Security Measures
1. Access Control Measures
KnowBe4 has established and maintains comprehensive policies, controls, and practices to ensure appropriate access control and protection of Customer Data, including:
- Access Management Policy: A defined policy that outlines standards for access control, including a framework and principles for user provisioning.
- User Provisioning: Access to systems, applications, and infrastructure is granted based on job roles, adhering to the least privilege principle, and enforced through authentication processes.
- Role-Based Access Control: Access to Customer Data for KnowBe4 staff is strictly limited based on role and only on a need-to-know basis.
- Segregation of Duties: Includes access control reviews, HR-managed security groups, and workflow controls to ensure appropriate separation of responsibilities.
- Approval and Review of User Accounts: User accounts require prior management approval before accessing data, applications, infrastructure, or network components, based on the data classification level. Access rights are reviewed periodically based on the relevant role.
- Mobile Device Management (MDM): Managed MDM solutions with defined lockout periods and posture checks for both endpoints and mobile devices.
2. Awareness and Training Program
KnowBe4 has established and maintains comprehensive policies, controls, and practices for security awareness and training activities, including:
- Security, Privacy, and Compliance Training: Comprehensive training covering security, privacy, and compliance topics is provided to all employees during induction and annually, utilizing various formats such as online, in-person, pre-recorded sessions, and phishing simulations.
- Role-Specific Training: Tailored training for employees with elevated privileges to address relevant risks and enhance their expertise.
- Training Record Management: All training records are maintained within a designated learning management system.
- Automated Reminders and Escalation: Automated reminders for training deadlines, including an escalation process to respective managers for overdue training.
- Continuous Security Awareness: Secure coding practices are taught by security champions embedded within engineering teams.
- Secure Coding Training: Centrally managed MDM solution with defined lockout periods and posture checks for both endpoints and mobile devices.
- Annual Security Events: Annual mandatory security training and events to reinforce security principles, emphasizing collective responsibility through various activities.
3. Audit and Accountability
KnowBe4 has established and maintains a comprehensive set of formal policies, controls, and practices for auditing and accountability, which include:
- Logging Standards: Comprehensive logging standards are included within KnowBe4's policy management framework, subject to annual review and senior management approval.
- Centralized Log Management: Secure forwarding and storage of system logs to a centralized cloud-based log platform, with read-only access.
- Security Log Monitoring: Monitoring of security audit logs to identify unusual activity, with defined procedures for reviewing and addressing anomalies.
- Logging Scope Updates: Regular updates to the scope of logged information and system events for Cloud Products and related infrastructure to align with new features and changes.
- Time Synchronization: Use of time sync services from relevant cloud providers (e.g., AWS or Microsoft Azure) to ensure accurate timekeeping across deployed instances.
4. Assessment, Authorization, and Monitoring
KnowBe4 has established and maintains a comprehensive set of formal policies, controls, and practices for consistent monitoring and security assessments, which include:
- Audit and Assurance Policies: Extensive audit policies, reviewed and updated annually.
- Centralized Policy Program: A centralized policy program that categorizes global policies by domain, with annual review and senior management approval.
- Audit Management: Encompassing audit planning, risk analysis, security control assessments, conclusions, remediation schedules, and reviews of past audit reports.
- Internal and External Audits: Conducting internal and independent external audits annually to evaluate legal and contractual compliance, as well as control effectiveness.
- Compliance Verification: Ongoing verification of compliance against standards such as ISO 27001 and SOC 2.
- Addressing Nonconformities: Systematic handling of nonconformities found during audits, including root-cause analysis, severity assessment, corrective actions, and meticulous tracking.
- Annual Penetration Testing and Bug Bounty: Annual penetration testing for products and proactive bug bounty programs to identify and mitigate vulnerabilities.
- Continuous Vulnerability Scanning: Regular vulnerability scans, with remediation efforts aligned with KnowBe4’s policies.
5. Configuration Management
KnowBe4 maintains formal policies, controls, and practices for configuration management, including:
- Change Management: Policies covering risk management for asset changes, reviewed annually. Standard procedures for encryption and cryptography to ensure secure handling of data.
- Centralized Policy Program: Categorizes global policies with annual review and senior management approval.
