
Organizing your policies and procedures

Pro tip: organize your security policies for easy, transparent compliance and automated collection.

Written by Micah Spieler
Updated over a year ago

A critical component of your compliance practice is defining and documenting your security policies and procedures so that your entire organization can understand how to keep your business secure and customer data safe.

During a compliance audit, your auditor will likely want to review the most recent version of these documents to confirm that your control set aligns with your defined procedures. Employees in your organization will also need access to review these policies, both during onboarding and routinely as part of a consistent security practice.

To make things easy, we recommend centralizing your policies and procedures for easy and transparent access for your staff, as well as enabling Automated Collection to ensure that the latest copy is always ready in Strike Graph for your next audit event.

Ready to see how that works?

Step 1: Stay organized with centralized storage

First, get your documents organized. If you use business collaboration software (like Google Workspace or Office 365), it is easy to keep documents well organized for easy access.

Pick one place to store your organization’s security policies and procedures — this way you always know where to point others when you need the most up-to-date versions of a document.

If you’re using Google Workspace, consider making a new Shared Drive with a name like “Policies and Procedures” and use this as the centralized storage location to keep your documents organized. When you make new policies, put them in this drive so you (and others) always know where to find them.

If you’re using a different business collaboration platform, like Office 365, the same practice applies: find a single, central place to store your documents so that they’re easy to locate in the future.

It may also be a good idea to centralize other policies and procedures (like employee handbooks or other HR policies) into the same location to truly streamline the employee experience.

Step 2: Make them easy to access

The next thing to tackle is the permission set for the centralized storage location (or Shared Drive if you’re using Google Workspace). You will most likely need a combination of permission levels, granted on a least-privilege basis:

  • Editor permissions for the policy and procedure owners so they can review, edit, and maintain the documents over time

  • Viewer permissions for most of the staff so they can access and review the policies as needed

You may choose to set the permissions at the folder (or Drive) level or at the document level, depending on the needs of your organization. You may also want a separate permission level for reviewers, who can leave comments or suggestions on documents without being able to change the published text. Avoid broad link-based sharing (for example, “anyone with the link”) for these documents; grant access to named users and groups so that you can answer an auditor’s question about who can read or change a policy.

If you’re using Google Workspace, you can set permissions at both the Shared Drive level and the document level. Note: our Google Drive integration requires that the user credentials used to set up the integration have ‘download, copy, or print’ permission on each file that it attaches as evidence. Google Drive lets you restrict viewers from downloading, printing, or copying a file; if that restriction is enabled on a policy document, the integration account must be granted a level of access that is exempt from it, or collection of that file will fail.

Step 3: Leverage a single source of truth with version history

Once your policies and procedures are in a central place and the correct permissions have been established, leverage these documents as the “single source of truth” and try to avoid making duplicate copies.

Each time you make a copy, you introduce unnecessary confusion about which version is the “final” version and which is a working copy, outdated, or a duplicate.

With most modern document storage solutions, changes to files and documents are tracked automatically. This means that you can easily review or roll back to a previous version if you ever need to, and you have a reliable revision history to reference for auditing purposes. This standard feature is usually lost if you make manual copies of documents for the purposes of editing and “finalizing” policies or procedures, because the revision history is typically not carried over to the new copy.

Rather than making a “version 2” copy of the file, remember that you can make changes directly to the “source of truth” and roll back if necessary.

Another added benefit of the “single source of truth” approach is that if you make any links to the document (like in an employee handbook), those links will always remain intact and you won’t have to keep those links up-to-date as revisions to the policies roll out.

Keep each policy as the single source of truth, and this will limit confusion and save you (and your team) a ton of headaches.

Step 4: Use automated collection

At each audit event, your auditor team will want to look at your published policies to confirm their accuracy against your control set (or vice versa). With Strike Graph’s Automated Collection feature, you can ensure that a fresh copy of each policy or procedure is automatically attached a few days before the existing evidence expires. Here are some quick steps to make sure your policies are all connected with Automated Collection:

  • Log in to Strike Graph

  • Navigate to the Integration Manager to make sure you have an integration configured with your centralized storage location, like Google Drive or AWS S3

  • Navigate to the Evidence Repository and set a filter to show evidence whose Type is Policy

  • Open each policy-type evidence item and configure Automated Collection. If the item already has an effective (current) attachment, you will find the Automated Collection setting under the “more” menu of the attachment status

  • Confirm the expiration schedule and align it with the cadence at which you expect to review and update your policies. Most companies review policies annually (every 365 days), but some prefer shorter review cycles of 90 days or less

Once configured, Automated Collection will re-collect the document from the same integration point 2-3 days before the evidence expires, ensuring that an up-to-date copy of your policies or procedures is always available for your auditor at the time of export. Because the integration pulls from your single source of truth, the collected copy reflects whatever is currently in that location; if a policy is moved, renamed, or its sharing restricted, check that the integration account can still reach it before the next expiration date.

Questions?

Reach out through our chat feature for real-time Customer Success support 8 am - 5 pm PT Monday through Friday.
