Reports

No Two Reports Are Alike!

All of our reports are fully brandable. Pick from several different report style templates, change the colors to match your corporate style, select from a large library of stock images for your report covers or upload your own, and even edit the documents.

If you want to pull out just a specific chart or report section, they are all in standard MS Word format, so you can copy and paste any items into other documents.

Get Access to All Reports

Fill out the form below to access our Sample Reports page, where you can download samples of any report.

Please use your business email.

Key Report Features

  • All of our reports are fully brandable. On our sample reports, we have dropped in placeholder branding elements to demonstrate where and how the branding elements show up.
  • You can pick from several different report style templates, change the colors to match your corporate style, select from a large library of stock images for your report covers or upload your own, and even edit the documents.
  • If you want to pull out just a specific chart or report section, they are all in standard MS Word format, so you can copy and paste any items into other documents.

 

Click on the tabs below to see our report thumbnails and descriptions. To gain access to samples of all our reports, complete and submit the form above.

Dashboard Reports

Compliance Manager GRC - All Employees Policy Acceptance Status Report Sample - Screenshot

All Employees Policy Acceptance Status Report

Compliance Manager GRC includes the ability to upload any number of policies or other HR-related documents into a self-serve web-based portal that employees can log-into, read and review the documents, and attest to agreement with the contents. This dashboard report presents a summary of Employee Policy Acceptance results recorded for all employees of a given organization. Information is continually tracked and updated in real time in the Compliance Manager GRC Site’s Employee Tracker Dashboard.

Compliance Manager GRC - All Vendor Assessments Status and Results Printable Report - Screenshot

All Vendors Assessments Status and Results Report

Whether you are compelled to track vendor compliance with specific IT requirements, or just do it as a matter of following best practices, Compliance Manager GRC gives you the ability to assign to your vendors specific sets of requirements — including any standards that you must adhere to. You can monitor progress for all your vendors in one place in the Compliance Manager GRC vendor portal dashboard, and print out this report at any time.

Controls Assessment Report

Presents a summary of the Controls Assessment responses and results as displayed in the Controls Assessment Dashboard.

Rapid Baseline Assessment Report

This report presents a summary of the Rapid Baseline Assessment responses and results as displayed in the Rapid Baseline Assessment Dashboard.

Requirements Assessment Report

This report presents a summary of the Requirements Assessment responses and results as displayed in the Requirements Assessment Dashboard.

Vendor Risk Assessment Dashboard Report

Quickly and easily print out what you see on the Vendor Risk Management Report.

Vendor Risk Excel Export Report

Want to take the results of your vendor risk assessment and work on them in Excel? No problem. You’ll get the summary results in one tab, and individual line itme results in another.

Policies & Procedures Reports

CIS CONTROLS IG1 – POLICIES AND PROCEDURES

Implementation Group 1 (IG1) is the definition of basic essential cyber hygiene. IG1 represents an emerging minimum standard of information security and of protection against common attacks for all. This document includes all of the policies and procedures required to be in alignment with IG1.

CIS CONTROLS IG2 – POLICIES AND PROCEDURES

Implementation Group 2 (IG2) is for enterprises that employ individuals who are responsible for managing and protecting IT infrastructure. IG2 is comprised 74 additional Safeguards and builds upon the 56 Safeguards identified in IG1. This document includes all of the policies and procedures required to be in alignment with IG2.

CIS CONTROLS IG3 – POLICIES AND PROCEDURES

IG3 assets and data contain sensitive information or functions that are subject to regulatory and compliance oversight.IG3 is comprised of an additional 23 Safeguards, and is the framework to use for maximum IT security. It builds upon the Safeguards identified in IG1 and IG2, and includes all 153 Safeguards included in the CIS Critical Security Controls. This document includes all of the policies and procedures required to be in alignment with IG3.

CMMC 2.0 – LEVEL 1 – POLICIES AND PROCEDURES

Organizations that are implementing CMMC 2.0 Level 1 security controls must create and implement a set of policies and procedures used to implement CUI data security based upon the CMMC 2.0 – Level 1 IT Security Framework.

CMMC 2.0 – LEVEL 2 – POLICIES AND PROCEDURES

Organizations that are implementing CMMC 2.0 Level 2 security controls must create and implement a set of policies and procedures used to implement CUI data security based upon the CMMC 2.0 – Level 2 IT Security Framework.

