This guide follows the Quick Start page found at the top of the navigation menu in the Drata platform when you first log in. The goal of this article is to help you realize value quickly by providing additional context for the activities you will complete as you work your way through the Drata Quick Start.
Prerequisites
You have an Admin role in Drata. You are logged in with your admin credentials.
Quick Start page overview
To open the Quick Start page, select Quick Start on the left navigation menu. The menu item will remain at the top of the navigation panel while you work on your Quick Start activities. Once you complete all the activities in the Quick Start page, the menu item will be relocated under Settings.
Quick Start Activities
The Quick Start contains 5 sections with accordion-style expandable subsections to lead you through the recommended best-practice activities to get started with Drata. You may select the expansion arrow, or click anywhere in a row, to open an activity.
Provide Basic Info
Make connections to power automation
Establish continuous compliance for your frameworks
Ensure your personnel stays compliant
Set up your policies
What’s next
Locked activity
Some sections have locked activities. A locked activity is displayed with a lock icon and means that a prerequisite must be met before that activity can be started.
Skipped activity
Some sections have optional activities. Optional activities can be skipped. Select Skip to skip an activity. For example, the following activity, assign roles to your team, is optional and has been skipped. You can return to a skipped activity to complete it later.
Completed task
Once you complete the activity within each section, a Completed status is displayed. For example, the following image shows that you have completed the welcome questionnaire. The section progress is displayed in the top right corner of the section to indicate the number of activities completed against the total number of activities in the section.
The remainder of this article is intended to act as a step-through guide. You may find it helpful to position this guide in a side-by-side window, next to your Drata Quick Start. Let’s Go!
Provide Basic info section
Complete the welcome questionnaire
You have already completed the Welcome Questionnaire during the initial onboarding flow, when you first signed into Drata, as shown above.
Enter your company info
Select the expansion arrow, or click anywhere in the row, to open the activity. Select Enter details. You are redirected to the Company Info page under Settings.
For future reference: Settings is found under your Username→Settings at the bottom of the navigation panel.
The Company Info page allows you to provide an overview of your company that helps auditors and customers understand what your company does and how you are satisfying common compliance requirements.
Completing the Company Info page now helps satisfy the Drata controls that rely on company information fields, which some of our Monitoring Tests inspect.
To learn more about the company info page, go to Company Information Fields FAQs in the Help Center.
Select Quick Start in the left side navigation panel to continue the Quick Start activities.
Make connections to power automations section
In this section, you have four very beneficial activities to complete. Completing this section enables you to sync your personnel to Drata to monitor compliance status and helps you automate evidence collection. You’ll also begin monitoring your storage and data infrastructure environments, version control software, and connect your ticketing system. In each activity, you’ll be given the opportunity to make connections you need. It is recommended to have the necessary login permissions and credentials for each of these systems handy as you begin these activities.
Set up your identity provider connection
Open the activity, then select Set up and you are redirected to the Connections→Identity→Available connections page. On this page, you will need to select and connect to the Identity Provider (IdP) that your company uses. You are limited to one IdP connection at a time. If you do not currently use an IdP, you can choose the Manual Import connection option.
It is very important that you make this connection in Drata first, before any others. This is a critical step that allows Drata to monitor your company’s personnel compliance posture and allows your employees to authenticate into the platform (via your IdP).
Here we’ve included links to the currently published help articles for the most commonly used IdPs. This list is frequently updated and may not reflect all of the latest connections.
After setting up your identity provider connection, this subsection is marked as completed.
Select Quick Start in the left side navigation panel to continue with the Quick Start Activities.
Set up infrastructure connection
Connecting your infrastructure provider to Drata allows for the automated, continuous monitoring and evidence collection of dozens of security controls specific to your compute resources, storage, data environments, and processes required for compliance.
Open the activity, select Set up and you are redirected to the Connections→Infrastructure page. Connect your infrastructure provider(s) to Drata to automate evidence collection and monitor your security controls. You may connect one or more services.
Here we’ve included links to the help articles for the infrastructure services we support on this page. This list is frequently updated and may not reflect all of the latest connections.
After setting up an infrastructure connection, this subsection is marked as completed.
Select Quick Start in the left side navigation panel to continue with the Quick Start Activities.
Set up version control connection
Open the activity then select Set up and you are redirected to the Connections→Version Control→Available connections page. Connect your selected provider(s) to Drata to automate evidence collection and monitoring. You may connect one or more services.
