diff --git a/apps/app/src/app/(app)/[orgId]/components/OnboardingTracker.tsx b/apps/app/src/app/(app)/[orgId]/components/OnboardingTracker.tsx index 753625398..987b15f8d 100644 --- a/apps/app/src/app/(app)/[orgId]/components/OnboardingTracker.tsx +++ b/apps/app/src/app/(app)/[orgId]/components/OnboardingTracker.tsx @@ -119,6 +119,7 @@ export const OnboardingTracker = ({ onboarding }: { onboarding: Onboarding }) => case 'QUEUED': case 'EXECUTING': case 'PENDING_VERSION': + case 'DEQUEUED': case 'DELAYED': return (
@@ -156,7 +157,6 @@ export const OnboardingTracker = ({ onboarding }: { onboarding: Onboarding }) => case 'CANCELED': case 'CRASHED': case 'SYSTEM_FAILURE': - case 'DEQUEUED': case 'EXPIRED': case 'TIMED_OUT': { const errorMessage = run.error?.message || 'An unexpected issue occurred.'; diff --git a/apps/app/src/app/(app)/[orgId]/risk/[riskId]/actions/regenerate-risk-mitigation.ts b/apps/app/src/app/(app)/[orgId]/risk/[riskId]/actions/regenerate-risk-mitigation.ts new file mode 100644 index 000000000..63dcfcf99 --- /dev/null +++ b/apps/app/src/app/(app)/[orgId]/risk/[riskId]/actions/regenerate-risk-mitigation.ts @@ -0,0 +1,35 @@ +'use server'; + +import { authActionClient } from '@/actions/safe-action'; +import { generateRiskMitigation } from '@/jobs/tasks/onboarding/generate-risk-mitigation'; +import { tasks } from '@trigger.dev/sdk'; +import { z } from 'zod'; + +export const regenerateRiskMitigationAction = authActionClient + .inputSchema( + z.object({ + riskId: z.string().min(1), + }), + ) + .metadata({ + name: 'regenerate-risk-mitigation', + track: { + event: 'regenerate-risk-mitigation', + channel: 'server', + }, + }) + .action(async ({ parsedInput, ctx }) => { + const { riskId } = parsedInput; + const { session } = ctx; + + if (!session?.activeOrganizationId) { + throw new Error('No active organization'); + } + + await tasks.trigger('generate-risk-mitigation', { + organizationId: session.activeOrganizationId, + riskId, + }); + + return { success: true }; + }); diff --git a/apps/app/src/app/(app)/[orgId]/risk/[riskId]/components/RiskActions.tsx b/apps/app/src/app/(app)/[orgId]/risk/[riskId]/components/RiskActions.tsx new file mode 100644 index 000000000..9901c407e --- /dev/null +++ b/apps/app/src/app/(app)/[orgId]/risk/[riskId]/components/RiskActions.tsx @@ -0,0 +1,77 @@ +'use client'; + +import { regenerateRiskMitigationAction } from '@/app/(app)/[orgId]/risk/[riskId]/actions/regenerate-risk-mitigation'; +import { Button } from '@comp/ui/button'; +import { + Dialog, + DialogContent, + DialogDescription, + DialogFooter, + DialogHeader, + DialogTitle, +} from '@comp/ui/dialog'; +import { + DropdownMenu, + DropdownMenuContent, + DropdownMenuItem, + DropdownMenuTrigger, +} from '@comp/ui/dropdown-menu'; +import { Cog } from 'lucide-react'; +import { useAction } from 'next-safe-action/hooks'; +import { useState } from 'react'; +import { toast } from 'sonner'; + +export function RiskActions({ riskId }: { riskId: string }) { + const [isConfirmOpen, setIsConfirmOpen] = useState(false); + const regenerate = useAction(regenerateRiskMitigationAction, { + onSuccess: () => toast.success('Regeneration triggered. This may take a moment.'), + onError: () => toast.error('Failed to trigger mitigation regeneration'), + }); + + const handleConfirm = () => { + setIsConfirmOpen(false); + toast.info('Regenerating risk mitigation...'); + regenerate.execute({ riskId }); + }; + + return ( + <> + + + + + + setIsConfirmOpen(true)}> + Regenerate Risk Mitigation + + + + + !open && setIsConfirmOpen(false)}> + + + Regenerate Mitigation + + This will generate a fresh mitigation comment for this risk and mark it closed. + Continue? + + + + + + + + + + ); +} diff --git a/apps/app/src/app/(app)/[orgId]/risk/[riskId]/page.tsx b/apps/app/src/app/(app)/[orgId]/risk/[riskId]/page.tsx index af51b6fdd..1c860f8a0 100644 --- a/apps/app/src/app/(app)/[orgId]/risk/[riskId]/page.tsx +++ b/apps/app/src/app/(app)/[orgId]/risk/[riskId]/page.tsx @@ -9,6 +9,7 @@ import { headers } from 'next/headers'; import { redirect } from 'next/navigation'; import { cache } from 'react'; import { Comments } from '../../../../../components/comments/Comments'; +import { RiskActions } from './components/RiskActions'; interface PageProps { searchParams: Promise<{ @@ -35,6 +36,7 @@ export default async function RiskPage({ searchParams, params }: PageProps) { { label: 'Risks', href: `/${orgId}/risk` }, { label: risk.title, current: true }, ]} + headerRight={} >
@@ -74,8 +76,6 @@ const getRisk = cache(async (riskId: string) => { return risk; }); - - const getAssignees = cache(async () => { const session = await auth.api.getSession({ headers: await headers(), diff --git a/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/regenerate-vendor-mitigation.ts b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/regenerate-vendor-mitigation.ts new file mode 100644 index 000000000..1d01d08e3 --- /dev/null +++ b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/regenerate-vendor-mitigation.ts @@ -0,0 +1,35 @@ +'use server'; + +import { authActionClient } from '@/actions/safe-action'; +import { generateVendorMitigation } from '@/jobs/tasks/onboarding/generate-vendor-mitigation'; +import { tasks } from '@trigger.dev/sdk'; +import { z } from 'zod'; + +export const regenerateVendorMitigationAction = authActionClient + .inputSchema( + z.object({ + vendorId: z.string().min(1), + }), + ) + .metadata({ + name: 'regenerate-vendor-mitigation', + track: { + event: 'regenerate-vendor-mitigation', + channel: 'server', + }, + }) + .action(async ({ parsedInput, ctx }) => { + const { vendorId } = parsedInput; + const { session } = ctx; + + if (!session?.activeOrganizationId) { + throw new Error('No active organization'); + } + + await tasks.trigger('generate-vendor-mitigation', { + organizationId: session.activeOrganizationId, + vendorId, + }); + + return { success: true }; + }); diff --git a/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/components/VendorActions.tsx b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/components/VendorActions.tsx new file mode 100644 index 000000000..287314252 --- /dev/null +++ b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/components/VendorActions.tsx @@ -0,0 +1,77 @@ +'use client'; + +import { regenerateVendorMitigationAction } from '@/app/(app)/[orgId]/vendors/[vendorId]/actions/regenerate-vendor-mitigation'; +import { Button } from '@comp/ui/button'; +import { + Dialog, + DialogContent, + DialogDescription, + DialogFooter, + DialogHeader, + DialogTitle, +} from '@comp/ui/dialog'; +import { + DropdownMenu, + DropdownMenuContent, + DropdownMenuItem, + DropdownMenuTrigger, +} from '@comp/ui/dropdown-menu'; +import { Cog } from 'lucide-react'; +import { useAction } from 'next-safe-action/hooks'; +import { useState } from 'react'; +import { toast } from 'sonner'; + +export function VendorActions({ vendorId }: { vendorId: string }) { + const [isConfirmOpen, setIsConfirmOpen] = useState(false); + const regenerate = useAction(regenerateVendorMitigationAction, { + onSuccess: () => toast.success('Regeneration triggered. This may take a moment.'), + onError: () => toast.error('Failed to trigger mitigation regeneration'), + }); + + const handleConfirm = () => { + setIsConfirmOpen(false); + toast.info('Regenerating vendor risk mitigation...'); + regenerate.execute({ vendorId }); + }; + + return ( + <> + + + + + + setIsConfirmOpen(true)}> + Regenerate Risk Mitigation + + + + + !open && setIsConfirmOpen(false)}> + + + Regenerate Mitigation + + This will generate a fresh risk mitigation comment for this vendor and mark it + assessed. Continue? + + + + + + + + + + ); +} diff --git a/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/page.tsx b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/page.tsx index 0cc00a95d..d1fd53ab9 100644 --- a/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/page.tsx +++ b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/page.tsx @@ -8,6 +8,7 @@ import { headers } from 'next/headers'; import { redirect } from 'next/navigation'; import { cache } from 'react'; import { Comments } from '../../../../../components/comments/Comments'; +import { VendorActions } from './components/VendorActions'; import { VendorInherentRiskChart } from './components/VendorInherentRiskChart'; import { VendorResidualRiskChart } from './components/VendorResidualRiskChart'; import { SecondaryFields } from './components/secondary-fields/secondary-fields'; @@ -31,6 +32,7 @@ export default async function VendorPage({ params }: PageProps) { { label: 'Vendors', href: `/${orgId}/vendors` }, { label: vendor.vendor?.name ?? '', current: true }, ]} + headerRight={} >
{ - if (window.confirm('Are you sure you want to delete this comment?')) { - try { - // Use API hook directly instead of server action - await deleteComment(comment.id); - - toast.success('Comment deleted successfully.'); - refreshComments(); - } catch (error) { - toast.error('Failed to delete comment.'); - console.error('Delete comment error:', error); - } + setIsDeleting(true); + try { + await deleteComment(comment.id); + toast.success('Comment deleted successfully.'); + refreshComments(); + setIsDeleteOpen(false); + } catch (error) { + toast.error('Failed to delete comment.'); + console.error('Delete comment error:', error); + } finally { + setIsDeleting(false); } }; @@ -171,7 +181,7 @@ export function CommentItem({ comment, refreshComments }: CommentItemProps) { setIsDeleteOpen(true)} > Delete @@ -229,6 +239,25 @@ export function CommentItem({ comment, refreshComments }: CommentItemProps) {
+ {/* Delete confirmation dialog */} + !open && setIsDeleteOpen(false)}> + + + Delete Comment + + Are you sure you want to delete this comment? This cannot be undone. + + + + + + + + ); } diff --git a/apps/app/src/components/pages/PageWithBreadcrumb.tsx b/apps/app/src/components/pages/PageWithBreadcrumb.tsx index 054cec64f..c2c486adc 100644 --- a/apps/app/src/components/pages/PageWithBreadcrumb.tsx +++ b/apps/app/src/components/pages/PageWithBreadcrumb.tsx @@ -39,6 +39,7 @@ interface PageLayoutProps { */ maxItems?: number; maxLabelLength?: number; + headerRight?: React.ReactNode; } export default function PageWithBreadcrumb({ @@ -46,6 +47,7 @@ export default function PageWithBreadcrumb({ breadcrumbs, maxItems = 3, maxLabelLength = 40, + headerRight, }: PageLayoutProps) { const totalItems = breadcrumbs.length; const shouldCollapse = totalItems > maxItems; @@ -58,82 +60,85 @@ export default function PageWithBreadcrumb({ return ( - - - {visibleItems.map((item, index) => { - const isFirst = index === 0; - const isLast = index === visibleItems.length - 1; - const showEllipsis = shouldCollapse && index === 1; +
+ + + {visibleItems.map((item, index) => { + const isFirst = index === 0; + const isLast = index === visibleItems.length - 1; + const showEllipsis = shouldCollapse && index === 1; - return ( - - - {item.dropdown ? ( - - - {item.current ? ( - - {item.label.length > maxLabelLength - ? `${item.label.slice(0, maxLabelLength)}...` - : item.label} - - - ) : ( - <> - {item.label.length > maxLabelLength - ? `${item.label.slice(0, maxLabelLength)}...` - : item.label} - - - )} - - - {item.dropdown.map((dropdownItem) => ( - - - {dropdownItem.label.length > maxLabelLength - ? `${dropdownItem.label.slice(0, maxLabelLength)}...` - : dropdownItem.label} - - - ))} - - - ) : item.current ? ( - {item.label} - ) : ( - - {item.label} - - )} - - {!isLast && } - {showEllipsis && hiddenItems.length > 0 && ( - <> - + return ( + + + {item.dropdown ? ( - - + + {item.current ? ( + + {item.label.length > maxLabelLength + ? `${item.label.slice(0, maxLabelLength)}...` + : item.label} + + + ) : ( + <> + {item.label.length > maxLabelLength + ? `${item.label.slice(0, maxLabelLength)}...` + : item.label} + + + )} - - {hiddenItems.map((hiddenItem) => ( - - {hiddenItem.label} + + {item.dropdown.map((dropdownItem) => ( + + + {dropdownItem.label.length > maxLabelLength + ? `${dropdownItem.label.slice(0, maxLabelLength)}...` + : dropdownItem.label} + ))} - - - - )} - - ); - })} - - + ) : item.current ? ( + {item.label} + ) : ( + + {item.label} + + )} + + {!isLast && } + {showEllipsis && hiddenItems.length > 0 && ( + <> + + + + + + + {hiddenItems.map((hiddenItem) => ( + + {hiddenItem.label} + + ))} + + + + + + )} + + ); + })} + + + {headerRight} +
{children} ); diff --git a/apps/app/src/jobs/tasks/onboarding/generate-risk-mitigation.ts b/apps/app/src/jobs/tasks/onboarding/generate-risk-mitigation.ts new file mode 100644 index 000000000..b67fab7d7 --- /dev/null +++ b/apps/app/src/jobs/tasks/onboarding/generate-risk-mitigation.ts @@ -0,0 +1,108 @@ +import { RiskStatus, db } from '@db'; +import { logger, queue, task } from '@trigger.dev/sdk'; +import axios from 'axios'; +import { + createRiskMitigationComment, + findCommentAuthor, + type PolicyContext, +} from './onboard-organization-helpers'; + +// Queues +const riskMitigationQueue = queue({ name: 'risk-mitigations', concurrencyLimit: 10 }); +const riskMitigationFanoutQueue = queue({ name: 'risk-mitigations-fanout', concurrencyLimit: 3 }); + +export const generateRiskMitigation = task({ + id: 'generate-risk-mitigation', + queue: riskMitigationQueue, + run: async (payload: { organizationId: string; riskId: string }) => { + const { organizationId, riskId } = payload; + logger.info(`Generating risk mitigation for risk ${riskId} in org ${organizationId}`); + + const [risk, policies, author] = await Promise.all([ + db.risk.findFirst({ where: { id: riskId, organizationId } }), + db.policy.findMany({ where: { organizationId }, select: { name: true, description: true } }), + findCommentAuthor(organizationId), + ]); + + if (!risk) { + logger.warn(`Risk ${riskId} not found in org ${organizationId}`); + return; + } + + if (!author) { + logger.warn( + `No eligible author found for org ${organizationId}; skipping mitigation for risk ${riskId}`, + ); + return; + } + + await createRiskMitigationComment(risk, policies as PolicyContext[], organizationId, author.id); + + // Mark risk as closed and assign to owner/admin + await db.risk.update({ + where: { id: risk.id, organizationId }, + data: { + status: RiskStatus.closed, + assigneeId: author.id, + }, + }); + + // Revalidate only the risk detail page in the individual job + try { + const detailPath = `/${organizationId}/risk/${riskId}`; + const url = `${process.env.NEXT_PUBLIC_BETTER_AUTH_URL}/api/revalidate/path`; + logger.info('url', { url }); + await axios.post( + url, + { + path: detailPath, + secret: process.env.REVALIDATION_SECRET, + }, + { + headers: { + 'Content-Type': 'application/json', + }, + }, + ); + logger.info(`Revalidated risk path: ${detailPath}`); + } catch (e) { + logger.error('Failed to revalidate risk paths after mitigation', { e }); + } + }, +}); + +export const generateRiskMitigationsForOrg = task({ + id: 'generate-risk-mitigations-for-org', + queue: riskMitigationFanoutQueue, + run: async (payload: { organizationId: string }) => { + const { organizationId } = payload; + logger.info(`Fan-out risk mitigations for org ${organizationId}`); + + const risks = await db.risk.findMany({ where: { organizationId } }); + if (risks.length === 0) { + logger.info(`No risks found for org ${organizationId}`); + return; + } + + await generateRiskMitigation.batchTrigger( + risks.map((r) => ({ + payload: { organizationId, riskId: r.id }, + concurrencyKey: `${organizationId}:${r.id}`, + })), + ); + + // Revalidate the parent risk routes after batch triggering + try { + const listPath = `/${organizationId}/risk`; + await Promise.all([ + axios.post(`${process.env.NEXT_PUBLIC_BETTER_AUTH_URL}/api/revalidate/path`, { + path: listPath, + secret: process.env.REVALIDATION_SECRET, + }), + ]); + logger.info(`Revalidated risk parent paths: ${listPath}`); + } catch (e) { + logger.error('Failed to revalidate risk parent paths after batch', { e }); + } + }, +}); diff --git a/apps/app/src/jobs/tasks/onboarding/generate-vendor-mitigation.ts b/apps/app/src/jobs/tasks/onboarding/generate-vendor-mitigation.ts new file mode 100644 index 000000000..30d573cae --- /dev/null +++ b/apps/app/src/jobs/tasks/onboarding/generate-vendor-mitigation.ts @@ -0,0 +1,99 @@ +import { VendorStatus, db } from '@db'; +import { logger, queue, task } from '@trigger.dev/sdk'; +import axios from 'axios'; +import { + createVendorRiskComment, + findCommentAuthor, + type PolicyContext, +} from './onboard-organization-helpers'; + +// Queues +const vendorMitigationQueue = queue({ name: 'vendor-risk-mitigations', concurrencyLimit: 10 }); +const vendorMitigationFanoutQueue = queue({ + name: 'vendor-risk-mitigations-fanout', + concurrencyLimit: 3, +}); + +export const generateVendorMitigation = task({ + id: 'generate-vendor-mitigation', + queue: vendorMitigationQueue, + run: async (payload: { organizationId: string; vendorId: string }) => { + const { organizationId, vendorId } = payload; + logger.info(`Generating vendor mitigation for vendor ${vendorId} in org ${organizationId}`); + + const [vendor, policies, author] = await Promise.all([ + db.vendor.findFirst({ where: { id: vendorId, organizationId } }), + db.policy.findMany({ where: { organizationId }, select: { name: true, description: true } }), + findCommentAuthor(organizationId), + ]); + + if (!vendor) { + logger.warn(`Vendor ${vendorId} not found in org ${organizationId}`); + return; + } + + if (!author) { + logger.warn( + `No eligible author found for org ${organizationId}; skipping mitigation for vendor ${vendorId}`, + ); + return; + } + + await createVendorRiskComment(vendor, policies as PolicyContext[], organizationId, author.id); + + // Mark vendor as assessed and assign to owner/admin + await db.vendor.update({ + where: { id: vendor.id, organizationId }, + data: { + status: VendorStatus.assessed, + assigneeId: author.id, + }, + }); + + // Revalidate the vendor detail page so the new comment shows up + try { + const detailPath = `/${organizationId}/vendors/${vendorId}`; + await axios.post(`${process.env.NEXT_PUBLIC_BETTER_AUTH_URL}/api/revalidate/path`, { + path: detailPath, + secret: process.env.REVALIDATION_SECRET, + }); + logger.info(`Revalidated vendor path: ${detailPath}`); + } catch (e) { + logger.error('Failed to revalidate vendor paths after mitigation', { e }); + } + }, +}); + +export const generateVendorMitigationsForOrg = task({ + id: 'generate-vendor-mitigations-for-org', + queue: vendorMitigationFanoutQueue, + run: async (payload: { organizationId: string }) => { + const { organizationId } = payload; + logger.info(`Fan-out vendor mitigations for org ${organizationId}`); + + const vendors = await db.vendor.findMany({ where: { organizationId } }); + if (vendors.length === 0) { + logger.info(`No vendors found for org ${organizationId}`); + return; + } + + await generateVendorMitigation.batchTrigger( + vendors.map((v) => ({ + payload: { organizationId, vendorId: v.id }, + concurrencyKey: `${organizationId}:${v.id}`, + })), + ); + + // Revalidate the parent vendors route after batch triggering + try { + const parentPath = `/${organizationId}/vendors`; + await axios.post(`${process.env.NEXT_PUBLIC_BETTER_AUTH_URL}/api/revalidate/path`, { + path: parentPath, + secret: process.env.REVALIDATION_SECRET, + }); + logger.info(`Revalidated vendors parent path: ${parentPath}`); + } catch (e) { + logger.error('Failed to revalidate vendors parent path after batch', { e }); + } + }, +}); diff --git a/apps/app/src/jobs/tasks/onboarding/onboard-organization-helpers.ts b/apps/app/src/jobs/tasks/onboarding/onboard-organization-helpers.ts index 969715031..cdc9c0ffa 100644 --- a/apps/app/src/jobs/tasks/onboarding/onboard-organization-helpers.ts +++ b/apps/app/src/jobs/tasks/onboarding/onboard-organization-helpers.ts @@ -1,4 +1,3 @@ -import { anthropic } from '@ai-sdk/anthropic'; import { openai } from '@ai-sdk/openai'; import { CommentEntityType, @@ -7,6 +6,7 @@ import { FrameworkEditorFramework, Impact, Likelihood, + Risk, RiskCategory, RiskTreatmentType, VendorCategory, @@ -16,6 +16,7 @@ import { generateObject, generateText } from 'ai'; import axios from 'axios'; import z from 'zod'; import type { researchVendor } from '../scrape/research'; +import { RISK_MITIGATION_PROMPT } from './prompts/risk-mitigation'; import { VENDOR_RISK_ASSESSMENT_PROMPT } from './prompts/vendor-risk-assessment'; import { updatePolicies } from './update-policies'; @@ -154,7 +155,7 @@ export async function createVendorRiskComment( : 'No specific policies available - use standard security policy guidance.'; const riskMitigationComment = await generateText({ - model: anthropic('claude-sonnet-4-20250514'), + model: openai('gpt-5-nano'), system: VENDOR_RISK_ASSESSMENT_PROMPT, prompt: `Vendor: ${vendor.name} (${vendor.category}) - ${vendor.description}. Website: ${vendor.website}. @@ -262,6 +263,70 @@ export async function createVendorRiskComments( } } +/** + * Creates a risk mitigation comment for a risk + */ +export async function createRiskMitigationComment( + risk: Risk, + policies: PolicyContext[], + organizationId: string, + authorId: string, +): Promise { + const policiesContext = + policies.length > 0 + ? policies + .map((p) => `- ${p.name}: ${p.description || 'No description available'}`) + .join('\n') + : 'No specific policies available - use standard security policy guidance.'; + + const mitigation = await generateText({ + model: openai('gpt-5-nano'), + system: RISK_MITIGATION_PROMPT, + prompt: `Risk: ${risk.title} (${risk.category} / ${risk.department})\n\nDescription:\n${risk.description}\n\nTreatment Strategy:\n${risk.treatmentStrategy}: ${risk.treatmentStrategyDescription || 'N/A'}\n\nResidual Assessment: Likelihood ${risk.likelihood}, Impact ${risk.impact}\n\nAvailable Organization Policies:\n${policiesContext}\n\nWrite a pragmatic mitigation plan with concrete steps the team can implement in the next 30-90 days.`, + }); + + await db.comment.create({ + data: { + content: mitigation.text, + entityId: risk.id, + entityType: CommentEntityType.risk, + authorId, + organizationId, + }, + }); + + logger.info(`Created risk mitigation comment for risk: ${risk.id} (${risk.title})`); +} + +/** + * Creates risk mitigation comments for all risks provided + */ +export async function createRiskMitigationComments( + risks: Risk[], + policies: PolicyContext[], + organizationId: string, + authorId: string, +): Promise { + for (const risk of risks) { + await createRiskMitigationComment(risk, policies, organizationId, authorId); + } +} + +/** + * Create risk mitigation comments for risks + */ +export async function createRiskMitigation( + risks: Risk[], + policies: PolicyContext[], + organizationId: string, +): Promise { + const commentAuthor = await findCommentAuthor(organizationId); + + if (commentAuthor && risks.length > 0) { + await createRiskMitigationComments(risks, policies, organizationId, commentAuthor.id); + } +} + /** * Extracts risks from context using AI */ @@ -321,7 +386,8 @@ export async function getExistingRisks(organizationId: string) { export async function createRisksFromData( riskData: RiskData[], organizationId: string, -): Promise { +): Promise { + const createdRisks: Risk[] = []; for (const risk of riskData) { const createdRisk = await db.risk.create({ data: { @@ -337,10 +403,12 @@ export async function createRisksFromData( }, }); + createdRisks.push(createdRisk); logger.info(`Created risk: ${createdRisk.id} (${createdRisk.title})`); } logger.info(`Created ${riskData.length} risks`); + return createdRisks; } /** @@ -420,7 +488,7 @@ export async function createRisks( questionsAndAnswers: ContextItem[], organizationId: string, organizationName: string, -): Promise { +): Promise { // Get existing risks to avoid duplicates const existingRisks = await getExistingRisks(organizationId); @@ -432,7 +500,8 @@ export async function createRisks( ); // Create risk records in database - await createRisksFromData(riskData, organizationId); + const risks = await createRisksFromData(riskData, organizationId); + return risks; } /** diff --git a/apps/app/src/jobs/tasks/onboarding/onboard-organization.ts b/apps/app/src/jobs/tasks/onboarding/onboard-organization.ts index d5b28b9f8..f0c71600d 100644 --- a/apps/app/src/jobs/tasks/onboarding/onboard-organization.ts +++ b/apps/app/src/jobs/tasks/onboarding/onboard-organization.ts @@ -1,9 +1,10 @@ import { db } from '@db'; -import { logger, queue, task } from '@trigger.dev/sdk'; +import { logger, queue, task, tasks } from '@trigger.dev/sdk'; import axios from 'axios'; +import { generateRiskMitigationsForOrg } from './generate-risk-mitigation'; +import { generateVendorMitigationsForOrg } from './generate-vendor-mitigation'; import { createRisks, - createVendorRiskMitigation, createVendors, getOrganizationContext, updateOrganizationPolicies, @@ -41,12 +42,25 @@ export const onboardOrganization = task({ // Create vendors const vendors = await createVendors(questionsAndAnswers, payload.organizationId); - // Create risk mitigation for vendors - await createVendorRiskMitigation(vendors, policies, payload.organizationId); + // Fan-out vendor mitigations as separate jobs + await tasks.trigger( + 'generate-vendor-mitigations-for-org', + { + organizationId: payload.organizationId, + }, + ); // Create risks await createRisks(questionsAndAnswers, payload.organizationId, organization.name); + // Fan-out risk mitigations as separate jobs + await tasks.trigger( + 'generate-risk-mitigations-for-org', + { + organizationId: payload.organizationId, + }, + ); + // Update policies await updateOrganizationPolicies(payload.organizationId, questionsAndAnswers, frameworks); diff --git a/apps/app/src/jobs/tasks/onboarding/prompts/risk-mitigation.ts b/apps/app/src/jobs/tasks/onboarding/prompts/risk-mitigation.ts new file mode 100644 index 000000000..9400f40c3 --- /dev/null +++ b/apps/app/src/jobs/tasks/onboarding/prompts/risk-mitigation.ts @@ -0,0 +1,53 @@ +export const RISK_MITIGATION_PROMPT = `Comprehensive Risk Mitigation Plan +You are a risk-management assistant. Your task is to produce a concise, actionable mitigation plan for a given organizational risk using the organization's policy library as context. + +IMPORTANT CONTEXT: Assume you are advising a modern SaaS company. Consider realistic constraints: +- Focus ONLY on controls the COMPANY can implement +- Leverage governance, oversight, configuration, and contractual controls the company actually manages +- Consider the organization's maturity and avoid generic security boilerplate + +INPUTS + +- Risk: [User will insert a risk title, description, category, department, residual assessment, and existing treatment strategy] +- Available Organization Policies: [User will provide a list of the organization's actual security policies with names and descriptions] +- CONTEXTUAL KNOWLEDGE: You have access to the organization's actual security policies provided in the prompt. You must use these specific policies to inform your entire response and select the most relevant ones for the risk being mitigated. + +MAIN TASKS + +When generating your treatment plan, internally consider: +- What the COMPANY can realistically control +- The provided risk's category, department, and residual assessment +- Which policies from the Available Organization Policies list are most relevant +- Prioritize the most relevant and actionable controls for this specific risk + +1. Generate Treatment Plan: + - Set the treatment type. Prefer the risk's existing treatment strategy if provided and sensible + - Focus ONLY on controls the COMPANY can implement: + * Contractual and legal controls (agreements, SLAs, terms) + * Governance controls (reviews, assessments, monitoring) + * Configuration controls (settings the company controls in its systems) + * Access management (roles, permissions, periodic reviews) + * Data management (classification, minimization, retention) + * Oversight controls (auditing, incident response readiness) + - AVOID suggesting controls the vendor implements or generic boilerplate + - Rephrase each control in your own words. Do not copy text directly from the policy. +2. Present Output: Provide your response in the exact plain-text structure below with no extra formatting: + +IMPORTANT: Do not include any reasoning, thoughts, analysis, or explanations in your response. Only provide the treatment plan in the exact format below. Do not mention which policies you selected or why - just provide the clean output. + +Treatment plan (Type) +This plan reduces the risk through 5 controls: +- [Control description] +- [Control description] +- [Control description] +- [Control description] +- [Control description] + +Rules: +- Output EXACTLY 5 bullets. +- Each bullet MUST be one concise sentence (aim for 8–16 words). +- Use plain, simple language; avoid jargon, buzzwords, and fancy wording. +- Prefer active voice and concrete verbs; avoid unnecessary adjectives/adverbs. +- When a control clearly maps to a provided policy, append " (Policy: [Policy Name])" to that bullet. +- Only reference policies from the provided list; if none applies, omit the policy suffix. +- Do not include numbering, sub-bullets, or extra commentary.`; diff --git a/apps/app/src/jobs/tasks/onboarding/prompts/vendor-risk-assessment.ts b/apps/app/src/jobs/tasks/onboarding/prompts/vendor-risk-assessment.ts index 85f33d05d..7f68adb00 100644 --- a/apps/app/src/jobs/tasks/onboarding/prompts/vendor-risk-assessment.ts +++ b/apps/app/src/jobs/tasks/onboarding/prompts/vendor-risk-assessment.ts @@ -45,9 +45,19 @@ When generating your treatment plan, internally consider: IMPORTANT: Do not include any reasoning, thoughts, analysis, or explanations in your response. Only provide the treatment plan in the exact format below. Do not mention which policies you selected or why - just provide the clean output. -Treatment plan ([Type]) -This plan reduces the risk through [X] controls: +Treatment plan (Type) +This plan reduces the risk through 5 controls: - [Control description] - [Control description] - [Control description] -- [Additional controls as needed]`; +- [Control description] +- [Control description] + +Rules: +- Output EXACTLY 5 bullets. +- Each bullet MUST be one concise sentence (aim for 8–16 words). +- Use plain, simple language; avoid jargon, buzzwords, and fancy wording. +- Prefer active voice and concrete verbs; avoid unnecessary adjectives/adverbs. +- When a control clearly maps to a provided policy, append " (Policy: [Policy Name])" to that bullet. +- Only reference policies from the provided list; if none applies, omit the policy suffix. +- Do not include numbering, sub-bullets, or extra commentary.`; diff --git a/packages/db/prisma/seed/primitives/FrameworkEditorPolicyTemplate.json b/packages/db/prisma/seed/primitives/FrameworkEditorPolicyTemplate.json index 22fb3b4a2..10e08d1d3 100644 --- a/packages/db/prisma/seed/primitives/FrameworkEditorPolicyTemplate.json +++ b/packages/db/prisma/seed/primitives/FrameworkEditorPolicyTemplate.json @@ -1,23 +1,13 @@ [ - { - "id": "frk_pt_685e3f7b4ebcb27b60c51434", - "name": "Information Security & Privacy Governance", - "description": "Assigns clear ownership and management accountability for security and privacy, keeps policies current, and measures compliance through regular reviews.", - "frequency": "yearly", - "department": "admin", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Security Governance Roles", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Management Accountability", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Policy Management", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Security Awareness", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Define clear ownership for security and privacy and ensure decisions are documented.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – All personnel, contractors, information systems, SaaS/IaaS services and company-managed devices.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Security Governance Roles", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Designate a ", "type": "text"}, {"text": "Security & Privacy Owner (SPO)", "type": "text", "marks": [{"type": "bold"}]}, {"text": " and a documented backup.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record names in the Comp AI platform.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Re-confirm role assignments at least annually and after role changes.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Management Accountability", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "SPO presents a concise security status during a scheduled management on an as needed basis.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Senior management signs an annual statement acknowledging ultimate responsibility for security and privacy.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Allocate at least one measurable security improvement task per sprint or work cycle.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Policy Management", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store all policies in Comp AI; SPO verifies access and link integrity annually.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain version control with change logs.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Merge or retire overlapping policies to keep each document brief.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Security Awareness", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "New personnel read this policy set and electronically acknowledge before receiving system access.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Distribute security awareness training on an annual basis and record completion.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Annual check that: policies exist, SPO is documented, annual sign-off filed, awareness log current.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Document deviations in a “Security-Decisions” log with reason and expiry.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Missing logs or overdue actions corrected within two weeks or escalated at the next management review.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Audit and incident lessons feed into the next scheduled policy refresh.", "type": "text"}]}], - "createdAt": "2025-06-27 06:51:38.574", - "updatedAt": "2025-06-27 06:52:00.833" - }, { "id": "frk_pt_685e4010bde64520b9abaf1d", "name": "Compliance & Regulatory Monitoring", "description": "atalogues all legal, regulatory, and contractual obligations, links them to controls and evidence, and tracks enquiries and gaps to closure.", "frequency": "yearly", "department": "gov", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Regulatory Obligations List", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Compliance Register", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Regulator & Customer Liaison", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Evidence Review", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Identify applicable laws, standards and contractual commitments and keep proof of conformance.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – All products, data processing activities, jurisdictions of operation and contractual obligations.