Policy Management Use Cases

  1. Create a policy
  2. Create and Map Policy Statements
  3. Publishing a policy
  4. Adding policy contacts for collaboration
  5. Policy review
  6. Policy consents (coming soon in 1Q2019)

Create Policy

How to create a new policy record
  1. Use the drop-down module menu (top-right of screen) to select the Policy Management Module
  2. Use the horizontal navigation bar to select the Policies Tab.
  3. Click on the New Policy Button
  4. Use the drop-down menu to select the type of policy (i.e. Policy, Standard) and click ‘Continue’ to open the editable Policy Record. NOTE: A table explaining each Policy Type appears below the drop-down menu.
  5. In the editable Policy Record screen, populate, at a minimum, the required fields, then click save to create your policy record.
How to populate required fields in the policy record
  1. Prior to saving your Policy Record, you must complete the Required Fields, denoted with a Red Stripe. These are as follows:
    • Policy Name
    • Description
    • Author (see Glossary)
    • Reviewer (see Glossary)
  2. Use the ‘Look up’ option to select the Author and Reviewer

How to upload an existing policy document
  1. Follow the above steps to access the Policy Record.
  2. In the Policy Record, scroll down to the Policy Documents Section and select ‘New Policy Document’.
  3. Verify the name of the Policy and Description, then click ‘Save’
  4. In the ‘Files’ selection, select ‘Upload Files’ to upload your Policy Document.
  5. Upload the Policy you wish to edit.
  6. Click ‘Save’ or follow the prompts to share the document in ‘Chatter’.
How to use chatter sharing option
  1. When you upload the Policy you wish to edit, you will be prompted to ‘Share Settings’
  2. Share the file with other reviewers by clicking Share Settings, then, in the Share With section, select People or Groups.
  3. Edit the document and communicate with reviewers via the “share document setting”. A log of each edit is kept and can be viewed at any time by selecting “Show all Versions” (left of screen).
How to write a policy in CyberOne
  1. A policy may be cut and pasted from an existing Policy Document into the appropriate fields in C1. The Policy Record reflects the same fields as a typical policy document (Introduction, Scope, Purpose, Roles and Responsibilities, etc.).
  2. C1 recommends creating the Policy directly in the policy record to save time recreating the document. Use and populate the appropriate fields.
  3. For policy statements, create Internal Controls (see section 2: Obligations and controls)

Policy Statement & Mapping

 

How to create internal controls using bulk upload method
  1. Create an Excel Spreadsheet of all the Policy Statements (Internal Controls) you wish to include in the Policy for a bulk upload in C1. Include the following fields:
    • Control Name (title of Policy Statement)
    • Control Description (Policy Statement)
    • Policy Name
    • Policy Content Source (from C1 Policy Record)
  2. Populate all known information fields in order to create a comprehensive record.
  3. Send the spreadsheet to CyberOne Support (support@cb1security.com) to upload.
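
A pre-submission check for the bulk upload sheet, as an added example (not CyberOne's own tooling). It assumes the spreadsheet has been exported to CSV with column headers spelled exactly as in the field list above; `known_policies` is a hypothetical list of your existing policy record names. It also flags cells that start with a formula character, since the sheet is emailed and opened in Excel by someone else.

```python
import csv
import io

# Column names come from the field list above; their exact spelling in the
# real upload template is an assumption.
REQUIRED = ["Control Name", "Control Description",
            "Policy Name", "Policy Content Source"]
FORMULA_PREFIXES = ("=", "+", "-", "@")  # Excel may evaluate these as formulas


def validate_controls(csv_text, known_policies=None):
    """Return (row_number, message) problems found in the exported sheet."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = [h.strip() for h in (reader.fieldnames or [])]
    missing = [c for c in REQUIRED if c not in header]
    if missing:
        return [(1, "missing column(s): " + ", ".join(missing))]
    problems, seen = [], {}
    for row_no, raw in enumerate(reader, start=2):  # row 1 is the header
        row = {k.strip(): (v or "").strip()
               for k, v in raw.items() if k is not None}
        for col in REQUIRED:
            if not row[col]:
                problems.append((row_no, f"{col} is blank"))
            elif row[col].startswith(FORMULA_PREFIXES):
                problems.append((row_no, f"{col} starts with a formula character"))
        policy, control = row["Policy Name"], row["Control Name"]
        key = (policy.lower(), control.lower())
        if policy and control:
            if key in seen:  # same statement listed twice for one policy
                problems.append((row_no, f"duplicate of row {seen[key]}"))
            seen.setdefault(key, row_no)
        if known_policies is not None and policy and policy not in known_policies:
            problems.append((row_no, "Policy Name matches no known policy record"))
    return problems


# Constructed sample sheet (illustrative values, not real data).
SAMPLE = """Control Name,Control Description,Policy Name,Policy Content Source
Password length,Passwords must be at least 14 characters.,Access Control Policy,Access Control Policy
Password length,Duplicate entry.,Access Control Policy,Access Control Policy
MFA for admins,,Access Control Policy,Access Control Policy
Log retention,=SUM(1+1),Logging Standard,Logging Standard
"""

if __name__ == "__main__":
    for row_no, message in validate_controls(SAMPLE, {"Access Control Policy"}):
        print(f"row {row_no}: {message}")
```
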
How to create policy statements (internal controls) without bulk upload
  1. Internal Controls can be added individually in the Policy Record using the Internal Controls Section or from the Internal Controls Tab on the horizontal navigation bar in the Policy or Compliance Management Modules. These internal controls will be automatically mapped to the policy.
  2. Click on New Internal Control to open a new Internal Control Record.
  3. Populate the following fields (see above (1) also).
    • Control Name
    • Control Description (optional)
    • Policy Name (use the look up option to find the correct policy record)
    • Content Source
    • Category (defined by Risk Group – Risk Category)
    • Question Number
How to create internal control by using a control library template
  1. Using the horizontal navigation bar, select the Control Library Tab.
  2. Select the desired control reference using the ‘check box’ option.
  3. Using the top menu buttons, select ‘Add to Internal Control’.
  4. In the next screen, click ‘Add to Internal Control’ to create the Internal Control.
How to map control library from frameworks to internal control, also known as your policy statement
  1. Select the Control Library Tab from the horizontal navigation bar in the Policy Management Module.
  2. Select the Control References to map to your Internal Control using the ‘check box’ option. NOTE: Multiple controls may be selected.
  3. Select the Map to Internal Control button.
  4. In the Map to Internal Control Screen, use the look up option to select the desired Internal Control.
  5. Click Map Internal Control to complete the mapping process.
How to map internal control to policy
  1. Open the Internal Controls Tab on the horizontal navigation bar.
  2. Select and open the desired Internal Control record and click the ‘Edit’ button.
  3. Populate the Policy Section using the look up menu to map the internal control to the desired policy. Then click Save.

 

Publishing Policy

 

How to submit a policy for approval
  1. When the policy is ready to be published, in the policy record, select the Submit for Approval button.
How to approve or reject a policy review
  1. The Reviewer will receive an email prompting review of the policy.
  2. In the policy record, go to the Approval History section. Select Reassign, Approve, or Reject.
  3. If ‘Re-assign’ is chosen, select the Policy Owner from the look up menu in the Re-assign Approval screen, add any comments and select ‘Re-assign Approval Request’.
  4. If ‘Approve/Reject’ is selected, add any comments in the ‘Approve/Reject’ screen and select either ‘Approve’ or ‘Reject’.
  5. The Policy Owner and Author will receive an email notification that the policy has been approved and published, or rejected and requires further action.
  6. If the policy is approved, the policy record status will automatically change to ‘Published’.


    Policy Contacts

    The Policy Contacts section is used to assign the individuals who will need to provide policy consent when the policy is published. The system emails the contacts when the Policy Consent Notification is kicked off, either manually or automatically. To kick off policy consent automatically, contact support@cb1security.com to turn on this automation. To kick off the consent manually, follow the steps under Policy Consent. See the Policy Consent section for details on the policy consent workflow.

    How to assign Policy Contacts
    1. Go to the Contact tab
    2. Select all the contacts to assign to the policy
    3. Click on the Map to Policy Contacts button

    Note: When mapping contacts to policy, you can only map up to 100 contacts at a time.  

    Policy Training

    This process collects acknowledgments for published policies and maintains an audit log for Policy Training and Awareness. The system will email each Policy Contact a training request. The training page will have a link to the actual policy document and to any additional training material you want to add. Each contact is required to submit their consent at least annually for the audit trail.

    How to send Policy Training
    Coming soon in 1Q2019

    Policy Review Cycle

    Policies are periodically reviewed for updates driven by regulatory changes or to support internal business objectives. The system provides a default Next Review Date of 1 year. The Policy Owner can override the Next Review Date as needed for internal workflow. Once the policy is published, the system will notify the Policy Owner (coordinator of the policy) 30 days before the next review date. The Policy Owner will click on the link and determine whether or not the policy needs to change. If there is a change, click on the Clone with Child button to edit the policy and obtain approval for the policy. If there’s no change, click on the No Change Require button. The system will track your review result in the Audit Log section.

    How to set Next Review Date
    By default, the next review date is set to 365 days from the published date. To override this date, populate the Next Review Date Override field.
    Why do I want to override the next review date?
    If the default next review date falls during the peak time of your workload, you may want to change the next review date. Best practices recommend an annual review cycle. We recommend you stay within a 12-18 month range. Do not exceed the 1+ year, so that you remain in an acceptable audit range.
    Do I need to do anything for the system to notify me for policy review?
    No, you don’t. However, you can set up a report of all policies targeted for review, by month, to monitor your workload.