Compliance Program Migration Best Practices
Updated this week

No two businesses are exactly alike, and neither are our customers’ GRC programs. There is no one-size-fits-all approach to managing evidence and data related to your compliance and audit objectives. With that said, whether you’re migrating your compliance program from an alternative platform or from an internal process, this document provides our best practices to make your migration as seamless as possible.

Step 1: Before You Migrate

Downloading All of Your Data

If you’re currently leveraging an alternative platform for managing your compliance program, download all of your data, especially if your access to that platform will expire before you kick off with Drata. Regardless of where it is stored, you own all of the data and evidence associated with your compliance program and organizational monitoring. Downloading this information ensures that you have access to everything you may need to reference or upload to Drata for continuous monitoring and audit preparation.

Organizational Change Management and Awareness

We know your GRC program spans your entire organization, from your CEO who approves your policies to your employees and contractors who must acknowledge them. While not every member of your organization has an active role in managing the day-to-day of your compliance program, your key stakeholders should be aware of the beneficial changes in where and how you will be operating your program as you prepare to migrate to Drata.

Step 2: Kickoff with Drata

Drata Tenant Access

Your Drata tenant will be automatically provisioned based on your subscription with Drata and access will be provided on your contract start date. After your first login, you’ll have immediate access to all of the features and frameworks associated with your subscription.

Connecting Tech Stack

Immediately upon accessing your Drata tenant, you’ll be guided through the initial onboarding steps via our in-app welcome experience so that you and your team can get set up quickly. Connecting your in-scope tech stack is generally required before configuring your controls and/or importing any external evidence or data in support of your compliance program, and we recommend it as your first step. These connections also fuel the automated tests within Drata. Once connections are made, the automated monitoring tests run for the first time that same day. This helps identify any gaps in the configuration of your systems so that you can begin remediating failing monitoring tests and take action in your own environments. This continuous daily monitoring helps ensure you maintain compliance year round, not just during an audit.

For a full list of Drata’s currently available connections, visit drata.com/integrations and note that more and more are released monthly!

Step 3: Data and Control Configuration

Depending on where you are in your audit cycle and your objectives, you can determine what existing evidence and data, if any, you want to bring over to Drata. If you opt to bring in data from your existing platform or process to Drata, you’ll be able to determine whether to use the native features in the UI to input your evidence or leverage our “import templates” to do so (many customers will elect to leverage a combination of both).

There are several import templates in CSV format to support the migration of data into Drata. These templates are currently available only offline; you can either contact our Technical Support Representative team via live in-app chat or work with our Customer Success Management team to request copies.

Each CSV contains the required fields in the required format needed to import your data into Drata. Each template has a header row, followed by a second row of instructions and examples denoting what’s required or optional (this row can be replaced with your data, or simply deleted). The header row must remain as-is: headers are required and are validated for an exact match when we import your data.

Once you have populated and returned the CSV(s), our team will review them to ensure they meet the required format before they can be accepted for processing. Our technical support or CSM team will then work with our Solutions Architecture team on the backend to run the upload process. Our expected import processing time is 5-10 business days upon receipt and acceptance of files in the required format.
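Because headers are validated for an exact match and the instruction row is easy to leave behind, it is worth running a quick pre-submission check on each populated CSV before returning it. The script below is an added example, not Drata tooling; the column names, the "Required:"/"Optional:" convention in the instruction row, and the sample rows are all constructed for illustration and are not Drata’s actual template fields.

```python
import csv
import io

# Constructed sample of a template in the shape the article describes:
# a header row followed by an instructions/examples row. These column
# names are an assumption for illustration, not Drata's real template.
TEMPLATE_CSV = """control_code,name,description,owner_email
Required: unique code,Required: short name,Optional: free text,Optional: current admin or infosec manager
"""

# Constructed populated files: one clean, one with typical mistakes.
GOOD_CSV = """control_code,name,description,owner_email
ABC-01,Access review,Quarterly review of user access,alice@example.com
"""

BAD_CSV = """Control Code,name,description,owner_email
Required: unique code,Required: short name,Optional: free text,Optional: current admin or infosec manager
ABC-02,,Missing name,bob@example.com
"""


def template_rows(template_text):
    """Return (header_row, instruction_row) from a template, exactly as written."""
    rows = list(csv.reader(io.StringIO(template_text)))
    return rows[0], rows[1]


def validate_import(template_text, populated_text):
    """Check a populated CSV against its template before sending it back.

    Returns a list of problems; an empty list means the file passes every
    check here: exact header match (order, spelling and case all count),
    no leftover instruction row, no empty or short rows, and no blank
    required fields (a field is treated as required when its instruction
    cell starts with "Required", which is an assumed convention).
    """
    problems = []
    expected, instruction_row = template_rows(template_text)
    rows = list(csv.reader(io.StringIO(populated_text)))
    if not rows:
        return ["file is empty"]

    header = rows[0]
    if header != expected:
        problems.append(f"header mismatch: expected {expected}, got {header}")

    for lineno, row in enumerate(rows[1:], start=2):
        if row == instruction_row:
            problems.append(f"line {lineno}: template instruction row left in place")
            continue
        if not any(cell.strip() for cell in row):
            problems.append(f"line {lineno}: empty row")
            continue
        if len(row) != len(expected):
            problems.append(
                f"line {lineno}: expected {len(expected)} fields, got {len(row)}"
            )
            continue
        for name, instr, value in zip(expected, instruction_row, row):
            if instr.startswith("Required") and not value.strip():
                problems.append(f"line {lineno}: required field '{name}' is blank")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_CSV), ("bad", BAD_CSV)):
        found = validate_import(TEMPLATE_CSV, text)
        print(f"{label}: {'OK' if not found else ''}")
        for problem in found:
            print("  -", problem)
```

The check is deliberately strict: a header that differs only in capitalization or spacing is reported as a mismatch, because that is how the article says the import validates it. Adapt the required/optional convention to whatever the template you receive actually uses.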

Drata Can Import:

  • Assets

    • The owner of the asset can be any current employee listed in Drata. This use case is specific to populating the Assets tab with data Drata would otherwise not bring in - e.g. virtual assets from GCP, globally deployed software, random IT inventory, etc.

    • You can also use this template to request a bulk change of existing asset ownership.

  • Controls

    • Drata of course has pre-mapped controls for our supported frameworks built into our platform; this template should be used to create new controls in Drata.

  • Controls-to-Requirements

    • This template should be used to map controls to requirements that already exist in Drata.

  • Requirements-to-Controls

    • This template should be used to map requirements that already exist in Drata to controls that already exist in Drata.

  • Controls-to-Owners

    • We strongly recommend using the bulk control ownership management offered in the platform. If you elect to use this import template, it should be used to map controls that already exist in Drata to owners that already exist in Drata. Owners can only be current personnel with the admin or info sec manager role.

  • Security, HIPAA, and/or NIST Training

    • The proof-of-completion files themselves must be provided as standalone documents, ideally collected together in a single ZIP file if there are several.

  • Policy Acknowledgement

    • You will need to have your policies marked active, approved, and assigned to relevant personnel/groups prior to being able to upload policy acknowledgement.

  • Background Checks

    • Drata will not accept or host raw background check files. Drata supports links to hosted background checks on the background check system of record or a customer-owned document repository/folder.

NOTE: If you have elements of your compliance data or evidence that you plan to migrate into Drata and you do not see them listed above, generally speaking this is because we offer a UI-based workflow for managing them that you will be able to use once you have access to your tenant. If you have any questions about the platform options for migrating and managing your data, do not hesitate to reach out to our Technical Support Representative team via live in-app chat or directly to your Drata Account Team.

Step 4: Control Management

Drata has its own control framework referred to as the DCF (Drata Control Framework). This framework was developed with auditors and compliance experts and is based on best practices. Within the Drata UI, these controls can be tweaked or adjusted to meet your specific compliance and business requirements.

Have your own controls?

If you have your own controls, you have several options:

  • Opt to move to the DCF, adopting all of the Drata controls

  • Compare current controls to the DCF and determine the overlap or edits that need to be made to the DCF controls in the UI

    • Once the delta in controls is determined, you can add those controls manually in the Drata UI

    • OR, you can use the above Drata import templates to format the additional controls.

  • Request the DCF to be disabled, and provide your own controls in the Drata control template to be imported by the Drata team (while this is not recommended in order to realize the full value of our compliance automation, it is an option you can work with your Account Team to implement).

IMPORTANT CONSIDERATIONS:

  • A major advantage of utilizing our DCF controls is that the controls are already pre-mapped to the appropriate policies and control tests; therefore, if you choose to upload your controls as custom controls, you will need to go through the process of manually mapping the appropriate policies and control tests to your controls.

  • If uploading custom controls, you will need to identify the DCF controls that you are replacing with your custom controls and mark these out-of-scope to avoid having duplicate controls.

  • All DCF control fields can be customized to meet your needs EXCEPT for the DCF control code (i.e., you cannot change DCF-46 to ABC-xx), so if you have existing control codes that you are required to maintain, then you will need to import your controls as custom controls.

Step 5: Policy Management

Drata’s policy center allows you to seamlessly manage policy authoring/revisions, annual reviews, control mapping, and employee policy acknowledgement. We provide a comprehensive set of policy templates based on industry best practices developed by teams of compliance experts and auditors with decades of GRC experience. You are able to customize/edit these existing Drata policy templates to meet your specific compliance and business requirements; however, if you already have your own policies that you would like to utilize, you have the following options to migrate these into Drata:

  1. Author Policy in Drata (Recommended Option): By selecting the Author policy in Drata option, you will be provided with a blank policy template, which you can then copy your existing policy content into. This option gives you the advantage of being able to edit/update the policy within Drata, instead of having to upload a new policy each time that revisions need to be made.

  2. Upload Policy: Selecting the Upload Policy option will import your policy as a PDF, which cannot be edited/updated within the policy center. If you have existing branding or logos that you would like to maintain, then this would be the best option for you. However, the downside of this option is that you will have to upload a new PDF each time you need to make revisions to the policy.

NOTE: Regardless of the option you choose, if you are importing a policy that corresponds with one of our existing policy templates (i.e., your policy has the same title or general content as our template), it is HIGHLY recommended that you utilize the Replace Policy feature so that our corresponding template is archived and the control/control test mapping of our template is applied to your policy.

Step 6: Auditor Alignment

Drata is auditor agnostic. If you are already working with an auditor, the Drata Auditor Alliances team will work with you and your auditor in order to train your auditor partner(s) how to utilize Drata’s Auditor Hub and support them during the audit if they are new to the platform.

If you do not yet have an auditor, the Customer Success and Audit Alliance teams at Drata can provide guidance and make introductions. Drata has an Auditor Directory that customers can use to locate an auditor.