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Regulatory Obligations List", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a plain-language list of relevant legal and industry requirements.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Mark each entry ", "type": "text"}, {"text": "Applies", "type": "text", "marks": [{"type": "bold"}]}, {"text": " or ", "type": "text"}, {"text": "N/A", "type": "text", "marks": [{"type": "bold"}]}, {"text": " with a short justification.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review the list semi-annually or upon market expansion.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Compliance Register", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For every applicable requirement record: Internal Control Reference and Evidence Link.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Refresh evidence at least annually; schedule reminders before links expire.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Flag any missing evidence as a ", "type": "text"}, {"text": "Gap", "type": "text", "marks": [{"type": "bold"}]}, {"text": ".", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Regulator & Customer Liaison", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use a dedicated email alias forwarding to compliance contacts.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Acknowledge external compliance enquiries within 48 hours.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log date, question and resolution reference in the Compliance Register.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Evidence Review", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct a 30-minute annual sweep to update links and close gaps.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record the review date in the register header.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – No evidence older than 12 months; zero gaps open beyond 30 days.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Deferred items require documented justification and target date approved by senior management.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Unanswered enquiries or overdue gaps escalated to the next management meeting and added to the work backlog.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – After each audit or major customer questionnaire, adjust evidence format to streamline future requests.", "type": "text"}]}], + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Identify applicable laws, standards, and contractual commitments for {{COMPANY}} and keep proof of conformance in Comp AI. Protect {{DATA}} processed in {{CRITICAL}} and stored in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All products, data processing activities, jurisdictions of operation, and contractual obligations. Applies to {{LOCATION}} staff and contractors using {{DEVICES}} and workloads hosted in {{CRITICAL}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain governance to identify applicable requirements, track associated controls, and retain evidence for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where ePHI is involved, include HIPAA Privacy, Security, and Breach Notification Rules and retain documentation for 6 years; track BAAs and subcontractors.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Regulatory Obligations List", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a plain-language list of relevant legal, regulatory, and industry requirements (include contracts, SLAs, DPAs, BAAs) relevant to {{INDUSTRY}}, {{CRITICAL}}, {{GEO}}, and {{DATA}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Mark each entry Applies or N/A with a short justification.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review the list semi-annually or upon market expansion.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure each entry references internal controls and owners to support audit requests.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Explicitly indicate HIPAA applicability and BAA status for each vendor or service handling ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Compliance Register", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For every applicable requirement, record: Internal Control Reference and Evidence Link.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Evidence examples: access-control configuration, {{DEVICES}} baseline and encryption status, {{CRITICAL}} security configuration and audit logs, and records showing how {{DATA}} is handled and retained in {{GEO}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Refresh evidence at least annually; schedule reminders before links expire.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Flag any missing or stale evidence as a Gap.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Store evidence in a tamper-resistant location with version/date; keep change history for auditor sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Include HIPAA-specific artifacts such as risk analysis, training logs, sanctions policy, and incident/breach documentation links.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Regulator & Customer Liaison", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use a dedicated email alias forwarding to compliance contacts.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Acknowledge external compliance enquiries within 48 hours during the business hours of our {{LOCATION}} team.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log date, question, and resolution reference in the Compliance Register.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain enquiry and response records to demonstrate communication control and oversight.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "For OCR or HIPAA-related enquiries, follow documented response procedures and coordinate with Privacy and Security Officers; align with breach notice timelines where applicable.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Evidence Review", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct a 30-minute annual sweep to update links and close gaps. For teams over {{EMPLOYEES}} employees, add a mid-year spot check focused on access reviews and {{CRITICAL}} security baselines.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record the review date in the register header.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Time the sweep to precede audit evidence requests; confirm availability of attachments and access permissions.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Verify HIPAA evidence remains current within the 12-month cadence and documented within the 6-year retention window.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "No evidence older than 12 months; zero gaps open beyond 30 days. Prioritize controls tied to {{DATA}}, {{CRITICAL}}, {{GEO}}, and {{INDUSTRY}}.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Deferred items require documented justification and target date approved by senior management. Note any residual risk to {{DATA}} and compensating controls in the device policy or hosting environment.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Unanswered enquiries or overdue gaps are escalated to the next management meeting and added to the work backlog.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "After each audit or major customer questionnaire, adjust evidence format and register structure to streamline future requests. When {{GEO}} changes, update the obligations list and register entries.", "type": "text"}]}], "createdAt": "2025-06-27 06:54:08.199", - "updatedAt": "2025-06-27 06:54:23.504" + "updatedAt": "2025-08-19 18:23:31.407" }, { "id": "frk_pt_685e426ccbb0de15a90cf446", @@ -25,19 +15,9 @@ "description": "Approves secure VPN or zero-trust methods, sets endpoint hardening and mobile controls, and logs and reviews remote sessions.", "frequency": "yearly", "department": "it", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Approved Remote Access Methods", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Endpoint Security Requirements", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Mobile/BYOD Controls", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Monitoring & Session Management", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Secure connectivity for off-site work while protecting company data on personal and remote devices.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – All remote network connections and any personally owned devices used for company activities.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Approved Remote Access Methods", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use VPN or zero-trust proxy with MFA for administrative or data-sensitive access.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "SSH only with key-based auth; prohibit direct RDP/SSH from the public internet.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disable remote access on systems where not required.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Endpoint Security Requirements", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Devices must run supported OS, be fully patched, and have disk encryption enabled.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Install company-approved endpoint protection and auto-lock after 15 minutes idle.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Mobile/BYOD Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Register BYOD devices; enforce PIN/biometric, encryption, and remote-wipe capability.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Company email and data stored in managed app or container where feasible.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remove company data and access immediately upon contract end or device loss.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Monitoring & Session Management", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log VPN and privileged remote sessions; retain logs for at least 90 days.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Auto-disconnect inactive VPN sessions after 12 hours or shorter if supported.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review remote-access logs monthly for anomalies.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Quarterly sample confirms 100 % of remote devices meet patch/encryption policy; VPN logs reviewed.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Temporary allowance for unsupported device requires management approval and remediation timeline.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Non-compliant device blocked from network until remediated; repeat violations escalated to HR/management.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Evaluate new secure-access technologies and refine BYOD requirements annually.", "type": "text"}]}], + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Secure connectivity for off-site work while protecting {{DATA}} for {{COMPANY}} on personal and remote devices that access {{CRITICAL}} in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All remote network connections and any personally owned devices used for company activities. Applies to {{LOCATION}} staff and contractors using {{DEVICES}} to reach {{CRITICAL}} workloads.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Align to SOC 2 Security; extend to Confidentiality where applicable to data-in-transit and endpoint protection.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where ePHI is accessed or stored, apply Security Rule technical safeguards: access control, audit controls, integrity, and transmission security.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Approved Remote Access Methods", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use VPN or zero-trust proxy with MFA for administrative or data-sensitive access to {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "SSH only with key-based authentication; prohibit direct RDP/SSH from the public internet.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disable remote access on systems where it is not required.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Restrict remote access from outside {{GEO}} unless explicitly approved; use VPN while traveling.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Avoid split tunneling when accessing {{DATA}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Enforce MFA on all remote admin access; restrict inbound management ports; manage changes to remote-access configs through change control.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Encrypt all remote sessions handling ePHI and avoid split tunneling when accessing ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Endpoint Security Requirements", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{DEVICES}} must run a supported OS, be fully patched, and have disk encryption enabled.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Install company-approved endpoint protection; auto-lock after 15 minutes idle.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Only managed {{DEVICES}} may access {{CRITICAL}} or store {{DATA}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Require device posture checks where supported before granting remote access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Enforce device encryption and auto-lock for any endpoint that can access ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Mobile/BYOD Controls", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Register BYOD devices; enforce PIN/biometric, encryption, and remote-wipe capability.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Company email and data stored in a managed app or container where feasible.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remove company data and access immediately upon contract end or device loss.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Require enrollment prior to access; record enrollment and removal events.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Prohibit backups of ePHI to personal cloud accounts; ensure remote wipe of ePHI when access is terminated.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Monitoring & Session Management", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log VPN and privileged remote sessions; retain logs for at least 90 days in {{GEO}} storage.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Auto-disconnect inactive VPN sessions after 12 hours or shorter if supported.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review remote-access logs monthly for anomalies, including access from outside {{GEO}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Alert on excessive authentication failures and unusual geolocation; sample log reviews monthly.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain audit logs for ePHI access via remote sessions and retain per policy.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly sample confirms 100% of remote devices meet patch/encryption policy; VPN logs reviewed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For teams over {{EMPLOYEES}} employees, expand the quarterly sample size and include a check of access to {{CRITICAL}} by {{DEVICES}}.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Temporary allowance for an unsupported device requires management approval and a remediation timeline. Note any added risk to {{DATA}} and compensating controls before granting access.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Non-compliant devices are blocked from the network until remediated; repeat violations are escalated to HR/management.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Evaluate new secure-access technologies and refine BYOD requirements annually, considering {{INDUSTRY}} needs and changes to {{GEO}}.", "type": "text"}]}], "createdAt": "2025-06-27 07:04:11.567", - "updatedAt": "2025-06-27 07:04:22.496" - }, - { - "id": "frk_pt_685e4508d8c0d14ae873e644", - "name": "Physical Security & Environmental", - "description": "Controls facility and server-room access, manages visitors, safeguards against fire, flood, or climate risks, and audits logs and walk-throughs.", - "frequency": "yearly", - "department": "it", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Facility Access Control", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Visitor Management", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Environmental Protections", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Equipment Protection & Disposal", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Physical Security Monitoring & Review", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Protect personnel, equipment, and information from unauthorised physical access or environmental damage.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Offices, co-working spaces, data-centre cages, and any site hosting company assets.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Facility Access Control", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use electronic badge or key system; disable badges immediately upon employment termination.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Segregate secure areas (e.g., server closets) with locked doors; limit keys to authorised staff.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Visitor Management", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require sign-in, government-issued ID, and visible visitor badge.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Host must escort visitor at all times; log retained 12 months.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Environmental Protections", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure HVAC maintains manufacturer-recommended temperature/humidity.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Equip server areas with smoke detection and automatic fire suppression or fire-rated cabinets.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Elevate equipment or use leak sensors in flood-prone areas.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Equipment Protection & Disposal", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Cable-lock laptops in shared spaces; lock server racks.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Sanitize or destroy storage media prior to disposal or reuse; record disposal event.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Physical Security Monitoring & Review", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "CCTV or access-control logs reviewed monthly for anomalies.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct annual walk-through to verify controls and signage.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Access logs show 100 % badge use; visitor log complete; yearly inspection report filed.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Temporary unsecured space usage requires compensating controls (e.g., lockable cabinet).", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Tailgating or propped-open doors reported as incidents; corrective action within one week.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Enhance controls based on incident trends and facility changes.", "type": "text"}]}], - "createdAt": "2025-06-27 07:15:20.007", - "updatedAt": "2025-06-27 07:15:31.589" + "updatedAt": "2025-08-19 18:23:48.629" }, { "id": "frk_pt_685e462046667f75a50a2c3e", @@ -45,19 +25,39 @@ "description": "Inventories vendors, tiers them by data impact, conducts due diligence, embeds security clauses in contracts, and monitors attestations and incidents.", "frequency": "yearly", "department": "it", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Vendor Inventory & Tiering", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Security Due Diligence", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Contractual Safeguards", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Ongoing Monitoring", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Off-boarding & Data Return", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Manage risks from suppliers that access company data or impact operations.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – All SaaS, cloud, consulting, and data-processing vendors.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Vendor Inventory & Tiering", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain central list of active vendors with owner and contact.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Tier vendors by risk (High = handles customer or Restricted data; Medium = internal tools; Low = no data access).", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Security Due Diligence", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "High-risk: obtain SOC 2/ISO 27001 report or complete security questionnaire before contract.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Medium-risk: basic questionnaire or public security statement review.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record findings and approval decision.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Contractual Safeguards", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include confidentiality, breach-notification, right-to-audit, and data-return clauses.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For personal-data processors, execute a data-processing agreement.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Ongoing Monitoring", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review High-risk vendors’ attestations or questionnaires annually.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track security-breach news; initiate assessment if incident reported.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Off-boarding & Data Return", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "On contract end, ensure vendor deletes or returns data; obtain written confirmation.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remove integrations and access tokens within 48 h.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – 100 % High-risk vendors have up-to-date due-diligence evidence; inventory reconciled quarterly.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Urgent onboarding without full diligence allowed only with executive sign-off and action plan.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Missing evidence or expired contracts flagged to procurement and Security for immediate action.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Streamline questionnaire, add automation, and refine tiering criteria annually.", "type": "text"}]}], + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Manage risks from suppliers that access {{COMPANY}} data or impact operations.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All SaaS, cloud, consulting, and data-processing vendors.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "State that the policy aligns to SOC 2 Trust Services Criteria, at minimum Security (Common Criteria). Name any optional criteria in scope (Availability, Confidentiality, Processing Integrity, Privacy).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Clarify that the policy covers vendors and any vendors that act as “subservice organizations” to your system as defined in SOC 2. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "State that the policy applies to all vendors that create, receive, maintain, or transmit PHI, including subcontractors of Business Associates. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Vendor Inventory & Tiering", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain central list of active vendors with owner and contact.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Tier vendors by risk", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Critical = Business cannot run without it", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "High = handles customer or Restricted data", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Medium = internal tools", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Low = no data access", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Flag which vendors are subservice organizations in your SOC 2 report and record whether you use the carve-out or inclusive method for each.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Link each vendor entry to the service commitments and system requirements they support in your SOC 2 system description). ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Classify each vendor’s HIPAA role: Business Associate, Subcontractor BA, or neither.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track whether PHI is stored, processed, or transmitted, where it resides, and whether data are de-identified or a limited data set. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Security Due Diligence", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Critical/High-risk: obtain SOC 2/ISO 27001 report or complete security questionnaire before contract.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Medium-risk: basic questionnaire or public security statement review.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record findings and approval decision.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prefer SOC 2 Type 2. Record report type, period covered, criteria in scope, auditor opinion, exceptions, relevant subservice organizations, and whether carve-out or inclusive.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Obtain a bridge (gap) letter when the SOC 2 period does not cover the present date. Note that a bridge letter is a management assertion, not auditor-attested.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Extract the vendor’s Complementary User Entity Controls (CUECs). Map each CUEC to your internal controls and keep evidence that you operate them.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "If no SOC 2 is available, collect alternate assurance (for example ISO 27001 certificate with SoA, pen test summary, security questionnaire) and record a risk-based acceptance with compensating controls and a timeline to obtain SOC 2. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}} Add a HIPAA checklist for Critical and High vendors that handle PHI:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Evidence of a HIPAA Security Rule risk analysis and risk management plan.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Administrative safeguards: workforce training, sanction policy, access authorization, termination, contingency planning and backups, periodic evaluations.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Physical safeguards: facility access controls, device and media controls, secure disposal.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Technical safeguards: unique IDs, access controls, audit controls, integrity controls, transmission security, authentication.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Logging: the vendor must maintain and retain system activity logs for ePHI and provide extracts on request.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Data minimization: confirm “minimum necessary” access design and role-based access . ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Contractual Safeguards", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include confidentiality, breach-notification, right-to-audit, and data-return clauses.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For personal-data processors, execute a data-processing agreement.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require vendors in Critical or High tiers to provide a current SOC 2 Type 2 report annually and a bridge letter for any period not covered.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include obligations to notify you of material control changes, new subprocessors, or security incidents, and to cooperate with your incident investigations. Tie this to your service commitments and system requirements.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Preserve right-to-audit or, at minimum, right to obtain independent assurance (SOC report or equivalent) and remediation evidence for noted exceptions. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}} The BAA must at minimum require the BA to:", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use and disclose PHI only as permitted by the BAA and HIPAA; apply minimum necessary.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Implement the HIPAA Security Rule safeguards and ensure subcontractors sign equivalent BAAs.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Report any security incident or breach without unreasonable delay and set an internal time box (for example, within 5 calendar days) with content requirements for the notice.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Make PHI available to support individual rights: access within 30 days, amendment, and accounting of disclosures within 60 days; incorporate amendments as directed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Make internal practices, books, and records relating to PHI available to HHS upon request.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Return or destroy PHI at termination and stop all uses; if infeasible, extend protections and limit uses.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Permit termination for material breach of the BAA.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prohibit sale of PHI and marketing uses without proper authorization, and prohibit re-identification of de-identified data unless expressly permitted. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Ongoing Monitoring", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review Critical/High-risk vendors’ attestations or questionnaires annually.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track security-breach news; initiate assessment if incident reported.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Cadence: Critical reviewed at least semiannually; High at least annually. Re-review after any material change, incident, ownership or hosting change, scope change to Restricted data, or SLA breach.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track remediation of exceptions noted in the vendor’s SOC 2 and verify you operate their CUECs each period.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "When using the carve-out method, monitor the vendor’s subservice organizations where they could affect your commitments. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require BA to notify you without unreasonable delay (internal target within 5 days) and include the incident description, PHI types, number of affected individuals, timeframes, mitigation, and corrective actions. You will handle regulatory filings and individual notices per HIPAA timelines.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review BAAs annually and after material changes.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Re-obtain evidence of HIPAA risk analysis updates, contingency plan tests, and access review results.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Monitor vendor breach disclosures and OCR settlements affecting the vendor. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Off-boarding & Data Return", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "On contract end, ensure vendor deletes or returns data; obtain written confirmation.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remove integrations and access tokens within 48 h.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require certificate of destruction or written deletion confirmation and link it to the off-boarding ticket. Verify all accounts, API keys, and OAuth tokens are revoked, and keep timestamps as evidence. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require certificate of destruction for all media containing PHI or confirm secure return. Capture timelines and format. Retrieve or request final audit logs that may be needed for accounting of disclosures.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Confirm termination of all BA subcontractors that handled your PHI. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 1, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100 % High-risk vendors have up-to-date due-diligence evidence; inventory reconciled quarterly.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of Critical and High vendors have a current SOC 2 Type 2 review or approved alternate assurance with a time-bound plan, plus bridge letters covering any gaps.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of CUECs from Critical and High vendors are mapped and evidenced as operated.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of subservice organizations show method recorded (carve-out or inclusive) and monitoring documented.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Evidence is retained for at least the full SOC 2 Type 2 period and 12 months beyond. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of BA and Subcontractor BA vendors have an executed BAA before PHI exchange.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of BA vendors have a current HIPAA risk analysis and risk management plan on file.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of BA vendors provide breach reporting within the internal time box.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of BA vendors documented with PHI data map and minimum-necessary justification. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Urgent onboarding without full diligence allowed only with executive sign-off and action plan.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Allow emergency onboarding only with Security approval, a short-term risk acceptance, compensating controls, and a plan to obtain SOC 2 or equivalent assurance within a defined time box. ", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Missing evidence or expired contracts flagged to procurement and Security for immediate action.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Streamline questionnaire, add automation, and refine tiering criteria annually.", "type": "text"}]}], "createdAt": "2025-06-27 07:19:59.742", - "updatedAt": "2025-06-27 07:20:13.106" + "updatedAt": "2025-08-19 18:24:04.729" }, { - "id": "frk_pt_685e3fc75bd72cd0745dc5d1", - "name": "Risk Management", - "description": "Maintains a living risk register, scores and prioritises threats, sets treatment actions, and injects threat-intel updates into decision-making.", + "id": "frk_pt_685e3f7b4ebcb27b60c51434", + "name": "Information Security & Privacy Governance", + "description": "Assigns clear ownership and management accountability for security and privacy, keeps policies current, and measures compliance through regular reviews.", "frequency": "yearly", "department": "admin", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Risk Identification & Register", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Risk Assessment & Prioritization", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Risk Treatment", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Threat Intelligence", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Identify, rank and address material risks in a repeatable, lightweight manner.