Security Measures
Effective starting: January 1st, 2026
Summary
Security is a fundamental aspect of KnowBe4’s services. This page provides an overview of KnowBe4’s security practices, including its certifications, policies, and the administrative, technical, organizational, and physical measures in place to protect Customer Data from unauthorized access, destruction, alteration, or misuse. These measures are aligned with industry-recognized standards for software-as-a-service providers, such as ISO 27001 and NIST SP 800-53, to ensure a high level of data protection.
Any capitalized terms used but not defined have the meanings set out in the Data Processing Addendum.
1. Access Control Measures
Policies and practices to ensure secure access to KnowBe4 assets include:
- Access Management Policy: A defined policy that outlines standards for access control, including a framework and principles for user provisioning.
- User Provisioning: Access to systems, applications, and infrastructure is granted based on job roles, adhering to the least privilege principle, and enforced through authentication processes.
- Role-Based Access Control: Access to Customer Data for KnowBe4 staff is strictly limited based on role and only on a need-to-know basis.
- Segregation of Duties: Includes access control reviews, managed security groups, and workflow controls to ensure appropriate separation of responsibilities.
- Approval and Review of User Accounts: User accounts require prior management approval before accessing data, applications, infrastructure, or network components, based on the data classification level. Access rights are reviewed periodically based on the relevant role.
- Mobile Device Management (MDM): Centrally managed MDM solutions or equivalents with defined lockout periods and posture checks for both endpoints and mobile devices.
2. Security Awareness and Training Program
Policies and practices for KnowBe4’s Awareness and Training Program include:
- Security, Privacy, and Compliance Training: Comprehensive training is provided to all employees at induction and at least annually, using various formats including online, in-person, and phishing simulations.
- Role-Specific Training: Tailored training for employees with elevated privileges to address relevant risks and enhance their expertise.
- Training Records and Reminders: All training records are managed in a designated learning system, with automated reminders and escalation for overdue training.
- Continuous Security Awareness: Ongoing security awareness initiatives for employees, contractors, and partners.
3. Audit and Accountability
Policies and practices for Audit and Accountability include:
- Logging Standards: Default logging standards are part of KnowBe4’s policy management framework.
- Security Log Monitoring: Security audit logs are monitored for unusual activity, with procedures to review and address anomalies.
- Logging Scope Updates: The scope of logged information is updated regularly to align with new features and changes.
- Time Synchronization: Time sync services from cloud providers ensure accurate timekeeping across deployed instances.
4. Assessment, Authorization, and Monitoring
Policies and practices for Assessment, Authorization, and Monitoring include:
- Audit and Assurance Policies: Extensive audit policies are reviewed and updated annually within a centralized policy framework.
- Audit Management: Covers audit planning, risk analysis, security control assessments, remediation schedules, and report reviews.
- Internal and External Audits: Annual internal and external audits assess compliance and control effectiveness.
- Compliance Verification: Ongoing verification against standards such as ISO 27001 and SOC 2 Type 2. Certain KnowBe4 products are FedRAMP Authorized for applicable customers.
- Addressing Nonconformities: Systematic handling of nonconformities through root-cause analysis, corrective actions, and tracking.
- Penetration Testing and Vulnerability Scanning: Annual penetration testing, proactive bug bounty programs, and continuous vulnerability scanning with remediation efforts.
5. Configuration Management
Policies and practices for Configuration Management include:
- Change Management: Policies covering risk management for asset changes are reviewed annually, together with standard procedures for encryption and cryptography that govern the secure handling of data.
- Centralized Policy Program: Categorizes global policies with annual review and senior management approval.
- Encryption and Endpoint Management: Policies for encryption, cryptography, endpoint management, and asset tracking in line with industry standards.
- Change Control Standards: Our change control standards require testing documentation, authorized approval, peer reviews, and successful testing for code and infrastructure changes.
- Emergency Changes: Strict post-implementation testing and approval process for emergency changes.
- Intrusion Detection System (IDS): Automated detection of, and protection against, unauthorized changes.
