ... 5
    Templates ... 5
Getting Started ... 7
    Self-Assessment ... 7
    Assigning Controls ... 8
    Satisfying Tasks ... 9
Menu Items ... 11
    Global Dashboard (Account Owner Only) ... 11
    My Dashboard (All Users) ... 11
    Self-Assessment (Account Owner Only) ... 11
    Custom Templates (Account Owner Only) ... 11
    Compliance ... 12
    Controls ... 13
    Evidence (All Users) ... 14
Working with Users ... 15
    Creating Users ... 15
    Deleting/Disabling Users ... 15
    Confirming Accounts ... 15
    Forgot Password ... 15
Common Questions ... 16
    I have a user who left the company, how do I move their responsibilities? ... 16


© 2014 KnowBe4. All Rights Reserved. 3 KCM User Guide

Purpose and Overview

The KnowBe4 Compliance Manager (KCM) is designed to eliminate many of the errors and inefficiencies that are a part of most current compliance and audit tasks. Spreadsheets are not very auditable, scalable, or reliable. KCM was built as a reliable and scalable service to streamline your compliance and audit tasks. Users are assigned responsibility for periodically providing evidence that controls are in place and operating effectively.

The quick and simple workflow for KCM starts with creating the users who will be responsible for some aspect of compliance in your organization. Next, you step through the self-assessment questions to get a baseline of how many requirements you are currently meeting. After the self-assessment is complete, you will know how many controls are not met, partially met, or complete. Last, you assign responsibility for a control to a user and set the frequency at which evidence needs to be provided. Once all controls have been assigned, email reminders are sent to the users when it is time for evidence to be provided.

Based on what controls are not being met, or are partially met, you can create compensating controls to show that you are meeting the requirements in a different way.

Not only can you track and manage requirements and controls from pre-built compliance templates, you can also create custom compliance templates. With custom templates you can create requirements that are specific to you and your organization, such as state and local requirements, quality control, supply chain, environmental, and other requirements.


Key Terms and Concepts

There are several key terms and concepts that you should be familiar with for KCM. These are the WHY, WHAT, and HOW of compliance. The hierarchy for KCM is the following: Standards -> References -> Requirements -> Controls, where each level maps to objects on the next level down. Each of these objects and their sub-parts are discussed in this section.

Standards/Templates

Standards, also known as Compliance Templates, are the highest level object within KCM. An example of a Standard would be HIPAA or PCI DSS. These are the regulations or frameworks that you are required to follow as part of compliance.

Standards have a one-to-many mapping to References.

References

References are the individual line items that are contained within a Standard. These are taken straight from the regulation. Sometimes the original standard will refer to each line item as a requirement or a control. For the purposes of KCM, anything that comes straight from a standard is called a Reference. An example of a reference for HIPAA would be 164.308(a)(1)(ii)(A) – Risk Analysis.

References have a many-to-many mapping to Requirements.

Requirements

Requirements are the things that must be satisfied in order to be in compliance. These can be derived exactly from References or they can be taken from a different document. For pre-built templates related to IT controls, Requirements are taken from NIST SP-800-53 (Recommended Security Controls for Information Systems).

Each Requirement has a self-assessment question associated with it. You should mark the answer as ‘Yes’ if this is a Requirement that you are meeting, and ‘No’ if not.

The answers to the self-assessment questions determine if the Controls are being met completely, partially, or not at all.

Requirements have a many-to-many mapping to References.

Requirements have a many-to-many mapping to Controls.

Controls

Controls are the people, policies, processes, and tools that you have in place to meet Requirements. When describing a control there is a control description, title, frequency, responsible individual, type, and status. The control status can be ‘Complete’, ‘Partial’, or ‘Not Implemented’ depending on how many of the Requirements are being met.

There are implementation details where you describe the exact policy, process, or tool that you have in place to meet the Requirement.

Tasks

Tasks are the periodic self-attestations that Controls are in place and operating effectively. They give you an opportunity to provide evidence of a particular control so it will be readily available at audit time.


When you assign responsibility for a Control you also set a Frequency. This frequency can be: Annual, Semi Annual, Quarterly, Monthly, or Weekly. At this point you also choose a starting date for when the first task will be due.

Email reminders are sent to the user who is responsible for the Control when a Task due date is approaching.
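The Standards -> References -> Requirements -> Controls hierarchy, the derivation of a Control's status from its self-assessment answers, and the Task schedule produced by a Frequency and start date are easier to see in code. The following is an added example written for this guide, not KnowBe4's implementation: the status rule (Complete when every mapped Requirement is answered ‘Yes’, Partial when some are, Not Implemented when none are), the calendar arithmetic for each Frequency, and the sample Standard, Requirements and Control are all assumptions made here, with the Reference taken from the HIPAA example above and NIST-style requirement IDs used only as illustrative labels.

```python
"""Toy model of the KCM object hierarchy (added example, not KnowBe4 code).

Assumed rules: a Control is Complete when all mapped Requirements are met,
Partial when at least one is, Not Implemented otherwise; Tasks recur from
the start date at calendar-month or 7-day steps for the listed Frequencies.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta

# Frequencies the guide lists for a Control, as (months, days) per step.
FREQUENCIES = {
    "Annual": (12, 0),
    "Semi Annual": (6, 0),
    "Quarterly": (3, 0),
    "Monthly": (1, 0),
    "Weekly": (0, 7),
}


@dataclass(eq=False)            # identity equality: objects reference each other
class Standard:
    name: str
    references: list[Reference] = field(default_factory=list)     # one-to-many


@dataclass(eq=False)
class Reference:
    ref_id: str
    title: str
    requirements: list[Requirement] = field(default_factory=list)  # many-to-many


@dataclass(eq=False)
class Requirement:
    req_id: str
    question: str
    answer: bool | None = None          # self-assessment answer: True=Yes, False=No
    controls: list[Control] = field(default_factory=list)          # many-to-many

    @property
    def met(self) -> bool:
        return self.answer is True


@dataclass(eq=False)
class Control:
    title: str
    requirements: list[Requirement] = field(default_factory=list)
    owner: str | None = None
    frequency: str | None = None
    start_date: date | None = None

    def status(self) -> str:
        """Status derived from how many mapped Requirements are met (assumed rule)."""
        met = [r.met for r in self.requirements]
        if met and all(met):
            return "Complete"
        if any(met):
            return "Partial"
        return "Not Implemented"

    def assign(self, owner: str, frequency: str, start_date: date) -> None:
        """Assign responsibility, a Frequency and the date the first Task is due."""
        if frequency not in FREQUENCIES:
            raise ValueError(f"unknown frequency {frequency!r}")
        self.owner, self.frequency, self.start_date = owner, frequency, start_date

    def due_dates(self, count: int) -> list[date]:
        """Due dates of the first `count` recurring Tasks after assignment."""
        if self.start_date is None or self.frequency is None:
            raise RuntimeError("control has not been assigned")
        months, days = FREQUENCIES[self.frequency]
        return [_add_months(self.start_date, i * months) + timedelta(days=i * days)
                for i in range(count)]


def _add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic that clamps the day to the target month's length."""
    month_index = d.month - 1 + n
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def map_requirement(req: Requirement, control: Control) -> None:
    """Link a Requirement and a Control in both directions (many-to-many)."""
    if control not in req.controls:
        req.controls.append(control)
    if req not in control.requirements:
        control.requirements.append(req)


def build_sample() -> tuple[Standard, Requirement, Requirement, Control]:
    """Constructed sample data: one HIPAA Reference mapped to two Requirements."""
    hipaa = Standard("HIPAA (sample)")
    ref = Reference("164.308(a)(1)(ii)(A)", "Risk Analysis")
    hipaa.references.append(ref)
    ra = Requirement("RA-3 (sample)", "Do you conduct periodic risk assessments?")
    pm = Requirement("PM-9 (sample)", "Is there a documented risk management strategy?")
    ref.requirements.extend([ra, pm])
    ctrl = Control("Risk assessment program")
    map_requirement(ra, ctrl)
    map_requirement(pm, ctrl)
    return hipaa, ra, pm, ctrl


def demo() -> tuple[str, str, str, list[date]]:
    """Walk the self-assessment and assignment steps on the sample data."""
    _, ra, pm, ctrl = build_sample()
    before = ctrl.status()          # nothing answered yet
    ra.answer = True
    partial = ctrl.status()         # one of two Requirements met
    pm.answer = True
    complete = ctrl.status()        # both met
    ctrl.assign("alice@example.com", "Quarterly", date(2014, 1, 31))
    return before, partial, complete, ctrl.due_dates(3)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `Not Implemented`, `Partial`, `Complete` for the three stages and, for a Quarterly control first due on 2014-01-31, due dates of 2014-01-31, 2014-04-30 and 2014-07-31; the April date shows why the month arithmetic clamps the day rather than failing on a non-existent 31st.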

Evidence

The Evidence area of KCM acts as a file repository where you can store proof that Controls are in place and operating as they should be. Evidence can be provided in the form of file uploads or URLs that point to the evidence.

Documents

Documents, or file uploads, are one way of using KCM to store audit evidence. Each file that is uploaded is uniquely encrypted and stored securely in the cloud. Uploaded files are associated with a Control or a specific Task.

You should use the file upload feature if you are not currently using a central storage facility for audit evidence.

DocuLinks

DocuLinks, or URLs to evidence, are another way of using KCM to store audit evidence. If you are currently using a centralized storage area on your internal network for maintaining audit evidence, you should not duplicate effort by uploading to KCM as well. By providing a URL, or link, to the evidence you get the benefit of linking that information to a specific Control or Task without needing to store files in multiple places.

Users

KCM uses two different user types: Account Owners and Regular Users, as described below.

Account Owners

Account owners have complete control over all aspects of the KCM application. You can create custom templates, assign responsibilities, create and update controls, adjust mappings of various objects, etc. As an account owner you are also presented with a Global Dashboard which shows all Tasks for the organization, as well as some other useful information that pertains to the entire account. An account owner is allowed to see all objects within an account.

Regular Users

Regular users are only presented with the information they need to satisfy a task and to provide evidence that a Control or Task is satisfied. From the Dashboard, you can see the Tasks that are assigned to you as well as their status and when they are due. Regular users have limited ability within KCM.

Templates

Templates are the glue that ties Standards to References to Requirements to Controls. The underlying mapping of each of these objects to one another is handled via a Template. There are two types of templates: ones that are pre-built and can be provisioned into your account, and ones that you create yourself to help manage more specific sets of regulations or internal policies.


Built-In Templates

Built-in templates are created by KnowBe4 and can be provisioned into your account to help you manage compliance with various well-known regulations such as HIPAA, PCI DSS, or GLBA. Over time, more pre-built templates will become available. Pre-built templates contain a custom mapping of References into NIST-based Requirements and NIST-based Controls.

Custom Templates

Custom compliance templates allow you to build unique sets of requirements that are based on internal policies or other regulatory compliance standards that are not yet pre-built. This could be for state and local government requirements, non-IT regulations such as OSHA or FDA, or even quality control and fraud-related regulations.


Getting Started

Self-Assessment

The self-assessment feature of KCM is designed to help you get up and running with pre-built templates. The answers you give during the self-assessment determine which requirements are being met or not met. Once you have completed the self-assessment questionnaire, you will have an idea of how many controls are in place, partially in place, or non-existent.

To complete the self-assessment, click the ‘Self-Assessment’ link in the left-hand menu and start answering the questions. You have an opportunity to provide some details on why you answered a question with ‘Yes’. This box becomes the ‘implementation detail’ for that control.


Self-assessment questions can also be changed or answered on the view requirement page under the Self-Assessment tab.

Assigning Controls

After you complete the self-assessment, if you have not yet created your users, you should do that now. You will want to have your users created and their accounts confirmed prior to assigning responsibility for controls.

Under the Self-Assessment menu item there is a section to assign unassigned controls. You can step through these and determine who is going to be responsible for periodically providing evidence. At this point you will also assign a frequency and first due date. This is the schedule on which the recurring tasks will appear and require you to attest that a control is in place and operating effectively.


Satisfying Tasks

Depending on the frequency of a Control, the user responsible will begin to receive email reminders that a Task is coming due. A user can either click the link in the reminder email or log into the site to list their currently active tasks. Satisfying a task is done by clicking the ‘Update Task’ button. If evidence is to be provided, you should do that using the Upload Document or Create DocuLink buttons before marking the task as satisfied. From the drop-down, select ‘Satisfied’ and provide any notes that will help show that the control was in place and operating effectively.

Completed Task (screenshot not reproduced)


Menu Items

Global Dashboard (Account Owner Only)

The Global Dashboard displays the organization's overall Task Completion percentage, a listing of all current Active, Due Today, and Past Due Tasks, the percentage of Requirements being met, and the breakdown of Complete, Partial, and Non-Existent Controls.

The Task Calendar shows a listing of All Tasks for all users and their current status (Failed, Past Due, Active, Complete).

My Dashboard (All Users)

My Dashboard displays your personal Task Completion percentage, a listing of all current Tasks for which you are assigned responsibility, and a listing of the References, Requirements, and Controls for which you are responsible.

The Task Calendar shows a listing of all of the Tasks that you are responsible for and their status.

Self-Assessment (Account Owner Only)

The Self-Assessment page has three sections: Create Users, Requirements Self-Assessment, and Assign Controls and Create Compensating.

The first step is to create some users. These are going to be users who will at some point be assigned responsibility for a Control. They must confirm their accounts prior to being assigned any Controls.

The second step is to complete the Requirements Self-Assessment. You simply step through a series of questions to which you answer Yes or No. It is recommended that, in the details box provided, you explain how you are meeting, or why you are not meeting, each requirement.

The final step is to assign responsibility for Controls to Users. At this point you will establish a Frequency for Tasks and a Start Date on which the first Task will be due.

Custom Templates (Account Owner Only)

The Custom Templates wizard should be used if you wish to create your own compliance templates to follow. This could be anything from internal policies to non-IT regulations or supplemental requirements for existing regulations.

First you establish a new Standard. Then you create a Reference. Once you save the Reference, you can either create a new Requirement, or map the Reference to an existing Requirement. If you choose to create a new Requirement, once you have saved the Requirement you can then choose to create a new Control or map to an existing Control.

You will repeat this process until all References, Requirements, and Controls for your new Template have been created.


Compliance

Standards (Account Owner Only)

This menu item takes you to a page which displays all of the Standards currently applied to your account. Clicking on a Standard will then take you to a listing of References.

References (Account Owner Only)

This menu item takes you to a listing of all References across all Standards for your account. The table shows the Standard Name, Reference ID, Reference Name, and Description.


Requirements (All Users)

This menu item takes you to a table that lists all Requirements. The table displays the Requirement ID, Name, Description, and whether it is currently Met or Not Met. Met means that you answered ‘Yes’ to the Self-Assessment question related to that Requirement; Not Met means you answered ‘No’.

Controls

All Controls (Account Owner Only)

This menu item displays a table that lists all Controls. The table displays Control Name, Description, Type (Full/Compensating), Status (Non Existent, Partial, Complete), and whether the Control is assigned to a User or not.

My Controls (All Users)

This menu item displays the same information as the ‘All Controls’ link, except that only Controls that have been assigned to you are displayed.


Tasks

All Active Tasks (Account Owner Only): This menu item lists all the currently active Tasks, the responsible user for each, and the date each is due.

My Active Tasks (All Users): This menu item displays the same information as the ‘All Active Tasks’ but only shows the Tasks that are assigned to you.

All Past Due (Account Owner Only): This menu item lists all the currently Past Due Tasks along with the information shown in the menu items above.

My Past Due (All Users): This menu item displays the same information as the ‘All Past Due’ Tasks but only shows the Tasks that are assigned to you.

Evidence (All Users)

This menu item takes you to where all the evidence for Controls and Tasks is located. The table is separated into Files and Links. All files that have been uploaded to the system are located in the Files tab. All URLs, or DocuLinks, that have been provided are listed under the Links tab.


Working with Users

Creating Users

Creating a new user can be done either by going to the Self-Assessment menu item and selecting ‘Create Users’, or by selecting ‘Settings’ from the top menu and clicking ‘Manage Users’.

When you create a new user, they will receive an email with a confirmation link and a confirmation token that they will need to enter into a form to create their account.

You must create a user, and they must be confirmed prior to having responsibility assigned to them.

Deleting/Disabling Users

Deleting or disabling a user can be done by selecting ‘Settings’ in the top menu and then choosing ‘Manage Users’. On the next screen select the user you want to disable. In the Actions tab, select ‘Disable/Transfer’. You must transfer responsibilities from the disabled user to another active user so that Controls and Tasks continue to be met.

Confirming Accounts

Users who have just had an account created will receive an email with a confirmation link and a confirmation token. Users will need to visit the link and enter the confirmation token in the form. The user will then need to set a password. After this is completed the user may log in.

If you need to re-send a confirmation email for a User, navigate to ‘Settings’ then ‘Manage Users’. Select the user you want to re-send a confirmation email to. Under the ‘Actions’ tab, you can choose Re-Confirm.

Forgot Password

If a user has forgotten their password, they can select ‘Forgot Password’ from the main login screen. The user will receive a confirmation email with a link and token. The process is exactly like the initial user confirmation process.


Common Questions

I have a user who left the company, how do I move their responsibilities?

In the upper menu under the Settings drop-down, choose ‘Manage Users’. Then click on the user whose responsibilities you wish to transfer. Under the Actions tab select ‘Disable/Transfer’. On the next screen, select the User to whom responsibility is to be transferred.
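The user lifecycle rules in the Working with Users section and in this question come down to two invariants: a user must be confirmed before any Control is assigned to them, and disabling a user must transfer every Control they own to another active, confirmed user so that nothing is left unowned. The following is an added example written for this guide, not KCM's own code: the token handling (a random one-time token of which only a hash is stored, compared in constant time), the in-memory `Account` class, and the sample users and control are all assumptions made here to show how those invariants can be enforced and checked.

```python
"""User lifecycle invariants for a KCM-style account (added example, not KCM code).

Assumed rules taken from the guide's text: assignment requires a confirmed,
enabled user; disabling a user requires transferring their Controls to a
different active user, after which no Control may be owned by a disabled user.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass(eq=False)
class User:
    email: str
    confirmed: bool = False
    disabled: bool = False
    token_hash: str | None = None   # hash of the emailed confirmation token (assumed design)

    def active(self) -> bool:
        return self.confirmed and not self.disabled


@dataclass(eq=False)
class Control:
    title: str
    owner: User | None = None


class Account:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.controls: list[Control] = []

    # --- Creating Users / Confirming Accounts ------------------------------
    def create_user(self, email: str) -> tuple[User, str]:
        """Create an unconfirmed user; the returned token is what would be emailed."""
        token = secrets.token_urlsafe(16)
        user = User(email, token_hash=_hash(token))
        self.users[email] = user
        return user, token

    def confirm(self, email: str, token: str) -> bool:
        """Confirm the account if the presented token matches; the token is single-use."""
        user = self.users[email]
        if user.token_hash is None or not hmac.compare_digest(_hash(token), user.token_hash):
            return False
        user.confirmed, user.token_hash = True, None
        return True

    # --- Assigning Controls ------------------------------------------------
    def assign(self, control: Control, owner: User) -> None:
        if not owner.active():
            raise PermissionError(f"{owner.email} must be confirmed and enabled first")
        control.owner = owner

    # --- Deleting/Disabling Users with transfer ----------------------------
    def disable_and_transfer(self, leaving: User, successor: User) -> int:
        """Disable `leaving` and move all their Controls to `successor`; returns the count moved."""
        if successor is leaving or not successor.active():
            raise PermissionError("successor must be a different active, confirmed user")
        moved = 0
        for control in self.controls:
            if control.owner is leaving:
                control.owner = successor
                moved += 1
        leaving.disabled = True
        return moved

    def orphaned_controls(self) -> list[Control]:
        """Controls with no owner or a disabled owner; should always be empty."""
        return [c for c in self.controls if c.owner is None or c.owner.disabled]


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def demo() -> dict:
    """Constructed walkthrough: create, confirm, assign, then transfer on departure."""
    acct = Account()
    alice, token_a = acct.create_user("alice@example.com")
    bob, token_b = acct.create_user("bob@example.com")
    control = Control("Quarterly access review")
    acct.controls.append(control)
    try:
        acct.assign(control, alice)          # alice is not confirmed yet
        early = "allowed"
    except PermissionError:
        early = "refused"
    wrong_token = acct.confirm("alice@example.com", "not-the-token")
    acct.confirm("alice@example.com", token_a)
    acct.confirm("bob@example.com", token_b)
    acct.assign(control, alice)
    moved = acct.disable_and_transfer(alice, bob)   # alice leaves the company
    return {"early": early, "wrong_token": wrong_token, "moved": moved,
            "owner": control.owner.email, "orphans": len(acct.orphaned_controls())}


if __name__ == "__main__":
    print(demo())
```

`demo()` shows the early assignment refused, the wrong token rejected, one Control moved to Bob, and no orphaned Controls after Alice is disabled; `orphaned_controls()` is the check an account owner would want to run after any disable/transfer.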