Manage policy statements and policies

The Policies and Procedures module contains overview and detailed information related to policy approvals, policies, and policy statements.

Overview

The Policies and Procedures Overview is contained in the Policies and Procedures module and provides an executive view into compliance requirements, overall compliance, and compliance breakdowns so that areas of concern can be identified quickly. Users with the Compliance Administrator or Compliance Manager role can view the Policies and Procedures Overview.
Table 1. Policies and Procedures Overview reports in the base system
Name | Visual | Description
Control compliance | Donut chart | Displays the overall compliance of all the controls in the system.
Control details | Donut chart | Displays a breakdown of controls, grouped by owner, category, or type.
Control Overview | Column chart | Displays the total number of controls related to each policy. The chart is stacked to display the overall control compliance status for each policy.
Control Issues by Policy (Opened Date) | Line chart | Displays the number of control issues opened each week, grouped by policy.
Policy Exceptions | List | Displays a list of control issues that have been closed with a response value of Accept, meaning the issue was not remediated.
Total Policy Statements by Policy | Bar graph | Displays a count of the overall number of policy statements in each policy. The chart is stacked to display policy statements by type.

My Policy Approvals

My Policy Approvals is contained in the Policy and Compliance module and contains all policies requiring your approval. Policies go through an approval process. Compliance managers set the length of time that policies are valid, ensuring that the team reviews the policy often to affirm its validity. Policies have a type, such as a policy, procedure, standard, plan, checklist, framework, or template.

States of policy approval and publishing

Policies are part of a strict approval process to ensure compliance and to reduce exposure to risk. Publishing a policy is automatically incorporated in the approval process.

The approval process flow is shown at the top of each policy record.

Table 2. Policy approval states
State | Description
Draft | All policies start in the Draft state. In this state, all compliance users can modify the policy and its policy statements.
Review | The owner, owning group, and reviewers can modify the policy and its policy statements and send it on to the next state.
Awaiting Approval | The policy is read-only in this state. Approved policies move forward to the Published state; unapproved policies move back to Review. If no approvers are identified on the policy form, this state is skipped and the policy is published without an approval, so check the Approvers list before requesting approval if an approval gate is required.
Published | Approved policies are automatically published to a template-defined knowledge base (KB) article. Once a policy is published, it remains read-only. The Valid to field on the policy form defines how long the policy is valid. When a policy is no longer valid, it is automatically sent back to the Draft state.
Retired | The KB article is removed when a policy is put into the Retired state.

When a policy is approved at the end of the Awaiting Approval state, it is automatically published to the GRC knowledge base defined in Policy and Compliance > Administration > Properties. The Article template field on the policy form defines the style of the published policy.

Policies

Compliance managers catalog and publish internal policies that define a set of business processes, procedures, or standards.

Policy Statements

Compliance managers catalog the policy statements and generate controls from those policy statements.

A policy statement references a single policy, although it can cover multiple citations from different authority documents. Policy statements can be organized by Classification, Category, and Type.
Note: UCF (Unified Compliance Framework) refers to policy statements as controls. When UCF data is imported, UCF controls are imported into the policy statements table.

Create a draft policy

A policy is a document that defines an internal practice that processes must follow. Policy types are policy, procedure, standard, plan, checklist, framework, and template.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager

Procedure

  1. Navigate to Policy and Compliance > Policies and Procedures > Policies.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Table 3. Policy
    Field Description
    Name The name of the policy.
    Type

    Select from a list of options:

    • Policy
    • Procedure
    • Standard
    • Plan
    • Checklist
    • Framework
    • Template
    Owning Group Group that owns the policy.
    Owner User that owns the policy.
    State The policy state is a read-only field. Possible choices are:
    • Draft In this state, all compliance users can modify the policy and policy statements. Any compliance user can click Ready for Review at the bottom of the form, which sets the state to Review.
    • Review In this state, the owner, owning group, and reviewers can modify the policy and policy statements. They click Request approval to start the workflow, which sends approval requests to the users in the Approvers list, or click Back to draft to move the policy back to Draft.
    • Awaiting approval In this state, the policy and policy statements are read-only for all. Approvers approve the policy by updating the approval state in the Approvals related list on the policy form, or from My Approvals. If the policy is approved, it goes to the Published state; otherwise, it goes back to the Review state.
    • Published In this state, the policy and policy statements are read-only for all. Admins can click Retire, which sets the state of the policy to Retired.
    • Retired In this state, the policy is read-only for all.
    Valid From The date and time from which the policy is valid.
    Valid To The date and time after which the policy is no longer valid.
    Approvers Select the users you want to be included in the approval process.
    Reviewers Select the users you want to be included in the review process.
    Description A general description of the policy.
    Policy text A detailed description of the policy.
    Article template The article template to use for the publication of this policy.
    KB article The KB article number and link where the policy is published.
  4. Continue with one of the following options.
    Option | Action
    To save and submit the policy
    • Click Submit.
    To mark the policy ready for review
    • Click Ready for review.
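The lifecycle described in the States of policy approval and publishing section and in the State field above, as an added example that is not part of the original page and is not ServiceNow code: a small model of the Draft, Review, Awaiting approval, Published and Retired states that enforces who may edit and who may move the policy in each state, skips the approval state when no approvers are listed, removes the KB article on retire, and returns an expired Published policy to Draft. The class and function names, the role labels compliance_user and compliance_admin, the rule that every listed approver must approve, and the KB number format are this example's assumptions.

```javascript
// Added example, not ServiceNow code: a model of the policy lifecycle
// (Draft -> Review -> Awaiting approval -> Published -> Retired) with the
// per-state edit rights and transition gating the page describes.
// Assumptions of this example: the role labels 'compliance_user' and
// 'compliance_admin', the rule that every listed approver must approve,
// and the hypothetical KB number format.

class PolicyLifecycleError extends Error {}

const READ_ONLY_STATES = ['Awaiting approval', 'Published', 'Retired'];

function isCompliance(user) {
  return user.roles.includes('compliance_user') || user.roles.includes('compliance_admin');
}

// Owner, owning group member or reviewer: the only people who may edit in Review.
function inReviewCircle(policy, user) {
  return user.id === policy.owner ||
    user.groups.includes(policy.owningGroup) ||
    policy.reviewers.includes(user.id);
}

class Policy {
  constructor({ name, owner, owningGroup, reviewers = [], approvers = [], validTo = null }) {
    Object.assign(this, { name, owner, owningGroup, reviewers, approvers, validTo });
    this.state = 'Draft';      // every policy starts in Draft
    this.kbArticle = null;     // set on publish, removed on retire
    this.decisions = {};       // approver id -> 'approved' | 'rejected'
    this.history = [];         // audit trail of state changes
  }

  canEdit(user) {
    if (READ_ONLY_STATES.includes(this.state)) return false;
    if (this.state === 'Draft') return isCompliance(user);
    return isCompliance(user) && inReviewCircle(this, user);   // Review
  }

  _require(cond, msg) { if (!cond) throw new PolicyLifecycleError(msg); }

  _move(to, actor, reason) {
    this.history.push({ from: this.state, to, by: actor ? actor.id : 'system', reason });
    this.state = to;
  }

  readyForReview(user) {                 // Draft -> Review, any compliance user
    this._require(this.state === 'Draft' && isCompliance(user), 'Ready for review needs a Draft policy and a compliance user');
    this._move('Review', user, 'Ready for review');
  }

  backToDraft(user) {                    // Review -> Draft, review circle only
    this._require(this.state === 'Review' && this.canEdit(user), 'Back to draft needs owner, owning group or reviewer');
    this._move('Draft', user, 'Back to draft');
  }

  requestApproval(user) {                // Review -> Awaiting approval (or straight to Published)
    this._require(this.state === 'Review' && this.canEdit(user), 'Request approval needs owner, owning group or reviewer');
    this.decisions = {};
    if (this.approvers.length === 0) {
      // The caveat from the page: with no approvers listed, the approval state is skipped.
      this._publish(user, 'Request approval with no approvers listed');
    } else {
      this._move('Awaiting approval', user, 'Request approval');
    }
  }

  decide(approver, decision) {           // only listed approvers may act
    this._require(this.state === 'Awaiting approval', 'policy is not awaiting approval');
    this._require(this.approvers.includes(approver.id), `${approver.id} is not a listed approver`);
    this.decisions[approver.id] = decision;
    if (decision !== 'approved') this._move('Review', approver, 'Rejected');
    else if (this.approvers.every(a => this.decisions[a] === 'approved')) this._publish(approver, 'Approved');
  }

  _publish(actor, reason) {
    this.kbArticle = 'KB-' + this.name.toLowerCase().replace(/\s+/g, '-');   // hypothetical KB number
    this._move('Published', actor, reason);
  }

  retire(user) {                         // Published -> Retired, admins only; KB article removed
    this._require(this.state === 'Published', 'Retire is available only for Published policies');
    this._require(user.roles.includes('compliance_admin'), 'only admins can retire a policy');
    this.kbArticle = null;
    this._move('Retired', user, 'Retire');
  }

  checkValidity(now) {                   // scheduled check: an expired Published policy returns to Draft
    if (this.state !== 'Published' || !this.validTo || now <= this.validTo) return false;
    this._move('Draft', null, 'Valid to date passed');
    return true;
  }
}

// Constructed walk-through: one policy through the whole lifecycle.
function demo() {
  const alice = { id: 'alice', roles: ['compliance_user'], groups: ['grc'] };  // owner
  const bob = { id: 'bob', roles: ['compliance_user'], groups: [] };           // ordinary compliance user
  const carol = { id: 'carol', roles: ['compliance_admin'], groups: [] };      // listed approver
  const p = new Policy({ name: 'Access Control Policy', owner: 'alice', owningGroup: 'grc',
    approvers: ['carol'], validTo: new Date('2024-12-31') });
  p.readyForReview(bob);
  const bobCanEditInReview = p.canEdit(bob);   // false: bob is not owner, group member or reviewer
  p.requestApproval(alice);
  p.decide(carol, 'approved');
  const kb = p.kbArticle;
  const expired = p.checkValidity(new Date('2025-01-01'));
  return { state: p.state, bobCanEditInReview, kb, expired, path: p.history.map(h => h.to).join(' > ') };
}

console.log(demo());
```

The point worth checking in your own instance is the empty-approvers path: requestApproval publishes immediately when the Approvers list is empty, exactly as the table above states, so a policy with no approvers never gets an approval gate.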

Approve and publish policy

When a policy is approved, it is automatically published.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager

Procedure

  1. Navigate to Policy and Compliance > Policies and Procedures > Policies.
  2. Open the policy record.
  3. Review the policy details, making updates as necessary.
  4. Click Approve.

Review a policy

It is important that the right people in your organization are involved in the review of policies.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager

Procedure

  1. Navigate to Policy and Compliance > Policies and Procedures > Policies.
  2. Open the Policy record.
  3. Review the policy details, making updates as necessary.
  4. Continue with one of the following actions:
    Option | Action
    To move the policy back into draft
    • Click Back to draft.
    To request approval for the policy
    • Click Request approval.

Retire a policy

Retiring a policy is part of the policy management process. It can be retired any time after being approved and published to the KB.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager

Procedure

  1. Navigate to Policy and Compliance > Policies and Procedures > Policies.
  2. Open the Policy record.
  3. In the top right corner, click Retire.
    This option is available only for policies in a published state.

Create a GRC article template

Policy and Compliance managers can create templates for policy article publishing.

Before you begin

Role required: sn_audit.manager

Procedure

  1. Navigate to Policy and Compliance > Administration > Article Templates.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Table 4. Article Template
    Field Value
    Name Name of the article template.
    Type
    • Script
    • HTML
    • XML
    Script The script code. This field is dependent on the Type field.
    HTML The HTML code. This field is dependent on the Type field.
    XML The XML code. This field is dependent on the Type field.
    Is default Check box to indicate that this template is used as the default template for all KB articles.
  4. Click Submit.

Create an authority document

Authority documents manage a process and citations are created within them to manage points of the process. For example, the process called Building Security contains a citation for Entry Control.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager

Procedure

  1. Navigate to Policy and Compliance > Compliance > Authority Documents.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Table 5. Authority Document
    Field Value
    Name Name of the document.
    Number Read-only field that is automatically populated with a unique identification number.
    Source A non-editable field with the source of the authority document. For example, if the document is from the UCF import, the source is UCF.
    Source ID The unique identification number used by the source to catalog this authority document.
    Version The unique version number used by the source to identify this authority document.
    Common name Abbreviated version of the Name field.
    Category Category for this authority document.
    Type The document type:
    • Audit Guideline
    • Best Practice Guideline
    • Bill or Act
    • Contractual Obligation
    • International or National Standard
    • Not Set
    • Organizational Directive
    • Regulation or Statute
    • Safe Harbor
    • Self-Regulatory Body Requirement
    • Vendor Documentation
    Valid From The date and time from which the authority document is valid.
    Valid To The date and time after which the authority document is no longer valid.
    Url The URL of the stored authority document.
    Description More information about the authority document.
  4. Right-click in the header bar and select Save from the context menu.
    The authority document is created and all related lists are visible.

What to do next

Create a citation from the Authority document related list.

Create a policy statement

A policy statement is an objective, direction, or standard that acts as guidance for company interactions and operations. Policy statements can be categorized, classified, and related to policies.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager

Procedure

  1. Navigate to Policy and Compliance > Policy Statements.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Table 6. Policy Statement
    Field Description
    Name* The name of the policy statement.
    Source A non-editable field with the source of the policy statement. For example, if the statement is from the UCF import, the source is UCF.
    Source ID The unique identification number used by the source to catalog this policy statement.
    Reference A unique numerical identifier.
    Policy The parent policy containing the policy statement. If you create a policy statement from within a policy, this field is automatically filled.
    Parent The parent policy statement.
    Active The policy statement is marked active if it is not in the Draft or Retired state.
    Creates controls automatically Check box indicating that controls are automatically created from the policy statement.
    Note: Select this option if the policy statement can also serve as the control.
    Category

    Select from a list of options:

    • Acquisition or sale of facilities, technology, and services
    • Audits and risk management
    • Compliance and Governance Manual of Style
    • Human Resources management
    • Leadership and high level objectives
    • Monitoring and measurement
    • Operational management
    • Physical and environmental protection
    • Privacy protection for information and data
    • Records management
    • System hardening through configuration management
    • Systems continuity
    • Systems design, build, and implementation
    • Technical security
    • Third Party and supply chain oversight
    • Root
    • Deprecated
    Classification

    Select from a list of options:

    • Preventive
    • Corrective
    • Detective
    Type

    Select from a list of options:

    • Acquisition/Sale of Assets or Services
    • Actionable Reports or Measurements
    • Audits and Risk Management
    • Behavior
    • Business Processes
    • Communicate
    • Configuration
    • Data and Information Management
    • Duplicate
    • Establish Roles
    • Establish/Maintain Documentation
    • Human Resources Management
    • Investigate
    • IT Impact Zone
    • Log Management
    • Maintenance
    • Monitor and Evaluate Occurrences
    • Physical and Environmental Protection
    • Process or Activity
    • Records Management
    • Systems Continuity
    • Systems Design, Build, and Implementation
    • Technical Security
    • Testing
    • Training
    Attestation Select from a list of options. GRC Attestation is chosen by default.
    Note: If the user changes the control's attestation, the related policy statement's attestation type is changed also.
    Description Description of the policy statement.
  4. Click Submit.
    The policy statement is created and all related lists are visible.
    • A control is created for every policy statement when a policy is associated with a profile.
    • The control attributes default to the same attributes as the related policy statement.

Deactivate a policy statement

Deactivate policy statements that are no longer relevant to their citation or policy.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager

Procedure

  1. Navigate to Policy and Compliance > Policies and Procedures > Policy Statements.
  2. Open a policy statement.
  3. In the policy statement, clear the check box marked Active.
  4. Click Update.

Relate a policy statement to a policy

Policy statements can be associated with a policy individually, by selecting the policy in the Policy field on the policy statement, or in bulk by editing the Policy Statements related list on the policy.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager

Procedure

  1. Navigate to Policy and Compliance > Policies and Procedures > Policies.
  2. Open the policy record.
  3. Click Edit in the Policy Statements related list.
    The slushbucket contains active policy statements with no associated policy selected.
  4. Select the policy statements.
  5. Click Save.
    Those policy statements are listed in the Policy Statement related list.

Relate a policy statement to a citation

A single policy statement can be mapped to many citations from different authority documents. This function allows you to test a policy statement once while complying with many different citations.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager

Procedure

  1. Navigate to Policy and Compliance > Compliance > Citations.
  2. Open a citation.
  3. In the Policy statements related list, click New.
  4. Fill in the fields on the form, as appropriate.
    Table 7. Policy Statement
    Field Description
    Name The name of the policy statement.
    Source A non-editable field with the source of the policy statement. For example, if the statement is from the UCF import, the source is UCF.
    Reference A unique numerical identifier.
    Policy The parent policy containing this policy statement.
    Parent The parent policy statement.
    Active The policy statement is marked active if it is not in the Draft or Retired state.
    Source ID The unique identification number used by the source to catalog this policy statement.
    Category

    Select from a list of options:

    • Acquisition or sale of facilities, technology, and services
    • Audits and risk management
    • Compliance and Governance Manual of Style
    • Human Resources management
    • Leadership and high level objectives
    • Monitoring and measurement
    • Operational management
    • Physical and environmental protection
    • Privacy protection for information and data
    • Records management
    • System hardening through configuration management
    • Systems continuity
    • Systems design, build, and implementation
    • Technical security
    • Third Party and supply chain oversight
    • Root
    • Deprecated
    Classification

    Select from a list of options:

    • Preventive
    • Corrective
    • Detective
    • IT Impact Zone
    Type

    Select from a list of options:

    • Acquisition/Sale of Assets or Services
    • Actionable Reports or Measurements
    • Audits and Risk Management
    • Behavior
    • Business Processes
    • Communicate
    • Configuration
    • Data and Information Management
    • Duplicate
    • Establish Roles
    • Establish/Maintain Documentation
    • Human Resources Management
    • Investigate
    • IT Impact Zone
    • Log Management
    • Maintenance
    • Monitor and Evaluate Occurrences
    • Physical and Environmental Protection
    • Process or Activity
    • Records Management
    • Systems Continuity
    • Systems Design, Build, and Implementation
    • Technical Security
    • Testing
    • Training
    Description Describe the policy statement and how it supports the goals of the organization.
  5. Click Submit.
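The mapping described above (a policy statement references one policy but can cover citations from several authority documents, and only active statements count, where a statement is active only while its policy is neither Draft nor Retired, as the Create a policy statement and Deactivate a policy statement sections state), as an added example that is not part of the original page and is not ServiceNow code: a coverage check that reports, per citation, which active policy statements cover it, which active citations of each authority document have no coverage at all, and which statements have to be tested to satisfy every covered citation once. The record shapes, function names and sample data are this example's own constructed assumptions.

```javascript
// Added example, not ServiceNow code: a coverage check over the mapping of
// policy statements to citations. Record shapes, function names and the
// sample data are this example's own; the rules it applies are the page's:
// a statement references exactly one policy, it may cover citations from
// several authority documents, and it is active only when its policy is
// neither Draft nor Retired.

function isActiveStatement(statement, policiesByName) {
  const policy = policiesByName.get(statement.policy);
  if (!policy) throw new Error(`statement "${statement.name}" references unknown policy "${statement.policy}"`);
  return statement.active && !['Draft', 'Retired'].includes(policy.state);
}

// Returns, per citation, the active statements covering it; the active
// citations per authority document that nothing covers; and the set of
// statements that must be tested to satisfy every covered citation once.
function citationCoverage({ policies, citations, statements, links }) {
  const policiesByName = new Map(policies.map(p => [p.name, p]));
  const active = new Set(statements.filter(s => isActiveStatement(s, policiesByName)).map(s => s.name));
  const coveredBy = new Map(citations.map(c => [c.name, []]));
  for (const { statement, citation } of links) {      // one row per related-list entry
    if (!coveredBy.has(citation)) throw new Error(`link to unknown citation "${citation}"`);
    if (active.has(statement)) coveredBy.get(citation).push(statement);
  }
  const gaps = {};
  for (const c of citations) {
    if (c.active && coveredBy.get(c.name).length === 0) {
      (gaps[c.authorityDocument] = gaps[c.authorityDocument] || []).push(c.name);
    }
  }
  const statementsToTest = [...new Set([].concat(...coveredBy.values()))].sort();
  return { coveredBy: Object.fromEntries(coveredBy), gaps, statementsToTest };
}

// Constructed sample, loosely following the page's Building Security / Entry Control example.
const SAMPLE = {
  policies: [
    { name: 'Physical Security Policy', state: 'Published' },
    { name: 'Visitor Policy', state: 'Draft' },            // not yet published
  ],
  citations: [
    { name: 'Entry Control', authorityDocument: 'Building Security', active: true },
    { name: 'Physical access', authorityDocument: 'Data Center Standard', active: true },
    { name: 'Visitor logging', authorityDocument: 'Data Center Standard', active: true },
    { name: 'Legacy keypad rule', authorityDocument: 'Data Center Standard', active: false },
  ],
  statements: [
    { name: 'Badge access required', policy: 'Physical Security Policy', active: true },
    { name: 'Visitor sign-in', policy: 'Visitor Policy', active: true },
  ],
  links: [
    { statement: 'Badge access required', citation: 'Entry Control' },
    { statement: 'Badge access required', citation: 'Physical access' },
    { statement: 'Badge access required', citation: 'Legacy keypad rule' },
    { statement: 'Visitor sign-in', citation: 'Visitor logging' },
  ],
};

console.log(JSON.stringify(citationCoverage(SAMPLE), null, 2));
```

With the sample data, Visitor logging shows up as a gap even though a statement is linked to it, because that statement's policy is still in Draft; publishing the policy closes the gap, and clearing the statement's Active box reopens it. Running a check like this after every deactivation or policy retirement is how you notice that a citation you still have to comply with has silently lost its only covering statement.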

Create a citation

Usually, authority documents, citations, and policy statements are downloaded from UCF. However, citations can be created manually from an authority document.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager

Procedure

  1. Navigate to Policy and Compliance > Compliance > Authority Documents.
  2. Open an authority document.
  3. In the Citations Related List, click New.
  4. Fill in the fields on the form, as appropriate.
    Table 8. Citation
    Field Description
    Name* User-defined name that identifies this citation.
    Source A non-editable field with the source of the citation. For example, if the citation is from the UCF import, the source is UCF.
    Source ID The unique identification number used by the source to catalog this citation.
    Reference Content reference.
    Type Type of citation created. Optional field not used for any processing. Use the value in this field in reports or to query for records of a specific type.
    • Core Topic
    • Process
    • Control Objective
    • Control
    • Supporting information
    Authority document Name of the parent authority document for this citation. When you create citations from the authority document form, the system completes this field automatically.
    Active Indicates whether the citation is active. Clear this option to retire the citation.
    Parent References the parent content.
    Description Description of the citation.

Deactivate a citation

The Active option in a citation indicates whether the citation has been retired.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager

Procedure

  1. Navigate to Policy and Compliance > Compliance > Citations.
  2. Open a citation.
  3. In the citation, clear the check box marked Active.
  4. Click Update.

Deactivate an authority document

The Active option in an authority document indicates whether the authority document has been retired.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager

Procedure

  1. Navigate to Policy and Compliance > Compliance > Authority Documents.
  2. Open an authority document.
  3. In the authority document, clear the check box marked Active.
  4. Click Update.