Cyber_Essentials_Policies_and_Procedures_truncated

CYBER ESSENTIALS – POLICIES & PROCEDURES

Organizations that implement the Cyber Essentials (Plus) controls must create and implement a set of policies and procedures that are used to certify and protect businesses against the growing threat of cyber-attacks. The report gathers the necessary evidence to have the Cyber Essentials (Plus) certification completed with real data. The certification defines a focused set of controls which provide clear guidance on basic cyber security for organizations of all sizes and offers a sound foundation of cyber security measures that can be implemented at a low cost.

CYBER INSURANCE READINESS – POLICIES & PROCEDURES

Cyber-insurance is a specialty insurance product intended to protect businesses from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities. Compliance Manager GRC is the first software solution that allows cyber-insurance policyholders to systematically provide compliance policy and procedure documentation, which is the foundation of any compliance program, both in terms of organization and management of the program.

Essential_8_Maturity_Level_1_thumb

ESSENTIAL 8 MATURITY LEVEL 1 – POLICIES & PROCEDURES

Organizations that implement the Essential 8 controls must create a set of policies and procedures that are used to certify and protect Australian businesses against the growing threat of cyber-attacks. The report gathers the necessary evidence to have the organization follow the Essential 8 framework maturity scale, which is comprised of three levels. This report details the alignment with Maturity Level One.

ESSENTIAL 8 MATURITY LEVEL 2 – POLICIES & PROCEDURES

Organizations that implement the Essential 8 controls must create a set of policies and procedures that are used to certify and protect Australian businesses against the growing threat of cyber-attacks. The report gathers the necessary evidence to have the organization follow the Essential 8 framework maturity scale, which is comprised of three levels. This report details the alignment with Maturity Level Two.

ESSENTIAL 8 MATURITY LEVEL 3 – POLICIES & PROCEDURES

Organizations that implement the Essential 8 controls must create a set of policies and procedures that are used to certify and protect Australian businesses against the growing threat of cyber-attacks. The report gathers the necessary evidence to have the organization follow the Essential 8 framework maturity scale, which is comprised of three levels. This report details the alignment with Maturity Level Three.

EU NIS2 DIRECTIVE – POLICIES & PROCEDURES

The European Union (EU) NIS2 Directive regulations require that businesses identified by the EU Member States as operators of essential and important services in a number of industry sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents.

FTC SAFEGUARDS RULES STANDARDS AND CONTROLS – POLICIES AND PROCEDURES

Organizations that are implementing Federal Trade Commission’s Standards for Safeguarding Customer Information – the Safeguards Rule, for short – must create and implement a set of policies and procedures used to implement the necessary security controls based upon the requirements of the Rule. This policies and procedures manual includes all of the standard provisions of the regulation.

EU_GDPR_Policies_and_Procedures-thumbnail

GDPR — EU CONTROLLER AND PROCESSOR – POLICIES AND PROCEDURES

One of the first requirements is to have a set of policies and procedures used to implement Personal Data privacy protection, security, and compliance with EU GDPR.

GDPR — UK CONTROLLER AND PROCESSOR – POLICIES AND PROCEDURES

One of the first requirements is to have a set of policies and procedures used to implement Personal Data privacy protection, security, and compliance with UK GDPR.

HIPAA BREACH NOTIFICATION RULE – POLICIES AND PROCEDURES

A third requirement is to have a set of policies and procedures used to implement procedures to notify individuals and the HHS Secretary of PHI breach events experienced by the organization and compliance with the HIPAA Breach Notification Rule.

HIPAA PRIVACY RULE – POLICIES AND PROCEDURES

A second requirement is to have a set of policies and procedures used to implement PHI privacy protection and compliance with the HIPAA Privacy Rule.

HIPAA SECURITY RULE – POLICIES AND PROCEDURES

One of the first requirements is to have a set of policies and procedures used to implement ePHI data security and compliance with the HIPAA Security Rule.

ISO 27002 – Policies and Procedures

An ISO 27002 Policies and Procedures document provides a comprehensive framework for organizations aiming to align with ISO 27002 standards. It encompasses a wide range of policies, rules, and procedures necessary to safeguard sensitive data and mitigate cybersecurity risks effectively. By outlining specific controls across organizational, people, physical, and technological aspects of security, this document empowers employees at all levels to adhere to best practices. Additionally, it serves as a valuable resource during audits, enabling organizations to demonstrate their commitment to information security and regulatory adherence to external stakeholders.

