Policies

What is a policy?

A policy is a document that describes the intention, expectations, and overall approach that an organization uses to maintain certain processes and procedures within the organization.

Organizational policies exist at many different levels, from high-level constructs that describe an enterprise’s general goals and principles to documents addressing specific issues, such as remote access or Wi-Fi use. A policy is frequently used in conjunction with other types of documentation, such as standard operating procedures. These documents work together to help the organization achieve its compliance, security, and privacy goals. The policy defines the overall strategy and stance, with the other documents helping build the structure around that practice. You can think of a policy as answering the “what”, “why,” and some part of the “how”, while procedures, standards, and guidelines answer the “how” in great detail.

Policies in TrustOps

In TrustOps, personalized policies are intelligently crafted based on the controls that are present in your program in Trust Cloud.

Here is a list of policies that TrustOps automatically personalizes for you:

1. Access Control Policy: Establish the principles and guidelines for controlling access to organizational systems.
2. Information Security Policy: Establish an information security program that protects the confidentiality, integrity, and availability of the organization’s data and assets.
3. Authentication and Password Policy: Describe requirements with regard to account authentication, including how passwords should be generated, used, and protected.
4. Security Incident Management Policy: Establish requirements and plans for reporting and responding to security incidents impacting corporate or customer systems.
5. Physical Security Policy: Establish the requirements and process for controlling access to organization facilities and the requirements for data centres hosting organization system components.
6. Information Security Management System Policy: Establish an information security program that protects the confidentiality, integrity, and availability of the organization’s data and assets.
7. Backup Policy: Describe the controls that are necessary to mitigate the accidental loss of data by maintaining backups.
8. Vendor Management Policy: Establish the scope and objectives for the selection, acquisition, and management of products and services from third-party vendors in order to maintain the security of the organization’s information assets that are accessible by those vendors.
9. Data Retention and Disposal Policy: Establish requirements surrounding the retention and eventual disposal of data in order to ensure the confidentiality of sensitive organization and customer information.
10. Audit Logging Policy: Outline how systems generate log events for audit purposes and how these logs are stored and processed to help detect security issues.
11. Encryption Policy: Establish practices for protecting your organization’s data in the event of unauthorized access through the use of encryption.
12. Internal Audit Policy: Define the objectives, authority, and responsibilities of the internal audit role within the organization.
13. Change Management Policy: Provide guidance on the process of managing change across organization-critical systems and products.
14. Human Resource Policy: Establish the requirements for a comprehensive human resources process wherein the organization attracts, develops, and retains competent and high-performing individuals capable of achieving the organization’s business and security objectives.
15. Asset Management Policy: Outline guidelines and practices to protect IT assets used to access sensitive customer or organization data and ensure any such access maintains the security and confidentiality of the data.
16. Vulnerability Management Policy: Establish vulnerability management controls and provide guidelines for their implementation.
17. Business Continuity Policy: Establish requirements and plans to recover organization operations following a disruption due to causes such as natural disasters, loss of access to premises, pandemics, or malicious activity from external or internal sources.
18. Acceptable Use Policy: Outline the acceptable use of computer equipment and systems at the organization.
19. Data Classification Policy: Define a data classification framework that can be used to determine the sensitivity of data and systems.
20. Risk Management Policy: Establish a framework for managing risk at the organization and incorporating risk assessments throughout the organization’s operations.
21. Compliance Program Management Policy: Describe the organization’s compliance program and provide guidance around the program’s management infrastructure and goals.

You can view policies in list or card view on the “Policies” page.

The following screenshot shows a TrustOps policies page list view.

Policy Attributes

A policy in TrustOps has the following attributes:

1. Policy name: the corresponding name of the policy.
2. Policy ID: policy abbreviation.
3. Group: the group policy belongs to.
4. Description: a brief description of what the policy entails.
5. Lat Imported: The last time a user has imported a policy.
6. Last Approved: The last time the policy owner added an approval record to the policy owner, policy owner, and approver.
7. Risk: Policy risk is calculated based on control-mapped status.
8. Controls mapped: controls associated with the policy.
9. Policy Owner: The name of the owner of the policy.

The following screenshot shows the policy attributes.

Assignment

Once you have reviewed and edited your policies, your auditor will see that the policy owner (a specific person or a job title) is continuously reviewing and approving them. That’s the reason TrustOps provides the ability to add an approval record right in the TrustOps program.

Who is a policy owner?

The policy owner and approver are typically a department head or someone who is highly skilled in the policy content. The following video explains how to assign ownership to a policy and how to add an approval record to that policy.

The following video will show the steps to assigning a policy.

Steps to assign a policy:

1. Go to the “Policies” page.
2. Click on a policy.
3. On the policy details page, click on the circle icon to assign a policy owner.
4. Select the circle icon to assign a policy owner.
   
   
5. Select the name and click on the “Assign to New Owner” button.
6. You can assign your name as the owner by clicking on the “Assign to Yourself” button.
7. You can click on the “Invite New Owner” button to invite people who are not present in the list.

Approval

Once you have reviewed and edited your policies, it is best practice to have one or more people review and approve them at a certain frequency. Typically, policies are approved every year or when they change. Certain policies can be set up to be approved more frequently.

Steps to approve policies: (if you are assigned a policy to approve)
From Tasks page,

1. In TrustOps, go to the Policies page.
2. On the “Tasks” page, click on the task to view it.
3. Click on “Begin Task” to review and approve the policy.
4. Click on “Add Approval Record.”

