
CMGRC Reports

Compliance Manager Reports

No Two Reports Are Alike!

All of our reports are fully brandable. Pick from several different report style templates, change the colors to match your corporate style, select from a large library of stock images for your report covers or upload your own, and even edit the documents.

If you want to pull out just a specific chart or report section, they are all in standard MS Word format, so you can copy and paste any items into other documents.


Key Report Features

ALL EMPLOYEES POLICY ACCEPTANCE STATUS REPORT

Compliance Manager GRC includes the ability to upload any number of policies or other HR-related documents into a self-serve web-based portal where employees can log in, read and review the documents, and attest to agreement with their contents. This dashboard report presents a summary of the Employee Policy Acceptance results recorded for all employees of a given organization. The information is continually tracked and updated in real time in the Compliance Manager GRC Site’s Employee Tracker Dashboard.

ALL VENDORS ASSESSMENTS STATUS AND RESULTS REPORT

Whether you are compelled to track vendor compliance with specific IT requirements, or simply do so as a matter of following best practices, Compliance Manager GRC gives you the ability to assign specific sets of requirements to your vendors — including any standards that you must adhere to. You can monitor progress for all your vendors in one place in the Compliance Manager GRC vendor portal dashboard, and print out this report at any time.

CONTROLS ASSESSMENT REPORT

This report presents a summary of the Controls Assessment responses and results as displayed in the Controls Assessment Dashboard.


RAPID BASELINE ASSESSMENT REPORT

This report presents a summary of the Rapid Baseline Assessment responses and results as displayed in the Rapid Baseline Assessment Dashboard.


REQUIREMENTS ASSESSMENT REPORT

This report presents a summary of the Requirements Assessment responses and results as displayed in the Requirements Assessment Dashboard.


VENDOR RISK ASSESSMENT DASHBOARD REPORT

Quickly and easily print out what you see on the Vendor Risk Management Report.

VENDOR RISK EXCEL EXPORT REPORT

Want to take the results of your vendor risk assessment and work on them in Excel? No problem. You’ll get the summary results in one tab, and individual line item results in another.

CIS CONTROLS IG1 – POLICIES AND PROCEDURES

Implementation Group 1 (IG1) is the definition of basic essential cyber hygiene. IG1 represents an emerging minimum standard of information security and of protection against common attacks for all. This document includes all of the policies and procedures required to be in alignment with IG1.

CIS CONTROLS IG2 – POLICIES AND PROCEDURES

Implementation Group 2 (IG2) is for enterprises that employ individuals who are responsible for managing and protecting IT infrastructure. IG2 comprises 74 additional Safeguards and builds upon the 56 Safeguards identified in IG1. This document includes all of the policies and procedures required to be in alignment with IG2.

CIS CONTROLS IG3 – POLICIES AND PROCEDURES

IG3 assets and data contain sensitive information or functions that are subject to regulatory and compliance oversight. IG3 comprises an additional 23 Safeguards and is the framework to use for maximum IT security. It builds upon the Safeguards identified in IG1 and IG2, and includes all 153 Safeguards in the CIS Critical Security Controls. This document includes all of the policies and procedures required to be in alignment with IG3.


CMMC 2.0 – LEVEL 1 – POLICIES AND PROCEDURES

Organizations that are implementing CMMC 2.0 Level 1 security controls must create and implement a set of policies and procedures for CUI data security based upon the CMMC 2.0 – Level 1 IT Security Framework.


CMMC 2.0 – LEVEL 2 – POLICIES AND PROCEDURES

Organizations that are implementing CMMC 2.0 Level 2 security controls must create and implement a set of policies and procedures for CUI data security based upon the CMMC 2.0 – Level 2 IT Security Framework.


CYBER ESSENTIALS – POLICIES & PROCEDURES

Organizations that implement the Cyber Essentials (Plus) controls must create and implement a set of policies and procedures that are used to certify and protect the business against the growing threat of cyber-attacks. The report gathers the evidence needed to complete Cyber Essentials (Plus) certification with real data. The certification defines a focused set of controls that provide clear guidance on basic cyber security for organizations of all sizes and offers a sound foundation of cyber security measures that can be implemented at low cost.


CYBER INSURANCE READINESS – POLICIES & PROCEDURES

Cyber-insurance is a specialty insurance product intended to protect businesses from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities. Compliance Manager GRC is the first software solution that allows cyber-insurance policyholders to systematically produce compliance policy and procedure documentation, which is the foundation of any compliance program in terms of both its organization and its management.

FTC SAFEGUARDS RULES STANDARDS AND CONTROLS – POLICIES AND PROCEDURES

Organizations that are implementing Federal Trade Commission’s Standards for Safeguarding Customer Information – the Safeguards Rule, for short – must create and implement a set of policies and procedures used to implement the necessary security controls based upon the requirements of the Rule. This policies and procedures manual includes all of the standard provisions of the regulation.

HIPAA BREACH NOTIFICATION RULE – POLICIES AND PROCEDURES

A third requirement is to have a set of policies and procedures for notifying affected individuals and the HHS Secretary of PHI breach events experienced by the organization, in compliance with the HIPAA Breach Notification Rule.

