In order to prepare for an audit, there are a number of policies you will need to have in place, approved by management, and acknowledged by your employees. However, many companies want to add other policies to Drata so that they can manage all policies in one place.
BEFORE DIVING IN
Those with the Account Administrator, Information Security Lead, or Workspace Manager roles will have access to create, approve and update policies within Drata.
HERE'S HOW
In the Policy Center, click the blue 'Create Custom Policy' button. There are two ways to create a policy:
Upload policy - This option lets you select a file from your computer.
Author policy in Drata - This option lets you use the built-in editor to draft and edit your new policy.
When you click 'Create', you'll be directed to the policy editor, where you can write your custom policy. Once you're done, be sure to enter the policy renewal date on the right-hand side before you click 'Submit Policy'.
NOTE: You'll generally need to maintain a policy the same way you created it. The one exception is a policy authored in Drata: you can switch to uploading a file for a future version.
You can also replace templated policies with a custom policy if it covers the same topics.
You'll notice that each policy you create has its own renewal date. Automated tests and tasks use this date to help keep you on track with your compliance program goals. Keep in mind that many frameworks require policies to be reviewed and approved annually, so be sure to select a date that meets your compliance program needs.
Finalizing custom policies:
Here’s how to get a custom policy approved so people can acknowledge it:
Once you create your policy, you’ll find it in Policy Center.
The policy owner will need to approve the policy before it takes effect.
After the owner approves the policy, the personnel you marked as in-scope when you created the policy will be able to acknowledge it.