Policy Management

Record your Policies, Procedures, Standards, etc. and manage their reviews

  • Episodes: 8
  • Duration: 32m 13s
  • Languages: EN
Episode 1

Introduction to the Policy Module

Quick introduction to the module's key capabilities

The Policy module allows you to store and review all sorts of documents such as Policies, Standards, Procedures, Diagrams, etc. There are three ways to store the actual document content:

  • Using a built-in editor
  • Providing a URL to the actual document (SharePoint, Google Drive, etc.)
  • Attachment (PDF, etc.)

As well as the content and/or reference to the actual document, you can also record document attributes, such as owner, reviewer, type of document, etc. 

Every document will have teams (Finance, HR, IT, etc.) associated with it. There are two roles you must specify on every document you create in eramba:

  • GRC Contact: this is typically the GRC team, which has an interest in this document being created in eramba.
  • Policy Reviewer Contact: this is typically the team that wrote the document as it reflects an activity they perform. This could be Finance, HR, IT, etc.

If you do not like these titles you can use customisations to change them to match the terms you or your organisation would normally use. Customisations in eramba allow you to rename, add, hide, and move fields and tabs in any form and any module.

Each document added to the module will have review records automatically created by eramba based on your review deadlines. Reviews have their own tab at the top and each document will have a review counter that, if clicked, will automatically redirect you to the review records.

Review records describe when the review was supposed to be carried out, when it was actually completed, by whom (typically the reviewer role is automatically assigned), the document version and the content.

Like any other module in eramba, each record supports comments and attachments that allow you to record all review interactions by users (including approvals), keeping a detailed trail.

Configurable notifications (which can trigger emails or REST API calls) fire a user-definable number of days before and after the expected review of the document, or whenever someone writes a comment or adds an attachment for a review, so all people associated with a particular document are updated on any changes.

As in any other module in eramba, powerful filters allow you to query the system in many different ways. Examples of filters are:

  • List expired policies
  • List policies expiring in two weeks
  • List all policies used in PCI-DSS that are owned by this person and expire next week
  • Etc.

Filters can be saved and emailed automatically at regular intervals in PDF or CSV format so users do not have to log in to eramba to know what work is due to be carried out.

Since all of your policies will be stored here you can launch a policy portal that will let unauthenticated or authenticated (LDAP) users see your documents. You can search, view, and download documents (PDF reports) on this specific portal.

Reports are also available as charts, showing your policies in a graphical way, not just as items in a table.

You can create your own reports with a report builder.  Widgets can be added to a template using drag and drop. Widget types include text, tables, filters and charts.

The result will be a graphical report with your desired data. These reports can also be sent by email in PDF format as often as you want so you don't have to log into the system just to get an updated report.

You can flag items based on your own set of conditions. Examples of these conditions include:

  • when a policy expires,
  • when a review is missing evidence,
  • when a policy has no linked control,
  • when the associated controls are not tested or not working, etc.

We use statuses across all modules to highlight these flags and eramba is shipped with hundreds of them preconfigured for you.

You can also create your own statuses based on your own conditions.  You have access to thousands of possibilities to meet your exact needs with the status configuration tool.

Every time a status matches (or fails to match), a label will be shown or hidden in the policies affected by the status. Optionally, an email or REST API call can be triggered when a status switches on or off.

For example, you can notify the policy owner and reviewer when the controls associated with the policy are not passing audits. The options are endless and it is really up to you what level of complexity you wish to use.

Web forms are used in eramba to create items and enter data.  These forms have been predefined for everyone. The good news is that eramba ships with custom fields in every module so you can add, hide, rename, and move fields on the form to match the data you need to collect and the layout that works best for your processes.


 

A user-friendly interface lets you make customisations without needing to know how to code software.