"I knew that a GRC tool could help us simplify the process and achieve better outcomes, so immediately began searching for the right one."
“Not only is KCM easier to use than other tools I’ve used, but it’s affordable and intuitive. I realized I could give an auditor access to the dashboard, and he or she could directly see each piece of the evidence puzzle he or she needed to, which is exactly what we needed.”
“I have never worked in a tool like this. The ability to line up and tie to an actual control and put in the documentation, I found that to be a game-changer.”
“All I had to do for the SOC audits this year was have our teams validate their processes. But the auditor was able to log in remotely and access all the evidence in one place. It has made the process of auditing a whole lot smoother for us.”
Early Success with the KCM GRC Platform
The compliance director for the municipality began learning more about GRC options and speaking with potential vendors. The municipality was already successfully using the KnowBe4 security awareness training and simulated phishing platform, so it was a natural progression to consider the company’s SaaS-based GRC offering, KCM.
After reviewing many possible offerings, the compliance director made a strong recommendation to upper management to move forward with KCM. The municipality was very interested in KCM’s ability to cross-reference various cybersecurity requirements from different compliance standards. Once upper management approved the municipality to move forward with KCM, the compliance director set up a proof of concept (PoC) to try out the Compliance Management module as a first step. Making things simple from the start, the module already had a template for the SOC2 and the Criminal Justice Information Services (CJIS) standards, which was “a big deal” to the team. The PoC was a success, and the municipality quickly integrated the system into its environment. At this point, it became clear that KCM could offer more to the municipality, so it was decided to explore more functionality through the platform’s Risk Management module. Led by the compliance director, the municipality was able to obtain results from a Critical Infrastructure Security Agency (CISA) assessment, take the findings and enter them into the KCM Risk Management module. This was presented to upper management and provided the drive for clarity around where the focus should be on IT projects that needed to be implemented.
Once KCM was up and running, the compliance director shared login information with the SOC auditor, who easily accessed information remotely from his home office. “All I had to do for the SOC audits this year was have our teams validate their processes. But the auditor was able to log in remotely, and access all the evidence in one place. It has made the process of auditing a whole lot smoother for us.” Given the current state of the global pandemic, this remote auditing ability was incredibly important in limiting person-to-person exposure and the need for travel, as well.
The Southwest region of the United States is home to a county municipality that has been called one of the fastest-growing counties in the country. As such a populous county, it manages vast amounts of citizen information that are largely sensitive and highly regulated. As a result, the municipality undergoes multiple audits every year in order to maintain CJIS, HIPAA, SOC2, and NIST compliance. When a new compliance director joined the county in 2019, he quickly realized that all the audit evidence he would need to provide to auditors was stored in text files. This was not an ideal situation, as the data was difficult to access and evaluate during an audit. As 2019 moved into the early months of 2020, he also recognized that the global pandemic and resulting work-from-home mandates would require that audits take place remotely rather than the more traditional—and easier to manage—in-person audits.
“We needed something to help us get organized, and to easily cross-reference all the regulatory
requirements to which we’re held,” he said. “There were also situations, like with the SOC audits, where one group was auditing through two different focuses. I knew that a governance, risk, and compliance (GRC) tool could help us simplify the process and achieve better outcomes, so immediately began searching for the right one.”
The municipality’s team has also appreciated the speed with which KCM accounts were set up and how streamlined the system has made internal processes. It has also helped them quickly see which policies and procedures need to be updated, so they can identify and address vulnerabilities and weaknesses before cybercriminals have a chance to exploit them. Another team member working in the compliance department commented on this benefit, sharing that KCM has “driven security maturity” for the municipality, by “providing a blueprint of what is missing.” “It’s been interesting just to line all those pieces up. I have never worked in a tool like this. The ability to line up and tie to an actual control and put in the documentation, I found that to be a game-changer,” said the compliance director.
With the Risk Management module and Compliance Management module set up and operating, the municipality is now adding the KCM Vendor Management module. They envision utilizing the module to determine if the third-party organizations they work with are meeting the security requirements that the municipality requires. By using KCM, the fast-growing municipality has already been able to stay better organized, cross-referencing and storing evidence in an intuitive and accessible way for themselves and auditors alike. The ease of implementation and functionality have been big wins for this county, and the team is optimistic about even further positive outcomes as their use of KCM continues to grow.
Get In Touch Today
To find out what SecureIT Consult and KnowBe4’s KCM GRC tool can do for you, get in touch with us for a demo and proof of concept, and see just how easy it really can be to maintain compliance & successfully complete your audits, in so little time!