Here we’ve included links to the help articles for the version control services we support on this page. This list is frequently updated and may not reflect all of the latest connections.
After setting up a version control connection, this section is marked as completed.
Select Quick Start in the left side navigation panel to continue with the Quick Start Activities.
Set up ticketing connection
Open the activity then select Set up and you are redirected to the Connections→Ticketing→Available connections page. Connect your selected provider(s) to create tickets from Drata and reference tickets as part of evidence where needed. You may connect one or more services.
Here we’ve included links to the help articles for some of the ticketing services we support on this page. This list is frequently updated and may not reflect all of the latest connections.
After setting up a ticketing connection, this section is marked as completed.
Congratulations! You’ve successfully completed making the connections needed to power automation with Drata! You are well on your way to realizing all the value Drata offers!
Select Quick Start in the left side navigation panel to continue with the Quick Start Activities.
Establish continuous compliance for your frameworks section
Within this section, you have up to 3 important activities to complete. This section allows you to review framework requirements, work with your team to establish continuous compliance and then review gaps and plan remediation actions.
Assign roles to your team (optional)
Open the activity then select Assign roles. You are redirected to the Settings→ Role Administration page. Please note: You must first connect your IdP before you can assign roles from within Drata. In this section, you can invite additional admins and assign different Drata roles to the team members that will be working to help you administer Drata.
Be aware, this is not Role-Based Access Control (RBAC) for your entire company’s personnel. This section only applies Drata roles and permissions to your team of Drata administrators, Information security leads, Control managers, Policy Managers, Risk managers, and others who will routinely use Drata as part of their regular work. This does not apply to ‘end-users’ in your company who will only go to Drata to complete the compliance-related onboarding activities you configure within Drata.
To learn more about roles in Drata, go to the Role Administration help article.
After inviting your team to Drata roles, this section is marked as completed. You can also select Skip for now to skip this section if you choose.
Scope your framework requirements
Open the activity then select Open Frameworks. You are redirected to the Frameworks page, located on the main navigation panel. The top portion of the Frameworks page includes the framework cards for each of the compliance modules that have been purchased for your account. The framework cards give you an at-a-glance view of the progress you are making toward readiness in each framework, the number of requirements that are ready against the remaining number of requirements, and the number of controls that have been mapped to the framework. The percentage gauge on each card provides an overall view of your readiness for each framework.
Select a framework card to open the page for the enabled framework. The bottom portion of the frameworks page contains the frameworks that you have not yet purchased. You will be able to open them once purchased. You can select Learn More on these cards to schedule a demo or learn more about the framework.
Once you open a specific framework page you can review the name and description of the framework and the readiness information at the top. This page lists all the requirements, their mapped controls and their readiness status.
Here we've provided some helpful documentation about all the functions of the Frameworks pages and for help completing the Frameworks section:
Drata Frameworks (must be signed in to your Drata account to view)
Drata Controls (must be signed in to your Drata account to view)
Please note: It is not required that you are 100% ready in all your frameworks to move to the next section in the Quick Start. It is recommended that you review all the frameworks and mark requirements in or out of scope as they pertain to your organization's needs. You can come back to Frameworks on the main navigation panel later, if you wish.
After reviewing your framework readiness for each framework that is currently enabled, you can scroll to the bottom of the frameworks page to see your readiness score for frameworks that you have not yet purchased. It’s fun to see that some of your enabled frameworks contain requirements and/or controls that are also mapping to those not yet enabled! Your work in this phase will make it easier to achieve readiness in your next set of frameworks.
After you’ve reviewed your requirements, select Mark complete to complete this section. You will be able to return to the Frameworks page from the navigation panel at any time.
Select Quick Start in the left side navigation panel to continue with the Quick Start Activities. Return to Establish continuous compliance for your frameworks.
Review gaps and plan remediation action
The Controls page allows you to review the scope of your controls to understand where you have gaps, assign control owners, see evidence, assign approvers, mark controls in and out of scope, filter on monitoring, and create new controls if desired.
Open the activity then select View Controls. You are directed to the Controls page on the main navigation panel.
On this page you can review your controls, see monitored status, see readiness status, see evidence links and more. You can open a control detail drawer by selecting the Control Code (ex: DCF-37 for Acceptable Use Policy). You can manage controls in a more granular way in the detail drawer. Some helpful documentation for completing this section:
Drata Controls (must be signed in to your Drata account to view)
After you’ve reviewed your control requirements, select Mark complete to complete this section. You will be able to return to the Controls page from the navigation panel at any time.