Kaseya Cybersecurity Fundamentals – Policies and Procedures

Policies and Procedures for Kaseya Cybersecurity Fundamentals, our entry level standard that offers a set of common controls, are derived from (NIST CSF). This ensures that businesses are aligned with industry recognized best practices.

NIST 800-171 – POLICIES AND PROCEDURES

Organizations that are implementing NIST SP 800-171 IT security requirements must create and implement a set of policies and procedures used to implement the necessary security requirements based upon the NIST SP 800-171 IT security requirements.

NIST CSF 2.0 – POLICIES AND PROCEDURES

Organizations that are implementing NIST Cyber Security Framework 2.0 controls must create and implement a set of policies and procedures used to implement the necessary security controls based upon the NIST Cyber Security Framework.

CMGRC - NYS DFS - Policies and Procedures

NYS DFS PART 500-23 – POLICIES & PROCEDURES

The New York State Department of Financial Services (NYDFS) requires that all covered entities maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of their information systems.

PCI DSS SAQ A – POLICIES AND PROCEDURES

To fully comply with the PCI DSS standard, three critical documentation areas are needed: policies, standards, and procedures. SAQ-A is for e-commerce/mail/telephone-order (card-not-present) merchants which have completely outsourced all cardholder data functions.

PCI DSS SAQ A EP – POLICIES AND PROCEDURES

To fully comply with the PCI DSS standard, three critical documentation areas are needed: policies, standards, and procedures. SAQ-A-EP is for e-commerce-only merchants that rely on third-party service providers to handle card information, and which have a website that doesn’t process credit card data but could impact the security of the payment transaction.

PCI DSS SAQ B IP – POLICIES AND PROCEDURES

To fully comply with the PCI DSS standard, three critical documentation areas are needed: policies, standards, and procedures. SAQ-B-IP is for merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, and which do not store electronic cardholder data.

PCI DSS SAQ C – POLICIES AND PROCEDURES

To fully comply with the PCI DSS standard, three critical documentation areas are needed: policies, standards, and procedures. SAQ-C is for any merchant which utilizes a payment application connected to the internet, but with no electronic cardholder data storage.

PCI DSS SAQ C VT – POLICIES AND PROCEDURES

To fully comply with the PCI DSS standard, three critical documentation areas are needed: policies, standards, and procedures. SAQ – C-VT is for merchants which utilize a virtual terminal on one computer dedicated solely to card processing, and which do not store electronic cardholder data. This is not for e-commerce activities.

PCI DSS SAQ P2PE – POLICIES AND PROCEDURES

To fully comply with the PCI DSS standard, three critical documentation areas are needed: policies, standards, and procedures. SAQ – P2PE is for merchants that process account data only via a validated PCI-listed P2PE solution.

PCI DSS SAQ SPOC – POLICIES AND PROCEDURES

To fully comply with the PCI DSS standard, three critical documentation areas are needed: policies, standards, and procedures. SAQ – SPoC is for merchants that use commercial off the shelf mobile device (for example, phone or tablet) with a secure card reader that is part of a PCI SSC validated SPoC Solution to process cardholder data.

POPIA Chapter 3 – Part A – Condition 7 – Security Safeguards-thumb

POPIA CONDITION 7 SECURITY SAFEGUARDS – POLICIES AND PROCEDURES

The South Africa Protection of Personal Information Act (POPIA) applies to any person or organization that keeps any type of personal information. The policies and procedures manual provides guidelines for all of Chapter 3 – Part A – Condition 7 – Security Safeguards, sections 19, 20, 21, and 22.

SOC-2-Trust-Services-Criteria-Policies-and-Procedures-thumb

SOC 2 TRUST SERVICES CRITERIA – POLICIES AND PROCEDURES

This policies and procedures manual includes all of the Trust Services Criteria that must be met in order to meet the requirements of a SOC 2 exam. Users are able to make modifications to the standard procedures to more closely align with their own specific methodologies. Any modifications made inside Compliance Manager GRC, will automatically update the associated Policies & Procedures document.

