Documents generated from CyMetric need to be reviewed and approved as a formal part of the process. The Program Policy document defines the high-level commitment of the organization to its compliance program and defines the scope of the program in terms of which information systems are included in the compliance program and which compliance obligations are assigned to each system. Additionally, specific responsibility is assigned to executive personnel for various functions comprising the program. Procedural documents that support the policy also need to be approved. These documents are organized by NIST control family to create segmentation between the procedural requirements of the program.
Select the Document: From the navigation area, click on the Policies module. The list of approved or pending policy documents will be presented on the landing page.
Select the policy document to review by clicking the caret (>) on the appropriate line on the right side of the screen. The policy/document details appear. All details appear as pending or undefined. Approver Notes are undefined as well.
Review the Document: To review the document in advance of approving, click on the download icon from the top right corner of the details area. The document will open in a new tab in your browser where you can review its content. Review the document to ensure it is in line with organization expectations and capabilities.
NOTE: For Procedural documents (NIST Family), be sure the control variables are defined in the documents. If a control has an undefined variable, the document will indicate that the VARIABLE IS NOT SET. For information on how to configure the variables for these controls, please see Managing and Configuring Controls.
Accept or Reject the Document: After reviewing the document, Users can accept or reject the document. If accepted, the document becomes a working document and a part of the compliance program. If the document is rejected, Users can make appropriate adjustments to the program and resubmit the document for approval. To Accept or Reject the document, click on the green Approve button. A dialog box appears requiring Users to add notes to define the approval process or rejection reason. Based upon the decision, Users select the Accept or Reject button to define the disposition of the document. Users need to go through this process for all the documents listed in the grid.
Document disposition details appear in the Policy Details screen. Status, Approver, Last Reviewed Date and Next Review Date details are filled in. Approver Notes are also populated into the screen. If the document was approved, the green Approve button transitions to Review. If the policy document is rejected, the green Approve button transitions to Generate New.
Rejected Policy Resubmission: Should a policy document be rejected, Users can correct the issues and resubmit the document for approval. The document will be identified as Rejected in the Status column on the Policies main landing page. Click on the caret (>) on the line of the document to access the rejected policy document. To initiate the process, click on the Generate New button from the top right corner of the Policy Details screen. Users are prompted to confirm their intent to generate a new version of the policy. Click on Continue to do so or Cancel to stop the process. If Users Continue, a dialog box appears presenting options similar to the original Policy Generation process. Populate the fields as appropriate and click on the Next button.
NOTE: Clicking on the Generate Policy button generates the policy for THIS DOCUMENT ONLY. All other documents will be unaffected by this process.
Review the details to confirm the data entry values and then click on the Generate Policy button. Once generated, Users will need to go through the document Approval process to accept this document into the compliance program.