From “Policies” page,

1. Click on the policy to approve.
2. Click the three dots (…) to open a drop-down menu, as shown in the screenshot.
   1. View Approval History
   2. Export a PDF
   3. Change ownership
   4. Import/Edit policy
   5. View Version History
   6. Delete Policy
      
3. Click on “View Approval History” from the menu.
   1. Click on “Add Approval Record.”
   2. State your role and relevant comments. Click on “Approve.”
      The following screenshot shows how to approve a policy.
      
      
   3. You can also view the approval history at the bottom of the policy.
      The following screenshot shows the approval history.
      
      

Branding

Policies are typically shared across the organization with employees, with auditors during audits, and, in some cases, with customers during security reviews. It’s important to personalize your policies with your organization’s logo and other organization-related information.

To personalize policies according to branding,

1. Go to “TrustCloud.”
2. Click on the profile icon and select “Account Summary.”
3. Click on “Admin” on the left-hand side menu and select “Branding.”
4. In “Brand Elements” section, upload the company logo and company icon.
5. In the “Policy Documents” section, you can opt for a header, footer and watermark. Depending on your selection, your company’s name or logo appears at the top of every page of every policy document in your program. All policy documents in your program include a standard footer that displays the policy’s last approval date, the page number, and the word “confidential.” When exported, your policy documents will include a watermark with the exporting user’s email address and the current timestamp.
   The following screenshot shows the branding on policy documents.
   
   

The following video will guide you to personalize your policies by adding your organization’s branding (like a logo, etc.) in TrustOps and sharing your personalized policies with customers and auditors:

The following video will show the steps to adding branding to a policy.

Video: How to add branding to a policy:

Creating a New Policy

TrustCloud offers a wide variety of policies out of the box; however, there may be use cases where additional policies are needed. You can contact the support team to check what policies are included in your plan.

To create a new policy,

1. In TrustOps, go to the “Policies” page.
2. Click on the “Add New Policy” button in the top-right corner. This will open a workflow that will guide you through policy addition and mapping.
   
   
3. Fill in key policy details like Policy ID, Policy Title, Group, Policy Description, Security Group, and Owner.
4. Click on the “Create” button.
   
5. On this page, you can upload an existing PDF, link an existing policy from tools like Confluence or Google Drive or create a new policy with the TrustCloud policy editor.
6. To write your own policy, click on “Author policy using the TrustCloud editor.”
   The following screenshot shows creating a new policy.
   
   
7. Click on “Publish Changes.”
   
8. “Link Controls to Your Policy” page opens; add a control and click on the “Link Controls” button. You can also skip this step.
9. Click on the “Publish” button to publish the policy. You can view the newly created policy on “Policies” page.

Linking controls to your policy

Control mapping in policies is an important factor in improving your GRC program and tracking adherence. You have the option of linking planned or adopted controls prior to publication. You can also edit this mapping at a later stage. Once you have mapped controls, publish the policy along with the version number. This new policy will be available on your policy lists across the platform.

To link controls to a policy,

1. In TrustOps, go to the “Policies” page.
2. Click on the “Link a Control” button.
   The following screenshot shows the linking of controls to a policy.
   
3. Add the desired controls and click on the “Link Controls” button.

Editing Policies

TrustCloud offers an Edit Policy menu option to customize existing text, write your own, or bring in the contents of an existing policy by pasting its text. This editor enables you to format your policy, choose whether or not (and where) to insert its approval log and related control list, and add TrustCloud control texts. TrustOps also supports smart variables—dynamic, auto-updating values representing key attributes of a policy, such as its owner—which you can use when composing your policy.

To edit policy,

1. Go to the “Policies” page.
2. Click on the policy.
3. From the three-dot menu, select “Import/Edit Policy.”
   
4. Click on “Edit the existing template in TrustCloud’s editor” or “Start from scratch in TrustCloud’s editor.”
   The following screenshot demonstrates the editing of a policy in TrustOps.
5. A template is provided to delete or add text to the policy. You can also add a Smart Element to the policy, such as a Control or an Owner by dragging the Smart Element from the list into the policy.
6. Click on the “Publish Changes” button at the top.
7. Once you’ve made changes to a policy, you can choose to revert to TrustCloud’s policy by selecting the three-dot menu (…) and clicking on “Revert.”

The following video will help you use the “Smart Element” tool to edit your policies.

Video: How to Edit a Policy

If you’re only experimenting with policy editing, be assured that you can always get back to using a policy at any time.

Policy Versioning

Policy versioning allows you to keep track of how your policies evolve over time, so you can view editing history, changes, and versions with ease. Also, you can download historical copies just in case the new version doesn’t meet your goals.

To view policy versioning,

1. Go to the “Policies” page.
2. Click on the policy.
3. From the three-dot menu, select “View Version History.”
   The following screenshot shows the version history of a policy.
   

Deleting a policy

To delete a policy,

1. Go to the “Policies” page.
2. Click on the policy.
3. From the three-dot menu, select “Delete Policy.”
4. A conformation window is shown.
   The following screenshot shows the delete confirmation window to delete a policy.
   
   
5. Select a reason for deleting a policy. Click on “Proceed” button.
   The following screenshot shows deleting the policy.
   
6. Click on “Delete Policy from your Program” button to confirm deleting the policy.

Sharing Policies with customers

The TrustShare application in Trust Cloud makes it easy for startups, SMBs, and enterprises to securely invite and share information about policies, trust, and compliance programs with their customers.

Refer to the “Getting Started” guide in TrustShare to set up your TrustShare account.