Policy Management Use Cases
- Create a policy
- Create and Map Policy Statements
- Publishing a policy
- Adding policy contacts for collaboration
- Policy review
- Policy consents (coming soon in 1Q2019)
How to create a new policy record
- Use the drop-down module menu (top-right of
screen) to select the Policy Management Module
- Use the horizontal navigation bar to select the Policies Tab.
- Click on the New Policy Button
- Use the drop-down menu to select the type of policy and click ‘continue’ to be taken to the editable Policy Record (i.e. Policy, Standard). NOTE: Table with Explanation of Policy Type below the drop-down menu.
- In the editable Policy Record screen, populate, at a minimum, the required fields, then click save to create your policy record.
How to populate required fields in the policy record
- Prior to saving your Policy Record, you must complete the Required Fields, denoted with a Red Stripe. These are as follows: Policy Name Description Author (see Glossary) Reviewer (see Glossary)
- Use the ‘Look up’ option to select the Author and Reviewer
How to upload an existing policy document
- Follow the above steps to access the Policy Record.
- In the Policy Record, scroll down to the Policy Documents Section and select ‘New Policy Document’.
- Verify the name of the Policy and Description, then click ‘Save’
- In the ‘Files’ selection, select ‘Upload Files’ to upload your Policy Document.
- Upload the Policy you wish to edit 5. Click ‘Save’ or follow the prompts to share the document in ‘Chatter’
How to use chatter sharing option
- When you upload the Policy you wish to edit, you will be prompted to ‘Share Settings’
- Share the file with other reviewers by clicking Share Settings, then in the Share With section, select People, or Groups
- Edit the document and communicate with reviewers via the “share document setting” and a log of each edit will be kept and viewable by selecting “Show all Versions” (left of screen) at any time.
How to write a policy in
- A policy may be ‘cut and paste’ from an existing Policy Document into the appropriate fields in C1. The Policy Record reflects the same fields as a typical policy document (Introduction, Scope, Purpose, Roles
- C1 recommends creating the Policy directly in the policy record to save time recreating the document. Use and populate the appropriate fields.
- For policy statements, create Internal Controls (see section 2: Obligations and controls)
Policy Statement & Mapping
How to create internal controls using
bulk upload method
- Create an Excel Spreadsheet of all the Policy Statements (Internal Controls) you wish to include in the Policy for a bulk upload in C1. Include the following fields:
- Control Name (
titleof Policy Statement)
- Control Description (Policy Statement)
- Policy Name
- Policy Content Source (from C1 Policy Record)
- Control Name (
- Populate all known information fields in order to create a comprehensive record. 3. Send the spreadsheet to CyberOne Support to upload. firstname.lastname@example.org
How to create policy statements (internal controls) without bulk upload
- Internal Controls can be added individually in the Policy Record using the Internal Controls Section or from the Internal Controls Tab on the horizontal navigation bar in the Policy or Compliance Management Modules. These internal controls will be automatically mapped to the policy.
- Click on New Internal Control to open a new Internal Control Record.
- Populate the following fields (see above (1) also).
- Control Name
- Control Description (optional)
- Policy Name (use the look up
optionto find the correct policy record)
- Content Source
- Category (defined by Risk Group – Risk Category
- Question Number
How to create internal control by using a control library template
- Using the horizontal navigation bar, select the Control Library Tab.
- Select the desired control reference using
‘check box’ option.
- Using the top menu buttons, select ‘Add to Internal Control’.
- In the next screen, click ‘Add to Internal Control’ to create the Internal Control.
How to map control library from frameworks to internal control, also known as your policy statement
- Select the Control Library Tab from the horizontal navigation bar in the Policy Management Module.
- Select the Control References to map to your Internal Control using the ‘check box’ option. NOTE: Multiple controls may be selected. 3. Select Map to Internal Control button.
- In the Map to Internal Control Screen, use the look up option to select the desired Internal Control.
- Click Map Internal Control to complete
How to map internal control to policy
- Open the Internal Controls Tab on the horizontal navigation bar.
- Select and open the desired Internal Control record and click the ‘Edit’ button.
- Populate the Policy Section using the look up menu to map the internal control to the desired policy. Then click Save.
How to submit a policy for approval
- When the policy is ready to be published, in the policy record, select the Submit for Approval button.
How to approve or reject a policy review
- The Reviewer will receive an email prompting review of the policy.
- In the policy record, got to the Approval History section. Select the Reassign, Approve, or Reject.
- If ‘Re-assign is chosen, select the Policy Owner from the look up menu in the Re-assign Approval screen, add any comments and select ‘Re-assign Approval Request’.
- If the ‘Approve/Reject’ is selected, add any comments in the ‘Approve/Reject’ screen and select either ‘Approve’ or ‘Reject’.
- The Policy Owner and Author will receive and email notification that the policy has been approved and published or rejected and requires further action.
- If the policy is approved, the policy record status will automatically change to ‘Published’
The policy contact section is to assign individuals who will need to provide policy consent when the policy is published. The system will email the contacts either manually or automatically when Policy Consent Notification is kick off. To automatically kick off policy consent, contact email@example.com to turn on this automation. To manually kick off the consent, follow the steps under Policy Consent. See details on the policy consent workflow under policy consent section.
How to assign Policy Contacts
- Go to the Contact tab
- Select all the contact to assign to policy
- Click on the button Map to Policy Contacts
Note: When mapping contacts to policy, you can only map up to 100 contacts at a time.
This process collects acknowledgments for published policies and maintains an audit log for Policy Training and Awareness. The system will email each Policy Content a training request. The training page will have a link to the actual policy document and any additional training material link you want to add. Each contact is required to submit their consent at least annually for audit trail.