Policy Management

Create, manage, and track security and compliance policies.

Overview

Policy Management helps you:

• Create and maintain security policies
• Track policy versions and approvals
• Distribute policies to employees
• Monitor policy acknowledgments
• Map policies to compliance controls

Navigate to Policies in the sidebar.

Policy Structure

Policy Components

Each policy includes:

Field	Description
Title	Policy name
Version	Current version number
Status	Draft, Published, Archived
Owner	Policy owner
Approver	Required approver
Effective Date	When policy takes effect
Review Date	Next scheduled review
Content	Full policy text

Policy Categories

Organize policies by category:

• Information Security: Data protection, access control
• Acceptable Use: System and network usage
• Privacy: Data privacy, GDPR compliance
• Incident Response: Security incident handling
• Business Continuity: DR, backup procedures
• HR Security: Employee security requirements
• Physical Security: Facility access, equipment
• Vendor Management: Third-party requirements

Creating Policies

From Template

Use built-in policy templates:

1. Go to Policies → Create
2. Click Use Template
3. Select template:
   • Information Security Policy
   • Acceptable Use Policy
   • Data Classification Policy
   • Password Policy
   • Remote Work Policy
   • Incident Response Plan
   • And more...
4. Customize for your organization
5. Click Create Draft

From Scratch

Create a custom policy:

1. Click Create → Blank Policy
2. Enter policy details:
   • Title
   • Category
   • Owner
   • Approver
3. Write policy content
4. Click Create Draft

Import Policy

Import existing policies:

1. Click Import
2. Upload document (PDF, DOCX, TXT)
3. Enter metadata
4. Click Import

Policy Lifecycle

Status Flow

Draft → Under Review → Approved → Published → Archived
           ↓
        Rejected → Draft (revision)

Draft

Initial policy creation:

• Edit content freely
• Add reviewers
• Request feedback
• No employee visibility

Review

Submit for review:

1. Click Submit for Review
2. Select reviewers
3. Set review deadline
4. Reviewers provide feedback
5. Make revisions as needed

Approval

Request formal approval:

1. Click Request Approval
2. Select approver
3. Approver reviews and:
   • Approves: Policy moves to Published
   • Rejects: Returns to Draft with comments

Publishing

Publish approved policies:

1. Set effective date
2. Set review date (typically annual)
3. Click Publish
4. Policy visible to employees

Archival

Archive outdated policies:

1. Open policy
2. Click Archive
3. Policy retained for records but hidden from active list

Deletion

Permanently delete a policy:

1. Navigate to Policies
2. Find the policy in the list
3. Click the trash icon or Delete button
4. Confirm deletion

Warning

Deletion is permanent. All versions, documents, and acknowledgment records are removed. Consider archiving instead if you need to retain records for compliance.

Pending Approvals Dashboard

The GRC Dashboard shows policies awaiting your approval.

Viewing Pending Approvals

1. Navigate to GRC Dashboard
2. Look for the Pending Approvals section
3. Shows policies where:
   • You are the designated approver, OR
   • No approver is set (anyone can approve)

Quick Actions

From the Pending Approvals section:

• View: Click policy name to open details
• Approve: Publish the policy immediately
• Reject: Return to draft with feedback

The badge shows the count of policies awaiting your action.

Approval Notifications

When a policy is submitted for your approval:

• Appears in Pending Approvals section
• Count badge updates automatically
• Click to review and take action

Version Control

Version History

Track all policy versions:

Version	Date	Author	Changes
3.0	Jan 1, 2026	John	Annual review, added remote work section
2.1	Jul 15, 2025	Jane	Updated password requirements
2.0	Jan 1, 2025	John	Major revision
1.0	Jan 1, 2024	John	Initial release

Compare Versions

Compare any two versions:

1. Open policy
2. Click Version History
3. Select two versions
4. Click Compare
5. View side-by-side diff

Restore Version

Restore a previous version:

1. Open Version History
2. Select version
3. Click Restore
4. Creates new draft from old version

Document Attachments

Attach supporting documents to policies for comprehensive documentation.