Ensure your personnel stays compliant section
Within this section, you have 5 important activities to complete to ensure that you have your personnel security procedures ready and to establish compliance regarding personnel in Drata. The first step is shown as optional, but it is a highly recommended best practice if you use a Human Resources Information System (HRIS) software.
Set up your HRIS connection (optional)
Connecting your HRIS to Drata establishes a read-only access connection that allows Drata to identify which of your personnel are currently in-scope for your audit period and whose access needs to be tracked at your organization. The HRIS connection provides additional detail beyond what is provided with the IdP connection.
Open the activity to open the subsection: Set up your HRIS connection (optional). Please note: You must either connect your IdP or upload a CSV using the Manual import option on the Identity page prior to setting up HRIS.
Select Set up and you are redirected to the Connections→HRIS page. Here we’ve included links to the help articles for some of the HRIS vendors we support on this page. This list is frequently updated and may not reflect all of the latest connections.
Breathe
Personio
TriNet HR
UKG Ready
To learn more, go to Connect your HRIS to Drata.
You can select Skip for now in the quick start activity and return to this activity later via the Connections→HRIS page. After setting up your HRIS connection, this section is marked as completed.
Verify employment status of personnel
The Personnel page offers a centralized view of the compliance status of all personnel as well as the hub to perform actions such as creating exclusions, resetting security training, sending reminders, and much more. In this activity, you’ll become familiar with this page and have an opportunity to perform some of these actions now.
Drata syncs with your Identity Provider once a day to ensure we have the most up to date information about your personnel on this personnel page. If you established a connection in Drata to your HRIS software, you’ll be able to sync additional information from your HRIS as well.
Open the Verify employment status of personnel activity. Please note: If you did not connect an IdP and/or HRIS provider, you can manually add personnel via the Manual Import option on the Connections→Identity page.
Select Review Personnel and you are redirected to the Personnel page. You can review the employment status, compliance status, filter by sync source (HRIS or IdP) or filter by groups (if enabled in IdP).
To learn more about all the information available and the actions you can perform on the Personnel page, see the Personnel Overview article in our help center.
After you’ve reviewed and/or verified the employment status of some or all personnel on the Personnel page, select Mark complete to complete this activity. You will be able to return to the Personnel page directly from the main navigation panel at any time.
Select Quick Start in the left side navigation panel to continue with the Quick Start activities. Return to the third activity under Ensure your personnel stays compliant: Set up internal security settings.
Set up internal security settings
Select Set up and you are redirected to the Internal security page. On this page you’ll determine how evidence of workstation configuration monitoring will be pulled into Drata, make decisions about security training and attach visitor logs.
If applicable, you can learn more about the Drata Agent or MDM connections by visiting this collection: Configuring your Computer
To schedule and reset your Security training, learn more about each type of training by following these help articles:
To learn more about the Internal Security page, go to the Internal Security help article.
After you’ve set up the internal security settings, the activity will be marked as completed. Should you need to make changes, you will be able to return here via Settings→Internal Security at any time.
Select Quick Start in the left side navigation panel to continue with the Quick Start activities. Return to the fourth activity under Ensure your personnel stays compliant: Set up background checks.
Set up background checks
Select Set up and you are redirected to the Human Resource (HR) page where you can choose how to set up your background checks, automate off-boarding evidence collection, and other HR related items.
Drata can automate your background check evidence collection when you choose to connect to a background check vendor. Navigate to Connections→Background Checks to make a connection. See these articles for more information. This list is frequently updated and may not reflect all of the latest connections.
HireRight
Sterling
To learn more about the Human Resource page, go to the Human Resources help article.
After you’ve selected a background check option, this section is marked as complete. You may return to the Background Checks page by selecting Connections→Background Checks and/or the Human Resources page by selecting Settings→Human Resources at any time.
Select Quick Start in the left side navigation panel to continue with the Quick Start activities. Return to the final activity under Ensure your personnel stays compliant: Onboard your personnel to Drata.
Onboard your personnel to Drata
Recall that when you configured Internal Security settings, you made decisions about how you would monitor your personnel’s workstations and how they would complete security awareness training. Inviting your in-scope users to log in to Drata for the first time is an important step toward collecting the evidence to achieve compliance for your personnel. End-users will need to log in to the Drata app to be able to upload manual background check evidence (if you have not connected a background check provider), download and install the Drata agent (if applicable), upload files to show evidence of computer configuration (if applicable) and complete Security Awareness training in Drata (if applicable).