HIPAA PRIVACY RULE – POLICIES AND PROCEDURES

A second requirement is to have a set of policies and procedures used to implement PHI privacy protection and compliance with the HIPAA Privacy Rule.

HIPAA SECURITY RULE – POLICIES AND PROCEDURES

One of the first requirements is to have a set of policies and procedures used to implement ePHI data security and compliance with the HIPAA Security Rule.

KASEYA CYBERSECURITY FUNDAMENTALS – POLICIES AND PROCEDURES

The Policies and Procedures for Kaseya Cybersecurity Fundamentals, our entry-level standard that offers a set of common controls, are derived from the NIST Cybersecurity Framework (NIST CSF). This ensures that businesses are aligned with industry-recognized best practices.

NIST 800-171 – POLICIES AND PROCEDURES

Organizations that are implementing the NIST SP 800-171 IT security requirements must create and implement a set of policies and procedures used to implement the necessary security requirements of NIST SP 800-171.

NIST CSF – POLICIES AND PROCEDURES

Organizations that are implementing NIST Cyber Security Framework controls must create and implement a set of policies and procedures used to implement the security controls required by the NIST Cyber Security Framework.

NYS DFS PART 500-23 – POLICIES & PROCEDURES

The New York State Department of Financial Services (NYDFS) requires that all covered entities maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of their information systems.

PCI DSS SAQ A – POLICIES AND PROCEDURES

To fully comply with the PCI DSS standard, three critical documentation areas are needed: policies, standards, and procedures. SAQ-A is for e-commerce/mail/telephone-order (card-not-present) merchants which have completely outsourced all cardholder data functions.

PCI DSS SAQ A EP – POLICIES AND PROCEDURES

To fully comply with the PCI DSS standard, three critical documentation areas are needed: policies, standards, and procedures. SAQ-A-EP is for e-commerce-only merchants that rely on third-party service providers to handle card information, and which have a website that doesn’t process credit card data but could impact the security of the payment transaction.

PCI DSS SAQ B IP – POLICIES AND PROCEDURES

To fully comply with the PCI DSS standard, three critical documentation areas are needed: policies, standards, and procedures. SAQ-B-IP is for merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, and which do not store electronic cardholder data.

PCI DSS SAQ C – POLICIES AND PROCEDURES

To fully comply with the PCI DSS standard, three critical documentation areas are needed: policies, standards, and procedures. SAQ-C is for any merchant which utilizes a payment application connected to the internet, but with no electronic cardholder data storage.

PCI DSS SAQ C VT – POLICIES AND PROCEDURES

To fully comply with the PCI DSS standard, three critical documentation areas are needed: policies, standards, and procedures. SAQ-C-VT is for merchants which utilize a virtual terminal on one computer dedicated solely to card processing, and which do not store electronic cardholder data. This is not for e-commerce activities.

SOC 2 TRUST SERVICES CRITERIA – POLICIES AND PROCEDURES

This policies and procedures manual includes all of the Trust Services Criteria that must be met in order to satisfy the requirements of a SOC 2 exam. Users are able to modify the standard procedures to more closely align with their own specific methodologies. Any modifications made inside Compliance Manager GRC will automatically update the associated Policies & Procedures document.

GDPR — EU CONTROLLER AND PROCESSOR – POLICIES AND PROCEDURES

One of the first requirements is to have a set of policies and procedures used to implement Personal Data privacy protection, security, and compliance with EU GDPR.

ASSESSOR’S CHECKLIST

The Assessor’s Checklist gives you a high-level overview of how well the organization complies with the specific standard being managed. A separate Auditor’s checklist can be generated for any Standard — whether from one of the built-in government and industry templates, or your own custom set of Requirements and Controls. The checklist details specific compliance items, their status, and helpful references. Use the checklist to quickly identify potential issues to be remediated in order to achieve compliance.

PLAN OF ACTIONS AND MILESTONES REPORT

This report is a dynamic project plan spreadsheet document, fed by Compliance Manager GRC, that includes separate tabs of Technical Issues, Control Issues and Standards Issues. It’s prepopulated with the issue (weakness), how it was identified, along with the Control ID and description. Use this document as a simple project planner to fully implement an IT security framework and/or attain regulatory compliance.

TECHNICAL ASSESSMENT REPORT

This report includes details about all Windows and macOS assets, configurations and users uncovered during the network, computer endpoint and MS Cloud scanning process.

TECHNICAL RISK ANALYSIS REPORT

Identifies what protections are in place and where there is a need for more. It includes a list of items that must be remediated to ensure the security and confidentiality of sensitive data at rest and/or during its transmission.

TECHNICAL RISK TREATMENT PLAN

This report prioritizes the discovered IT security risks and provides recommendations on remediation steps.

YOUR STANDARD – FULL ASSESSMENT REPORT

This report can be generated from the requirements assessment for any standard you are managing. It compiles compliance information from automated scans, augmented data, and questionnaires, and gathers the evidence into one document to back up the Assessor’s Checklist with real data.


