Policy Management

Record your policies, procedures, standards, etc. and manage their reviews

  • Episodes: 13
  • Duration: 1h 15s
  • Languages: EN
Episode 1

Introduction to the Policy Module

A quick introduction to the module's key capabilities

The Policy module allows you to store and review all sorts of documents: Policies, Standards, Procedures, Diagrams, etc. There are three ways to store the actual document content:

  • Using a built-in editor
  • Providing a URL to the actual document
  • Attachment (PDF, etc.)

On top of the content and/or reference to the actual document, you will record document attributes, such as owner, reviewer, type of document, etc. 

Every document will have people associated with two main roles, policy owner and reviewer:

  • Owner: typically the person who has an interest in the document, as it mitigates a problem, and who also ensures that the document never misses a review. Most of the time, this role is taken by the GRC team.
  • Reviewer: typically the person who follows the instructions or standards the document mentions and needs to review it (many times in conjunction with the owner) to ensure that its content is relevant.

If you do not like these titles, you can use customisations to change them to whatever name you prefer. Customisations allow you to rename, add, hide, and move around fields and tabs in any form and any module.

Each document in the module will have review records automatically created by eramba based on your review deadlines. Reviews have their own tab at the top, and each document has a review counter that, when clicked, takes you to its review records.

Review records describe when the review was supposed to be done, when it was actually done, by whom (typically the reviewer role is automatically assigned), the document version, and the content.

Like any other module in eramba, each record supports comments and attachments that allow you to record all review interactions (including approvals) by users, making email discussions unnecessary.

You will use extensive configurable notifications (which can trigger emails or REST APIs) that fire x days before and after the expected review of the document, or whenever someone adds a comment or attachment to a review.

Like any other module in eramba, powerful filters will allow you to query the system in literally thousands of different ways (e.g., give me all expired policies, give me all policies expired in two weeks, give me all policies used in PCI-DSS that are owned by this person and expire next week).

Filters can be saved and emailed to you automatically at regular intervals in PDF or CSV format, so you do not have to log in to eramba to know what work is ahead of you.

Since all of your policies will be stored here, you can launch a policy portal that will let unauthenticated or authenticated (LDAP) users see your documents. You can search, view, and download documents (PDF report) on this specific portal.

Reports are also available as charts. These ship with the standard reports and show you visually what is going on.

You can create your own reports with a report builder based on widgets that you drag and drop into a template. You can use the text, tables, filters, and charts that we ship.

The result will be a graphical report with your desired data. These reports can also be sent over email in PDF format as often as you want, so you don't have to log into the system.

You will want to flag items based on your own conditions: when a policy expires, when a review is missing evidence, when a policy has no linked control, when the associated controls are not tested or not working, etc. We use statuses across all modules to highlight these flags, and we ship with hundreds of them preconfigured for you.

But you can also create your own statuses based on your own conditions, and again, you have access to thousands of possibilities with the status configuration tool.

Every time a status matches (or fails to match) your conditions, a label will be applied to the policies. You can optionally trigger emails and REST APIs, too. For example, you can notify the policy owner and reviewer when the policy-associated controls are not passing audits. The options are endless, and it is really up to you what level of complexity you wish to use.

Eramba uses web forms to create things, and these forms have been predefined for everyone. The good news is that eramba ships with custom fields on every module, so you can add, hide, rename, and move around fields on the form in almost any way you want.

A user-friendly interface lets you do all of the work without needing to know how to code software.