Policies

What is a policy?

A policy is a document that describes the intention, expectations, and overall approach that an organization uses to maintain certain processes and procedures of the company.

Company policies exist at many different levels, from high-level constructs that describe an enterprise’s general goals and principles to documents addressing specific issues, such as remote access or Wi-Fi use. A policy is frequently used in conjunction with other types of documentation such as standard operating procedures. These documents work together to help the company achieve its compliance, security, and privacy goals. The policy defines the overall strategy and stance, with the other documents helping build structure around that practice. You can think of a policy as answering the “what”, “why,” and some part of the “how”, while procedures, standards, and guidelines answer the “how” in great detail

Policies in TrustOps

TrustOps, personalized policies are intelligently crafted, based on controls that are present in your program in Trust Cloud.

Here are a list of policies that TrustOps automatically personalizes for you:

1. Access Control Policy – Establish the principles and guidelines for controlling access to company systems.
2. Information Security Policy – Establish an Information Security Program which protects the confidentiality, integrity, and availability of the company’s data and assets.
3. Authentication and Password Policy – Describe requirements with regards to account authentication, including how passwords should be generated, used, and protected.
4. Security Incident Management Policy – Establish requirements and plans for reporting and responding to security incidents impacting corporate or customer systems.
5. Physical Security Policy – Establish the requirements and process for controlling access to company facilities and requirements for data centers hosting company system components.
6. Information Security Management System Policy – Establish an Information Security Program which protects the confidentiality, integrity, and availability of the company’s data and assets.
7. Backup Policy – Describe controls that are necessary to mitigate the accidental loss of data by maintaining backups.
8. Vendor Management Policy – Establish the scope and objectives for the selection, acquisition, and management of products and services from third-party vendors, in order to maintain the security of the company’s information assets that are accessible by those vendors
9. Data Retention and Disposal Policy – Establish requirements surrounding the retention and eventual disposal of data, in order to ensure confidentiality of sensitive company and customer information.
10. Audit Logging Policy – Outline how systems generate log events for audit purposes, and how these logs are stored and processed to help detect security issues.
11. Encryption Policy – Establish practices for protecting your company data in the event of unauthorized access through the use of encryption.
12. Internal Audit Policy – Define the objectives, authority, and responsibilities of the Internal Audit role within the company.
13. Change Management Policy – Provide guidance on the process of managing change across company critical systems and products.
14. Human Resource Policy – Establish the requirements for a comprehensive human resources process wherein the company attracts, develops, and retains competent and high-performing individuals capable of achieving the company’s business and security objectives.
15. Asset Management Policy – Outline guidelines and practices to protect IT assets used to access sensitive customer or company data, and ensure any such access maintains the security and confidentiality of the data.
16. Vulnerability Management Policy – Establish vulnerability management controls and provide guidelines for their implementation.
17. Business Continuity Policy – Establish requirements and plans to recover company operations following a disruption due to causes such as natural disaster, loss of access to premises, pandemic, or malicious activity from external or internal sources.
18. Acceptable Use Policy – Outline the acceptable use of computer equipment and systems at the company.
19. Data Classification Policy – Define a data classification framework that can be used to determine the sensitivity of data and systems.
20. Risk Management Policy – Establish a framework for managing risk at the company and incorporating risk assessments throughout the company’s operations.
21. Compliance Program Management Policy – Describe the company’s Compliance Program and provide guidance around the program’s management infrastructure and goals.

TrustOps policy page with the policy cards:

Policy Attributes

A policy in TrustOps has the following attributes:

Policy name – Corresponding name of the policy.

Description –   Brief description of what the policy entails.

Policy ID – Policy abbreviation.

Last Edited – The last time a user has edited a policy.

Last Approved –  The last time the Policy owner had added an approval record to the policy.

Owner –  Policy owner and approver.

Risk –  Policy risk calculated based on controls mapped status.

Controls mapped –  Controls associated with the policy.

Assignment

Once you have reviewed and edited your policies, your auditor will want to see that the policy owner, whether it be a specific person or a job title, continuously reviews and approves the policy. That’s why we have given customers the ability to add an approval record right on their TrustOps program.

Who should own a policy?