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Strategic, operational, technical, vendor, legal and financial risks affecting the organization.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Risk Identification & Register", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a single ", "type": "text"}, {"text": "Risk Register", "type": "text", "marks": [{"type": "bold"}]}, {"text": " on Comp AI platform that contains: Risk, Impact, Likelihood, Owner, Treatment.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Add or update entries when launching new services, adopting vendors, or learning of relevant threat events.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure the register is never blank.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Risk Assessment & Prioritization", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use simple 1-5 scoring for Impact and Likelihood.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Highlight the three highest-scoring risks each quarter.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record rationale for any score change.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Risk Treatment", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Choose a response for highlighted risks: ", "type": "text"}, {"text": "Mitigate, Transfer, Avoid, Accept", "type": "text", "marks": [{"type": "bold"}]}, {"text": ".", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Create one actionable task with a due date for each decision other than Accept.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Mark “Accepted” items with date and approving manager initials.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Threat Intelligence", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Subscribe to reputable free alerts (e.g., national CERT, CISA, major cloud vendor advisories).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Post relevant items to an internal threat-intel channel and add new risks or actions when applicable.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Register exists, three risks flagged, and no mitigation task more than 30 days overdue.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Acceptance of any High-impact risk requires documented senior-management approval.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Register empty or stale (>90 days) triggers discussion at the next management meeting until resolved.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Closed or obsolete risks are removed during quarterly review to keep the list concise.", "type": "text"}]}], - "createdAt": "2025-06-27 06:52:54.596", - "updatedAt": "2025-06-27 06:53:07.899" + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define clear ownership for security and privacy at {{COMPANY}} and ensure decisions are documented.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All personnel, contractors, information systems, SaaS/IaaS services hosted in {{CRITICAL}}, and company-managed {{DEVICES}}. Applies to the {{LOCATION}} workforce.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain governance to identify applicable requirements, assign ownership, and retain artifacts for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where ePHI is involved, document responsibilities under the Security Rule and retain related documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Security Governance Roles", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Designate a Security & Privacy Owner (SPO) and a documented backup. Ensure coverage across {{LOCATION}} time zones.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record names in the Comp AI platform.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Re-confirm role assignments at least annually and after role changes.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Document the SPO’s scope, authority, and reporting line; keep a dated record of annual role reconfirmation.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Name a Security Official responsible for developing and implementing policies (164.308(a)(2)).", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Management Accountability", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "SPO presents a concise security status during scheduled management reviews.", "type": "text"}, {"type": "hardBreak"}, {"text": "For teams over {{EMPLOYEES}} employees, hold reviews at least quarterly.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Senior management signs an annual statement acknowledging ultimate responsibility for security and privacy.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Allocate at least one measurable security improvement task per sprint or work cycle, prioritized to protect {{DATA}} in {{CRITICAL}} and stored in {{GEO}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record management reviews, decisions, and assigned actions with due dates in Comp AI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure management oversight of Security Rule activities and document sanctions, if applied, per policy.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Management", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store all policies in Comp AI; the SPO verifies access and link integrity annually. Note storage and retention locations in {{GEO}} where applicable.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain version control with change logs.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Merge or retire overlapping policies to keep each document brief.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track effective dates and owners; preserve prior versions for audit sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain policy documents and revisions for 6 years (164.316(b)(2)(i)).", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Security Awareness", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "New personnel read this policy set and electronically acknowledge before receiving system access to {{CRITICAL}} from {{DEVICES}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Distribute security awareness training annually, tailored to {{INDUSTRY}} risks and the handling of {{DATA}}; record completion for the {{LOCATION}} workforce.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track completion status and follow up on overdue training within defined timelines.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Provide Security Rule awareness and periodic updates for workforce with ePHI access (164.308(a)(5)).", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Annual check that policies exist, the SPO and backup are documented, annual sign-off is filed, and the awareness log is current for the {{EMPLOYEES}} workforce.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document deviations in a “Security-Decisions” log with reason and expiry, including any residual risk to {{DATA}} and compensating controls in {{CRITICAL}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Missing logs or overdue actions are corrected within two weeks or escalated at the next management review.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Audit and incident lessons feed into the next scheduled policy refresh. Update roles and training focus when {{GEO}} or {{INDUSTRY}} obligations change.", "type": "text"}]}], + "createdAt": "2025-06-27 06:51:38.574", + "updatedAt": "2025-08-19 18:24:16.390" + }, + { + "id": "frk_pt_685e453cad89de25e5aebf4a", + "name": "Acceptable Use & Workstation Security", + "description": "Sets responsible use rules, enforces endpoint encryption, patching, auto-lock, and restricts personal storage of company data.", + "frequency": "yearly", + "department": "it", + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define responsible use of company systems and secure configuration of endpoints.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All users and devices accessing company networks or data.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Acceptable Use Rules", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use company assets for authorized business activities; limited personal use allowed if it doesn’t create risk.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prohibit illegal, harassing, or copyright-infringing activities.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Workstation Configuration & Updates", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Enable full-disk encryption, host firewall, and automatic OS patches.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Auto-lock after 10 minutes idle and require password/PIN to resume.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Internet, Email & Messaging", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Users must not forward company data to personal email.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use approved messaging tools for business discussions.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Removable Media & Printing", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Collect printed sensitive docs immediately; shred when done.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Personal Devices & Local Storage", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "BYOD must meet endpoint-security requirements (PIN, encryption, patching) and register with IT.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store company data only in approved, encrypted containers or apps.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly workstation audit checks encryption, lock settings, and patch status.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Temporary deviation (e.g., lab testing) requires documented approval and time limit.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Policy breaches result in access suspension until remediation; severe cases escalate to HR.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update rules with new collaboration tools and emerging endpoint threats.", "type": "text"}]}], + "createdAt": "2025-06-27 07:16:12.366", + "updatedAt": "2025-08-19 18:24:37.446" + }, + { + "id": "frk_pt_685e46557bc14fbddea6468a", + "name": "Information Sharing & Transfer", + "description": "Restricts data transfers to approved encrypted channels, enforces NDAs and minimisation, records international safeguards, and audits transfer logs.", + "frequency": "yearly", + "department": "it", + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure data moves securely between systems, parties, and jurisdictions, preserving confidentiality and integrity.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All electronic and physical transfers of organisational or customer information.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Approved Transfer Methods", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use TLS-protected channels (HTTPS, SFTP, VPN) or end-to-end encrypted messaging.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Encrypt physical media; use tracked courier services.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "External Sharing & NDAs", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Confirm recipient identity and need-to-know.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Execute NDA or contract before sharing Confidential or Restricted data.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Share via least-privilege, time-bound links; disable after purpose met.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Data Minimisation & Redaction", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Share only necessary data fields; mask or anonymise where feasible.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remove test or debug data from production extracts.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "International Transfers & Safeguards", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For personal data leaving its origin region, apply recognised safeguards (e.g., Standard Contractual Clauses).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain record of transfer bases in privacy processing log.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Logging & Audit Trail", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log outbound transfers of Restricted data: date, sender, recipient, content summary, method.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain logs for at least one year.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly sample of transfer logs shows 100 % encrypted channels and valid agreements.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "One-off unencrypted transfer allowed only for low-sensitivity data with management approval.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Unauthorised or insecure transfers raise incident response; notify affected parties if required.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Add automated redaction and secure-send tools; update safeguards with legal changes.", "type": "text"}]}], + "createdAt": "2025-06-27 07:20:53.290", + "updatedAt": "2025-08-19 18:24:50.023" }, { "id": "frk_pt_685e40d46e7b1123022bf3e8", @@ -65,9 +65,9 @@ "description": "Uses a four-tier classification scheme to label data and prescribes access, encryption, sharing, and disposal rules for each level.", "frequency": "yearly", "department": "it", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Classification Scheme", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Labelling & Identification", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Access & Storage Controls", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Transmission & Sharing Rules", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Retention & Disposal Alignment", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Protect information proportionately by assigning sensitivity levels and prescribing handling requirements.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – All data created, received, processed, or stored by the organisation, regardless of medium or location.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Classification Scheme", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Adopt four levels: Public, Internal, Confidential, Restricted.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define examples and default level (Internal) in a quick-reference guide.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Labelling & Identification", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Label documents and data stores at creation using headers, metadata tags, or folder names.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Automated tools may tag files where supported; otherwise manual labels are required for Confidential and Restricted data.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Access & Storage Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Grant access on least-privilege basis aligned to classification level.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Encrypt Confidential and Restricted data at rest and in backups.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log administrative access to Restricted data.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Transmission & Sharing Rules", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use encrypted channels (e.g., TLS, SFTP) for Confidential or Restricted data.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prohibit public-cloud file links without access control when data is above Internal.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "External sharing of Restricted data requires management approval and NDA or contract.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Retention & Disposal Alignment", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Apply retention periods from the Data Retention Policy to each classification.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Destroy media holding Confidential or Restricted data using secure wipe or certified shredding.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Quarterly sample confirms correct labels, encryption, and access rights; ≥ 95 % accuracy target.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Must document risk and compensating controls; senior management approval required.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Mislabelled or mishandled data triggers incident response and mandatory refresher training.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Update examples and tooling as new data types or regulations emerge.", "type": "text"}]}], + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Protect information proportionately by assigning sensitivity levels and prescribing handling requirements for {{COMPANY}}. Emphasis on {{DATA}} processed in {{CRITICAL}} and stored or retained in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All data created, received, processed, or stored by the organisation, regardless of medium or location. Applies to the {{LOCATION}} workforce and any {{DEVICES}} that access {{CRITICAL}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain a documented scheme; ensure labelling, storage, access, transmission, and disposal practices align to Security and Confidentiality criteria; retain artefacts for the Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where ePHI is involved, apply the Minimum Necessary standard and Security Rule safeguards for access control, audit controls, integrity, transmission security, and device/media handling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Classification Scheme", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Adopt four levels: Public, Internal, Confidential, Restricted.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define examples and default level (Internal) in a quick-reference guide, reflecting {{INDUSTRY}} data types and {{DATA}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure classification drives access control, encryption, monitoring, and retention requirements across {{CRITICAL}} and backups in {{GEO}}.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Treat ePHI as Restricted unless formally de-identified per policy.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Labelling & Identification", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Label documents and data stores at creation using headers, metadata tags, or clear folder names.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use automated tagging where supported; otherwise manual labels are required for Confidential and Restricted data.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Keep labels consistent across repositories and automate propagation where feasible in {{CRITICAL}}.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Mark repositories containing ePHI; prevent removal of labels during export.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Access & Storage Controls", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Grant access on a least-privilege basis aligned to classification level.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Encrypt Confidential and Restricted data at rest in {{CRITICAL}} and in backups stored in {{GEO}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log administrative access to Restricted data.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Review access rights on a defined cadence and protect encryption keys.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Enable audit logging for ePHI access; restrict admin access and review regularly.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Transmission & Sharing Rules", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use encrypted channels (for example TLS, SFTP) for Confidential or Restricted data.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prohibit public-cloud file links without access control when data is above Internal.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "External sharing of Restricted data requires management approval and an NDA or contract.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Disable insecure protocols and enforce MFA for privileged transfers.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Encrypt ePHI in transit and use Business Associate Agreements where applicable.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Retention & Disposal Alignment", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Apply retention periods from the Data Retention Policy to each classification, considering {{GEO}} obligations.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Destroy media holding Confidential or Restricted data using secure wipe or certified shredding.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure destruction is logged and, where used, certificates of destruction are filed.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Follow Device and Media Controls for ePHI and maintain documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly sample confirms correct labels, encryption, and access rights; ≥ 95% accuracy target. Scale the sample size proportionally for teams over {{EMPLOYEES}} employees.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Must document risk and compensating controls; senior management approval required. Note any residual risk to {{DATA}} and how it is mitigated in {{CRITICAL}} or through {{DEVICES}} controls.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Mislabelled or mishandled data triggers incident response and mandatory refresher training.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update examples and tooling as new {{INDUSTRY}} data types or regulations emerge, including changes affecting {{GEO}}.", "type": "text"}]}], "createdAt": "2025-06-27 06:57:24.052", - "updatedAt": "2025-06-27 06:57:35.938" + "updatedAt": "2025-08-19 18:25:02.649" }, { "id": "frk_pt_685e42a3bbd08ad14de297f0", @@ -75,19 +75,9 @@ "description": "Publishes baseline hardening guides, uses version-controlled IaC, detects configuration drift, and backs up critical configs.", "frequency": "yearly", "department": "it", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Baseline Configuration Standards", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Automated Build & Harden", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Configuration Change Tracking", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Drift Detection & Remediation", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Backup of Configurations", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Ensure all systems start and stay in a hardened, defensible state.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Cloud resources, containers, virtual machines, network devices, laptops, and mobile devices.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Baseline Configuration Standards", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Publish industry-aligned baselines for each OS / platform.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include firewall rules, disabled services, logging, and banner settings.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Configuration Change Tracking", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store config files/IaC in version control; require pull-request review.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Annotate commit messages with ticket or change-request ID.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Drift Detection & Remediation", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Run weekly scans comparing live configs to baselines.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remediate or approve justified drift within five business days.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Backup of Configurations", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Snapshot critical configs (firewalls, IaC state) after approved changes.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain last five versions; encrypt backups and test restore quarterly.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – ≥ 95 % assets pass weekly drift scan; baselines reviewed annually.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Document risk and compensating controls; review quarterly.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Unauthorised config change triggers incident response and rollback.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Update baselines after incidents or new threat intel.", "type": "text"}]}], + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure all systems start and stay in a hardened, defensible state for {{COMPANY}}, protecting {{DATA}} on {{DEVICES}} and workloads in {{CRITICAL}}, with artifacts retained in {{GEO}} as applicable.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Cloud resources, containers, virtual machines, network devices, laptops, and mobile devices used by the {{LOCATION}} workforce and connected to {{CRITICAL}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Define, implement, and monitor baselines; retain change and scan artefacts for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where ePHI is involved, enforce secure configuration, audit logging, encryption, and patching; retain Security Rule documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Baseline Configuration Standards", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Publish industry-aligned baselines for each OS and platform (reflecting {{INDUSTRY}} expectations where relevant).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include firewall rules, disabled services, logging, and login/banner settings.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use secure defaults for new deployments and golden images across {{CRITICAL}} and managed {{DEVICES}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Reference CIS/vendor guidance; record baseline owners and review dates.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Enable audit logging and encryption on systems that can access ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Configuration Change Tracking", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store configuration files and IaC in version control; require pull-request review.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Annotate commits with ticket or change-request ID.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Apply changes through approved pipelines; no direct edits in production environments within {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Keep PR reviews and pipeline runs for auditor sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Document security-relevant changes affecting ePHI systems.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Drift Detection & Remediation", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Run weekly scans comparing live configurations to baselines for {{CRITICAL}} and managed {{DEVICES}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remediate or approve justified drift within five business days.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record approved exceptions with reason and expiry.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track scan results and remediation within standard SLAs.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Investigate drift on ePHI systems as potential security events.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Backup of Configurations", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Snapshot critical configurations (for example, firewalls, IaC state) after approved changes.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain the last five versions; encrypt backups and test restore quarterly; store backups in {{GEO}} where residency applies.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Store backups in access-controlled repositories; log restore tests.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Protect configuration backups for ePHI systems with encryption and access controls.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "≥ 95% of assets pass the weekly drift scan; baselines reviewed at least annually. For teams over {{EMPLOYEES}} employees, add a monthly check of tier-1 systems in {{CRITICAL}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document risk and compensating controls; review quarterly with an expiry date. Note any residual risk to {{DATA}} and required compensating controls on {{DEVICES}} or in {{CRITICAL}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Unauthorised configuration changes trigger incident response and rollback.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update baselines after incidents, new threat intelligence, or platform changes affecting {{CRITICAL}}, {{DEVICES}}, or {{INDUSTRY}} obligations.", "type": "text"}]}], "createdAt": "2025-06-27 07:05:06.707", - "updatedAt": "2025-06-27 07:05:10.908" - }, - { - "id": "frk_pt_685e453cad89de25e5aebf4a", - "name": "Acceptable Use & Workstation Security", - "description": "Sets responsible use rules, enforces endpoint encryption, patching, auto-lock, and restricts personal storage of company data.", - "frequency": "yearly", - "department": "it", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Acceptable Use Rules", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Workstation Configuration & Updates", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Internet, Email & Messaging", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Removable Media & Printing", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Personal Devices & Local Storage", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Define responsible use of company systems and secure configuration of endpoints.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – All users and devices accessing company networks or data.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Acceptable Use Rules", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use company assets for authorised business activities; limited personal use allowed if it doesn’t create risk.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prohibit illegal, harassing, or copyright-infringing activities.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Workstation Configuration & Updates", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Enable full-disk encryption, host firewall, and automatic OS patches.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Auto-lock after 10 minutes idle and require password/PIN to resume.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Internet, Email & Messaging", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Users must not forward company data to personal email.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use approved messaging tools for business discussions.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Removable Media & Printing", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Collect printed sensitive docs immediately; shred when done.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Personal Devices & Local Storage", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "BYOD must meet endpoint-security requirements (PIN, encryption, patching) and register with IT.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store company data only in approved, encrypted containers or apps.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Quarterly workstation audit checks encryption, lock settings, and patch status.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Temporary deviation (e.g., lab testing) requires documented approval and time limit.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Policy breaches result in access suspension until remediation; severe cases escalate to HR.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Update rules with new collaboration tools and emerging endpoint threats.", "type": "text"}]}], - "createdAt": "2025-06-27 07:16:12.366", - "updatedAt": "2025-06-27 07:16:58.816" + "updatedAt": "2025-08-19 18:25:14.107" }, { "id": "frk_pt_685e45c938ad29ad775a2344", @@ -95,39 +85,19 @@ "description": "Screens new hires, provisions least-privilege access, disables accounts and recovers assets at exit, and archives records securely.", "frequency": "yearly", "department": "hr", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Pre-Employment Background Screening", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Onboarding Provisioning", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Off-boarding & Exit Procedures", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Access Reconciliation & Asset Return", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Record Retention", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Verify workforce integrity, grant the right access at start, and promptly revoke it at end of engagement.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – All employees, contractors, interns, and temporary staff.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Pre-Employment Background Screening", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct identity verification and right-to-work checks for all hires.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Perform criminal or reference checks proportional to role sensitivity.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Complete screening before system access is granted; document outcomes.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Onboarding Provisioning", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Manager submits access request ticket listing required systems and role.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Create individual accounts—no shared credentials.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide security training and policy acknowledgement within first week.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Off-boarding & Exit Procedures", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "HR/manager notifies IT of termination date at least 24 h in advance.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disable accounts and collect badges by close of last working day.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Schedule exit interview to remind departing staff of confidentiality obligations.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Access Reconciliation & Asset Return", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Recover all company-owned devices; verify data wipe before reuse.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Compare recovered asset list against inventory; investigate discrepancies.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remove access from third-party tools (e.g., Slack, Git, cloud) within 24 h.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Record Retention", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store screening results and off-boarding checklist in secure HR system for seven years or legal minimum.