Uploading Documents

Upload policy documents via the Documents tab:

1. Open a policy
2. Click the Documents tab
3. Either:
   • Drag and drop files onto the upload zone
   • Click Upload Document and select a file
4. Select document type:
   • Official: Formal policy document
   • Training: Training materials
   • Reference: Supporting documentation
   • Procedure: Procedural guides
5. Click Upload

Supported formats: PDF, DOCX, TXT (max 10MB)

Security Scanning

Security Feature

All uploaded documents are automatically scanned for malware before storage.

Documents go through a security scan process:

1. Uploading: File is being processed
2. Scanning: ClamAV antivirus scan in progress
3. Clean: File passed security scan ✓
4. Threat Detected: Malicious content found ✗

If a threat is detected:

• File is quarantined (not stored with regular documents)
• Upload is rejected with security warning
• Incident is logged for security review

Downloading Documents

Download attached documents:

1. Open policy → Documents tab
2. Click the download icon next to any document
3. File downloads to your device

Only documents that passed security scanning can be downloaded.

Document Management

View document details:

• Filename and type
• File size
• Uploaded by (user name)
• Upload date
• Scan status

Delete documents:

1. Click the delete icon next to a document
2. Confirm deletion
3. Document is permanently removed

Policy Distribution

Employee Access

Professional Feature

Policy acknowledgment tracking requires Professional or Enterprise plan.

Employees can view policies via:

• Employee Portal: Web-based access
• Email Distribution: Direct email with PDF
• Integration: Slack/Teams announcements

Acknowledgment Tracking

Track who has read policies:

1. Open policy
2. Click Acknowledgments tab
3. View:
   • Total employees
   • Acknowledged count
   • Pending acknowledgments
   • Acknowledgment dates

Require Acknowledgment

Make acknowledgment mandatory:

1. Edit policy settings
2. Enable Require Acknowledgment
3. Set deadline
4. System sends reminders

Acknowledgment Report

Information Security Policy v3.0

Acknowledgment Status:
Total Employees: 50
Acknowledged: 45 (90%)
Pending: 5 (10%)

████████████████████████████████████░░░░ 90%

Pending:
- John Smith (reminded 2x)
- Jane Doe (reminded 1x)
- Mike Johnson (new employee)
- Sarah Wilson (on leave)
- Tom Brown (reminded 2x)

Control Mapping

Link to Controls

Map policies to compliance controls:

1. Open policy
2. Click Controls tab
3. Click Link Controls
4. Select relevant controls
5. Click Link

Control Coverage

View which controls reference a policy:

Information Security Policy

Linked Controls:
- SOC 2 CC1.1 - COSO Principle 1
- SOC 2 CC1.4 - COSO Principle 4
- ISO 27001 A.5.1.1 - Policies for InfoSec
- ISO 27001 A.5.1.2 - Review of policies
- PCI-DSS 12.1 - Security policy

Gap Analysis

Identify controls without policy coverage:

1. Go to Reports → Policy Gap Analysis
2. Select framework
3. View controls missing policy mappings
4. Create or link policies

Policy Reviews

Scheduled Reviews

Set up automatic review reminders:

1. Open policy
2. Set Review Date
3. System notifies owner before due date
4. Track review completion

Review Process

When review is due:

1. Owner receives notification
2. Review policy content
3. Make updates if needed
4. Submit for approval if changed
5. Mark review complete

Overdue Policies

View policies past review date:

Policy	Review Due	Days Overdue	Owner
Password Policy	Dec 1	32	John
Remote Work Policy	Dec 15	18	Jane

Reporting

Policy Dashboard

View policy status at a glance:

Policy Dashboard

Total Policies: 15
├── Published: 12
├── Draft: 2
└── Under Review: 1

Upcoming Reviews (30 days): 3
Overdue Reviews: 1

Acknowledgment Rate: 94%

Compliance Report

Show policies for each framework:

