Need a Policy? Use One of These.
The Policy Generator is a quick way to create customized policies for your organization. Many of the controls can be fully or partially satisfied by providing evidence of company-specific policies.
Why Use the Policy Generator?
Let’s use Control 3.3.5 as an example. The control requirement states: “Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.”
The ComplyUp Comments give us a bit more information on how to respond.
Wouldn’t it be nice to have a Security Response Plan that outlines exactly how your organization investigates and responds to indications of inappropriate, suspicious, or unusual activity? Maybe a document describing your logging processes would be helpful as well.
Let’s look at the Evidence Recommendations.
It looks like two Policy Templates are available that would work quite well with this control. Let’s head over to the Policy Generator.
Policy Generator Usage
The Policy Generator lists a series of templates available for customization.
Click on a policy to load it in the Policy Editor.
The Policy Editor pre-populates the template with your organization’s name. Use the editor to make changes to the policy so it aligns with your organization’s guidelines.
Many of the policies can be associated with more than one control. The Security Response Plan mentioned earlier is appropriate evidence for several controls: 3.3.5, 3.6.1, 3.6.2, 3.6.3, 3.13.14. Decide whether you’d like to auto-associate this template with all recommended controls, then click Save in the Save Policy section. The template will be saved as a PDF and added to the Evidence View.
If the new policy was auto-associated with all recommended controls, it will be visible in the Evidence section of each associated control in the Control View.