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Monthly audit confirms 100 % terminated accounts disabled and assets returned.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Any skipped screening step requires executive approval and risk note in personnel file.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Missing background checks or lagging account disablement escalates to HR and Security for remediation within five business days.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Review screening vendors, checklist effectiveness, and timing metrics annually.", "type": "text"}]}], + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verify workforce integrity for {{COMPANY}}, grant the right access to {{CRITICAL}} and {{DATA}} at start, and promptly revoke it at end of engagement.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All employees, contractors, interns, and temporary staff. Applies to the {{LOCATION}} workforce, including remote personnel using {{DEVICES}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain records of screenings, provisioning, and deprovisioning to support auditor sampling during the Type 2 period.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where ePHI is involved, implement Workforce Security, Workforce Clearance, and Termination Procedures, and retain Security Rule documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Pre-Employment Background Screening", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct identity verification and right-to-work checks for all hires.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Perform criminal or reference checks proportional to role sensitivity, prioritizing roles with access to {{CRITICAL}} or {{DATA}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Complete screening before system access is granted; document outcomes.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record screening scope and completion date in the personnel file.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Apply workforce clearance procedures for roles with ePHI access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Onboarding Provisioning", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Manager submits an access request ticket listing required systems and role.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Create individual accounts only; no shared credentials.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide security training and policy acknowledgement within the first week, before granting access to {{CRITICAL}} or {{DATA}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Only managed {{DEVICES}} may be used to access {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Grant access based on least privilege and role; record approvals in the ticketing system.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Require Security Rule awareness for any role that accesses ePHI prior to granting such access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Off-boarding & Exit Procedures", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "HR or manager notifies IT of termination date at least 24 hours in advance.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disable accounts and remove access to {{CRITICAL}} by close of last working day; revoke remote access on {{DEVICES}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Collect badges and credentials; schedule exit interview to remind departing staff of confidentiality obligations related to {{DATA}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Capture disablement timestamps and confirm removal from all groups and SSO apps.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Apply termination procedures for ePHI access, including revoking authentication credentials and remote access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Access Reconciliation & Asset Return", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Recover all company-owned {{DEVICES}}; verify data wipe before reuse.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Compare recovered asset list against inventory; investigate discrepancies.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remove access from identity provider groups and cloud services within 24 hours.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Reconcile identity provider groups and tokens; document completion in the off-boarding checklist.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure devices that held ePHI are wiped or sanitized per policy before reassignment.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Record Retention", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store screening results and off-boarding checklists in a secure HR system for seven years or legal minimum; where residency applies, store records in {{GEO}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain provisioning and deprovisioning evidence for at least the audit period plus the organization’s standard buffer.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain HIPAA-related workforce documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Monthly audit confirms 100% of terminated accounts are disabled and all assets are returned. For teams over {{EMPLOYEES}} employees, expand the sample size and include checks of {{CRITICAL}} access removal.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Any skipped screening step requires executive approval and a documented risk note in the personnel file, including any residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Missing background checks or lagging account disablement is escalated to HR and Security for remediation within five business days.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review screening vendors, checklist effectiveness, and timing metrics annually, considering {{INDUSTRY}} requirements and any changes to {{GEO}}.", "type": "text"}]}], "createdAt": "2025-06-27 07:18:33.152", - "updatedAt": "2025-06-27 07:18:36.896" + "updatedAt": "2025-08-19 18:25:31.916" }, { - "id": "frk_pt_685e46557bc14fbddea6468a", - "name": "Information Sharing & Transfer", - "description": "Restricts data transfers to approved encrypted channels, enforces NDAs and minimisation, records international safeguards, and audits transfer logs.", - "frequency": "yearly", - "department": "it", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Approved Transfer Methods", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 External Sharing & NDAs", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Data Minimisation & Redaction", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 International Transfers & Safeguards", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Logging & Audit Trail", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Ensure data moves securely between systems, parties, and jurisdictions, preserving confidentiality and integrity.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – All electronic and physical transfers of organisational or customer information.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Approved Transfer Methods", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use TLS-protected channels (HTTPS, SFTP, VPN) or end-to-end encrypted messaging.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Encrypt physical media; use tracked courier services.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 External Sharing & NDAs", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Confirm recipient identity and need-to-know.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Execute NDA or contract before sharing Confidential or Restricted data.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Share via least-privilege, time-bound links; disable after purpose met.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Data Minimisation & Redaction", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Share only necessary data fields; mask or anonymise where feasible.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Remove test or debug data from production extracts.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 International Transfers & Safeguards", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "For personal data leaving its origin region, apply recognised safeguards (e.g., Standard Contractual Clauses).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain record of transfer bases in privacy processing log.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Logging & Audit Trail", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log outbound transfers of Restricted data: date, sender, recipient, content summary, method.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain logs for at least one year.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Quarterly sample of transfer logs shows 100 % encrypted channels and valid agreements.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – One-off unencrypted transfer allowed only for low-sensitivity data with management approval.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Unauthorised or insecure transfers raise incident response; notify affected parties if required.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Add automated redaction and secure-send tools; update safeguards with legal changes.", "type": "text"}]}], - "createdAt": "2025-06-27 07:20:53.290", - "updatedAt": "2025-06-27 07:20:55.994" - }, - { - "id": "frk_pt_685e405054f7c35d89ccccf2", - "name": "Policy Management & Exception Handling", - "description": "Inventories every policy, enforces version control and annual reviews, and documents, time-boxes, and sunsets any approved exceptions.", + "id": "frk_pt_685e3fc75bd72cd0745dc5d1", + "name": "Risk Management", + "description": "Maintains a living risk register, scores and prioritises threats, sets treatment actions, and injects threat-intel updates into decision-making.", "frequency": "yearly", "department": "admin", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Policy Inventory & Ownership", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Version Control & Distribution", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Scheduled Review Cycle", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Exception Request Process", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Exception Register & Sunset", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Ensure all governance, security, and privacy policies are current, traceable, and that any deviations are formally approved, time-boxed, and documented.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – All organisational policies and standards, all personnel, and all systems governed by those documents.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Policy Inventory & Ownership", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a master list of active policies, each with a named owner.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store the inventory in a shared repository accessible to all personnel.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Version Control & Distribution", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Keep policies under version control with commit history.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include a version number and last-review date in each document.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Notify personnel of major updates within five business days.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Scheduled Review Cycle", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Owners review their policies at least once every 12 months.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document “Reviewed – no change” or note revisions in the change log.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Exception Request Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Any employee may request an exception by submitting: scope, justification, risk, compensating controls, proposed expiry.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The policy owner and senior management jointly approve or reject within ten business days.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Exception Register & Sunset", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record all approved exceptions in an Exception Register with owner and expiry date.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review the register monthly; close or renew any item reaching expiry.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Inventory exists; ≥ 90 % of policies show review within 12 months; no exceptions past expiry.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Handled per 2.6 and logged in the Exception Register.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Missing reviews or unmanaged exceptions escalated to senior management and corrected within 30 days.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Incorporate audit findings and user feedback at the next scheduled review.", "type": "text"}]}], - "createdAt": "2025-06-27 06:55:11.688", - "updatedAt": "2025-06-27 06:55:26.319" - }, - { - "id": "frk_pt_685e42c38c3267d391674ce3", - "name": "Change & Release Management", - "description": "Requires ticketed, peer-reviewed changes, pre-deployment testing, scheduled releases, emergency-change documentation, and post-release reviews.", - "frequency": "yearly", - "department": "it", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Change Request & Approval", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Testing & Impact Review", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Release Scheduling & Communication", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Emergency Change Handling", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Post-Implementation Review", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Deploy code, infrastructure, or configuration changes safely and predictably.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Production systems, customer-facing services, shared libraries, and core infrastructure.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Change Request & Approval", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Create a ticket describing scope, risk, rollback plan.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require peer review or manager approval before merge/deploy.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Testing & Impact Review", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Run unit/integration tests or staging deployment when feasible.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assess security impact; add security tests for high-risk changes.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Release Scheduling & Communication", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Schedule non-urgent releases during low-traffic windows.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Notify stakeholders at least 24 h in advance for any expected downtime.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Emergency Change Handling", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Allowed only to restore service or fix critical security flaws.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document retrospectively within 24 h and include in next review.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Post-Implementation Review", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verify success metrics and error budgets.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Capture lessons learned in release notes or retro.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – 100 % production commits have linked approved ticket; failed change rate tracked.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Emergency path only; must follow 2.6.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Unauthorised change triggers rollback and disciplinary review.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Analyse change-failure trends quarterly; refine pipeline.", "type": "text"}]}], - "createdAt": "2025-06-27 07:05:38.952", - "updatedAt": "2025-06-27 07:05:49.647" + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Identify, rank, and address material risks for {{COMPANY}} in a repeatable, lightweight manner, with emphasis on protecting {{DATA}} in {{CRITICAL}} and across jurisdictions in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Strategic, operational, technical, vendor, legal, and financial risks affecting the organisation. Applies to the {{LOCATION}} workforce and any {{DEVICES}} or workloads connected to {{CRITICAL}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain a documented risk assessment and response process tied to business objectives and in-scope Trust Services Criteria; retain artifacts for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Conduct and document Risk Analysis and Risk Management for systems handling ePHI (164.308(a)(1)(ii)(A)-(B)); retain Security Rule documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Risk Identification & Register", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a single Risk Register in the Comp AI platform that contains: Risk, Impact (1–5), Likelihood (1–5), Owner, Treatment, and Status.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Add or update entries when launching new services, adopting vendors, changing {{CRITICAL}}, or learning of relevant threat events; include risks to {{DATA}} and cross-border impacts in {{GEO}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure the register is never blank.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Include vendor and subservice risks; link each risk to relevant controls and an owner; review at least quarterly.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Identify risks to the confidentiality, integrity, and availability of ePHI and note applicable safeguards.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Risk Assessment & Prioritization", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use simple 1–5 scoring for Impact and Likelihood.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Highlight the three highest-scoring risks each quarter.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record rationale for any score change; note dependencies on {{CRITICAL}} or handling of {{DATA}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Consider inherent and residual ratings where practical and review results during management check-ins.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Update the risk analysis upon significant environmental or operational changes affecting ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Risk Treatment", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Choose a response for highlighted risks: Mitigate, Transfer, Avoid, Accept.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Create one actionable task with a due date for each decision other than Accept; tasks should reduce exposure of {{DATA}} or harden {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Mark Accepted items with date and approving manager initials.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track mitigation tasks to closure and verify effectiveness before closing the risk.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "For ePHI-related risks, document chosen measures or acceptance rationale and apply sanctions per policy if required.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Threat Intelligence", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Subscribe to reputable free alerts (for example national CERT, CISA, and major {{CRITICAL}} vendor advisories).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Post relevant items to an internal threat-intel channel and add new risks or actions when applicable; include {{INDUSTRY}} bulletins when available.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Define sources and review cadence; reflect material intel in the Risk Register.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Include HHS/OCR and healthcare security advisories pertinent to systems processing ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Register exists, three risks are flagged, and no mitigation task is more than 30 days overdue. For teams over {{EMPLOYEES}} employees, expand quarterly sampling and include checks for {{CRITICAL}} and {{DATA}}-related risks.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Acceptance of any High-impact risk requires documented senior-management approval, including residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "A register that is empty or stale (older than 90 days) triggers discussion at the next management meeting until resolved.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Closed or obsolete risks are removed during the quarterly review to keep the list concise; adjust scoring guidance after incidents or platform changes in {{CRITICAL}} or obligations affecting {{GEO}}.", "type": "text"}]}], + "createdAt": "2025-06-27 06:52:54.596", + "updatedAt": "2025-08-19 18:25:45.874" }, { "id": "frk_pt_685e43555493efd5f79c15be", @@ -135,9 +105,9 @@ "description": "Runs routine scans, prioritises patches by CVSS and exploit activity, enforces remediation SLAs, and verifies closure.", "frequency": "yearly", "department": "it", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Vulnerability Scanning Cadence", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Patch Prioritisation", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Remediation Timelines", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Verification & Documentation", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Detect and remediate software and configuration weaknesses before exploitation.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Operating systems, applications, containers, dependencies, and network devices.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Vulnerability Scanning Cadence", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "External attack surface scan monthly; internal scan quarterly or after big changes.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Continuous dependency scanning in CI pipeline.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Patch Prioritisation", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Critical CVSS ≥ 9 or active exploit: patch within 7 days.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "High (7–8.9): 30 days. Medium: 90 days. Low: next maintenance window.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Remediation Timelines", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track each finding in ticketing system with owner and target date.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document compensating controls if patch not feasible.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Verification & Documentation", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Re-scan after patching; ensure finding closed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Keep 12 months of vulnerability and patch records for auditors.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – ≥ 95 % of critical/high patches applied within SLA.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Business or technical constraints documented; reviewed quarterly.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Overdue criticals escalate to leadership; possible production access freeze.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Adjust SLAs based on threat trends and patch performance.", "type": "text"}]}], + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Detect and remediate software and configuration weaknesses before exploitation.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Operating systems, applications, containers, dependencies, and network devices.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Vulnerability Scanning Cadence", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "External attack surface scan monthly; internal scan quarterly or after big changes.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Continuous dependency scanning in CI pipeline.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Patch Prioritisation", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Critical CVSS ≥ 9 or active exploit: patch within 7 days.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "High (7–8.9): 30 days. Medium: 90 days. Low: next maintenance window.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Remediation Timelines", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track each finding in ticketing system with owner and target date.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document compensating controls if patch not feasible.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Verification & Documentation", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Re-scan after patching; ensure finding closed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Keep 12 months of vulnerability and patch records for auditors.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "≥ 95 % of critical/high patches applied within SLA.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Business or technical constraints documented; reviewed quarterly.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Overdue criticals escalate to leadership; possible production access freeze.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Adjust SLAs based on threat trends and patch performance.", "type": "text"}]}], "createdAt": "2025-06-27 07:08:04.684", - "updatedAt": "2025-06-27 07:08:26.667" + "updatedAt": "2025-08-19 18:26:03.456" }, { "id": "frk_pt_685e458a49e1eff0af54e3d2", @@ -145,89 +115,29 @@ "description": "Delivers onboarding and annual refresher training, role-based modules, simulated phishing, and tracks completion metrics.", "frequency": "yearly", "department": "it", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Training Curriculum", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Onboarding Training", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Ongoing & Role-Based Training", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Phishing & Social-Engineering Exercises", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Training Records & Metrics", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Equip personnel with knowledge to recognise and respond to security and privacy risks.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – All employees, contractors, interns, and third-party staff with system access.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Training Curriculum", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Core topics: data-classification, phishing, password/MFA, incident reporting, privacy basics.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Onboarding Training", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Complete baseline training within first week of access.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Sign electronic acknowledgement; system access suspended until completed.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Ongoing & Role-Based Training", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide refresher micro-modules or lunch-and-learns at least annually.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Deliver specialised modules for engineers (secure coding), support (PII handling), etc.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Phishing & Social-Engineering Exercises", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct simulated phishing tests quarterly.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Users who fall for a phish complete remedial training within five business days.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Training Records & Metrics", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track completion in HR or LMS system; retain logs three years.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Report completion rate and phishing-failure rate to management quarterly.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – ≥ 95 % training completion before due date; phishing failure rate trending downward.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Short-term deferral allowed for leave of absence; complete training within two weeks of return.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Access restrictions or HR action for repeated failures or missed deadlines.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Revise curriculum based on incident trends, employee feedback, and threat landscape.", "type": "text"}]}], + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Equip personnel at {{COMPANY}} to recognize and respond to security and privacy risks, with emphasis on protecting {{DATA}} accessed via {{CRITICAL}} and handled on {{DEVICES}} across {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All employees, contractors, interns, and third-party staff with system access. Applies to the {{LOCATION}} workforce.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain training governance and artifacts to support auditor sampling for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Provide Security Rule awareness and periodic updates for workforce with ePHI access; retain related documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Training Curriculum", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Core topics: data classification, phishing, password/MFA, incident reporting, privacy basics related to {{DATA}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include scenarios relevant to {{INDUSTRY}} and usage of {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Include content aligned to in-scope Trust Services Criteria.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Cover minimum necessary, ePHI handling, and reporting obligations.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Onboarding Training", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Complete baseline training within the first week of access.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Sign electronic acknowledgement; system access to {{CRITICAL}} or {{DATA}} is suspended until completed.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record completion date and acknowledgement in HR/LMS.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure workforce with ePHI access completes Security Rule training before ePHI access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Ongoing & Role-Based Training", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide refresher micro-modules or lunch-and-learns at least annually.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Deliver specialised modules for engineers (secure coding), support (PII/{{DATA}} handling), and other roles as needed in {{LOCATION}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track overdue items and follow up within defined timelines.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Provide periodic updates relevant to systems processing ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Phishing & Social-Engineering Exercises", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct simulated phishing tests quarterly.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Users who fall for a phish complete remedial training within five business days.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Report aggregate outcomes to management and incorporate lessons into content.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Emphasise verification of identity and secure communication when ePHI may be involved.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Training Records & Metrics", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track completion in an HR or LMS system; retain logs three years and store in {{GEO}} where residency applies.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Report completion rate and phishing-failure rate to management quarterly.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Preserve sampling evidence (rosters, timestamps, content versions).", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain HIPAA-related training records for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "≥ 95% training completion before due date; phishing failure rate trending downward. For teams over {{EMPLOYEES}} employees, expand sampling and target coaching for repeat failures.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Short-term deferral allowed for leave of absence; complete training within two weeks of return.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Access restrictions or HR action for repeated failures or missed deadlines.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Revise curriculum based on incident trends, employee feedback, threat landscape changes, {{INDUSTRY}} developments, and {{GEO}} obligations.", "type": "text"}]}], "createdAt": "2025-06-27 07:17:30.077", - "updatedAt": "2025-06-27 07:17:43.884" + "updatedAt": "2025-08-19 18:26:23.580" }, { - "id": "frk_pt_683d2fbdba5115ed83c6652f", - "name": "P-SD Secure Development Policy", - "description": "This policy embeds secure-coding and data-validation practices into the software development life cycle (SDLC) to preserve processing integrity and prevent unauthorized or malformed data from compromising organizational systems.", - "frequency": "yearly", - "department": "none", - "content": [{"type": "heading", "attrs": {"level": 4}, "content": [{"text": "A. Applicability And Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "The policy applies to all employees, contractors, and third parties who design, develop, test, or maintain software applications and services—whether on-premises or in the cloud—that store, process, or transmit organizational or customer data.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "B. Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Secure SDLC Integration", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 1}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-150) Validate software-application input values against defined acceptable ranges to meet processing-integrity objectives.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-151) Enforce completion of mandatory fields before accepting any record entry or edit.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-152) Limit input values to acceptable ranges to satisfy system-input control requirements.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "C. Exceptions Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Developers must submit SDLC-related exception requests through the ticketing system, providing business justification, compensating controls, and requested duration. The Application Security Lead and Information Security Officer jointly approve, document, and time-limit each exception, which is reviewed at or before expiration.