Information security policies are the bedrock of all cybersecurity compliance certifications, audits, and assessments. Without a central system for documenting these policies, maintaining mappings to security controls, and managing review cycles, approval workflows, and distribution, you will spend countless hours on follow-ups and redundant work.
The Policies section allows you to create, edit, manage and link your organization’s policies to controls and framework objectives within the platform. If you don’t currently have written policies or have gaps in your policy portfolio, you can create new policies from our pre-existing templates to speed up your audit and ensure compliance. You can also upload your existing policies and update them accordingly if they have become antiquated over time.
Starting From Scratch
If you haven’t quick-started a framework from the My Frameworks section, the Policies section will be blank. We generally recommend quick-starting frameworks, but if you’d rather take a more hands-on approach with your policies, you can manually create them.
1. Select Policies from the sidebar.
2. Click the Create Policy button to open the “Create a new Policy” widget.
3. Give your policy a name in the Policy Name field.
4. Select “Manage in Control Map,” “Upload as a document” or “Provide a link to an external system” from the “How do you want to setup your policy” dropdown menu. “Manage in Control Map” creates a new policy within the platform from one of our templates. Select “Upload as a document” if you would like to upload a copy of one of your policies. If your policies are stored in third-party software, select “Provide a link to an external system.”
5. If you select “Manage in Control Map,” you’ll need to select a template from the “Select a prebuilt policy to import content” dropdown menu.
6. Select the Save button to create your policy.
Working with Policies After Quick Start
If you’ve Quick Started a framework in ControlMap, your Policies section will look something like this after the Quick Start process has completed:
Quick Starting a framework automatically maps policies to the relevant controls, and from the Policies view, you can also see the objectives associated with the policies. Hovering over the hyperlinks in the Objectives and Controls columns will show a summary of what the Objectives and Controls entail. Clicking on the hyperlinks will open a new tab showing where the Controls and Objectives are housed in the Command Center.
Editing and Updating Policy Language
After creating your policies, you can edit the language and add additional detail within the Policies Editor.
Select the hyperlinked title of the policy to open the Policies Editor.
If you’d like to edit the text used in any of the sections within the policy, select the text box and edit to your liking. To save your changes, click the Save button.
The Properties sidebar within the Policy Editor lets you manage different aspects of the policy within your team.
- Policy Type - Covered in Step 4 of the Starting From Scratch section of this article. Manage in ControlMap is the most common.
- Status - This can be updated periodically to reflect the review status of the policy. When you select "Ready for Approval," a notification email will be sent to the designated Approver.
- Owner - The primary editor of the policy who will be doing most of the draft work.
- Team - The group that will oversee the policy.
- Approver - The HR Supervisor, IT Department Lead or Auditor who will decide if the policy is ready.
- Contributors - Others who may help the Owner with finalizing the policy.
- Review Date - The formal review date to determine if the policy is complete.
- Add Tags - Add any relevant tags to the policy to make it searchable and easier to reference.
You can map a policy to existing controls and framework objectives from the Mappings section. These will likely be auto-mapped if you used Quick Start, but if you created a policy from scratch, this is a necessary action.
- Select the Mappings icon on the right side of the screen in the Policy Editor.
- Search for the title of the Control or Framework objective (or a key term in either), and then select to link them to the policy.
Comments, Activities and Watchers
You can add comments to the policy via the Comments section of the sidebar. Type your comment in the Start typing your comment... field and then select the Add Comment button to add it to the list. Other users in the Command Center will then be able to view your comments in this section.
The Activities section will detail the changes made to the policy over time.
The Watchers section allows you to add "Watchers" to the policy who will be notified via email when changes are made. You can add yourself by selecting the Start Watching button, and add others via the Add watchers field.
If you have any questions about our Policies functionality that aren't covered in this article, please contact email@example.com for additional assistance.