The original post: /r/cybersecurity by /u/Veloci7y_ on 2024-11-13 17:34:55.
Hi Everyone,
We currently use Knowbe4 KCM for managing our tracking of compliance requirements for HIPAA and GLBA since we're in Higher Ed. We also use it for managing our IT security risk register. KCM is being discontinued, which is a bummer because it works really well for smaller businesses. We don't need much for automation, which most other vendors seem to sell themselves on. Right now we basically use it for a risk register with about 100 items and links to a control library that we use to measure inherent vs. residual risk. We also have compliance scopes like HIPAA that track our evidence and status (met or unmet) for several hundred requirement items.
I am looking for recommendations that would be the right size for us. Most of the other options like Vanta, Zen GRC, and Drata are probably about twice as much, being from 25-50k per year. They seem to be more expensive and do more automation than we really need. I think they are really focused on organizations that are trying to do things like SOC2, which we don't need.
I really just want another system like KCM where I can have multiple risk registers with a control library and be able to track compliance requirements with our response and some minor automation. Any players out there that would meet our needs?