- Asset Tracking: Cataloguing and tracking of physical and logical assets with annual reviews to maintain accuracy.
6. Contingency Planning
Policies and practices for Contingency Planning include:
- Business Continuity and Disaster Recovery (BCDR) Plans: Defined recovery time objectives (RTOs), recovery point objectives (RPOs), and resilience controls (e.g., backups, restoration testing).
- Cyber Event Response: Procedures for response and remediation of cyber events to maintain business continuity.
- Disaster Recovery Testing: Periodic BCDR tabletop exercises and recovery validation, with post-test analyses to continuously improve BCDR strategies.
- Capacity Management: Continuous monitoring and adjustments to maintain service availability, including DDoS mitigation.
- Policy Review: Centralized annual reviews and updates for global business continuity policies.
- Backup Protocols: Robust data backup, including encryption, redundancy across data centers, and regular testing.
7. Identification and Authentication
Policies and practices for identification and authentication include:
- Unique Employee Identification: Unique identification through a centralized directory with single sign-on (SSO) for application access.
- Multi-Factor Authentication (MFA): MFA and geo-restrictions are implemented in all production environments where applicable for secure access.
- Password Policies: Password creation and management follow industry guidelines, ensuring robust security.
- Credential Security: Industry-standard encryption methods, such as AES-256, for the secure storage of credentials.
- User Account Management: Documented approvals, regular user and account reviews, and industry-standard synchronization between identity systems and HR systems to maintain data integrity.
8. Security Incident Response
Policies and practices for security incident response include:
- Incident Response Plan: Emphasizes preparedness, containment, eradication, and recovery, with a focus on data protection and regulatory compliance.
- Cross-Functional Teams: Dedicated teams manage incidents, with defined processes for triaging events and ensuring effective communication.
- Regular Testing and Reviews: Response plans are regularly tested to improve incident management effectiveness. Annual reviews are conducted to update response plans and share industry standard practices.
- Post-Incident Review (PIR): Root cause analysis for high-severity incidents to focus on systemic improvements and learning.
- Incident Response Integration: Procedures embedded in critical business processes to minimize downtime and risks.
- System Availability Information: Availability and status information are published to assist with incident reporting and response.
- Incident Reporting: Mechanism for customers to report incidents, vulnerabilities, and issues, ensuring prompt attention to security and availability concerns.
- Customer Notification: Commitment to notifying customers of security incidents without undue delay, including providing information necessary for regulatory compliance.
9. Maintenance
Policies and practices for maintaining KnowBe4 cloud products include:
- BCDR Testing: Regular testing of business continuity and disaster recovery plans, with periodic evaluations.
- Availability and Monitoring: Real-time monitoring of multiple regions and regular tests for infrastructure reliability.
- Measures Consistency: Adherence to previously established monitoring, contingency planning, and protection standards.
10. Media Protection
Policies and practices to ensure media protection include:
- Use of Reliable Third Parties: Physical infrastructure managed by trusted third-party services.
- Media Sanitization: Sanitization of used equipment according to industry standards.
- Encryption: Full disk encryption for servers, databases, and endpoint devices using AES-256.
- Secure Device Access: Bring-your-own-device (BYOD) policy restricting access to secure and compliant devices.
- Workplace Security: Unattended workspaces must have no visible confidential data, and a clean desk policy is enforced.
11. Physical and Environmental Protection
Policies and practices for physical protection include:
- Access Controls: Badge readers, camera surveillance, and time-specific access restrictions.
- Access Logs: Maintenance of access logs for investigative purposes.
- Data Center Security: Third-party data centers use compliance-certified physical security measures, such as biometric verification and controlled access points.
- Environmental Controls: Critical equipment positioned in low-risk areas and protective measures for power and telecommunications.
12. Planning
Policies and practices for operational planning include:
- Monitoring Regulatory Compliance: Active monitoring by legal and compliance teams.
- Change Communication: Communicating significant changes to key products and services to users and customers.
- Program Review: Periodic updates of the security management program.
13. Program Management
Policies and practices for program management include:
- Executive Support: Security management program supported at the executive level.