CMMC NIST SP 800-171 SCORING REPORT

Even though CMMC 2.0 has been launched, the US Department of Defense still requires all subcontractors to perform a self-assessment against the NIST SP 800-171 requirements, and to score themselves based on a specific set of rules. Compliance Manager GRC includes the 800-171 assessment standard and automatically scores the assessment based on the DoD rules. This report provides the automatically completed scorecard plus all back-up as supporting evidence in the event of an audit.

DRIVE ENCRYPTION REPORT

Encryption is such an effective tool for protecting data that if an encrypted device is lost, the loss does not have to be reported as a data breach. The Disk Encryption Report identifies each drive and volume across the network, whether it is fixed or removable, and whether encryption is active.

FILE SHARE IDENTIFICATION WORKSHEET

The File Share Identification Worksheet takes the list of network shares gathered by automated network data collection and lets you identify those that store or access Sensitive Data. This is an effective tool for developing data management strategies, including secure storage and encryption. The worksheet is used to document whether each identified network file share is “authorized” to store Sensitive Data.

MACOS COMPUTER PATCH ASSURANCE REPORT

The macOS Patch Assurance Report helps verify the effectiveness of the client’s patch management program. The report uses scan data to detail which updates are missing on macOS computers operating within the network.

CMMC 2.0 – LEVEL 2 – POLICIES AND PROCEDURES

This report provides a detailed overview of the security policies which are in place on both a domain wide and local machine basis.

SENSITIVE DATA ASSESSMENT WORKSHEET

This report lists computer assets on the network that appear to be storing Sensitive Data. For each computer listed in this worksheet, the entry references the Wi-Fi enabled status and whether ePHI, Cardholder Data (PCI DSS), GDPR Personal Data, and/or Personally Identifiable Information (PII) was detected. Upon completion of the Sensitive Data Assessment, all computers assigned a “Sensitive Data Storage Authorization” status of “Authorized” will be listed in this supporting document.

SENSITIVE DATA FILE SCAN REPORT

The Sensitive Data File Scan Report identifies specific types of personal data stored on computers, servers, and storage devices. It does not read or access the files, but only looks at the file name and file type. This report is useful for identifying local data files that may not be protected.

SHARE PERMISSION REPORT

Comprehensive lists of all:

  1. Network “shares” by computer, detailing which users and groups have access to which devices and files, and what level of access they have.
  2. Permissions organized by user, showing all shared computers and files to which they have access.

SYSTEM SECURITY PLAN

The System Security Plan (SSP) is a requirement of CMMC 2.0, and can be used as a formal document to support many other standards and frameworks. This formal report provides an overview of the security requirements for your information system and describes the security controls in place or planned for meeting those requirements.

APPLICATION INVENTORY WORKSHEET

This worksheet is used to document the “criticality” of the applications identified as being installed on the computer endpoints operating within the network.


ASSET INVENTORY REVIEW

This report includes details about all assets, configurations and users uncovered during the network, computer endpoint and MS Cloud scanning process, organized and presented in separate Excel tabs for any use.

ASSET INVENTORY WORKSHEET

The worksheet is used to augment the asset data that was collected during the internal network scan. Details include the asset owner, acceptable use, environment, backup agent status, as well as device and asset criticality classification. The asset criticality classification is used to determine the risk to the organization in the event of a security incident where the asset’s access or availability is compromised.

COMMON CONTROLS OPERATIONAL PROCEDURES

These operating procedures are custom built and generated based on the policies that an organization has selected in the Compliance Manager GRC Policy Builder. The generated policies and procedures document the procedures and controls that are to be implemented by the organization in order to meet IT security and/or regulatory requirements. Each common control is mapped to the relevant IT security and/or regulatory requirements. Each individual policy and procedure details the description of the policy, policy guidance, the procedure to be implemented, the parties responsible, sanctions to be applied in response to failures to comply with the policy, and regulatory compliance requirements.

EXTERNAL INFORMATION SYSTEM WORKSHEET

This worksheet is used to document external information systems used by your organization. Add entries for each external information system along with a description, purpose for using the system, name of the business owner of the system, along with its criticality. Examples of external information systems include Salesforce, QuickBooks Online, and Microsoft 365.

EXTERNAL VULNERABILITY SCAN RESULTS

When a Compliance Manager GRC Site is integrated with VulScan during the Technical Review assessment process, a detailed report is generated showing security holes, warnings, and informational items, including CVSS scores, as scanned by VulScan from outside the target network. External vulnerabilities could allow a malicious attacker access to the internal network.

INTERNAL VULNERABILITY SCAN RESULTS

When a Compliance Manager GRC Site is integrated with VulScan during the Technical Review assessment process, a comprehensive report is generated including identified security holes, warnings, and informational items, including CVSS scores from VulScan’s point of view. The VulScan internal vulnerability scan operates behind the firewall to identify and expose real and potential vulnerabilities inside the network.

USER ACCESS REVIEW WORKSHEET

The worksheet is used to augment the user data that was collected during the internal network scan. Complete the worksheet to provide the additional information requested.

WINDOWS PATCH ASSURANCE


This report helps verify the effectiveness of the client’s patch management program. The report uses scan data to detail which patches are missing on the network.


©2024 National Healthcare Security Alliance. All rights reserved.