Primary Reports

Assessor’s Checklist

The Assessor’s Checklist gives you a high-level overview of how well the organization complies with the specific standard being managed. A separate Auditor’s check list can be generated for any Standard — whether from one of the built-in government and industry templates, or your own custom set of Requirements and Controls. The checklist details specific compliance items, their status, and helpful references. Use the checklist to quickly identify potential issues to be re-mediated in order to achieve compliance.

Plan of Actions and Milestones Report

This report is a dynamic project plan spreadsheet document, fed by Compliance Manager GRC, that includes separate tabs of Technical Issues, Control Issues and Standards Issues. It’s prepopulated with the issue (weakness), how it was identified, along with the Control ID and description. Use this document as a simple project planner to fully implement an IT security framework and/or attain regulatory compliance.

Technical Assessment - Technical Review

Technical Assessment Report

This report includes details about all Windows and macOS assets, configurations and users uncovered during the network, computer endpoint and MS Cloud scanning process.

Technical Risk Analysis - Technical Review

Technical Risk Analysis Report

Identifies what protections are in place and where there is a need for more. It includes a list of items that must be remediated to ensure the security and confidentiality of sensitive data at rest and/or during its transmission.

Technical Risk Treatment Plan - Technical Review

Technical Risk Treatment Plan

This report prioritizes the discovered IT security risks and provides recommendations on remediation steps.

Your-Standard-Full-Assessment-Assessment-Report-thumb

Your Standard- Full Assessment Report

This report can be generated from the requirements assessment for any standard you are managing. It. compiles compliance information from automated scans, augmented data, and questionnaires. gathers evidence into one document to back up Assessor Checklist with real data.

Specialty Reports

Compliance Manager GRC - NIST SP 800-171 DoD Assessment Score Report - Screenshot

CMMC NIST SP 800-171 Scoring Report

Even though CMMC 2.0 has been launched, US Department of Defense still requires all subcontractors to perform a self-assessment against the NIST SP 800-171 requirements, and to score themselves based on a specific set of rules. Compliance Manager GRC includes the 800-171 assessment standard and automatically scores the assessment based on the DOC rules. This report provides the automically completed scorecard plus all back-up as supporting evidence in the event of an audit.

Compliance Manager GRC – Datto Unified Continuity Report

The Datto Unified Continuity Report, the first (and currently only) report that consolidates backup data from all four Datto Continuity services, including Siris and Alto (BCDR), Cloud Continuity for PCs (CC4PC), and Datto Continuity for Microsoft Azure (DCMA). This new report, available only through Network Detective Pro, consolidates back-up information from all four Datto products and summarizes it in a unified, brandable report that can be presented to managers and executives as evidence of the otherwise “hidden” back-up activities.

drive-encryption-report-thumbnail

Drive Encryption Report

Encryption is such an effective tool used to protect data that if an encrypted device is lost then it does not have to be reported as a data breach. The Disk Encryption Report identifies each drive and volume across the network, whether it is fixed or removable, and if Encryption is active.

file-share-identification-worksheet-thumb

File Share Identification Worksheet

The File Share Identification Worksheet takes the list of network shares gathered by automated network data collection and lets you identify those that store or access Sensitive Data. This is an effective tool in developing data management strategies including secure storage and encryption. This worksheet is used to document if identified network file share are “authorized” to store Sensitive Data.

LINUX COMPUTER PATCH ASSURANCE REPORT

The Linux Computer Patch Assurance Report helps verify the effectiveness of the client’s patch management program. The report uses scan data to detail which updates are missing on Linux computers operating within the network.

macOS-Computer-Patch-Assurance-Report-thumb

macOS Computer Patch Assurance Report

The MacOS Patch Assurance Report helps verify the effectiveness of the client’s patch management program. The report uses scan data to detail which updates are missing on MacOS computers operating within the network.

security-policy-assessment-thumbnails

Security Policy Assessment

This report provides a detailed overview of the security policies which are in place on both a domain wide and local machine basis.

Sensitive Data Assessment Worksheet

This report lists computer assets on the network that appear to be storing Sensitive Data. For each computer listed in this worksheet each entry references the Wi-Fi enabled status and whether ePHI, Cardholder Data (PCI DSS), GDPR Personal Data, and/or Personally Identifiable Information (PII) was detected. Upon completion of the Sensitive Data Assessment all computers assigned the a “Sensitive Data Storage Authorization” status of “”Authorized”” will be listed in this supporting document.