- Information Security Policies: Documented policies covering roles, risk mitigation, and service provider security management.
- Risk Assessments: Periodic risk assessments and prompt review of incidents for corrective action.
- Security Standards Compliance: Alignment with recognized standards (e.g., NIST SP 800-53, SOC 2 Type 2, ISO 27001).
- Risk Mitigation: Processes for identifying, assessing, and mitigating security risks, with executive approval.
- Security Testing: Regular security testing across various potential attack vectors.
- Program Review: Annual review and updating of the security management program.
- Staff Development: Training programs for security staff with defined roles and responsibilities.
14. Personnel Security
Policies for personnel security include:
- Background Checks: Pre-hire background checks, including criminal records where permitted by law.
- Onboarding Requirements: Confidentiality agreements, employment contracts, and policy acknowledgments during onboarding.
- Role Changes and Terminations: Processes for role changes and terminations, including de-provisioning of access.
- Security Training: Ongoing security and privacy training, including role-specific training.
- Disciplinary Actions: Established processes to manage violations of policies.
15. Personal Data Processing and Transparency
Policies for compliance with data protection laws include:
- Privacy Compliance Program: Processes to adapt to applicable data protection laws.
- Data Processing Policies: Defined categories of personal data, processing purposes, and principles.
- Pseudonymization: Methods for creating pseudonymized data sets using technical measures.
- Transparency and Documentation: Clear privacy policies, internal guidelines, and comprehensive compliance documentation.
- Secure Development: Secure development practices within our SDLC process.
- Individual Rights: Respect for individuals' rights to access, correct, and delete their data.
16. Risk Assessment
Policies for risk management include:
- Risk Management Program: Identifying, assessing, and mitigating risks.
- Standards Compliance: Policies aligned with standards such as NIST SP 800-53, SOC 2 Type 2, and ISO 27001 to mitigate organizational risks.
- Security Testing: Regular security testing, including penetration tests and bug bounties.
- Vulnerability Management: Metrics and processes for managing vulnerabilities.
- Independent Audits: Security and Data Protection evaluations through external and internal audits.
17. System and Services Acquisition
Policies for secure system acquisition and development include:
- Secure Development Life Cycle: Agile methodology with documentation for system and infrastructure changes.
- Standardized Deployment: Secure application deployment using automated processes.
- Change Management: Peer-reviewed changes, mandatory testing, and emergency change procedures.
- Source Code Security: Compliance settings to prevent unauthorized changes.
- Third-Party Libraries: Regular scanning and updating of open-source libraries.
18. System and Communication Protection
Policies for system and communication protection include:
- Encryption: Modern cryptographic mechanisms for data protection in transit and at rest.
- Network Segmentation: Separation of production and non-production environments.
- Workstation Security: Management of workstations, including encryption, security patches, and password protection.
- Access Control: Restricting access to authorized users via MDM, VPN, single sign-on (SSO), IP restrictions, and firewalls, where applicable.
- Customer Data Segregation: Measures to logically or physically segregate Customer Data.
19. System and Information Integrity
Policies for system and information integrity include:
- Vulnerability Management: Ongoing scans to identify and remediate vulnerabilities.
- Data Disposal: Adherence to data disposal protocols to ensure irrecoverable deletion.
- Data Segregation: Policies and technical measures prevent use of production data in non-production environments.
- Log Management: Managed, read-only system logs with retention aligned with industry standard practices.
- Anti-Malware: Deployment of anti-malware strategies across infrastructure.
20. Supply Chain Risk Management
Policies for supply chain risk management include:
- Vendor Management Framework: Security, availability, and confidentiality standards for suppliers.
- Third-Party Risk Assessments: Risk assessments, due diligence, and monitoring throughout the vendor lifecycle.
- Contract Review: Review of contracts, SLAs, and security measures by dedicated teams.
- Supplier Inventory: Inventory of all suppliers with risk level assessments.
- Audit Reviews: Yearly audit reviews (e.g., SOC 2) and assessments of supply chain security controls.