To help you invite your in-scope personnel to Drata, we’ve created a customizable template you can use to prepare your Drata onboarding invitation email.
Select Customize the provided template in the Prep Work area of this activity. Read the instructions on the template. Make a copy of the template for yourself to edit. Replace the yellow highlighted text with text pertaining to the framework you want to highlight when sending this email.
If you want to understand the onboarding activities your end-users will experience, you can select My Drata behind your name at the bottom of the navigation panel. To learn more about employee onboarding, go to Employee onboarding.
Some of our customers appreciate the efficiency of completing some policies before inviting their in-scope personnel into the Drata platform. If you choose this option, you can set up some of your policies in Drata before inviting employees. The benefit of this option is that they can acknowledge the policies that pertain to them when they first sign in without having to return later.
Your personnel will be prompted to Review and Acknowledge policies when they first log in to Drata, so it is helpful to have the relevant policies set up in Drata before you send out the Drata invitation. If you want to complete some or all of your policies first, continue to the next section in the Quick Start and then return to Onboard your personnel to Drata.
After you’ve onboarded your personnel to Drata, select Mark complete to complete this section. Select Quick Start: Set up your policies.
Set up your policies section
In this section of Quick Start, you’ll enter the Policy Center to begin managing your policies. From Policy Center you can choose to use Drata policy templates, create policies from scratch, or import your existing policies into Drata. Policy Center helps you create, manage, version, and streamline your policy acceptance and tracking workflows.
You can start working with your policies now while you are navigating through the Quick Start page, and you can return to the Policy Center from the main navigation panel to continue working on them later. If you'd like to streamline the compliance activities assigned to your employees, it can help to have your policies approved and ready to be acknowledged when employees first log in.
Completing Policies does three things:
Ensures you have the correct policies in place for the frameworks you've purchased
Ensures you can utilize the automation built into the monitoring feature
Ensures that your personnel remain compliant on an annual basis
In the Quick Start section, you’ll see a reference on the right of the section for the number of policies you’ve approved against the number remaining unapproved. This number is dynamic based on the number of frameworks purchased and the number of active policies you have approved.
Select Open Policy Center to get started. The policy center templates were developed by our GRC team with feedback from auditors and compliance experts in the field. Select the edit button on the left side of the policies table to open a template. Select Start Building to use the Drata template version, or you can upload an existing policy if you already have your own version of the policy.
When you open a Drata template, you may see some yellow highlights on the template. Notice that there are corresponding comments in the right margin which include additional information pertaining to the highlighted text.
You can preview and edit the template as desired. Under the actions menu above the Policy details column, you can revert to the latest template if needed.
It is important to edit the Policy details section so you can enter required metadata information, such as a renewal date and a policy owner. You can also select personnel group(s) that are subject to this policy under Personnel groups. Additionally, you can view the mapped controls for the policy. You can link additional controls by selecting Link Controls, or unlink controls by selecting the chain icon next to the control description. When you are finished updating the Policy details, select Save. You can submit a policy for approval.
If there is a policy on the policy table that is not applicable to you at this time, you can archive it by selecting the box icon next to the policy name. Archiving a policy removes its controls from the readiness score. If you need to restore it, you can find it on the archived or replaced policies tab and select the restore arrow icon to return it to the active policies tab.
Lastly, you can create custom policies in Drata. If you create a custom policy that replaces any Drata templates, be sure to select the policies covered by the new custom policy in the bottom section of the Create Custom Policy drawer.
To learn more you can go to:
Policy Center Time to Completion
The time it takes to complete the policy section will vary depending on several factors including whether or not you are reviewing, assigning and using all the Drata templates, if you are simply uploading your existing policies, or creating custom templates of your own. It can take from a few days to a few weeks depending on the needs of your organization. The flexibility Drata provides here allows your organization to tailor fit the Policy Center to your needs.
When you have completed all the activities, the Quick Start will reach 100% completion status. At that time, the Quick Start link will move from the top of the navigation panel to inside your user submenu at the bottom of the navigation panel, under Connections. You can open the Quick Start wizard again by selecting your name on the bottom left navigation menu and then selecting Quick Start.
What’s Next
The What’s Next section highlights some additional features such as vulnerability scanning, observability connection and Trust Center to share your security posture with your customers.