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "D. Violations And Disciplinary Action", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Code reviews, automated scans, and security audits detect non-compliance. Suspected violations are reported to the Information Security Officer and HR for investigation. Confirmed violations follow HR disciplinary tiers—verbal warning, written warning, suspension, or termination—based on severity, and may include immediate code rollback or legal action.", "type": "text"}]}, {"type": "paragraph", "content": [{"type": "hardBreak"}]}], - "createdAt": "2025-06-02 04:59:41.100", - "updatedAt": "2025-06-27 06:35:24.299" - }, - { - "id": "frk_pt_683d3302c5965789e22c8d7d", - "name": "P-EC Encryption & Cryptographic Control Policy", - "description": "This policy establishes requirements for managing encryption, keys, and cryptographic protections to safeguard the confidentiality and integrity of customer and organizational data at rest and in transit.", - "frequency": "yearly", - "department": "none", - "content": [{"type": "heading", "attrs": {"level": 4}, "content": [{"text": "A. Applicability And Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "The policy applies to all employees, contractors, and third parties who design, implement, or manage cryptographic solutions, keys, databases, and network services—whether in production or non-production environments—that store or transmit organizational or customer data.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "B. Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Encryption Key Management", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 1}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-086) Document and maintain a policy that governs encryption and cryptographic-protection controls, including key generation, storage, rotation, and retirement.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Secure Data Transfer", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 2}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-071) Encrypt all production databases that store customer data at rest using approved cryptographic mechanisms.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-072) Use industry-standard encryption (e.g., HTTPS with TLS) to keep data confidential during transmission over public or untrusted networks.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-073) Apply the same level of cryptographic protection to customer data in non-production environments as in production.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-141) Encrypt production databases containing customer data to meet confidentiality objectives.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-153) Encrypt production databases to protect system inputs, in-process items, and outputs as specified by system requirements.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "C. Exceptions Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Employees must submit cryptographic-control exception requests through the ticketing system, providing business justification, compensating controls, and requested duration. The Information Security Officer and Data Owner jointly approve, document, and time-limit each exception, which is reviewed at or before expiration.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "D. Violations And Disciplinary Action", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Automated encryption checks, audits, and security reviews detect non-compliance. Suspected violations are reported to the Information Security Officer and HR for investigation. Confirmed violations follow HR disciplinary tiers—verbal warning, written warning, suspension, or termination—based on severity, and may include immediate key revocation, access removal, or legal action.", "type": "text"}]}, {"type": "paragraph", "content": [{"type": "hardBreak"}]}], - "createdAt": "2025-06-02 05:13:38.181", - "updatedAt": "2025-06-27 06:35:42.857" - }, - { - "id": "frk_pt_683d333874c936f38d84fecc", - "name": "P-IR Incident Response Policy", - "description": "This policy ensures the organization can rapidly detect, report, and respond to information-security incidents to minimize business impact, fulfill legal obligations, and protect stakeholder interests.", - "frequency": "yearly", - "department": "none", - "content": [{"type": "heading", "attrs": {"level": 4}, "content": [{"text": "A. Applicability And Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "The policy applies to all employees, contractors, and third parties who use, administer, or support organizational information systems, data, or services—across on-premises and cloud environments.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "B. Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Security Incident Management", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 1}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-028) Provide employees with clear instructions in the Information Security Policies on how to report failures, incidents, concerns, or complaints.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-045) Establish reporting mechanisms that allow employees to communicate internal-control deficiencies promptly and confidentially.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-091) Maintain a documented incident-response policy and procedure that defines roles, responsibilities, and guidelines for handling information-security incidents.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-089) Document guidelines for notifying customers and other stakeholders in the event of a breach.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-090) Maintain records of information-security incidents, including investigations and response-plan execution detail.", "type": "text"}]}, {"type": "paragraph"}]}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "C. Exceptions Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Employees must submit incident-response exceptions through the ticketing system, providing justification, compensating controls, and required duration. The Information Security Officer and Incident Response Lead must jointly approve, document, and time-limit each exception, which is reviewed at or before expiration.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "D. Violations And Disciplinary Action", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Continuous monitoring, audits, and post-incident reviews detect non-compliance. Suspected violations are reported to the Information Security Officer and HR for investigation. Confirmed violations follow HR disciplinary tiers—verbal warning, written warning, suspension, or termination—based on severity, and may include access revocation or legal action.", "type": "text"}]}, {"type": "paragraph", "content": [{"type": "hardBreak"}]}], - "createdAt": "2025-06-02 05:14:32.403", - "updatedAt": "2025-06-27 06:36:11.959" - }, - { - "id": "frk_pt_683d2e212de960aa758a25f5", - "name": "P-CP Capacity & Performance Management", - "description": "This policy ensures critical assets are continuously monitored for capacity, performance, and anomalous behavior so the organization can anticipate demand, prevent service degradation, and defend against denial-of-service or other capacity-related threats.", - "frequency": "yearly", - "department": "none", - "content": [{"type": "heading", "attrs": {"level": 4}, "content": [{"text": "A. Applicability And Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "The policy applies to all employees, contractors, and third parties who design, operate, or support the organization’s production infrastructure, applications, networks, and cloud resources that handle business-critical workloads.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "B. Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Resource Capacity Management", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 1}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-092) Continuously monitor critical assets and generate capacity alerts that support vulnerability detection.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-093) Continuously monitor critical assets for anomaly detection.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-094) Continuously monitor critical assets and analyze data for security-event evaluation.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-131) Continuously monitor critical assets and generate capacity alerts to ensure optimal performance, meet future capacity requirements, and protect against denial-of-service attacks.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "C. Exceptions Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Employees must submit capacity-management exceptions through the ticketing system, providing business justification, compensating controls, and requested duration. The Infrastructure Lead and Information Security Officer jointly approve, document, and time-limit each exception, which is reviewed at or before expiration.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "D. Violations And Disciplinary Action", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Automated monitoring, performance audits, and management reviews detect non-compliance. Suspected violations are reported to the Information Security Officer and HR for investigation. Confirmed violations follow HR disciplinary tiers—verbal warning, written warning, suspension, or termination—based on severity, and may include immediate access revocation or legal action.", "type": "text"}]}, {"type": "paragraph", "content": [{"type": "hardBreak"}]}], - "createdAt": "2025-06-02 04:52:49.149", - "updatedAt": "2025-06-27 06:36:48.549" - }, - { - "id": "frk_pt_683d2d85d2a665c6334ff5c3", - "name": "P-TP Third-Party Risk Management Policy", - "description": "This policy ensures that vendors and other third parties do not introduce unacceptable risk to the organization by establishing a structured program for assessing, monitoring, and mitigating supplier risks aligned with security commitments and regulatory requirements.", - "frequency": "yearly", - "department": "none", - "content": [{"type": "heading", "attrs": {"level": 4}, "content": [{"text": "A. Applicability And Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "The policy applies to all employees, contractors, and business units that select, onboard, manage, or rely on vendors, subservice organizations, or other third parties that store, process, or transmit organizational data or provide critical services.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "B. Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Supplier Security", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 1}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-032) Perform a formal vendor-risk-assessment exercise at least annually to identify and evaluate vendors critical to system security commitments and requirements.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-046) Review and evaluate all subservice organizations periodically to ensure they continue to meet customer commitments.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-054) Develop and update general control activities based on insights gained from periodic subservice-organization evaluations.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-120) Document policies and procedures for managing vendors and third-party suppliers, including guidance for risk assessment.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-121) Document policies and procedures to identify and mitigate vendor risks, incorporating service commitments and system requirements.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "C. Exceptions Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Employees must submit third-party-risk exceptions via the ticketing system, outlining business justification, compensating controls, and desired duration. The Information Security Officer and Vendor Owner must jointly approve, document, and time-limit each exception, which is reviewed upon expiration or earlier if risk conditions change.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "D. Violations And Disciplinary Action", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Vendor audits, continuous monitoring, and management reviews detect non-compliance. Suspected violations are reported to the Information Security Officer and HR for investigation. Confirmed violations are handled under HR disciplinary tiers—verbal warning, written warning, suspension, or termination—depending on severity, and may include contract suspension or legal action.", "type": "text"}]}, {"type": "paragraph", "content": [{"type": "hardBreak"}]}], - "createdAt": "2025-06-02 04:50:12.968", - "updatedAt": "2025-06-27 06:37:10.944" - }, - { - "id": "frk_pt_683d2de2d5691a4ba424edff", - "name": "P-LG Logging Policy", - "description": "This policy mandates continuous monitoring and logging to detect, evaluate, and respond to security events, thereby protecting the integrity, availability, and reliability of organizational systems and controls.", - "frequency": "yearly", - "department": "none", - "content": [{"type": "heading", "attrs": {"level": 4}, "content": [{"text": "A. Applicability And Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "The policy applies to all employees, contractors, and third parties who design, administer, or use the organization’s information systems, networks, and cloud services that generate, store, or analyze security-related logs.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "B. Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Security Monitoring & Detection", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 1}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-027) Configure systems to generate log information that is reviewed to assess impacts on internal control performance.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-043) Use a continuous-monitoring system to track and report the overall health of the information security program.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-044) Use a continuous-monitoring system to communicate internal-control deficiencies to stakeholders.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-053) Develop and refine control activities through insights gained from the continuous-monitoring system.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-087) Use a continuous-monitoring system to evaluate security events and identify failures to meet security objectives.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-088) Use a continuous-monitoring system to track and report security incidents to stakeholders.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Security Logging", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 7}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-105) Configure infrastructure to generate audit events for security-related actions to support detection monitoring.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-106) Configure infrastructure to review and analyze audit events to detect anomalous activity.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-107) Configure infrastructure to generate audit events for system-component monitoring.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-108) Configure infrastructure to review and analyze audit events for anomaly detection.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-109) Configure infrastructure to generate audit events for security-event evaluation.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-110) Configure infrastructure to review and analyze audit events to support incident analysis.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "C. Exceptions Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Employees must submit logging exceptions through the ticketing system, detailing business justification, compensating controls, and requested duration. The Information Security Officer and system owner jointly approve, document, and time-limit each exception, which is reviewed at or before expiration.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "D. Violations And Disciplinary Action", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Automated log reviews, audits, and security monitoring detect non-compliance. Suspected violations are reported to the Information Security Officer and HR for investigation. Confirmed violations follow HR disciplinary tiers—verbal warning, written warning, suspension, or termination—based on severity, and may include access revocation or legal action.", "type": "text"}]}, {"type": "paragraph", "content": [{"type": "hardBreak"}]}], - "createdAt": "2025-06-02 04:51:46.215", - "updatedAt": "2025-06-27 06:37:45.873" - }, - { - "id": "frk_pt_683d2f8cfdf08987e67a2dff", - "name": "P-IP Information Protection Policy", - "description": "This policy preserves the confidentiality, integrity, and availability of organizational information by establishing clear requirements for data retention and secure disposal, network protections, and strong cryptographic safeguards for data at rest and in transit.", + "id": "frk_pt_685e42c38c3267d391674ce3", + "name": "Change & Release Management", + "description": "Requires ticketed, peer-reviewed changes, pre-deployment testing, scheduled releases, emergency-change documentation, and post-release reviews.", "frequency": "yearly", - "department": "none", - "content": [{"type": "heading", "attrs": {"level": 4, "textAlign": null}, "content": [{"text": "A. Applicability And Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The policy applies to all employees, contractors, and third parties who create, store, transmit, or manage organizational or customer information; and to anyone who administers production or non-production databases, hosts, or network infrastructure in any environment.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4, "textAlign": null}, "content": [{"text": "B. Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 5, "textAlign": null}, "content": [{"text": "Data Retention & Destruction", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 1}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document and maintain guidelines that define retention periods and secure disposal methods for all information assets.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document a policy for decommissioning information assets containing classified information, including secure sanitization procedures.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "(T-128) Document a policy for disposing of confidential information in accordance with confidentiality objectives.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "(T-129) Document a policy for decommissioning information assets containing confidential information to meet confidentiality objectives.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5, "textAlign": null}, "content": [{"text": "Network Security", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 5}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "(T-074) Prevent public-internet access to production databases and Secure Shell interfaces by enforcing network segmentation and restricted access controls.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "(T-075) Protect every production host with a firewall configured with a deny-by-default rule set.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "(T-076) Document and implement guidelines for communications protection and network security of critical systems.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 5, "textAlign": null}, "content": [{"text": "Secure Data Transfer", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 8}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "(T-071) Encrypt all production databases that store customer data at rest using approved cryptographic mechanisms.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "(T-072) Use industry-standard encryption (e.g., HTTPS with TLS) for all data transmitted over public or untrusted networks.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "(T-073) Apply the same level of cryptographic protection to customer data in non-production environments as in production.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "(T-141) Encrypt production databases containing customer data to meet confidentiality objectives.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "(T-153) Encrypt production databases to protect system inputs, in-process items, and outputs as specified.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 4, "textAlign": null}, "content": [{"text": "C. Exceptions Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Employees must submit information-protection exception requests through the ticketing system, providing business justification, compensating controls, and desired duration. The Information Security Officer and data owner jointly approve, document, and time-limit each exception, which is reviewed at or before expiration.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4, "textAlign": null}, "content": [{"text": "D. Violations And Disciplinary Action", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Continuous monitoring, audits, and incident reviews detect non-compliance. Suspected violations are reported to the Information Security Officer and HR for investigation. Confirmed violations follow HR disciplinary tiers—verbal warning, written warning, suspension, or termination—based on severity, and may include immediate access revocation or legal action.", "type": "text"}]}], - "createdAt": "2025-06-02 04:58:51.740", - "updatedAt": "2025-06-27 06:38:03.081" + "department": "it", + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Deploy code, infrastructure, or configuration changes safely and predictably for {{COMPANY}}, protecting {{DATA}} on workloads in {{CRITICAL}} and across {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Production systems, customer-facing services, shared libraries, and core infrastructure that run in {{CRITICAL}} or impact access to {{DATA}}. Applies to the {{LOCATION}} workforce performing releases from approved {{DEVICES}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain documented change procedures, approvals, testing evidence, and deployment records for auditor sampling during the Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "For systems that handle ePHI, evaluate security impact before changes, protect integrity and audit logging, and retain Security Rule documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Change Request & Approval", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Create a ticket describing scope, risk, and rollback plan.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require peer review or manager approval before merge or deploy.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Link commits and pipelines to the change ticket. No ad hoc production changes in {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Capture approver, date and time, and artifacts (diffs, test results) in the ticketing system.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Identify effects on ePHI access, logging, and safeguards. Update procedures if required.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Testing & Impact Review", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Run unit or integration tests or a staging deployment when feasible.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assess security impact. Add security tests for high risk changes, especially those affecting {{DATA}} or {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verify backward compatibility and dependencies.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain test results and sign offs. Block release if tests fail.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure changes do not weaken controls protecting ePHI. Document compensating controls if needed.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Release Scheduling & Communication", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Schedule non urgent releases during low traffic windows for users in {{GEO}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Notify stakeholders at least 24 hours in advance for any expected downtime.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide clear rollback and validation steps in the release plan.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain a release calendar and change window approvals.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Coordinate with Privacy and Security Officers for changes affecting ePHI workflows.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Emergency Change Handling", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Allowed only to restore service or fix critical security flaws.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document retrospectively within 24 hours and include in the next review.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Perform post deployment testing and finalize rollback removal once stable.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Flag as emergency in the ticket. Record incident linkage and approvals.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Evaluate impact to ePHI safeguards and update risk analysis if applicable.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Post Implementation Review", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verify success metrics and error budgets.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Capture lessons learned in release notes or a retrospective.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Close or follow up on any residual risks or defects that affect {{DATA}} or {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Attach PIR or retro outcomes to the change record and track action items to completion.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Confirm audit logging and access controls function as intended after the change.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of production commits have a linked, approved ticket. Failed change rate is tracked and reviewed. For teams over {{EMPLOYEES}} employees, expand sampling and include random checks of releases to {{CRITICAL}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Emergency path only. Must follow Emergency Change Handling and record residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Unauthorized change triggers rollback and disciplinary review.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Analyze change failure trends quarterly and refine the pipeline and testing approach, considering {{INDUSTRY}} needs and any {{GEO}} constraints.", "type": "text"}]}], + "createdAt": "2025-06-27 07:05:38.952", + "updatedAt": "2025-08-19 18:26:37.094" }, { - "id": "frk_pt_685e410082a807a0274b4531", - "name": "Privacy & Data-Subject Rights", - "description": "Ensures personal data is processed on a lawful basis, keeps users informed, and fulfils data-subject requests within required timelines.", + "id": "frk_pt_685e405054f7c35d89ccccf2", + "name": "Policy Management & Exception Handling", + "description": "Inventories every policy, enforces version control and annual reviews, and documents, time-boxes, and sunsets any approved exceptions.", "frequency": "yearly", - "department": "gov", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Lawful Basis & Data Minimisation", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Transparency & Privacy Notice", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Data-Subject Request (DSR) Workflow", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Consent & Preference Management", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Record Keeping & Audit Trail", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Ensure personal data is processed lawfully, transparently, and that individuals can exercise their privacy rights.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – All personal data relating to customers, end-users, employees, contractors, or any identifiable individuals.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Lawful Basis & Data Minimisation", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Identify and record a lawful basis (e.g., contract, consent, legitimate interest) for each processing activity.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Collect only data necessary for the stated purpose; review forms and APIs annually to remove unused fields.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Transparency & Privacy Notice", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain an up-to-date public Privacy Notice describing categories of data, purposes, sharing, retention, and rights.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update the notice within 30 days of any significant change in processing.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Data-Subject Request (DSR) Workflow", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide a visible channel (e.g., privacy@ email or web form) for access, correction, deletion, or portability requests.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verify requester identity and respond within applicable legal timelines.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log each request, decision, and completion date in a DSR log.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Consent & Preference Management", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Obtain explicit consent where required; store timestamp and method.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Offer easy withdrawal via self-service or support request.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Sync marketing or product systems to reflect updated preferences within five business days.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Record Keeping & Audit Trail", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a processing-activity record covering data categories, purposes, bases, recipients, transfers, and safeguards.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain DSR logs and consent records for at least three years.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Quarterly review confirms: processing record current, Privacy Notice updated, DSRs closed on time.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Any deviation (e.g., extended DSR deadline) documented with justification and regulatory allowance.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Missed deadlines or undocumented processing triggers incident response and notification to leadership; corrective action required.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Integrate feedback from users, audits, and regulatory updates into processes and the Privacy Notice.", "type": "text"}]}], - "createdAt": "2025-06-27 06:58:08.164", - "updatedAt": "2025-06-27 06:58:29.002" + "department": "admin", + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure all governance, security, and privacy policies are current, traceable, and that any deviations are formally approved, time-boxed, and documented for {{COMPANY}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All organizational policies and standards, all personnel, and all systems governed by those documents. Applies to the {{LOCATION}} workforce and systems hosted in {{CRITICAL}}; store records in {{GEO}} where residency applies.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain policy ownership, version history, review notes, and exception records for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain Security Rule policies and any related exceptions for 6 years; ensure exceptions do not weaken safeguards for ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Inventory & Ownership", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a master list of active policies, each with a named owner.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store the inventory in a shared repository accessible to all personnel, hosted in {{CRITICAL}} and retained per {{GEO}} requirements.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Include effective date and next review date in the inventory; map each policy to relevant controls where applicable.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Identify HIPAA-relevant policies in the inventory and link to BAAs or procedures that reference them.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Version Control & Distribution", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Keep policies under version control with commit history in {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include a version number and last-review date in each document.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Notify personnel of major updates within five business days.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Preserve prior versions and change logs for auditor sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain historical versions and acknowledgements for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scheduled Review Cycle", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Owners review their policies at least once every 12 months and record “Reviewed – no change” or revisions in the change log.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Time reviews to precede planned audits.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record reviewer and date; align timing with audit windows.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Confirm HIPAA-related policies reflect current safeguards and regulatory updates.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exception Request Process", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Any employee may request an exception by submitting: scope, justification, risk, compensating controls, and proposed expiry.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The policy owner and senior management jointly approve or reject within ten business days; assess residual risk to {{DATA}} and impacts to systems in {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Link exceptions to the Risk Register and relevant controls; ensure expiries are time-boxed.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Assess impact on ePHI; exceptions must not bypass minimum necessary, access controls, or transmission security.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exception Register & Sunset", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record all approved exceptions in an Exception Register with owner and expiry date; host in {{CRITICAL}} and retain per {{GEO}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review the register monthly; close or renew any item reaching expiry.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track renewals and closures; keep evidence of monthly reviews.