Employees must be made aware of their responsibilities as they relate to information security. Regardless of which compliance framework your organization is working towards, you will end up with additional policies that will not be relevant to all employees.
With Drata’s updated functionality to create groups of employees, assigning different groups to different policies can ease the lift of getting employees to read and acknowledge policies as part of the onboarding process. However, many still prefer or see it as a best practice to have all employees acknowledge all policies.
Below, guidance is provided on how to use the grouping functionality while ensuring you cover what is needed for the framework you are pursuing.
However, your auditor will ultimately determine what they deem necessary so we suggest that you review with your company’s auditor as well.
Complete List of Policies and Acknowledge:
The table below contains all of the policies provided by Drata, as well as our recommendations around who should be acknowledging these policies.
Within the “Policy” column, we have listed out the policies you will need to have in place before your audit and in the “Acknowledged By” column, we have listed out the groups of employees we recommend review and acknowledge the specific policy. These are our recommendations, but you may determine that additional employees and/or different groups are also appropriate for said policies based on your company’s unique facts and circumstances.
Policy | Acknowledged By |
Acceptable Use Policy | Everyone |
Asset Management Policy | Engineering/IT/Security |
Backup Policy | Engineering/IT/Security |
Business Continuity Policy | Executives, Engineering/IT/Security |
Change Management Policy | Engineering/IT/Security |
Code of Conduct | Everyone |
Data Classification Policy | Everyone |
Data Retention Policy | Engineering/IT/Security |
Data Protection Policy | Everyone |
Disaster Recovery Plan | Executives, Engineering/IT/Security |
Encryption Policy | Engineering/IT/Security |
Global Network Firewall Policy (UK Cyber Essentials) | Engineering/IT/Security |
Incident Response Plan | Executives, Engineering/IT/Security |
Information Governance Policy (CCM) | Everyone |
Information Security Policy | Everyone |
Password Policy | Everyone |
Personal Data Management Policy (CCPA/CPRA) | Everyone (recommended), OR Departments who may receive and/or respond to privacy requests, such as Engineering/IT/Security/Sales/Marketing
|
Physical Security Policy | Everyone |
Responsible Disclosure Policy | Everyone |
Risk Assessment Policy | Executives and employees responsible for performing the risk assessment |
Shared Responsibility Policy (CCM) | Engineering/IT/Security |
Software Development Lifecycle Policy | Engineering/IT/Security |
System Access Control Policy | Engineering/IT/Security |
Vendor Management Policy | Employees responsible for vendor management |
Vulnerability Management Policy | Engineering/IT/Security |
Information Security Management System (ISMS) Plan | None |
Breach Notification Policy (HIPAA) | Everyone |
Business Associate Policy (HIPAA) | Everyone |
Privacy, Use, and Disclosure Policy (HIPAA) | Everyone |
Maintenance Management Policy (NIST) | Engineering/IT/Security |
System and Information Integrity Policy (NIST) | Engineering/IT/Security |
System and Services Acquisition Policy (NIST) | Engineering/IT/Security |
System Security Planning Policy (NIST) | Engineering/IT/Security |