When is it appropriate to create custom controls and evidence?
Even though Strike Graph comes pre-installed with hundreds of standard controls and evidence items, there are situations where you may need to add custom controls and evidence items to your account. Whether it's due to a security program unique to your business, or based on auditor feedback, you can customize your Control Library and Evidence Repository by following the steps below.
How to create custom controls
Navigate to your Control Library.
Click on the "+ New Control" button.
Fill in the control details required in the modal:
Name: How do you identify this control?
Description: How does this control operate within your organization?
Control Status: This will likely be "Active."
Owner: Who is responsible for operating this control?
Frequency: How often is this control performed?
Progress: Is this control currently operational?
Click "Save Changes."
Now the control can be found in your Control Library and managed as part of your security compliance program.
Finally, don't forget to link the new control to other items in your Strike Graph account like risks, evidence, and criteria. This step ensures that your custom controls operate the same way as Strike Graph pre-installed controls. More information on linking your custom controls can be found below.
How to create custom evidence
Navigate to the Evidence Repository.
Click on the "+ New Evidence" button
Fill in the evidence details required in the modal:
Name: How do you identify this evidence item?
Description: What exactly does this evidence item showcase?
Owner: Who is responsible for gathering and uploading this evidence item? (This is often the same owner as the linked control!)
Status: This will likely be "Active."
Type: Is this evidence item a policy document, proof of your organization’s settings, a sample document, or a population?
Expiration Schedule: How often should this evidence item be replaced with a fresh version?
Click "Save Changes."
Now the custom evidence item can be found in your Evidence Repository and managed as part of your security compliance program.
Finally, don't forget to link the new evidence item to appropriate control(s). In other words, which control(s) does this evidence item provide proof of? More information on linking your custom evidence items can be found below.
How to link new evidence items to controls
Navigate to your newly created evidence item by clicking on the evidence title from within your Evidence Repository
Click on the "+ Link Controls" button on the right side of the screen.
Search for the control(s) that this evidence item provides proof of and click the link icon.
Exit the modal and check that your newly linked control is listed.
How to link controls to criteria
Linking controls to criteria is a critical step if you plan to use the control as part of a compliance program that will be audited by an internal or external party. Controls only show up in the Audit Export bundle if they are active and linked to framework criteria.
To link the new control to framework criteria:
Navigate to your newly created control by clicking on the control title from within your Control Library.
Click on the "+ Link" button on the right side of the screen and select "Criteria."
In the modal, select the framework that you would like to link to and navigate to the criteria that you would like to map to the control.
You can link the control to any level of the framework tree, or expand the tree by clicking on the arrow icon to the left of each criteria branch. You can link to multiple criteria, if needed.
Once you have selected the criteria from the list that you would like to link to, click on the "Add Link" button on the right side .
Exit the modal and check that your newly linked criteria is listed.