Create a policy statement

A policy statement is an objective, direction, or standard that acts as guidance for company interactions and operations. Policy statements can be categorized, classified, and related to policies.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager

Procedure

  1. Navigate to Policy and Compliance > Policy Statements.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Table 1. Policy Statement
    Field | Description
    Name* | The name of the policy statement.
    Source | A non-editable field with the source of the policy. For example, if the statement is from the UCF import, the source is UCF.
    Source ID | The unique identification number used by the source to catalog this authority document.
    Reference | A unique numerical identifier.
    Policy | The parent policy containing the policy statement. If you create a policy statement from within a policy, this field is automatically filled.
    Parent | The parent policy statement.
    Active | A policy is marked active if it is not in the Draft or Retired state.
    Creates controls automatically | Check box indicating that controls are automatically created from the policy statement.
    Note: Select this option if the policy statement can also serve as the control.
    Category | Select from a list of options:

    • Acquisition or sale of facilities, technology, and services
    • Audits and risk management
    • Compliance and Governance Manual of Style
    • Human Resources management
    • Leadership and high level objectives
    • Monitoring and measurement
    • Operational management
    • Physical and environmental protection
    • Privacy protection for information and data
    • Records management
    • System hardening through configuration management
    • Systems continuity
    • Systems design, build, and implementation
    • Technical security
    • Third Party and supply chain oversight
    • Root
    • Deprecated
    Classification | Select from a list of options:

    • Preventive
    • Corrective
    • Detective
    Type | Select from a list of options:

    • Acquisition/Sale of Assets or Services
    • Actionable Reports or Measurements
    • Audits and Risk Management
    • Behavior
    • Business Processes
    • Communicate
    • Configuration
    • Data and Information Management
    • Duplicate
    • Establish Roles
    • Establish/Maintain Documentation
    • Human Resources Management
    • Investigate
    • IT Impact Zone
    • Log Management
    • Maintenance
    • Monitor and Evaluate Occurrences
    • Physical and Environmental Protection
    • Process or Activity
    • Records Management
    • Systems Continuity
    • Systems Design, Build, and Implementation
    • Technical Security
    • Testing
    • Training
    Attestation | Select from a list of options.
    • GRC Attestation is chosen by default.
    Note: If the user changes the control's attestation, the related policy statement's attestation type is also changed.
    Description | Description of the policy statement.
  4. Click Submit.
    The policy statement is created and all related lists are visible.
    • A control is created for every policy statement when a policy is associated with a profile.
    • The control attributes default to the same attributes as the related policy statement.