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Document HIPAA-related exceptions and closures; retain for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Inventory exists; ≥ 90% of policies show review within 12 months; no exceptions past expiry. For teams over {{EMPLOYEES}} employees, expand monthly sampling of exceptions.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Handled via the “Exception Request Process” and logged in the Exception Register, including residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Missing reviews or unmanaged exceptions are escalated to senior management and corrected within 30 days.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Incorporate audit findings and user feedback at the next scheduled review; update inventory fields or workflows when {{CRITICAL}} or {{GEO}} obligations change.", "type": "text"}]}], + "createdAt": "2025-06-27 06:55:11.688", + "updatedAt": "2025-08-19 18:26:51.406" }, { "id": "frk_pt_685e4319a5bb1d2d411975e6", @@ -235,9 +145,9 @@ "description": "Embeds security user stories, automated code scans, dependency checks, secrets detection, and pre-release penetration testing into every build.", "frequency": "yearly", "department": "it", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Security Requirements & Stories", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Code Review & Static Analysis", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Dependency & Secrets Scanning", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Build Pipeline Security", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Pre-Release Penetration Testing", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Embed security checks into every stage of software design, development, and deployment.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – All custom code, Infrastructure-as-Code, scripts, and APIs maintained by the organisation.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Security Requirements & Stories", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Capture security user stories or tasks during backlog grooming.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Reference relevant standards (e.g., input validation, auth flows).", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Code Review & Static Analysis", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require peer code review for every pull request. OR", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Run automated static-analysis tooling with blocking rules on critical findings.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Dependency & Secrets Scanning", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Scan third-party packages for known CVEs on every build.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Reject commits containing hard-coded secrets.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Build Pipeline Security", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Isolate build runners; authenticate to artifact repo via short-lived tokens.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Sign release artifacts; verify hash during deployment.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Pre-Release Penetration Testing", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct internal or third-party pen test for major releases or annually.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track findings to closure before public launch.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – CI pipeline gates show 100 % code scanned; no critical findings open on release.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Temporary allow-lists require documented risk and fix timeline.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Code merged without review or scan reverted; build blocked until rectified.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Integrate new security tooling and OWASP guidance each year.", "type": "text"}]}], + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Embed security checks into every stage of software design, development, and deployment for {{COMPANY}}, protecting {{DATA}} in services running on {{CRITICAL}} and stored or processed in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All custom code, Infrastructure-as-Code, scripts, and APIs maintained by the organisation. Applies to the {{LOCATION}} engineering team using managed {{DEVICES}} and deploying to {{CRITICAL}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain SSDLC governance, approvals, and testing artefacts for auditor sampling through the Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "For systems handling ePHI, ensure safeguards for access, integrity, audit logging, and transmission security are preserved; retain Security Rule documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Security Requirements & Stories", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Capture security user stories or tasks during backlog grooming and design.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Reference relevant standards and patterns (for example input validation, authentication, session management), including {{INDUSTRY}} obligations where relevant.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Link stories to controls when applicable and record sign-offs in the tracker.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Identify ePHI data flows and apply minimum-necessary handling in requirements.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Code Review & Static Analysis", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require peer code review for every pull request.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Additionally run automated static-analysis with blocking rules on critical findings, especially for code paths touching {{DATA}} or {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Keep review approvals and scan results with the change record.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Review changes that affect ePHI processing or access controls.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Dependency & Secrets Scanning", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Scan third-party packages (app, container, IaC) for known CVEs on every build.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Reject commits or builds that contain hard-coded secrets or credentials.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track vulnerabilities to closure in the issue backlog.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Prioritise components that process or store ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Build Pipeline Security", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Isolate build runners; authenticate to artifact repositories with short-lived tokens.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Restrict pipeline permissions to least privilege; log all deployment actions.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Sign release artifacts and verify hashes during deployment.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prevent {{DATA}} from being written to build logs or artifacts; protect pipeline secrets.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Only managed {{DEVICES}} may trigger production deployments to {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Restrict pipeline permissions to least privilege and log deployment actions.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Prevent ePHI from being written to build logs or artifacts; protect pipeline secrets.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Pre-Release Penetration Testing", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct an internal or third-party penetration test for major releases or at least annually.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track findings to closure before public launch; scope tests to components in {{CRITICAL}} that handle {{DATA}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store reports and remediation evidence in {{GEO}} where residency applies.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain test reports and remediation evidence.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Scope tests to components that handle ePHI and validate access logging.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "CI pipeline gates show 100% code scanned; no critical findings open at release for deploys to {{CRITICAL}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Temporary allow-lists require documented risk and a fix timeline; note any residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Code merged without required reviews or scans is reverted or blocked until rectified.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Integrate new security tooling and current OWASP guidance each year, reflecting {{INDUSTRY}} changes and any obligations affecting {{GEO}}.", "type": "text"}]}], "createdAt": "2025-06-27 07:07:04.444", - "updatedAt": "2025-06-27 07:07:23.239" + "updatedAt": "2025-08-19 18:27:08.892" }, { "id": "frk_pt_685e45f736049f188c3439b4", @@ -245,39 +155,29 @@ "description": "Applies a progressive, documented disciplinary framework for security or privacy violations, ensuring fair process and consistent sanctions.", "frequency": "yearly", "department": "hr", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Disciplinary Framework", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Investigation & Due Process", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Sanction Levels", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Documentation & Appeals", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 HR Integration & Awareness", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Outline fair, consistent consequences for security or privacy violations.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – All workforce members, regardless of role or contract type.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Disciplinary Framework", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Apply progressive discipline: coaching → written warning → suspension → termination, unless severity dictates immediate action.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Align severity with impact: data breach, harassment, or unlawful acts may bypass lower steps.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Investigation & Due Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "HR and Security jointly investigate alleged violations; gather logs, interviews, and evidence.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Offer the accused an opportunity to provide explanation before decision.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Sanction Levels", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Minor: verbal coaching and retraining.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Moderate: written warning plus remedial actions.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Major: suspension, access revocation, potential termination and legal referral.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Documentation & Appeals", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "File investigation report and final action in personnel record.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide appeal channel to senior leadership within five business days of sanction notice.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 HR Integration & Awareness", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "HR maintains sanctions log for trend analysis.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Incorporate policy summary in annual awareness training.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Quarterly review of sanctions log for consistency and closure of corrective actions.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Executive leadership may vary sanctions only with documented rationale.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Failure to follow process prompts HR-led review and policy refresher.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Adjust framework based on case analytics and legal updates.", "type": "text"}]}], + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Outline fair, consistent consequences for security or privacy violations at {{COMPANY}} while safeguarding access to {{CRITICAL}} and {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All workforce members, regardless of role or contract type. Applies to the {{LOCATION}} workforce, including personnel using {{DEVICES}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain a documented sanctions process, apply it consistently, and retain records for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain and enforce a sanctions policy for workforce members who fail to comply with security or privacy policies; retain related documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Disciplinary Framework", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Apply progressive discipline: coaching → written warning → suspension → termination, unless severity dictates immediate action.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Align severity with impact. Data breach, harassment, or unlawful acts may bypass lower steps.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Consider intent, prior history, and potential risk to customers or the organisation.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Demonstrate consistent application across similar cases; link outcomes to policy and code of conduct.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Reference the HIPAA sanctions policy for violations involving ePHI or Privacy Rule requirements.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Investigation & Due Process", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "HR and Security jointly investigate alleged violations; gather logs, interviews, and evidence (including access/log records from {{CRITICAL}} and managed {{DEVICES}}).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Preserve evidence integrity and confidentiality; limit access to need-to-know.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Offer the accused an opportunity to provide explanation before decision.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record investigation steps, decision rationale, and approvals for auditor sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Engage Privacy and Security Officers when ePHI or HIPAA rights may be affected; avoid retaliation against good-faith reporters.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Sanction Levels", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Minor: verbal coaching and retraining.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Moderate: written warning plus remedial actions.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Major: suspension, revocation of access to {{CRITICAL}}, removal of privileges to handle {{DATA}}, potential termination and legal referral.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Map remedial actions to control improvements or additional training.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Apply role-appropriate retraining where HIPAA requirements were breached.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Documentation & Appeals", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "File investigation report and final action in the personnel record; restrict access and store in {{GEO}} where residency applies.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide an appeal channel to senior leadership within five business days of sanction notice.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain final decision, appeal outcome, and corrective actions with dates.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain sanction documentation and related HIPAA records for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "HR Integration & Awareness", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "HR maintains a sanctions log for trend analysis.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Incorporate a concise sanctions policy summary in annual awareness training, with examples relevant to {{INDUSTRY}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Review trends quarterly and feed lessons into training and process updates.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Highlight examples tied to ePHI mishandling and required safeguards.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly review of the sanctions log confirms consistency and closure of corrective actions. For teams over {{EMPLOYEES}} employees, expand sampling and include checks that access to {{CRITICAL}}/{{DATA}} was revoked when required.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Executive leadership may vary sanctions only with documented rationale, including residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Failure to follow this process prompts an HR-led review and policy refresher; corrective actions are assigned and tracked to closure.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Adjust the framework based on case analytics, audit findings, and legal or regulatory changes, including {{INDUSTRY}} developments and obligations affecting {{GEO}}.", "type": "text"}]}], "createdAt": "2025-06-27 07:19:19.425", - "updatedAt": "2025-06-27 07:19:32.763" + "updatedAt": "2025-08-19 18:27:27.779" }, { - "id": "frk_pt_683d2716ed82ad63da55dc7f", - "name": "P-IC Information Classification & Handling Policy", - "description": "This policy ensures all information assets are consistently classified and labeled so they receive protection commensurate with their sensitivity and integrity requirements, reducing the risk of unauthorized disclosure or processing errors.", - "frequency": "yearly", - "department": "none", - "content": [{"type": "heading", "attrs": {"level": 4}, "content": [{"text": "A. Applicability And Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "The policy applies to all employees, contractors, and third parties who create, store, process, transmit, or dispose of organizational information in any form—physical or digital—across all systems, facilities, and cloud environments.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "B. Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Information Classification", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 1}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-026) Document and maintain policies and procedures for physical and logical labeling of information in accordance with the data-classification scheme.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-130) Physically and logically label information systems and media to identify confidential information as required by classification guidelines.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-143) Label information systems to support processing-integrity objectives and align with approved data definitions.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-144) Apply physical and logical labels to information systems to enforce policies over system inputs that affect processing integrity.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "C. Exceptions Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Employees must request classification-related exceptions through the ticketing system, providing business justification, proposed compensating controls, and desired duration. The Information Security Officer and data owner jointly review, approve, document, and time-limit each exception, which is re-evaluated at or before expiration.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "D. Violations And Disciplinary Action", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Audits, automated scans, and monitoring detect misclassification or mishandling of information. Suspected violations are reported to the Information Security Officer and HR. Confirmed violations are addressed under HR’s disciplinary tiers—verbal warning, written warning, suspension, or termination—based on severity, and may include mandatory retraining or legal action.", "type": "text"}]}, {"type": "paragraph", "content": [{"type": "hardBreak"}]}], - "createdAt": "2025-06-02 04:22:46.117", - "updatedAt": "2025-06-27 06:44:31.514" - }, - { - "id": "frk_pt_683d26b7a8705c7002350b01", - "name": "P-RM Risk Management Policy ", - "description": "This policy establishes a structured risk management process to identify, analyze, and treat threats that could jeopardize the organization’s ability to meet its security commitments and business objectives.", + "id": "frk_pt_685e410082a807a0274b4531", + "name": "Privacy & Data-Subject Rights", + "description": "Ensures personal data is processed on a lawful basis, keeps users informed, and fulfils data-subject requests within required timelines.", "frequency": "yearly", - "department": "none", - "content": [{"type": "heading", "attrs": {"level": 4, "textAlign": null}, "content": [{"text": "A. Applicability And Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "The policy applies to all business units, employees, contractors, and third parties involved in planning, operating, or supporting the organization’s information systems, services, and infrastructure across all environments.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4, "textAlign": null}, "content": [{"text": "B. Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 5, "textAlign": null}, "content": [{"text": "Risk Assessment And Treatment", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 1}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "(T-029) Perform a formal risk-assessment exercise at least annually, following documented guidelines to identify threats that could impair security commitments and requirements.", "type": "text"}, {"type": "hardBreak"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "(T-030) Assess each identified risk and assign a risk score based on likelihood and impact on confidentiality, integrity, and availability, mapping risks to mitigating factors.", "type": "text"}, {"type": "hardBreak"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "(T-031) Include consideration of potential fraud as a factor in the risk matrix when evaluating risks.", "type": "text"}, {"type": "hardBreak"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "(T-119) Document, maintain, and follow policies and procedures that identify risks to business objectives and incorporate service commitments and system requirements into risk mitigation plans.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 4, "textAlign": null}, "content": [{"text": "C. Exceptions Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Employees must request exceptions via the ticketing system, providing justification, proposed compensating controls, and desired duration. The Information Security Officer and Risk Owner jointly approve, document, and time-limit each exception, which is reviewed upon expiration or earlier if risk levels change.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4, "textAlign": null}, "content": [{"text": "D. Violations And Disciplinary Action", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Audits and continuous monitoring detect non-compliance with this policy. Suspected violations are reported to the Information Security Officer and HR for investigation. Confirmed violations are addressed per HR disciplinary tiers—verbal warning, written warning, suspension, or termination—depending on severity, and may include immediate risk mitigation actions or legal referral.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"type": "hardBreak"}]}], - "createdAt": "2025-06-02 04:21:10.980", - "updatedAt": "2025-06-27 06:40:09.607" + "department": "gov", + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure personal data ({{DATA}}) is processed lawfully and transparently at {{COMPANY}}, and that individuals can exercise their privacy rights across services running in {{CRITICAL}} and jurisdictions in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All personal data relating to customers, end-users, employees, contractors, or any identifiable individuals. Applies to the {{LOCATION}} workforce, systems hosted in {{CRITICAL}}, and managed {{DEVICES}} that process {{DATA}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Align practices with Security and Confidentiality criteria; retain artefacts (records of processing, notices, DSR logs) for the full Type 2 period plus 12 months; treat relevant vendors as subservice organisations where appropriate.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where ePHI is involved, apply the HIPAA Privacy Rule (uses/disclosures, minimum necessary, Notice of Privacy Practices) and individual rights (access, amendment, accounting, restrictions, confidential communications). Retain required HIPAA documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Lawful Basis & Data Minimisation", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Identify and record a lawful basis (for example contract, consent, legitimate interest) for each processing activity.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Collect only data necessary for the stated purpose; review forms and APIs annually to remove unused fields, reflecting {{INDUSTRY}} practices and any {{GEO}} limits.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure lawful-basis records link to data classification, retention period, and controls.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Apply minimum necessary; for uses/disclosures beyond TPO, obtain written authorisation or rely on another permitted basis; validate BAA coverage for Business Associates.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Transparency & Privacy Notice", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain an up-to-date public Privacy Notice describing categories of {{DATA}}, purposes, sharing, retention, rights, and international transfers (including outside {{GEO}}).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update the notice within 30 days of any significant change in processing.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Keep dated copies of prior notices and evidence of publication.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Where applicable, maintain and furnish a Notice of Privacy Practices and update it upon material changes.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Data-Subject Request (DSR) Workflow", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide a visible channel (for example a privacy email or web form) for access, correction, deletion, or portability requests.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verify requester identity and respond within applicable legal timelines in {{GEO}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log each request, decision, and completion date in a DSR log; restrict access.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Protect the DSR log, restrict access, and retain for auditor sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Process HIPAA individual-rights requests (access, amendment, accounting, restrictions, confidential communications) within HIPAA timelines; document decisions.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Consent & Preference Management", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Obtain explicit consent where required; store timestamp and method.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Offer easy withdrawal via self-service or support request; propagate changes across systems in {{CRITICAL}} within five business days.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Propagate preference changes across integrated systems; retain consent and revocation records.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track and honour authorisations and revocations for uses/disclosures requiring authorisation; record agreed restrictions and confidential communication requests.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Record Keeping & Audit Trail", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a processing-activity record covering data categories, purposes, lawful bases, recipients, transfers, and safeguards (including residency in {{GEO}}).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain DSR logs and consent records for at least three years (or longer where required).", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Preserve change history for the processing record and DSR log.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain an accounting of disclosures (where required) and retain HIPAA-related records for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly review confirms the processing record is current, the Privacy Notice is updated as needed, and DSRs are closed on time. For teams over {{EMPLOYEES}} employees, expand sampling and include random checks of transfers in/out of {{GEO}} and processing in {{CRITICAL}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Any deviation (for example extended DSR deadline) is documented with justification and regulatory allowance, including any residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Missed deadlines or undocumented processing triggers incident response and notification to leadership; corrective action required.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Integrate feedback from users, audits, {{INDUSTRY}} updates, and regulatory changes affecting {{GEO}} into processes and the Privacy Notice.", "type": "text"}]}], + "createdAt": "2025-06-27 06:58:08.164", + "updatedAt": "2025-08-19 18:27:41.229" }, { - "id": "frk_pt_685e414029124c24387beff0", - "name": "Retention & Secure Disposal", - "description": "Sets record-specific retention periods, runs periodic purge reviews, and requires cryptographic or physical destruction of outdated data.", + "id": "frk_pt_685e4508d8c0d14ae873e644", + "name": "Physical Security & Environmental", + "description": "Controls facility and server-room access, manages visitors, safeguards against fire, flood, or climate risks, and audits logs and walk-throughs.", "frequency": "yearly", "department": "it", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Retention Schedule", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Periodic Data Review", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Secure Disposal Methods", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Backup & Archive Controls", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Keep data only as long as it is needed and dispose of it so it cannot be recovered by unauthorised parties.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – All electronic and physical records, backups, and media created or held by the organisation.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Retention Schedule", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a table listing record types, retention period, and owner.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review the schedule at least annually and when new data types arise.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Periodic Data Review", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Owners run an automated or manual review at least quarterly to identify data beyond its retention period.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Records flagged for deletion are queued for disposal within 30 days.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Secure Disposal Methods", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Electronic data: secure-wipe utilities or crypto-erasure (destroy keys).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Physical media: cross-cut shredding or certified destruction vendor.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document each disposal event with date, data category, and method.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Backup & Archive Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Apply the same retention timelines to backups and archives.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Encrypt backups; verify they age-out or are re-encrypted when keys rotate.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Quarterly check shows ≤ 5 % records past retention; disposal logs complete.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Legal hold or contract may override schedule; document reason and review date.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Over-retained or improperly disposed records escalated to senior management and remediated within 30 days.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Update schedule and tooling after audits, incidents, or regulatory change.", "type": "text"}]}], - "createdAt": "2025-06-27 06:59:11.886", - "updatedAt": "2025-06-27 06:59:21.362" + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Protect {{COMPANY}} personnel, equipment, and information from unauthorized physical access or environmental damage.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{LOCATION}} and any site hosting {{COMPANY}} assets.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Align to SOC 2 Trust Services Criteria in scope for the audit (Security at minimum; add Availability/Confidentiality if applicable). Treat building/data-centre operators as relevant subservice organizations. ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Applies where ePHI is created, received, maintained, or transmitted (including subcontractors of Business Associates). ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Facility Access Control", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All controlled doors use badges or keys; disable badges immediately at termination.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Segregate secure areas (for example, server/network closets) with locked doors; limit keys to authorized staff only.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Keep doors closed; prevent tailgating and prohibit propping doors open.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly review of badge/key lists to reconfirm access need.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain access-control records and document quarterly access reviews during the Type 2 period.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain facility access procedures for areas where ePHI may be present.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Visitor Management", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require sign-in, government-issued ID check, and a visible visitor badge.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Host escorts visitor at all times.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain visitor logs for at least 12 months.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Spot-check visitor logs against host approvals as part of periodic reviews.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Restrict visitor access to any area where ePHI may be visible or discussed.