Policies
About policies
Section titled “About policies”A policy is a structured set of compliance requirements. Policies may represent regulations, RMFs, or internal SOPs.
Policies are made up of two types of components: — Policy details (name, description, type, etc.)
- Controls (the discrete mandates used to define and measure compliance progress)
Key actions associated with policies include:
Creating a policy
Section titled “Creating a policy”Creating a policy lets you define a set of compliance requirements for your project.
There are three ways to create a policy in Governance Studio:
- Start Fresh: Create a new policy from scratch from within the Governance Studio UI.
- From Existing Policy: Create a new policy using an existing policy as a template from within the Governance Studio UI.
- Upload Template: Create a new policy using an Excel template that is downloadable from Governance Studio.
- An empty version of this template can be downloaded from the Upload Template flow, or you can export a policy in this template from the Policy Library as described here.
All three methods achieve the same result: a new policy populates the Policy Library and is ready to apply to a project. Choose the creation method that is most efficient for you — we recommend starting with Upload Template as it offers the most flexibility.
To create a policy:
- Navigate to the Policy Library in the sidebar
- Select Create Policy
- Select which method you want to use:
- Start Fresh
- From Existing Policy
- Upload Template
When creating a policy, refer to this guide to understand each component:
Policy Details
Section titled “Policy Details”- Policy Name: The name that identifies your policy within Governance Studio.
- Policy Version: A version number for you to track policies with similar attributes.
- Policy Description: A summary explaining the purpose of your policy.
- Policy Type: The category your policy belongs to.
- Internal: Policies that represent your organization’s standard operating procedures (SOPs) or similiar documents.
- Regulatory: Policies derived from regulations or legislations.
- Risk Management: Policies that represent RMFs from agencies like NIST or those created by industry.
- Custom: Policies that are created for the unique needs of your project or don’t fit neatly into a category above.
- Icon URL: The icon associated with your policy.
Controls
Section titled “Controls”Each control represents a discrete mandate within your policy. You can add as many controls as your policy requires.
- Control Title: A short, descriptive name for the control.
- Control Code: A unique identifier for the control. Codes must be unique within the policy and can be up to 30 characters long.
- Control Description: An explanation of what the control requires.
- Control Citations (optional): Reference sources that support or define the control. For each citation, provide:
- Citation Source Name: The title of the cited document.
- Citation Source URL: A link to the cited document.
Applying a policy
Section titled “Applying a policy”Applying a policy to a project activates the policy’s controls, enabling your team to start tracking compliance.
To apply a policy from the Project Dashboard:
- Navigate to the Applied Policies tab
- Select Apply Policy
- Select the policy you want to apply
- Select Apply Policy
To apply a policy from the Policy Overview page:
- Navigate to the Policy Library in the sidebar
- Select the policy you wish to apply
- Select Apply to Project
- Choose a project
- Select Apply Policy
Archiving a policy
Section titled “Archiving a policy”If an applied policy no longer requires compliance tracking within a project, it can be archived. Archiving a policy prevents any further activity from being recorded in that policy, suspends the policy’s controls from contributing to the project’s Overall Compliance, disables indicator evaluations from being logged, and revokes active credentials when applicable.
The policy’s existing compliance history is preserved for future reference. If the policy needs to be reactivated, it can be reapplied to the project. Reapplying a policy resumes its controls’ contribution to compliance and reactivates all associated indicators.
To archive an applied policy:
- Navigate to the applied policy’s Implementation dashboard
- Select Actions and choose Archive Applied Policy
- Type the applied policy name to confirm
- Select Archive
To reapply an archived policy:
- Navigate to the Project Dashboard
- Select the Applied/Archived filter dropdown and choose Archived
- Select the archived policy
- Select Actions and choose Reapply Policy
- Type the applied policy name to confirm
- Select Reapply
Viewing the Policy Library
Section titled “Viewing the Policy Library”The Policy Library contains all policies available to apply to your project. This page is scoped to your organization and is therefore accessible to Governance Studio users across all projects. You can navigate to the Policy Library via the sidebar.
The Policy Library primarily helps your team understand what policies are available to them and what controls they contain.
The Policy Library also allows users to export a policy in the .xlsx template used in the Upload Template policy creation flow. Editing this file in a common spreadsheet editor (such as Google Sheets) is the most efficient way to make significant changes to a policy.
To export a policy:
- Navigate to the Policy Library in the sidebar
- Select the policy you wish to export
- Select Export Policy
- Download the .xlsx file