The policy owner and approver is typically a department head or someone who is highly skilled on the policy content. Below we have included a video that explains how you can assign ownership to a policy and how you can add an approval record to that policy:

Video:  How to assign a policy:

Step-by-step to assign a policy

1. In TrustOps, locate the Policies page on the panel on the left side of the screen.
2. Each policy will have either a circle with a photo of the policy owner and their name, or an empty circle icon with Unassigned next to it.
3. Select the circle icon to assign a policy owner.
   • Choose from a suggested teammate, or search for a teammate. All teammates added to TrustOps can be found in the search. Select Assign Owner.

Note: If the Policy Owner you want to select is not in TrustOps, you can select the Invite new owner tab.

Approval

Once you have reviewed and edited your policies, it is a best practice that one or more people are asked to review and approve your policies in a certain frequency.  Typically, policies are approved every year, or when they change.  Certain policies can be set up to be approved more frequently.

Step by Step on Approving Policies

1. In TrustOps, locate the Policies page on the panel on the left side of the screen.
2. In the My Tasks page on the panel on the left side of the screen, there will be a notification to view and approve the task.
3. Select the policy you would like to approve.
4. Selecting the three ellipsis icon in the corner will open a drop-down menu to do one of the following:
   • View Approval History
   • Export a PDF
   • Change Ownership
   • Edit Policy
   • Revert to TrustCloud Policy
5. Select View Approval History.
   • Select Add an Approval Record.
   • State your role and relevant comments. Select Approve.
6. You can also view the Approval History at the bottom of the policy.

Branding

Policies are typically shared within your organization with employees, shared with auditors during audits, and in some cases, shared with customers during security reviews. It’s important to personalize your policies with your company’s logo, and other company-related information.

Here is a video that will show you how to easily personalize and add your logo to your policies in TrustOps, and share your personalized policies with customers and auditors:

Video:  How to add branding to a policy: 

Editing Policies

TrustCloud policies offer an Edit Policy menu option, allowing you to customize existing text, write your own, or bring in the contents of an existing policy by pasting its text. Once in the editor, you will be able to format your policy, choose whether or not (and where) to insert its approval log and related control list, as well as add TrustCloud control texts. TrustOps also supports Smart Variables — dynamic, auto-updating values representing key attributes of a policy such as its owner, which you can use when composing your policy.

Screenshot: Editing controls on TrustOps:

Mapping controls to policies

After editing a policy, you will be able to choose which controls you’d like to link to the policy — any adopted control in your program can be linked to any custom policy. Linked controls are automatically added to the policy’s “related controls” list, and help make your policy testable.

Below you can find a video on how you can use the “Smart Element” tool to edit your policies:

Video:  How to edit a policy:

If you’re only experimenting with policy editing, rest assured: you can revert back to using a policy fully-managed by TrustCloud at any time.

Step by Step to Edit Policies 

1. In TrustOps, locate the Policies page on the panel on the left side of the screen.
2. Select the policy you want to edit. Select the three ellipsis icon in the right corner. Select Edit Policy from the drop-down menu.
3. You will be redirected to the Edit Policy page. (We provide a template, you can choose to delete text or add text to the policy. You can also add a Smart Element to the policy, such as a Control or an Owner. Drag the Smart Element from the list on the right side directly into the Policy.)
4. Once you have made your desired edits, select Publish Changes at the top. A page will pop up asking if there are any controls you want to link to your policy. Select Publish.
   • Linking a control to a policy will allow you to track if you are actually adhering to the policy by tracking the status of the control.
   • Once you’ve made changes to a policy, you can choose to revert to TrustCloud’s policy by selecting the three ellipsis icon and selecting Revert to TrustCloud Policy.

Policy Versioning

Policy Versioning allows you to keep track of how your policies evolve over time so you can view edit history, changes, and versions with ease. Plus, you can download historical copies just in case the new version doesn’t meet your goals.

You can filter versions by date as well as download historical copies from this view

Sharing Policies with customers

The TrustShare application in Trust Cloud makes it easy for startups, SMBs, and enterprises to securely invite and share their trust and compliance program with their customers, including information about the policies.

Check out the getting started guide in TrustShare to set up your TrustShare