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Environmental Protections", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain HVAC within manufacturer-recommended temperature and humidity; continuous monitoring for server areas.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide smoke detection and automatic fire suppression for server rooms, or use fire-rated cabinets where suppression is unavailable.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide UPS for critical equipment and test at least annually.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Elevate equipment or install leak sensors in flood-prone areas.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain maintenance and test records (for example HVAC/UPS) to support Availability when in scope.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Link facility and environmental events with contingency and emergency-mode operations.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Equipment Protection & Disposal", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Lock server racks; use cable locks for laptops in shared/co-working spaces.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain asset inventory with physical location and owner.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Sanitize or destroy storage media prior to disposal or reuse using NIST SP 800-88 methods; record disposal event and, where applicable, obtain a certificate of destruction.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Satisfies Device and Media Controls: disposal, media reuse, accountability.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Physical Security Monitoring & Review", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review access-control and (where deployed) CCTV logs monthly for anomalies; investigate and record outcomes.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct an annual walk-through to verify door states, signage, camera coverage, alarms, leak sensors, and rack locks.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record incidents such as tailgating or propped-open doors and track corrective actions.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain review artifacts for at least the full Type 2 period plus 12 months.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain Security Rule documentation for 6 years.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Access controls in use at 100% of controlled doors; monthly log reviews completed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of visitors signed in, badged, and escorted; logs retained 12 months.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Annual environmental tests (for example UPS) and annual physical walk-through completed.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of media disposal or reuse events recorded with NIST SP 800-88 method.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Temporary use of an unsecured space requires manager approval, an end date, and compensating controls (for example lockable cabinet).", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Tailgating, propped-open doors, missing visitor badges, or unlogged visitors are recorded as incidents; corrective action within one week.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Enhance controls based on incident trends, audit findings, and facility changes; review this policy at least annually.", "type": "text"}]}], + "createdAt": "2025-06-27 07:15:20.007", + "updatedAt": "2025-08-19 18:23:15.448" }, { "id": "frk_pt_685e4177d5da489e7c5e1b1b", @@ -285,89 +185,19 @@ "description": "Mandates strong encryption for data in transit and at rest, governs key generation, storage, rotation, and audits for weak configurations.", "frequency": "yearly", "department": "it", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Encryption in Transit", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Encryption at Rest", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Key Generation & Storage", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Key Rotation & Retirement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Protect data confidentiality and integrity with strong, well-managed cryptography.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – All systems, applications, databases, backups, and communications handling sensitive or confidential data.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Encryption in Transit", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Enforce TLS 1.2+ (or later) for web, API, email relay, and admin channels.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disable weak ciphers/protocols; use HSTS where supported.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Encryption at Rest", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Enable provider-level encryption for cloud storage, volumes, and managed databases.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Full-disk encryption required on laptops and removable drives.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Key Generation & Storage", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Generate keys via approved crypto libraries or cloud KMS.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store keys in managed vault/KMS; keys never hard-coded in source control.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Limit vault access to least-privilege service roles.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Key Rotation & Retirement", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Rotate platform/DB master keys at least annually or on suspected compromise.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Revoke and destroy retired keys; document rotation events.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Monthly scan verifies 100 % TLS coverage and encryption-at-rest flags; vault audit shows no orphaned keys.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Any legacy system lacking encryption must be isolated and tracked with mitigation plan.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Plain-text storage or transmission of sensitive data triggers immediate incident response.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Review algorithms annually; upgrade when industry deprecates current standards.", "type": "text"}]}], + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Protect the confidentiality and integrity of {{DATA}} at {{COMPANY}} with strong, well-managed cryptography across services in {{CRITICAL}} and jurisdictions in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All systems, applications, databases, backups, and communications handling sensitive or confidential {{DATA}}. Applies to the {{LOCATION}} workforce; only managed {{DEVICES}} may access keys or configure crypto on production systems in {{CRITICAL}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain encryption configuration baselines, certificate inventories, key inventories, rotation records, and access logs for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "For ePHI, apply Security Rule safeguards for transmission security, integrity, access control, and device/media handling. Retain related documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Encryption in Transit", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Enforce TLS 1.2+ for web, APIs, email relay, and admin channels to and from {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disable weak ciphers and protocols; enable HSTS where supported.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prefer mutual TLS (mTLS) or equivalent for service-to-service traffic handling Restricted {{DATA}}; avoid split tunnelling when accessing sensitive {{DATA}} across {{GEO}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Document cipher suites and minimum protocol versions; monitor for downgrade or plaintext paths.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Encrypt ePHI in transit; avoid split tunnelling while accessing ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Encryption at Rest", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Enable provider-level encryption for cloud storage, volumes, and managed databases in {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require full-disk encryption on {{DEVICES}} (including removable drives).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure encrypted backups and snapshots inherit key policies; record storage residency in {{GEO}} where applicable.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Protect encryption keys and configuration from unauthorised change; log key usage.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Encrypt ePHI at rest where feasible and document the decision and safeguards.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Key Generation & Storage", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Generate keys using approved crypto libraries or cloud KMS in {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store keys in a managed vault or KMS; never hard-code keys in source control.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Limit vault access to least-privilege service roles; enable detailed auditing and store logs per {{GEO}} requirements.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Keep key lifecycle records (creation, distribution, use, rotation, retirement) and alert on unusual access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Restrict and audit access to keys protecting ePHI repositories.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Key Rotation & Retirement", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Rotate platform and database master keys at least annually or upon suspected compromise.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Revoke and destroy retired keys; document rotation events, impacted assets, and validation that old keys cannot decrypt new data.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update dependent secrets and configurations as part of the rotation change.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record approvals and evidence of rotation; preserve artefacts for auditor sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure timely rotation for keys protecting ePHI and update risk analysis if a compromise is suspected.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Monthly scan verifies 100% TLS coverage and encryption-at-rest flags; vault audit shows no orphaned keys. For teams over {{EMPLOYEES}} employees, expand sampling to include random checks of services in {{CRITICAL}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Any legacy system lacking encryption must be isolated and tracked with a mitigation plan, noting any {{GEO}} residency constraints and residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Plaintext storage or transmission of sensitive {{DATA}} triggers immediate incident response and remediation.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review algorithms and configurations annually; upgrade when industry guidance deprecates current standards, and reflect {{INDUSTRY}} or {{GEO}} changes where relevant.", "type": "text"}]}], "createdAt": "2025-06-27 07:00:06.600", - "updatedAt": "2025-06-27 07:00:22.794" - }, - { - "id": "frk_pt_683d2cbc12b93dc5c8fe3a7d", - "name": "Change Management Policy ", - "description": "This policy ensures that all changes to the operating environment are planned, approved, tested, and documented so that system integrity, availability, and accuracy are preserved during and after implementation.", - "frequency": "yearly", - "department": "none", - "content": [{"type": "heading", "attrs": {"level": 4}, "content": [{"text": "A. Applicability And Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "The policy applies to all employees, contractors, and third parties who request, approve, develop, test, or deploy changes to the organization’s applications, infrastructure, and configuration items across production, staging, and development environments.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "B. Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Change Management", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 1}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-113) Establish and follow approval procedures before implementing any changes to the operating environment.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-114) Document policies and procedures that govern change management activities.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-115) Implement standardized procedures to control all changes to the operating environment.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-147) Conduct application regression testing during change management to validate key processing for integrity.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-148) Require formal approval for changes that affect output accuracy and timeliness.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-149) Conduct regression testing to verify accurate output delivery after changes are implemented.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Configuration Management", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 7}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-116) Establish approval procedures before implementing configuration changes to the operating environment.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-117) Document policies and procedures that govern configuration-change activities.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-118) Implement standardized procedures to control all configuration changes to the operating environment.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "C. Exceptions Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Employees must submit change-related exception requests through the ticketing system, providing business justification, compensating controls, and requested duration. The Change Advisory Board (CAB) and the Information Security Officer must jointly approve, document, and time-limit each exception, which is reviewed at or before expiration.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "D. Violations And Disciplinary Action", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Automated logging, change audits, and management reviews detect non-compliance. Suspected violations are reported to the Information Security Officer and HR for investigation. Confirmed violations are handled under HR disciplinary tiers—verbal warning, written warning, suspension, or termination—based on severity and may include change rollback or legal action.", "type": "text"}]}, {"type": "paragraph", "content": [{"type": "hardBreak"}]}], - "createdAt": "2025-06-02 04:46:52.065", - "updatedAt": "2025-06-04 19:44:21.237" - }, - { - "id": "frk_pt_683d23ceaf2c5e4e8933b0ae", - "name": "P-AM Asset Management Policy", - "description": "This policy ensures that all organizational assets are identified, assigned ownership, and protected according to their value and risk, reducing the likelihood of loss, misuse, or inadequate accountability.", - "frequency": "yearly", - "department": "none", - "content": [{"type": "heading", "attrs": {"level": 4}, "content": [{"text": "A. Applicability And Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "The policy applies to all employees, contractors, and third parties who create, use, maintain, or dispose of the organization’s information assets, including hardware, software, data, and cloud resources across all environments.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "B. Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Asset Inventory", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 1}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-015) Establish mechanisms to assign and manage asset ownership and to ensure a common understanding of protection requirements.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-041) Assign and manage asset ownership responsibilities as part of an ongoing evaluation process.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-042) Periodically update and review the system inventory as part of ongoing evaluations.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-060) Develop, document, and maintain an inventory of organizational infrastructure systems for accountability.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "C. Exceptions Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Employees must submit asset-related exception requests through the ticketing system, including business justification, compensating controls, and requested duration. The Information Security Officer and asset owner must approve, document, and time-limit each exception, which is reviewed at or before expiration.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "D. Violations And Disciplinary Action", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Automated monitoring and periodic audits detect non-compliance. Suspected violations are reported to the Information Security Officer and HR. Confirmed violations are addressed under HR disciplinary tiers—verbal warning, written warning, suspension, or termination—based on severity, and may include revocation of access or legal action.", "type": "text"}]}], - "createdAt": "2025-06-02 04:08:45.762", - "updatedAt": "2025-06-27 06:41:15.803" - }, - { - "id": "frk_pt_683d2375aef9512864fe62bb", - "name": "P-AC Access Control Policy", - "description": "This policy establishes controls that limit access to information systems and data to authorized users, thereby reducing the risk of unauthorized disclosure, alteration, or disruption of critical services.", - "frequency": "yearly", - "department": "none", - "content": [{"type": "heading", "attrs": {"level": 4}, "content": [{"text": "A. Applicability And Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "The policy applies to all employees, contractors, and third parties who request, grant, or use logical or physical access to the organization’s production consoles, databases, applications, networks, endpoints, and cloud environments—whether on-site or remote.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "B. Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Access Rights", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 1}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-055) Review and approve the list of individuals with production-console access at least annually.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-062) Require authorized personnel to approve logical access provisioning to critical systems based on individual need or predefined role.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-063) Document policies and procedures that register and authorize users before issuing system credentials.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-064) Use continuous monitoring to alert the security team to adjust access levels promptly when roles change.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-065) Periodically review and confirm that access to critical systems is limited to personnel who require it.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-066) Periodically review and confirm that administrative access to critical systems is limited to personnel who require it.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-067) Remove or disable logical access promptly when it is no longer required, including upon termination.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-068) Restrict production-database access to personnel whose job functions require it.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-145) Require documented approval for logical access provisioning to critical systems to ensure accurate and timely output delivery.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-146) Document policies and procedures that govern access control for storing inputs, in-process items, and outputs according to system specifications.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Credential Management", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 11}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-069) Document and publish guidelines for password management and secure login mechanisms.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-070) Enforce secure login mechanisms, including multi-factor authentication, for all staff with access to critical systems.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Remote-Work Security", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 13}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-079) Perform security and privacy compliance checks on software versions and patches of remote devices before allowing internal connections.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-080) Configure endpoints that access critical servers or data to auto-lock after 15 minutes of inactivity.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-111) Conduct ongoing security and privacy compliance checks on remote devices to support security-event evaluation.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Segregation Of Duties", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 16}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-059) Segregate responsibilities and duties to mitigate risks to customer services.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "C. Exceptions Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Employees must submit access-related exception requests through the ticketing system, providing business justification, compensating controls, and requested duration. The Information Security Officer and system owner jointly review and approve or reject each request. Approved exceptions are documented, time-bound, and reviewed at or before expiration.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "D. Violations And Disciplinary Action", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Automated monitoring, periodic audits, and managerial oversight detect access-control violations. Suspected violations are reported to the Information Security Officer and HR for investigation. Confirmed violations are addressed under HR disciplinary tiers—verbal warning, written warning, suspension, or termination—based on severity, and may include immediate access revocation or legal action.", "type": "text"}]}, {"type": "paragraph", "content": [{"type": "hardBreak"}]}], - "createdAt": "2025-06-02 04:07:16.844", - "updatedAt": "2025-06-27 06:41:53.797" - }, - { - "id": "frk_pt_683d29e47d5ca62e4146ff62", - "name": "P-BC Business Continuity Policy", - "description": "This policy ensures the organization can quickly restore critical operations after a disruption by maintaining reliable backups, robust disaster-recovery plans, and validated continuity procedures, thereby reducing the risk of prolonged outages, data loss, and safety hazards.", - "frequency": "yearly", - "department": "none", - "content": [{"type": "heading", "attrs": {"level": 4}, "content": [{"text": "A. Applicability And Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "The policy applies to all business units, employees, contractors, and third parties who design, operate, or support the organization’s information systems, infrastructure, and facilities—whether on-premises or in the cloud—that are required to sustain or restore business operations.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "B. Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Disaster Recovery Planning", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 1}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-102) Document a policy that defines data-backup management requirements for security-incident recovery.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-132) Document a policy that aligns data-backup practices with established recovery-time and recovery-point objectives.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-133) Back up user and system data regularly to meet recovery objectives and verify backup integrity.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-134) Test backup media periodically to confirm reliability and information integrity.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-138) Test backup data periodically as part of recovery-plan validation.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-103) Document guidelines that govern disaster-recovery activities required to sustain business operations.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-135) Document guidelines that address disaster recovery for environmental protection and business continuity.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-139) Document disaster-recovery guidelines that specify procedures for recovery-plan testing.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-104) Document policies and procedures that support ongoing business operations and contingency controls.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-136) Document contingency-planning controls that protect operations and the environment.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-140) Document business-continuity policies that define requirements for recovery-plan testing.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-137) Conduct regular tests and exercises to evaluate the effectiveness and readiness of the contingency plan.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "C. Exceptions Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Employees must submit business-continuity exceptions through the ticketing system, providing business justification, compensating controls, and requested duration. The Information Security Officer and Business Continuity Manager review each request; approved exceptions are documented, time-bound, and re-evaluated at or before expiration.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "D. Violations And Disciplinary Action", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Audits, monitoring tools, and incident reviews detect non-compliance. Suspected violations are reported to the Information Security Officer and HR for investigation. Confirmed violations are addressed under HR disciplinary tiers—verbal warning, written warning, suspension, or termination—according to severity, and may include immediate access revocation or legal action.", "type": "text"}]}, {"type": "paragraph", "content": [{"type": "hardBreak"}]}], - "createdAt": "2025-06-02 04:34:43.519", - "updatedAt": "2025-06-27 06:42:28.410" + "updatedAt": "2025-08-19 18:27:59.049" }, { - "id": "frk_pt_683d2315c8fc7f97a083081c", - "name": "P-IS Information Security Program", - "description": "This policy defines and governs the organization’s information security program to protect the confidentiality, integrity, and availability of information assets and to reduce risks arising from inadequate governance, oversight, or staff awareness.", - "frequency": "yearly", - "department": "none", - "content": [{"type": "heading", "attrs": {"level": 4}, "content": [{"text": "A. Applicability And Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "The policy applies to all employees, contractors, and third parties who design, build, manage, or use the organization’s information systems, data, networks, facilities, and cloud services across all locations.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "B. Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 1}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-002) Establish procedures requiring staff to periodically acknowledge all applicable company policies.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-003) Establish procedures requiring new staff to acknowledge applicable company policies during onboarding.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-022) Make all policies and procedures readily available for staff review.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-127) Document an Information Security Policy that governs the confidentiality, integrity, and availability of information systems.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Security Governance Roles", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 5}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-004) Outline and document cybersecurity responsibilities for all personnel.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-005) Communicate roles and responsibilities to staff through established procedures.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-006) Maintain an organizational structure that defines authorities, facilitates information flow, and establishes responsibilities.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-007) Appoint a Compliance Program Manager responsible for planning and implementing the internal control environment.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-008) Assign an Information Security Officer to centrally manage and maintain the enterprise-wide cybersecurity and privacy program.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-009) Appoint a People Operations Officer to develop and drive personnel-related security strategies.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-033) Delegate the Information Security Officer to coordinate, develop, implement, and maintain the enterprise-wide cybersecurity and privacy program.", "type": "text"}, {"type": "hardBreak"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Management Security Accountability", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 12}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-010) Ensure senior management reviews and approves all company policies at least annually.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-011) Ensure senior management reviews and approves the organizational chart for all employees annually.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-012) Ensure senior management reviews and approves the Risk Assessment Report annually.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-013) Ensure senior management reviews and approves the Information Security Program at planned intervals or upon significant change.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-014) Ensure senior management reviews and approves the Vendor Risk Assessment Report annually.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-034) Conduct annual policy reviews to evaluate ongoing effectiveness.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-035) Conduct annual organizational chart reviews to evaluate ongoing effectiveness.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-036) Conduct annual risk assessment reviews to evaluate ongoing effectiveness.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-037) Conduct ongoing evaluations of Information Security Program effectiveness.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-038) Conduct annual vendor risk assessment reviews to evaluate ongoing effectiveness.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-039) Communicate Information Security Program status to senior management for corrective action.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-040) Communicate policy compliance status to senior management for corrective action.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-048) Develop control activities based on insights from annual policy reviews.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-049) Develop control activities based on insights from annual organizational chart reviews.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-050) Develop control activities based on insights from annual risk assessment reviews.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-051) Develop control activities based on insights from Information Security Program reviews.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-052) Develop control activities based on insights from annual vendor risk assessment reviews.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Disciplinary Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 29}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-021) Require periodic evaluations of employees in IT, Engineering, and Information Security roles to confirm responsibilities are fulfilled.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Regulatory Liaison", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 30}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-024) Display current service information on a customer-accessible website.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-025) Provide customers with clear instructions for reporting failures, incidents, concerns, or complaints.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Standard Operating Procedures (SOPs)", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 32}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-122) Document policies and procedures that establish expected behavior within the control environment.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-123) Document policies and procedures that support general control activities over technology.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-124) Deploy control activities in accordance with documented policies and procedures.", "type": "text"}, {"type": "hardBreak"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Personnel Security", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 35}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-016) Perform security risk screening of individuals before authorizing access.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-017) Ensure security-related positions are staffed by qualified personnel with necessary skills.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-018) Provide job-related information security and privacy training to staff.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-019) Require new staff to complete security and privacy literacy training during onboarding.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-020) Document, monitor, and retain individual training activities and records.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "D. Exceptions Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Employees must submit exception requests via the ticketing system, providing business justification, compensating controls, and requested duration. The Information Security Officer and Compliance Program Manager must approve, document, and time-bound each exception, which is reviewed at expiration or sooner if conditions change.