Many security managers would likely place security tasks associated with regulatory compliance on their lists of “most hated” job requirements because they must wrestle with so many difficulties and problems surrounding compliance.
For example, a security manager may be faced with multiple compliance requirements, each with its own cycle of deliverables. This could lead to duplication of efforts, as the same control must be accounted for in multiple compliance reports. He might assign specific aspects of compliance requirements to the user or administrator closest to that task; for example, making the firewall administrator responsible for documenting compliance with firewall requirements across several standards. If this user is not directly responsible for security and compliance, however, he doesn’t have much incentive to submit reports in a timely and accurate fashion.
In addition, many organizations lack a formal compliance process and instead require managers to sift through many, and at times overlapping, spreadsheets.
KnowBe4 Compliance Manager tries to make this cumbersome process easier and more efficient. The solution is available as software-as-a-service (SaaS) that is hosted on Amazon Web Services. In essence, the service helps administrators create, assign and monitor simple automated compliance-related workflows for such regulations as PCI-DSS, Sarbanes-Oxley and HIPAA. KnowBe4 Compliance Manager aligns controls with requirements and assigns documentation of compliance to specific individuals.
KnowBe4 Compliance Manager maps each individual standard/regulation to a master table built on NIST Special Publication 800-53 Rev 4, “Recommended Security Controls for Federal Information Systems and Organizations,” which is essentially a catalog of security controls that every business would benefit from implementing.
KnowBe4 Compliance Manager maps standards and regulations, such as HIPAA and PCI, onto NIST controls. Alternatively, customers can map the controls their organizations currently utilize back onto NIST SP 800-53 Rev 4. Controls can then be mapped back to the standards that they’re required to meet.
Hands On Compliance
Upon logging in to KnowBe4 Compliance Manager, I was greeted with a portal for use in managing my test company’s compliance efforts. As this contains detailed security information, it’s important that each customer’s data is logically separated from others and encrypted.
From My Dashboard, I navigated to the Account Manager view where I could map the controls required for my company onto the broader NIST requirements. I was particularly interested in establishing a compliance program for PCI DSS; it turns out that KnowBe4 has already mapped the PCI DSS onto NIST, so all I had to do was navigate to each control and edit its properties to TK. It is very easy to add new controls and map them for compliance programs other than PCI DSS.
My Dashboard quickly and easily showed me the status of my controls. Failed controls are red, satisfied controls are green, overdue controls are yellow, and active controls that are coming due soon are blue. I could also see how compliant my security programs were in terms of all controls together. This is shown as a single percentage that takes into account failed, overdue, active and satisfied controls to make an overall statement like “we are 46 percent compliant with PCI DSS.” I could also quickly see the percentage of requirements that had controls assigned to them. In an ideal world, all requirements would be mapped onto controls and all controls would be in compliance. In practice this can be quite different.
KnowBe4 is particularly useful in identifying gaps where there’s nothing in place for managing a control. For example, I drilled down into NIST’s SC-7a Boundary Protection where there is a requirement to implement a firewall between wireless networks and sensitive data stores, set a due date, then set a frequency and the user responsible for documenting compliance. I created the control, mapped to three requirements and sent an email to the user now responsible for the documenting compliance. I could also attach a document with instructions. (There’s a full audit trail for creating and documenting tasks.). Most customers usually have a link to a document or the complete document itself in order to prove that compliance has been achieved.
KnowBe4 Compliance Manager is a great tool for managing the process of compliance measurement. Reports make it easy to pinpoint gaps in compliance programs. In addition, the company plans to add an “Auditor View” where an external auditor can be assigned an account so he can log in, see requirements, controls and evidence that the control is in use. This will allow an auditor to assess a company’s controls remotely and save time (and cost) while on site during an audit.
KnowBe4 Compliance Manager is priced based on the number of employees at a company. Typical size of customer companies is 500-5,000 employees, which costs between $7,000 and $17,000 per year.