- Encryption and Endpoint Management: Policies for encryption, cryptography, endpoint management, and asset tracking in line with industry standards.
- Change Control Standards: Established baselines requiring testing documentation, authorized approval, peer reviews, and successful testing for code and infrastructure changes.
- Emergency Changes: Strict post-implementation testing and approval process for emergency changes.
- Intrusion Detection System (IDS): Automated system for managing and protecting against unauthorized changes.
- Asset Tracking: Cataloguing and tracking of physical and logical assets with annual reviews to maintain accuracy.
6. Contingency Planning
KnowBe4 maintains formal policies, controls, and practices for business continuity and disaster recovery (BCDR), including:
- BCDR Plans: Defined recovery time objectives (RTOs), recovery point objectives (RPOs), and resilience controls (e.g., daily backups, restoration testing).
- Cyber Event Response: Procedures for response and remediation of cyber events to maintain business continuity.
- Disaster Recovery Testing: Quarterly recovery tests, with post-test analyses to continuously improve BCDR strategies.
- Capacity Management: Continuous monitoring and adjustments to maintain service availability, including DDoS mitigation.
- Policy Review: Centralized annual reviews and updates for global business continuity policies.
- Backup Protocols: Robust data backup, including encryption, redundancy across data centers, and regular testing.
7. Identification and Authentication
Policies and practices for identification and authentication include:
- Unique Employee Identification: Unique identification through a centralized directory with single sign-on (SSO) for application access.
- Multi-Factor Authentication (MFA): MFA and SSO enforced where applicable for secure access.
- Password Policies: Password creation and management follow industry guidelines, ensuring robust security.
- Credential Security: Industry-standard encryption methods, such as AES-256, for the secure storage of credentials.
- User Account Management: Documented approvals, regular user and account reviews, and automatic synchronization between identity systems and HR systems to maintain data integrity.
8. Security Incident Response
Policies and practices for security incident response include:
- Incident Response Plan: Emphasizes preparedness, containment, eradication, and recovery, with a focus on data protection and regulatory compliance.
- Cross-Functional Teams: Dedicated teams manage incidents, with defined processes for triaging events and ensuring effective communication.
- Regular Testing and Reviews: Response plans are regularly tested, and metrics are established to improve incident management effectiveness. Annual reviews are conducted to update response plans and share best practices.
- Post-Incident Review (PIR): Root cause analysis for high-severity incidents to focus on systemic improvements and learning.
- Incident Response Integration: Procedures embedded in critical business processes to minimize downtime and risks.
- System Availability Information: Availability and status information published to assist with incident reporting and response.
- Incident Reporting: Mechanism for customers to report incidents, vulnerabilities, and issues, ensuring prompt attention to security and availability concerns.
- Customer Notification: Commitment to notifying customers of security incidents without undue delay, including providing information necessary for regulatory compliance.
9. Maintenance
Policies and practices for maintaining KnowBe4 cloud products include:
- BCDR Testing: Regular testing of business continuity and disaster recovery (BCDR) plans, with quarterly evaluations.
- Availability Monitoring: Real-time monitoring of multiple regions and regular tests for infrastructure reliability.
- Measures Consistency: Adherence to previously established monitoring, contingency planning, and protection standards.
10. Media Protection
Policies and practices to ensure media protection include:
- Use of Reliable Third Parties: Physical infrastructure managed by trusted third-party services.
- Media Sanitization: Sanitization of used equipment according to industry standards.
- Encryption: Full disk encryption for servers, databases, and endpoint devices using AES-256.
- Secure Device Access: Bring-your-own-device (BYOD) policy restricting access to secure and compliant devices.
- Workplace Security: Requirement that unattended workspaces have no confidential data visible, with an enforced clean-desk policy.
11. Physical and Environmental Protection
Policies and practices for physical protection include:
- Access Controls: Badge readers, camera surveillance, and time-specific access restrictions.
- Access Logs: Maintenance of access logs for investigative purposes.
- Data Center Security: Third-party data centers use compliance-certified physical security measures, such as biometric verification and controlled access points.
- Environmental Controls: Critical equipment positioned in low-risk areas and protective measures for power and telecommunications.
12. Planning
Policies and practices for operational planning include:
- Monitoring Regulatory Compliance: Active monitoring by legal and compliance teams.