1. Go to Reports → Policy Compliance
2. Select framework
3. View required policies and status
4. Export for auditors

Audit Package

Generate policy package for audits:

1. Click Export → Audit Package
2. Select policies to include
3. Include version history
4. Generate PDF bundle

API Access

# List policies
GET /api/v1/policies?status=published

# Get policy details
GET /api/v1/policies/{policy_id}

# Create policy
POST /api/v1/policies
{
  "title": "Data Retention Policy",
  "category": "information_security",
  "owner_id": "user_123",
  "content": "Policy content here..."
}

# Update policy
PATCH /api/v1/policies/{policy_id}
{
  "status": "under_review",
  "reviewers": ["user_456", "user_789"]
}

# Get acknowledgments
GET /api/v1/policies/{policy_id}/acknowledgments

Approval Workflow API

The approval workflow provides endpoints for formal policy review and publication:

# Get policies pending your approval
# Returns policies where you are the designated approver,
# or where no approver is set (anyone can approve)
GET /api/v1/policies/pending-approvals

# Submit a draft policy for approval
# Changes status from DRAFT to PENDING_APPROVAL
POST /api/v1/policies/{policy_id}/submit

# Approve a policy (publishes it)
# Only the designated approver can approve (or anyone if no approver set)
# Sets approved_by_id, approved_at, and changes status to PUBLISHED
POST /api/v1/policies/{policy_id}/approve

# Reject a policy (returns to draft)
# Requires a reason (10-1000 characters)
POST /api/v1/policies/{policy_id}/reject
{
  "reason": "Policy needs revision. Please address the security requirements in section 3..."
}

Approval Fields

When a policy is approved, the following fields are automatically set:

Field	Description
approved_by_id	User ID of the person who approved
approved_at	Timestamp when approved
published_by_id	Same as approved_by_id
published_at	Same as approved_at
status	Changed to PUBLISHED
version	Incremented by 1

Approver Validation

• If approver_id is set on the policy, only that user can approve/reject
• If approver_id is NULL, any organization member can approve/reject
• Rejections require a reason for audit compliance

Document API

Manage policy document attachments:

# List documents for a policy
GET /api/v1/policies/{policy_id}/documents

# Upload a document (multipart form)
# Files are scanned for malware before storage
POST /api/v1/policies/{policy_id}/documents
Content-Type: multipart/form-data
- file: (binary)
- document_type: "official" | "training" | "reference" | "procedure"

# Download a document
GET /api/v1/policies/{policy_id}/documents/{document_id}/download

# Delete a document
DELETE /api/v1/policies/{policy_id}/documents/{document_id}

Document Response

{
  "document_id": "doc_abc123",
  "policy_id": "pol_xyz789",
  "filename": "Security_Policy_v3.pdf",
  "document_type": "official",
  "file_size": 245760,
  "scan_status": "clean",
  "uploaded_by_id": 1,
  "uploaded_by_name": "John Smith",
  "uploaded_at": "2026-01-12T15:30:00Z"
}

Scan Status Values

Status	Description
pending	Upload in progress
scanning	Malware scan running
clean	Passed security scan
infected	Threat detected (file quarantined)
error	Scan failed (retry recommended)

Policy Deletion API

# Delete a policy permanently
# Removes all versions, documents, and acknowledgments
DELETE /api/v1/policies/{policy_id}

Returns 204 No Content on success.

See API Reference for full documentation.

Best Practices

1. Use Templates: Start with templates for consistency
2. Annual Reviews: Review all policies at least yearly
3. Clear Ownership: Assign owners to every policy
4. Track Acknowledgments: Ensure employees read policies
5. Map to Controls: Link policies to compliance requirements
6. Version Everything: Maintain complete version history
7. Keep Current: Archive outdated policies promptly
8. Secure Documents: All uploads are scanned automatically; review any scan failures
9. Designate Approvers: Set specific approvers for formal approval workflows
10. Use Dashboard: Monitor pending approvals from the GRC Dashboard