Sensitive Data Assessment Worksheet - Sample Report-thumbanail

Sensitive Data Assessment Worksheet – (Datto Workplace)

Sensitive Data Assessment Worksheet lists computer assets on the network that appear to be storing Sensitive Data. Each computer will be listed if ePHI, Cardholder Data (PCI DSS), GDPR Personal Data, and/or Personally Identifiable Information (PII) was detected as being stored on the computer.

sensitive-sata-file-scan-report-thumbnail

Sensitive Data File Scan Report

Sensitive Data File Scan Report identifies specific types of personal data stored on computers, servers, and storage devices. It does not read the files or access them, but just looks at the title and file type. This report is useful to identify local data files that may not be protected.

Sensitive-Data-File-Scan-Report-Sample-Report-thumb

Sensitive Data File Scan Report (Datto Workplace)

The File Scan Report identifies data files stored on computers, servers, and storage devices. It does not read the files or access them, but just looks at the title and file type. This report is useful to identify local data files that may not be protected.

Share-Permission-Report-thumbnail

Share Permission Report

Comprehensive lists of all:

  1. network “”shares”” by computer, detailing which users and groups have access to which devices and files, and what level of access they have.
  2. Organizes permissions by user, showing all shared computers and files to which, they have access.
Compliance Manager GRC - System Security Plan - Screenshot

System Security Plan

The System Security Plan (SSP) is a requirement of CMMC 2.0, and can be used to as a formal document to support many other standards and frameworks. This formal report provides an overview of the security requirements for your information system and describes the security controls in place or planned for meeting those requirements.

Unitrends Intergration Report - Screenshot

Unitrends Integrations Report

This report provides details on the latest backup statuses from Unitrends, which consolidates multiple backup solutions, and is designed to provide documentation of backup activity and assurance of backups. Data for this report is imported directly into the Compliance Manager GRC site data from the Unitrends console.

Supporting Reports

Application Inventory Worksheet

This worksheet is used to document the “criticality” of the applications identified as being installed on the computer endpoints operating within the network.

Asset Inventory Review

Includes details about all assets, configurations and users uncovered during the network, computer endpoint and MS Cloud scanning process organized and presented into separate tabs in Excel for any use.

Asset Inventory Worksheet

The worksheet is used to augment the asset data that was collected during the internal network scan. Details include the asset owner, acceptable use, environment, backup agent status, as well as device and asset criticality classification. The asset criticality classification is used to determine the risk to the organization in the event of a security incident where the asset’s access or availability is compromised.

Common Controls Operational Procedures

These operating procedures are custom built and generated based on the policies that an organization has selected in Compliance Manager GRC Policy Builder. The generated policies and procedures document the procedures and controls that are to be implemented by the organization in order to meet IT Security and/or regulatory requirements. Each common control is mapped to relevant IT security and/or regulatory requirements. Each individual policy and procedure details the description of the policy, policy guidance, procedure to be implemented, the parties responsible, sanctions to be applied in response failures to comply with the policy, and regulatory compliance requirements.

External Information System Worksheet

This worksheet is used to document external information systems used by your organization. Add entries for each external information system along with a description, purpose for using the system, name of the business owner of the system, along with its criticality. Examples of external information systems include Salesforce, QuickBooks Online, and Microsoft 365.

External Vulnerability Scan Results

When a Compliance Manager GRC Site is integrated with VulScan during the Technical Review assessment process, a detailed report is generated showing security holes and warnings, informational items including CVSS scores as scanned by VulScan from outside the target network. External vulnerabilities could allow a malicious attacker access to the internal network.

Internal Vulnerability Scan Results

When a Compliance Manager GRC Site is integrated with VulScan during the Technical Review assessment process, a comprehensive report is generated including identified security holes and warnings, and informational items including CVSS scores from VulScan’s point-of-view. The VulScan internal vulnerability scan operates behind the firewall to identify and expose real and potential vulnerabilities inside the network.

User Access Review Worksheet

The worksheet is used to augment the user data that was collected during the internal network scan. Complete the worksheet to provide the additional information requested.

Windows Patch Assurance

This report helps verify the effectiveness of the client’s patch management program. The report uses scan data to detail which patches are missing on the network.