Policies

Policies Articles:

policies-page

What is the Policies module?

The Policies module enables users to quickly pull relevant information from their System Security Plan (SSP) to create both a general Security Policy as well as an Acceptable Use Policy (AUP). This saves considerable time sifting through the Control Status page in search of policies developed during the creation of the SSP.

NOTE: The Security Policy is NOT your System Security Plan. The Security Policy is more of a general policy describing, at a high level, the cybersecurity posture of the organization. Your SSP lives in the Control Status module.

 

How do I create a Security Policy?

policy-type

When creating your SSP through the Control Status module, you will notice a 'Type' field next to each Organization Action. Here you can select from three options: Policy, Technical, and Hybrid. See the Control Status support page for a description of these types. When selecting Policy or Hybrid, all text within the Implementation Details field for that Organization Action populates on the Policies page under the Security Policy. If you are not seeing text populate on the Policies page when you believe it should, check that the corresponding Organization Action is marked either Policy or Hybrid.

 

How do I create an Acceptable Use Policy (AUP)?

oa-aup

When designating an Organization Action Type as 'Policy' through the Control Status module, an AUP checkbox will appear. Selecting the checkbox will populate the corresponding Implementation Details field on the Policies page under the Acceptable Use Policy:

select-aupOnly Organization Actions that are marked Policy and have the AUP checkbox selected will appear on the Acceptable Use Policy page.

 

Why does my policy export not show the Control IDs?

If you have exported either your Security Policy or your Acceptable Use Policy, but the export does not show the IDs for the Controls and their Organization Actions, you will need to select the 'Show Control IDs' toggle before exporting.