The Policies and Procedures module contains overview and detailed information related
to policy approvals, policies, and control objectives.
Policies and Procedures Overview

The Policies and Procedures Overview is contained in the Policies and Procedures module and provides an executive view into compliance requirements, overall compliance, and compliance breakdowns so areas of concern can be identified quickly. Users with the compliance administrator and compliance manager roles can view the Policies and Procedures Overview.

Table 1. Policies and Procedures Overview reports in the base system

| Name | Visual | Description |
| --- | --- | --- |
| Control compliance | Donut chart | Displays the overall compliance of all the controls in the system. |
| Control details | Donut chart | Displays a breakdown of controls grouped by owner, category, or type. |
| Control Overview | Column chart | Displays the total number of controls related to each policy. The chart is stacked to display the overall control compliance status for each policy. |
| Control Issues by Policy (Opened Date) | Line chart | Displays the number of control issues opened each week, grouped by policy. |
| Policy Exceptions | List | Displays a list of control issues that have been closed with a response value of accept, meaning the issue was not remediated. |
| Total Policy Statements by Policy | Bar graph | Displays a count of the overall number of control objectives in each policy. The chart is stacked to display control objectives by type. |
Policy approval process
Policies are part of a strict approval process that ensures compliance and reduces exposure
to risk. When a policy is published, it is automatically incorporated in the approval
process. Compliance managers set the length of time that policies are valid, ensuring that
the team reviews the policy often to affirm its validity. Policies have a type, such as a
policy, procedure, standard, plan, checklist, framework, or template.

Table 2. Policy approval states

| State | Description |
| --- | --- |
| Draft | All policies start in the Draft state. In this stage, all compliance users can modify the policy and its control objectives. |
| Review | The owner, owning group, and reviewers can modify the policy and its control objectives and send it on to the next state. |
| Awaiting Approval | The policy is read-only in this state. Approved policies transition to the Published state; unapproved policies return to Review. If no approvers are identified on the policy form, this state is skipped and the policy is published without an approval. |
| Published | Approved policies are automatically published to a template-defined KB article, and the policy remains read-only. The Valid to field on the policy form defines how long the policy is valid. Note that an expired policy automatically moves back to the Draft/Review state, depending on the value entered in the property "Number of days after reaching a policy 'Valid to' date in which the expired policy will automatically move from its Published state back to a Draft/Review state". For example, if this property is set to 30 days, the policy transitions to the Draft/Review state automatically 30 days after the Valid to date is reached. When a policy reaches the end of the Review state and is approved for publishing, it is automatically published to the GRC knowledge base (as defined in . The Article template field on the policy form defines the style of the published policy. |
| Retired | When a policy is put into the Retired state, its associated KB article is removed. |
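The approval lifecycle in Table 2, modeled as an added JavaScript example (not ServiceNow platform code) so the state transitions, the approver-skip rule and the expiry revert can be checked end to end; the policy object shape, the function names, and the graceDays and revertState parameters are assumptions standing in for the Valid to field and the system property quoted above.

```javascript
// Constructed model of the policy lifecycle in Table 2 (added example, not
// ServiceNow platform code); the policy object shape and helper names are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;

// Draft -> Review: the first step every policy takes.
function submitForReview(policy) {
  if (policy.state !== 'Draft') throw new Error('only Draft policies move to Review');
  policy.state = 'Review';
  return policy;
}

// Leaving Review: with no approvers on the form, Awaiting Approval is skipped and
// the policy is published directly; otherwise it waits, read-only, for a decision.
function sendForApproval(policy) {
  if (policy.state !== 'Review') throw new Error('only Review policies can be sent on');
  policy.state = policy.approvers.length === 0 ? 'Published' : 'Awaiting Approval';
  return policy;
}

// Approval decision: approved -> Published, unapproved -> back to Review.
function decide(policy, approved) {
  if (policy.state !== 'Awaiting Approval') throw new Error('no approval pending');
  policy.state = approved ? 'Published' : 'Review';
  return policy;
}

// A policy cannot be edited while it awaits approval or once it is published.
function isReadOnly(policy) {
  return policy.state === 'Awaiting Approval' || policy.state === 'Published';
}

// Expiry rule: graceDays after the Valid to date (the system property quoted in the
// table), a Published policy moves back to the configured Draft/Review state.
function applyExpiry(policy, today, graceDays, revertState) {
  if (policy.state !== 'Published') return policy;
  const revertOn = policy.validTo.getTime() + graceDays * DAY_MS;
  if (today.getTime() >= revertOn) policy.state = revertState;
  return policy;
}

// Constructed walk-through: one rejection, then approval, then expiry after 30 days.
function demo() {
  const p = { state: 'Draft', approvers: ['alice'], validTo: new Date('2024-06-30T00:00:00Z') };
  decide(sendForApproval(submitForReview(p)), false);  // unapproved: back to Review
  decide(sendForApproval(p), true);                    // approved: Published
  const beforeGrace = applyExpiry(p, new Date('2024-07-29T00:00:00Z'), 30, 'Review').state;
  const afterGrace = applyExpiry(p, new Date('2024-07-30T00:00:00Z'), 30, 'Review').state;
  return { beforeGrace, afterGrace };
}
```

The walk-through shows the part worth auditing: a policy with no approvers is published with no one having signed off, and a published policy silently re-enters an editable state once the grace period passes.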
Policies

Compliance managers catalog and publish internal policies that define a set of business processes, procedures, or standards.
Control objectives

Compliance managers catalog the control objectives and generate controls from those control objectives.

Control objectives reference only a single policy, although they can cover multiple citations from different authority documents. They can be organized by Classification, Category, and Type.

Note: UCF refers to control objectives as controls. When UCF data is imported, controls are imported into the control objectives table.