Manage control objectives and policies
Summarize
Summary of Manage Control Objectives and Policies
The Policies and Procedures module provides essential information regarding policy approvals, policies, and control objectives. It offers a comprehensive view of compliance requirements, showcasing areas that may need attention. Users with compliance administrator and compliance manager roles can access the Policies and Procedures Overview.
Show less
Key Features
- Policies and Procedures Overview: An executive view that highlights compliance status and issues.
- Reports: Various visual reports, including donut charts for overall compliance, control breakdowns, line charts for control issues by policy, and bar graphs for control objectives by policy.
- Policy Approval Process: Involves multiple states (Draft, Review, Awaiting Approval, Approved, Published, Retired) to ensure compliance and risk management.
- Policy Types: Policies can be categorized as procedures, standards, plans, checklists, frameworks, or templates.
- Control Objectives: Serve as guidance for operations; categorized and associated with policies.
- Acknowledgement Campaigns: Allows tracking of employee acknowledgment for compliance with published policies.
- Authority Documents and Citations: Manage citations linked to control objectives, which can be created manually or imported.
Key Outcomes
By utilizing the Policies and Procedures module, customers can effectively manage compliance through tracking and reporting. The structured approval process ensures ongoing validity and relevance of policies, while the ability to create and deprecate control objectives and citations enhances operational efficiency. Ultimately, these tools empower organizations to maintain compliance and reduce risks associated with policy management.
The Policies and Procedures module contains overview and detailed information related to policy approvals, policies, and control objectives.
Policies and Procedures Overview
Policies and Procedures Overview is contained in the Policies and procedures module and provides an executive view into compliance requirements, overall compliance, and compliance breakdowns so areas of concern can be identified quickly. Users with the compliance administrator and compliance manager roles view the Policies and Procedures Overview.| Name | Visual | Description |
|---|---|---|
| Control compliance | Donut chart |
Displays the overall compliance of all the controls in the system. |
| Control details | Donut chart |
Displays a breakdown of controls grouped by owner, category, or type. |
| Control Overview | Column Chart |
Displays the total number of controls related to each policy. The chart is stacked to display the overall control compliance status for each policy. |
| Control Issues by Policy (Opened Date) | Line Chart |
Displays the number of control issues opened each week, grouped by policy. |
| Policy Exceptions | List | Displays a list of control issues that have been closed with a response value of accept, meaning the issue was not remediated. |
| Total Control Objectives by Policy | Bar graph | Displays a count of the overall number of control objectives in each policy. The chart is stacked to display control objectives by type. |
Policy approval process
Policies are part of a strict approval process that ensures compliance and reduces exposure to risk. When a policy is published, it is automatically incorporated in the approval process. Compliance managers set the length of time that policies are valid, ensuring that the team reviews the policy often to affirm its validity. Policies have a type, such as a policy, procedure, standard, plan, checklist, framework, or template.
| State | Description |
|---|---|
| Draft | All policies start in Draft state. In this stage, all compliance users can modify the policy and control objectives. |
| Review | The owner, owning group, and reviewers can modify the policy and control objectives and send it on to the next state. |
| Awaiting Approval | The policy is read only in this state. Approved policies transition to the Published state. Unapproved policies return to Review. If no approvers are identified on the policy form, the state is skipped and the policy is published without an approval. |
| Published | Approved policies are automatically published to a template-defined KB article, and the policy remains in a read-only state. The Valid to field on the policy form defines how long the
policy is valid. Note:
After the policy is published and when the valid to date on the policy is reached, then based on the value of the Number of days after reaching a policy "Valid to" date in which
the expired policy will automatically move from its Published state back to a Draft/Review state property, the policy moves back to the Draft/Review state. For example, if the value of the
property is 10, then the policy moves back to review state 10 days after the valid to date is reached. When a policy reaches the end of the Review state and is Approved for publishing, it is automatically published to the GRC knowledge base (as defined in . The Article template field on the policy form defines the style of the published policy. |
| Retired | When a policy is put into the Retired state, its associated KB article is removed. |
Policies
Compliance managers catalog and publish internal policies that define a set of business processes, procedures, and or standards.
Control objectives
Compliance managers catalog the control objectives and generate controls from those control objectives.