- System Security Plan: Documented plan detailing system boundaries and product descriptions.
- Change Communication: Communicating significant changes to key products and services to users and customers.
- Program Review: Periodic updates of the security management program.
13. Program Management
Policies and practices for program management include:
- Executive Support: Security management program supported at the executive level.
- Information Security Policies: Documented policies covering roles, risk mitigation, and service provider security management.
- Risk Assessments: Periodic risk assessments and prompt review of incidents for corrective action.
- Security Standards Compliance: Alignment with recognized standards (e.g., SOC 2, ISO 27001).
- Risk Mitigation: Processes for identifying, assessing, and mitigating security risks, with executive approval.
- Security Testing: Regular security testing across various potential attack vectors.
- Program Review: Annual review and updating of the security management program.
- Staff Development: Training program for security staff with defined roles and responsibilities.
14. Personnel Security
Policies for personnel security include:
- Background Checks: Pre-hire background checks, including criminal records where permitted by law.
- Onboarding Requirements: Confidentiality agreements, employment contracts, and policy acknowledgments during onboarding.
- Role Changes and Terminations: Processes for role changes and terminations, including automatic de-provisioning of access.
- Security Training: Ongoing security and privacy training, including role-specific training.
- Disciplinary Actions: Established processes to manage violations of policies.
15. Personal Data Processing and Transparency
Policies for compliance with data protection laws include:
- Privacy Compliance Program: Processes to adapt to applicable data protection laws.
- Data Processing Policies: Defined categories of personal data, processing purposes, and principles.
- Pseudonymization: Methods for creating pseudonymized data sets using technical measures.
- Transparency and Documentation: Clear privacy policies, internal guidelines, and comprehensive compliance documentation.
- Secure Development: Secure development practices from the design phase.
- Individual Rights: Respect for individuals' rights to access, correct, and delete their data.
16. Risk Assessment
Policies for risk management include:
- Risk Management Program: Identifying, assessing, and mitigating risks.
- Standards Compliance: Policies aligned with standards such as ISO 27001 to mitigate organizational risks.
- Security Testing: Regular security testing, including penetration tests and bug bounties.
- Vulnerability Management: Metrics and processes for managing vulnerabilities.
- Independent Audits: Security and data protection evaluations through external and internal audits.
17. System and Services Acquisition
Policies for secure system acquisition and development include:
- Secure Development Life Cycle: Agile methodology with documentation for system and infrastructure changes.
- Standardized Deployment: Secure application deployment using automated processes.
- Change Management: Peer-reviewed changes, mandatory testing, and emergency change procedures.
- Source Code Security: Compliance settings to prevent unauthorized changes.
- Third-Party Libraries: Regular scanning and updating of open-source libraries.
18. System and Communications Protection
Policies for system and communication protection include:
- Encryption: Cryptographic mechanisms for data protection in transit and at rest.
- Network Segmentation: Separation of production and non-production environments.
- Workstation Security: Management of workstations, including encryption, security patches, and password protection.
- Access Control: Restricting access to authorized users via MDM, VPN, single sign-on (SSO), IP restrictions, and firewalls.
- Customer Data Segregation: Measures to logically segregate customer data.
19. System and Information Integrity
Policies for system and information integrity include:
- Vulnerability Management: Ongoing scans to identify and remediate vulnerabilities.
- Data Disposal: Adherence to data disposal protocols to ensure irrecoverable deletion.
- Data Segregation: Policies to prevent use of production data in non-production environments.
- Log Management: Centrally managed, read-only system logs with retention aligned with best practices.
- Anti-Malware: Deployment of anti-malware strategies across infrastructure.
20. Supply Chain Risk Management
Policies for supply chain risk management include:
- Vendor Management Framework: Security, availability, and confidentiality standards for suppliers.
- Third-Party Risk Assessments: Risk assessments, due diligence, and monitoring throughout the vendor lifecycle.
- Contract Review: Review of contracts, SLAs, and security measures by dedicated teams.
- Supplier Inventory: Inventory of all suppliers with risk level assessments.
- Audit Reviews: Yearly audit reviews (e.g., SOC 2) and assessments of supply chain security controls.