This comprehensive how-to guide walks you through setting up the Ostendio training module, selecting KnowBe4 training videos, and rolling them out to your users.
Topics Covered in This Guide
- Setting Up Your Training User Groups
- Ostendio Training Module Setup
- Recurring Audit Tasks for Audit Compliance
- KnowBe4 Setup steps
Ostendio Setup
Ostendio can be used to meet the awareness and training requirements of most security framework audits.
This guide will show you how to make the most of your Ostendio platform to consistently manage and measure compliance with your awareness and training requirements.
This guide will use the following Ostendio features:
- User Groups (Dynamic)
- Training
- Audit tasks
Dynamic User Group Steps
The first task is to Create a Dynamic User Group for each department in your organization, if you are planning to roll out role-based training. If you are not ready for role-based training, you still need to create at least 1 Dynamic User Group, and you can call it “All Staff” or “All Employees.”
We recommend the following groups to start with:
- All Employees
- Engineering or Software Development
- Security Operations/SIRT
- Executive Training (optional)
- HR (optional)
- Contractors (optional, could be included in All Staff/Employees)
Pro Tip: It is helpful to have a dynamic group created for each of your departments for ease of assignment to role-specific documents, assets, access control decisions, and audit tasks.
- Scroll down to the Settings menu and select Groups
- In the top right-hand corner, click on the Add Group icon
- Enter the Name of your Group
- Select Dynamic (not static!)
- Add a description of your group (optional)
- Create All User Group Dynamic Group:
- Filter by: Status = Active
- NOTE: This way the group will update automatically when you activate a new user or deactivate a terminated user.
- Click Preview to validate all the correct users are in the All User Group
- Click Save when finished
- Create Department Groups
- Start group with filter status by Active
- Click on +Add Another Condition
Ostendio Training Module Steps
Once training user groups are set up, the next step is to set up the Ostendio training module to deploy and track user participation within Ostendio.
Once the training deployment structure is set up within Ostendio, we will log into KnowBe4 to select the training videos and associate them with the Ostendio training modules.
1. Go to the Ostendio training module and select Manage Training:
2. In the top right-hand corner click on the Add New Training button:
3. Go to the details and fill out the following fields:
- Name: Create a name for your training session.
- Hint: You can group multiple KnowBe4 modules into one training if they are related, such as “Annual Awareness Training”, or you can do a separate training for each KnowBe4 module if they are scheduled at separate times or for separate purposes.
4. Priority: You can assign a priority to your training module depending on your own priority for this training, for example you might rate Annual Awareness Training as high priority because it is an audit requirement. The default is medium priority.
5. Training Description: We recommend that you include a brief description of the purpose of the training or the topics covered in the training. If you are pressed for time, it is acceptable to copy the title of the KnowBe4 training.
- Pro Tip: You can include the following text in the Training description section: Click the link under Training Materials to take the KnowBe4 2022 Security Awareness Training. Upon completion, download the completion certificate from KnowBe4 and attach the certificate in Ostendio. (Pro Tip: Add the KnowBe4 link to your bookmarks as all training starts from that page)
7. If KnowBe4 has a video module for the topic you would like to roll out training for, include the following link in that box: https://training.knowbe4.com/enrollments
8. If you want to roll out customized training content that is specific to your organization, such as specific BCP or Incident Response process training, you can upload the document, PowerPoint or video content that you have created instead. (If you need help creating this content, let us know!)
9. Lastly, scroll down to the Access Control section as shown below:
Assign your consumers: This is the dynamic group or groups required to take the training.
- You can include instructions to the consumer, such as the Pro-tip.
- We recommend that you check the box to require consumers to Acknowledge Completion of Training.
- You can also edit the acknowledgement text or leave the default text as-is.
10. In the Submission Settings section, you will set the training frequency, interval, first due date, availability date, ends on date, late submission settings, and new user assignment settings.
- Set the frequency for how often you want the training to occur: we recommend annually (yearly) at minimum for compliance purposes, but studies show that shorter quarterly or monthly trainings have more consistent results in impacting staff behavior.
11. Lastly, in the Links section, select any applicable Organizations, Projects, and Tags.
Click Create Training
12. Once you have created the training it will be set as a draft.
Click on the Create Quiz link as shown below:
13. Click Add Quiz Question, and add the Pass Rate. It can be 100% or you can set it to 80% or another value to align with your training program policy.
14. Select Add New Question
15. Once you save, Click on Publish Training as shown below:
Audit Task Steps
We recommend using the Ostendio Audit Tasks as a mechanism to drive updates of your awareness program. Most security frameworks recommend training your staff at least annually, if not more often.
We recommend that you select the frequency that you want to roll out your training (e.g. annually, quarterly, monthly) and then set up an audit task to remind you to review the current set of training modules that you have set up, update them as needed to address your awareness risks and priorities, and then roll them out to your users.
Set up Audit Task
1. Go to the Audit Task icon in the left column
2. Click on Manage Audit Tasks
4. Enter a Name for your Audit Task
- Recommended Name: Annual Review of Security Awareness Program
5. Complete Audit Information
- The audit number is an optional field for you to use if you want to track audit tasks; some organizations include the year or year-month as part of the identifier or point to a control ID or category if your task is related to a specific framework.
- Audit Descriptions: Recommended description:
- Review last year's training program.
- Validate whether these are the modules you want to run against this year, or if KnowBe4 has new modules that may be of interest
6. Submit Audit task as “Compliant”
7. Go to Ostendio Training Module
- Follow the steps in the “Adding Training Material to be included in campaign” section under KnowBe4 Setup below to roll out your new training modules, if any
- Remove any outdated modules
- Task scheme: This allows you to define whether your task is owned by a specified individual or defaults to the owner of the object that is being audited.
- If you select Individual, the task will automatically be assigned to the owner of the asset or process being audited.
- If you select Collective, then the owner of the audit task will be assigned as the project manager to follow up with the owners of the individual assets or processes being audited.
- Select the frequency for your audit task - at minimum annually but consider whether shorter, quarterly trainings may benefit your organization.
- What date do you want this audit to start?
12. To view upcoming due dates, click on: Show upcoming task due dates from the right-side menu.
13. This opens a pop-out that displays the upcoming due dates.
- Example below: use this to confirm your schedule is running as expected.
- Select this option to allow your users to submit tasks past their original due date. This is recommended so that your users can complete tasks within the assigned cycle.
- Select this option if you want users to verify their identity using 2FA electronic signature when submitting their assigned audit tasks.
- Allow late submissions
- Allow multiple submissions
- Choose what message your user is required to attest to when submitting an audit task.
- Compliance certification text is for submissions with no issues to report.
- Non-compliance certification text is for submissions with issues to report.
Option 2: Customize Certification Text
- Type in your personalized certification text for compliance and non-compliance.
- Select the items that are related to the audit task:
- Select the items such as: Asset, Training, etc.
- Click Submit
- Access control to an Audit designates who has read/write access to the overall audit details and can review task submissions.
- Owner: This person owns the task and submission.
- Custodians: These are people who are able to edit this Audit and upload files. They are not able to submit the audit task.
- Consumers: These people have view access only.
- Adding collections allows you to associate your Audit with an Ostendio Project entity.
- Smart tags are tied to the organization's Compliance/Regulatory Standard Requirements selections in the Corporate Profile.
- Add documents to Audit Task, when applicable
KnowBe4 Setup
A KnowBe4 Training Campaign needs to be created in order for the KnowBe4 Training Material to be deployed through Ostendio. This configuration needs to be completed in the KnowBe4 Console. Before a campaign can be deployed, Users must be added and Groups created. Training Material must also be selected and added to your KnowBe4 Library.
Adding Users and Groups to KnowBe4:
KnowBe4 has extensive step-by-step instructions on how to add or import Users as well as set up groups in your console. We recommend using the Users and Groups resources from the KnowBe4 Knowledge base, here: Creating Users and Groups in KnowBe4
Pro Tip: *THE USERS ADDED TO KnowBe4 SHOULD MATCH THE USERS IN Ostendio*
Pro Tip: *Import First Name and Last Name, not just email so that the name appears in the certificate of completion for each training.*
Adding Training Material to be included in campaign:
1. Navigate to the Modstore.
2. Find training material by browsing content types, topics, or by using the search function. Reach out to your Ostendio representative for suggestions on recommended trainings if you would like hints on where to start.
3. Click on the training material to be used in a Training Campaign.
4. This will provide you with an introduction to the training material, and allow you to ‘Add To Library.’ Click Add to Library.
5. Once the content has been added to your library, you are now ready to set up the campaign to deploy it to Users.
Creating a Training Campaign in KnowBe4
To create a training campaign, log in to your KnowBe4 console and click the Training tab. Then, click the +Create Training Campaign button at the top-right corner of the page. Once you click this button, you will see the Create New Training Campaign page.
1. Complete the ‘Campaign Name,’ ‘Content,’ and ‘Enroll Groups’ fields as they are required to deploy the campaign. If all KnowBe4 Users are required to complete the training, select All Users in the Enroll Groups field. If only certain groups are required, select the Specific Groups option.
2. Determine a start date as well as any additional campaign settings. Be sure to have your start date set for a date coinciding with or following the publication of the training in Ostendio.
Pro Tip: *ENSURE THAT THE USERS BEING ASSIGNED TO THE TRAINING IN KnowBe4 MIRROR THE CONSUMERS ASSIGNED TO THE TRAINING IN Ostendio AND VICE VERSA*
3. Choose the training content to be deployed from the ‘Content’ field. This dropdown will allow you to select material that has been previously added to your KnowBe4 Library.
4. Once all required campaign settings are customized for your training, click ‘Create Campaign.’
5. Additional assistance to help set up Training in KnowBe4 can be found in the KnowBe4 Knowledge Base, here: Creating and Managing Training Campaigns in KnowBe4
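The Pro Tips above (users in KnowBe4 should match the users in Ostendio, and first and last names should be imported for certificates) can be checked before a campaign launches by comparing user exports from both systems. The script below is an added example, not part of the original guide or either vendor's tooling; the CSV column names and the sample rows are constructed assumptions to adjust to your real exports.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions, not either
# product's documented export format; adjust them to your real files.
OSTENDIO_CSV = """email,status
alice@example.com,Active
Bob@Example.com ,Active
carol@example.com,Inactive
dave@example.com,Active
"""

KNOWBE4_CSV = """Email,First Name,Last Name
alice@example.com,Alice,Nguyen
bob@example.com,,
carol@example.com,Carol,Diaz
erin@example.com,Erin,Shah
"""


def norm(email):
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return email.strip().lower()


def reconcile(ostendio_csv, knowbe4_csv):
    # Only Active users are members of the "All Employees" dynamic group.
    active = {
        norm(r["email"])
        for r in csv.DictReader(io.StringIO(ostendio_csv))
        if r["status"].strip().lower() == "active"
    }
    kb4 = {norm(r["Email"]): r for r in csv.DictReader(io.StringIO(knowbe4_csv))}
    return {
        # Assigned in Ostendio but has no KnowBe4 account to take the course.
        "missing_in_knowbe4": sorted(active - set(kb4)),
        # In KnowBe4 but not an active Ostendio consumer
        # (for example, a deactivated user who was never removed).
        "extra_in_knowbe4": sorted(set(kb4) - active),
        # Completion certificates for these users would lack a full name.
        "missing_name": sorted(
            e for e, r in kb4.items()
            if not r["First Name"].strip() or not r["Last Name"].strip()
        ),
    }


if __name__ == "__main__":
    for finding, users in reconcile(OSTENDIO_CSV, KNOWBE4_CSV).items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```

Any address reported under the first two findings means the KnowBe4 enrollment and the Ostendio consumer list have drifted apart and completion evidence will be incomplete for the audit.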