Frequently Asked Questions: Policies


Can the owner be a title/role versus an individual name? 

  • Yes. It's totally fine to use a role or title as the policy owner. This person is the enforcer of the policy: employees should be able to identify them easily, and they should be prepared to answer any questions employees have about the policy.

Can the author and approver be the same person?

  • Yes. Not a problem at all. 

Regarding the Information Security Roles & Responsibilities, can we make adjustments to the policy?

  • Yes. The roles and responsibilities you see are examples. The policy should be an accurate reflection of your own organization, so please change them accordingly.

The policy mentions AWS, but we use GCP as our cloud provider. Should we change the policy to list the tool that we use?

  • Yes. Vanta templates often mention specific tools; if the tool you use differs from the one mentioned, please update the policy accordingly.

What happens when I approve a policy? Will it send to all of my employees?

  • Approving a policy changes its status from a draft to an approved policy. It will not be sent to your employees until you turn on employee notifications in the settings of your Vanta instance.

We are a fully remote company; do we need to complete a Physical Security Policy?

  • No. If you are fully remote with no plans to return to an office, you don't need to complete the Physical Security Policy, and you can deactivate the test associated with this policy.

I notice the policy mentions HIPAA or ISO 27001, but we are only looking to achieve SOC 2. Can those items be removed?

  • Yes. If the policy mentions a framework you are not looking to achieve, you are more than welcome to remove those sections of the policy.

While creating our policies, how do we ensure that they will apply to our subsidiary companies as well? 

  • The important thing is that the auditor knows which policies apply and that the in-scope individuals sign off on them. Within the policy you could write something like "[Parent Company] and all of its subsidiaries" to make this clear.

How do we determine which employees get what policies? 

  • It all depends on your organization's structure. Many of the small businesses we work with overlap responsibilities across roles, so it is hard to say definitively. The "Scope" section at the top of each policy describes what the policy covers, and from that you can determine which people or departments should be involved.

How should I specify the "Effective Date" on my policies?

  • The "Effective Date" is a date of your choosing. However, we recommend using the same date on all policies and future-dating them. Having the same date allows you to renew all policies as one event rather than renewing one or two policies at random points throughout the year. Future-dating the policies gives the organization time to implement any new workflows or processes required for your compliance framework(s).

What should I do for Appendix B in the Access Control Policy?

  • The purpose of this matrix is to avoid having to show tickets and approvals for standard access. You should define what counts as standard system or application access for each role within your organization.

What does your Secure Development Policy refer to when it says Check-In Process under the System Change Control Procedures?

  • This is the process by which new code is pushed to your production environment. Describe the steps your engineering or development team goes through before deploying new code.

In the Data Management Policy, what is the Master Version link at the bottom? Can it be removed? 

  • If the Data Retention Matrix in your policy is all-inclusive, you can remove the Master Version link segment. If you prefer to provide a link to your Data Retention Matrix instead, you can remove the matrix and provide a link to where the matrix is stored internally.

How do I add someone to our instance before we've connected our IDP/HRIS system, or who isn't in them?

  • On the People page, you'll find an option to add someone to Vanta manually. You'll be prompted to add their first and last name, contact information, and start date. From there, you can give them Editor or Admin access to your instance.