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "E. Violations And Disciplinary Action", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Automated monitoring, audits, and management reviews detect non-compliance. Suspected violations are reported to the Information Security Officer and HR for investigation. Confirmed violations are addressed under HR’s disciplinary tiers—verbal warning, written warning, suspension, or termination—based on severity and intent, and may include access revocation or legal action.", "type": "text"}]}, {"type": "paragraph", "content": [{"type": "hardBreak"}]}], - "createdAt": "2025-06-02 04:05:40.674", - "updatedAt": "2025-06-27 06:42:58.126" - }, - { - "id": "frk_pt_683d2b1405adc4b3773db2c6", - "name": "P-EP Endpoint Protection Policy", - "description": "This policy safeguards the organization’s information assets by ensuring endpoints are protected against malware, encrypted against unauthorized access, and accurately inventoried, thereby minimizing the risk of compromise, data loss, or service disruption.", - "frequency": "yearly", - "department": "none", - "content": [{"type": "heading", "attrs": {"level": 4}, "content": [{"text": "A. Applicability And Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "The policy applies to all employees, contractors, and third parties who configure, use, or manage organizational endpoints—laptops, desktops, mobile devices, and servers—whether on-premises or remote, that access, store, or process organizational data.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "B. Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Malware Protection", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 1}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-078) Ensure endpoints that access critical servers or data are protected by approved malware-protection software.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Endpoint Security Administration", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 2}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-084) Document and maintain policies and procedures that govern endpoint security and related controls.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-085) Develop, document, and maintain an inventory of organizational endpoint systems, capturing details necessary for accountability.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-082) Encrypt endpoints that access critical servers or data to prevent unauthorized access.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-083) Encrypt all critical endpoints to prevent unauthorized access.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-142) Encrypt endpoints that access critical servers or data to protect confidential information from unauthorized disclosure.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "C. Exceptions Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Employees must request endpoint-security exceptions through the ticketing system, providing business justification, compensating controls, and requested duration. The Information Security Officer and system owner jointly review, approve, document, and time-limit each exception, which is re-evaluated at or before expiration.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "D. Violations And Disciplinary Action", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Automated monitoring, audits, and security reviews detect non-compliance. Suspected violations are reported to the Information Security Officer and HR for investigation. Confirmed violations follow HR disciplinary tiers—verbal warning, written warning, suspension, or termination—based on severity and may include immediate access revocation, device quarantine, or legal action.", "type": "text"}]}, {"type": "paragraph", "content": [{"type": "hardBreak"}]}], - "createdAt": "2025-06-02 04:39:47.774", - "updatedAt": "2025-06-27 06:43:30.108" - }, - { - "id": "frk_pt_683d2865c3f65743f7c7a350", - "name": "P-AU Acceptable Use Policy", - "description": " Define acceptable behaviour and technology usage so employees safeguard organisational assets, uphold confidentiality, integrity and availability, and foster a respectful work environment.", - "frequency": "yearly", - "department": "none", - "content": [{"type": "paragraph", "content": [{"text": "A. Applicability and Scope", "type": "text", "marks": [{"type": "bold"}]}, {"type": "hardBreak", "marks": [{"type": "bold"}]}, {"text": " This policy applies to all employees, contractors, interns and third parties who access or use the organisation’s information systems, networks, devices or data in any location (office, remote or hybrid) from onboarding through off-boarding.", "type": "text"}]}, {"type": "paragraph", "content": [{"text": "B. Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Acceptable Use Standards", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "Access company resources only with unique, organisation-issued credentials protected by multi-factor authentication; never share secrets or leave sessions unattended.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "Maintain device hygiene: install security patches promptly, run approved endpoint protection, enable full-disk encryption and auto-lock screens after ≤ 5 minutes idle.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "Store sensitive data only in approved services; transmit it via encrypted channels (e.g., VPN, TLS); copying to personal storage requires written approval.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "Use a corporate VPN on untrusted networks and refrain from operating rogue Wi-Fi, personal hotspots or network-scanning tools without authorisation.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "Prohibited activities include pirated software, illegal content, harassment, crypto-mining, personal commercial ventures and any action that degrades service or security.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "All activity on corporate assets may be logged and reviewed to defend against threats; users have no expectation of personal privacy on these assets.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "Personal devices (BYOD) accessing company data must enrol in mobile-device management and may be remotely wiped on termination or suspected compromise.", "type": "text"}]}]}]}, {"type": "paragraph", "content": [{"text": "Policy Acknowledgement", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "New personnel acknowledge all applicable policies during onboarding.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "All personnel re-acknowledge annually (or when significant changes occur) to reinforce accountability and awareness.", "type": "text"}]}]}]}, {"type": "paragraph", "content": [{"text": "C. Exceptions Process", "type": "text", "marks": [{"type": "bold"}]}, {"type": "hardBreak", "marks": [{"type": "bold"}]}, {"text": " Employees request acceptable-use exceptions through the ticketing system, providing business justification, compensating controls and duration. The Information Security Officer and HR jointly approve, document and time-limit each exception, reviewing it at or before expiration.", "type": "text"}]}, {"type": "paragraph", "content": [{"text": "D. Violations and Disciplinary Action", "type": "text", "marks": [{"type": "bold"}]}, {"type": "hardBreak", "marks": [{"type": "bold"}]}, {"text": " Automated monitoring, audits and management oversight detect non-compliance. Suspected violations are reported to the Information Security Officer and HR for investigation. Confirmed violations follow HR disciplinary tiers—verbal warning, written warning, suspension or termination—based on severity, and may include immediate access revocation or legal action.", "type": "text"}]}, {"type": "paragraph", "content": [{"type": "hardBreak"}]}], - "createdAt": "2025-06-02 04:28:21.280", - "updatedAt": "2025-06-27 06:43:45.894" - }, - { - "id": "frk_pt_683d27517ca91b1c3c748256", - "name": "P-SA Security Awareness & Training Policy", - "description": "This policy promotes a security-conscious culture by setting behavioral expectations and ensuring all personnel possess the knowledge and qualifications necessary to safeguard organizational assets.", + "id": "frk_pt_685e414029124c24387beff0", + "name": "Retention & Secure Disposal", + "description": "Sets record-specific retention periods, runs periodic purge reviews, and requires cryptographic or physical destruction of outdated data.", "frequency": "yearly", - "department": "none", - "content": [{"type": "heading", "attrs": {"level": 4}, "content": [{"text": "A. Applicability And Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "The policy applies to all employees, contractors, and third parties who access, manage, or support the organization’s information systems, devices, and data—whether on-site or remote.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "B. Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Acceptable Use", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 1}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-001) Document a policy that defines behavioral standards and acceptable business conduct.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-047) Establish guidelines for acceptable and unacceptable technology usage, including consequences for violations.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-125) Require staff to periodically acknowledge applicable company policies to reinforce confidentiality objectives.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-126) Require new staff to acknowledge applicable company policies during onboarding to support confidentiality objectives.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Personnel Security", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 5}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-016) Perform security risk screening of individuals before authorizing access.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-017) Ensure security-related positions are staffed by qualified individuals with the necessary skill sets.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-018) Provide information security and privacy training tailored to each staff member’s job functions.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-019) Require new staff to complete security and privacy literacy training during onboarding.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-020) Document, monitor, and retain individual training activities and records.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "C. Exceptions Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Employees must submit written exception requests through the ticketing system, including business justification, compensating controls, and requested duration. The Information Security Officer and HR must jointly approve, document, and time-limit each exception, which is reviewed at or before expiration.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "D. Violations And Disciplinary Action", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Monitoring, audits, and management oversight detect non-compliance. Suspected violations are reported to the Information Security Officer and HR for investigation. Confirmed violations follow HR disciplinary tiers—verbal warning, written warning, suspension, or termination—based on severity, and may include mandatory retraining or legal action.", "type": "text"}]}, {"type": "paragraph", "content": [{"type": "hardBreak"}]}], - "createdAt": "2025-06-02 04:23:45.315", - "updatedAt": "2025-06-27 06:44:16.716" + "department": "it", + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Keep {{DATA}} only as long as needed and dispose of it so it cannot be recovered by unauthorized parties at {{COMPANY}}, including data stored in {{CRITICAL}} and subject to {{GEO}} residency.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All electronic and physical records, backups, and media created or held by the organization. Applies to the {{LOCATION}} workforce, systems in {{CRITICAL}}, and managed {{DEVICES}} that store or cache {{DATA}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain the retention schedule, review records, and disposal logs for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "For ePHI, apply the HIPAA Security Rule Device and Media Controls and retain required documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Retention Schedule", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a table listing record types, retention period, owner, and primary storage (e.g., repository in {{CRITICAL}}) with {{GEO}} residency where applicable.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review the schedule at least annually and when new {{INDUSTRY}} data types arise.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure each record type references its storage location and protection requirements.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Map ePHI record types to required retention periods and safeguard expectations.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Periodic Data Review", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Owners run an automated or manual review at least quarterly to identify data beyond its retention period in {{CRITICAL}}, collaboration repositories, and on managed {{DEVICES}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Records flagged for deletion are queued for disposal within 30 days.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Log review dates and outcomes; track queued deletions to completion.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Verify reviews include systems and media that may contain ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Secure Disposal Methods", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Electronic data: use secure-wipe utilities or crypto-erasure by destroying keys; confirm for cloud stores in {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Physical media: use cross-cut shredding or a certified destruction vendor.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document each disposal event with date, data category, method, and location; store records in {{GEO}} where required.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Store certificates or logs of destruction where used and restrict access to disposal records.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Apply Device and Media Controls for ePHI, including sanitisation and accountability.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Backup & Archive Controls", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Apply the same retention timelines to backups and archives.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Encrypt backups; verify they age out on schedule or are re-encrypted when keys rotate; note backup residency in {{GEO}} and storage in {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Periodically test backup expiry and restoration; protect keys and access.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure backup processes for ePHI maintain required safeguards during storage and restoration.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly check shows ≤ 5% of records past retention and disposal logs are complete. For teams over {{EMPLOYEES}} employees, expand sampling and include random checks across {{CRITICAL}} and managed {{DEVICES}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Legal hold or contract may override the schedule; document the reason and review date, including any impact on {{DATA}} residency in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Over-retained or improperly disposed records are escalated to senior management and remediated within 30 days.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update the schedule and tooling after audits, incidents, or regulatory change, reflecting {{INDUSTRY}} requirements and any updates to {{GEO}} obligations.", "type": "text"}]}], + "createdAt": "2025-06-27 06:59:11.886", + "updatedAt": "2025-08-19 18:28:10.629" }, { "id": "frk_pt_685e42188e2df1c285cca159", @@ -375,19 +205,19 @@ "description": "Implements a Joiner-Mover-Leaver workflow, role-based access control, quarterly reviews, and strict approval for elevated privileges.", "frequency": "yearly", "department": "it", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Joiner-Mover-Leaver (JML) Process", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Role-Based Access Control (RBAC)", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Privilege Elevation & Approval", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Periodic Access Review", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Ensure users receive only the minimum access necessary and that access adjusts promptly with role changes.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – All workforce accounts, service accounts, and system roles across SaaS, IaaS, and on-prem resources.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Joiner-Mover-Leaver (JML) Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provision access via ticket with manager approval.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Modify privileges within 48 h of role change.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disable or delete accounts by end of final workday.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Role-Based Access Control (RBAC)", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define standard roles per system (e.g., Admin, User, Read-Only).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assign users to roles; avoid direct entitlements wherever possible.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Privilege Elevation & Approval", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Temporary admin rights require documented business justification and auto-expire ≤ 24 h.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All permanent admin assignments approved by senior management.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Periodic Access Review", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "System owners review user lists at least quarterly; remove stale or excessive rights.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document review date, reviewers, and actions.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Quarterly review shows ≤ 2 % orphaned accounts; all admin rights have approval record.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Emergency access allowed max 8 h; log reason and close in next review.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Unapproved elevated access or dormant accounts >30 days escalated to management and remediated within one week.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Incorporate review findings to refine role definitions and automate provisioning.", "type": "text"}]}], + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure users at {{COMPANY}} receive only the minimum access necessary and that access adjusts promptly with role changes, protecting {{DATA}} on workloads in {{CRITICAL}} and across {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All workforce accounts, service accounts, and system roles across SaaS, IaaS, and on-prem resources used by the {{LOCATION}} workforce. Only managed {{DEVICES}} may access production resources in {{CRITICAL}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Align to logical access controls (authentication, authorization, provisioning/deprovisioning) and retain artifacts for the Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Apply workforce security and information access management with unique IDs and authentication for systems handling ePHI (164.308(a)(3)-(4), 164.312(a), 164.312(d)).", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Joiner-Mover-Leaver (JML) Process", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provision access via ticket with manager approval and defined role.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Modify privileges within 48 hours of role change.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disable or delete accounts by end of final workday; collect tokens/keys/badges and revoke access on {{DEVICES}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Tie SSO/IdP accounts to HR status; block sign-in on termination and immediately remove access to {{CRITICAL}}/{{DATA}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record approvals, timestamps, and completion in the ticket/IdP; no ad-hoc provisioning.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Remove ePHI access immediately on termination; document termination procedures.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Role-Based Access Control (RBAC)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define standard roles per system (e.g., Admin, Power User, Read-Only).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assign users to roles or groups; avoid direct entitlements.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain role definitions with least-privilege permissions and named owners.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Service accounts have an owner, documented purpose, restricted scopes, and no interactive login.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Review role definitions at least annually; protect high-risk permissions with MFA.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Limit ePHI access to the minimum necessary; segregate admin from clinical/support roles where applicable.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Privilege Elevation & Approval", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Temporary admin rights require documented business justification and auto-expire ≤ 24 hours.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Permanent admin assignments require senior-management approval.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Use just-in-time elevation where available; log all elevated actions on systems in {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain elevation requests/approvals and session logs for sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure elevated sessions on ePHI systems use strong authentication and are auditable.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Periodic Access Review", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "System owners review user lists at least quarterly; remove stale or excessive rights.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Reconcile IdP groups, SaaS roles, and resource policies affecting {{CRITICAL}} and {{DATA}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document review date, reviewers, findings, and actions; store evidence in {{GEO}} where residency applies.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track findings to closure; verify orphaned accounts and excess privileges are remediated.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Include verification of ePHI repository access and logging of adjustments.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Quarterly review shows ≤ 2% orphaned accounts; all admin rights have an approval record. For teams over {{EMPLOYEES}} employees, expand sampling and include random checks of privileged access to {{CRITICAL}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Emergency access allowed for a maximum of 8 hours; log reason, scope, and approver, and close in the next review. Note any residual risk to {{DATA}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Unapproved elevated access or dormant accounts > 30 days are escalated to management and remediated within one week.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Incorporate review findings to refine role definitions and automate provisioning/deprovisioning, considering {{INDUSTRY}} needs and obligations in {{GEO}}.", "type": "text"}]}], "createdAt": "2025-06-27 07:02:47.730", - "updatedAt": "2025-06-27 07:02:58.328" + "updatedAt": "2025-08-19 18:28:25.062" }, { - "id": "frk_pt_685e43997555c7ab39983c21", - "name": "Logging, Monitoring & Audit", - "description": "Centralises and protects logs, sets real-time alerting for critical events, retains audit trails, and reviews metrics and samples monthly.", + "id": "frk_pt_683d2cbc12b93dc5c8fe3a7d", + "name": "Change Management Policy ", + "description": "This policy ensures that all changes to the operating environment are planned, approved, tested, and documented so that system integrity, availability, and accuracy are preserved during and after implementation.", "frequency": "yearly", - "department": "it", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Log Collection & Centralisation", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Log Retention & Protection", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Real-Time Alerting", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Audit & Review", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Clock Synchronisation", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Provide trustworthy evidence for security, troubleshooting, and compliance by collecting and analysing relevant logs.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Application, system, network, authentication, and cloud-provider logs across all environments.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Log Collection & Centralisation", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Forward logs to a central, access-controlled SIEM or log service.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include timestamp, user, event type, source IP for security-relevant events.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Log Retention & Protection", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain security logs at least 90 days online and 1 year archive.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Restrict write access to logging system; prohibit log tampering or deletion.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Real-Time Alerting", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Create alerts for key events: failed admin logins, privilege escalations, critical errors.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Send alerts to on-call channel; maintain documented runbooks.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Audit & Review", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review alert metrics and random log samples monthly.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Produce quarterly audit report summarising anomalies and actions.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Clock Synchronisation", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Sync all servers and devices to trusted NTP source; alert on drift >5 s.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Central platform receives ≥ 95 % of target logs; alert queue triaged within SLA.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Systems unable to forward logs must export daily and upload; document in asset list.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Logging gaps >24 h or unreviewed alerts escalated to incident response.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Add new log sources and refine alert logic based on incident learnings.", "type": "text"}]}], - "createdAt": "2025-06-27 07:09:12.690", - "updatedAt": "2025-06-27 07:09:55.538" + "department": "none", + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Deploy code, infrastructure, or configuration changes safely and predictably for {{COMPANY}}, protecting {{DATA}} in workloads running on {{CRITICAL}} and across {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Production systems, customer-facing services, shared libraries, and core infrastructure that run in {{CRITICAL}} or affect access to {{DATA}}. Applies to the {{LOCATION}} workforce using managed {{DEVICES}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain documented change procedures, approvals, testing evidence, and deployment records for auditor sampling during the Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "For systems that handle ePHI, evaluate security impact before changes, preserve integrity and audit logging, and retain Security Rule documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Change Request & Approval", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Create a ticket describing scope, risk, and rollback plan.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Require peer review or manager approval before merge/deploy.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Link commits and pipelines to the change ticket; no ad-hoc production changes in {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Capture approver, date/time, and artefacts (diffs, test results) in the ticketing system.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Identify effects on ePHI access, logging, and safeguards; update procedures if required.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Testing & Impact Review", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Run unit/integration tests or a staging deployment when feasible.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assess security impact; add security tests for high-risk changes, especially those touching {{DATA}} or {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain test results and sign-offs; block release if tests fail.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure changes do not weaken controls protecting ePHI; document compensating controls if needed.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Release Scheduling & Communication", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Schedule non-urgent releases during low-traffic windows for users in {{GEO}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Notify stakeholders at least 24 hours in advance for any expected downtime.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain a release calendar and approved change windows.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Coordinate with Privacy/Security Officers for changes affecting ePHI workflows.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Emergency Change Handling", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Allowed only to restore service or fix critical security flaws.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document retrospectively within 24 hours and include in the next review.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Flag as emergency in the ticket; record incident linkage and approvals.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Evaluate impact to ePHI safeguards and update risk analysis if applicable.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Post-Implementation Review", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verify success metrics and error budgets.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Capture lessons learned in release notes or a retrospective.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Attach PIR/retro outcomes to the change record and track action items to completion.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Confirm audit logging and access controls function as intended after the change.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "100% of production commits have a linked, approved ticket; failed change rate tracked and reviewed. For teams over {{EMPLOYEES}} employees, expand sampling and include random checks of releases to {{CRITICAL}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Emergency path only; must follow “Emergency Change Handling.”", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Unauthorized change triggers rollback and disciplinary review.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Analyze change-failure trends quarterly and refine the pipeline and testing approach, considering {{INDUSTRY}} needs and obligations affecting {{GEO}}.", "type": "text"}]}], + "createdAt": "2025-06-02 04:46:52.065", + "updatedAt": "2025-08-19 18:28:36.870" }, { "id": "frk_pt_685e44939f827e6a9f736fd4", @@ -395,39 +225,9 @@ "description": "Establishes backup frequency, off-site encrypted storage, quarterly restore tests, and concise BCP/DR activation playbooks.", "frequency": "yearly", "department": "it", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Backup Strategy & Frequency", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Backup Storage & Encryption", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Recovery Testing & RTO/RPO", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Business Continuity Plan Maintenance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Disaster Recovery Activation & Roles", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Ensure critical data and services can be restored within acceptable time and data-loss targets after disruption.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Production databases, file stores, configuration repositories, and essential SaaS services.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Backup Strategy & Frequency", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Perform full backups daily for critical production data; retain at least 30 days online.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Snapshot infrastructure-as-code and configs before each major change.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Backup Storage & Encryption", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store backups in geographically separate region or provider.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Encrypt at rest using managed keys; restrict restore permissions to limited roles.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Recovery Testing & RTO/RPO", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Test restores quarterly; record actual Recovery Time Objective (RTO) and Recovery Point Objective (RPO).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Compare results to targets and adjust strategy if exceeded.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Business Continuity Plan Maintenance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Keep concise BCP playbook covering loss of workspace, key staff, or SaaS outage.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review BCP annually or after significant operational change.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Disaster Recovery Activation & Roles", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define DR trigger thresholds; Incident Commander authorises activation.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain contact list for critical vendors and service providers.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – ≥ 95 % backup success rate; latest quarterly restore test documented and within target RTO/RPO.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Systems excluded from backup require documented justification and alternative mitigation.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Missed backups or failed restore tests escalate to leadership for immediate remediation.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Incorporate findings from DR exercises and technology advances into backup/BCP strategy.", "type": "text"}]}], + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure critical {{DATA}} and services for {{COMPANY}} can be restored within acceptable time (RTO) and data-loss (RPO) targets after disruption, for workloads in {{CRITICAL}} and subject to {{GEO}} requirements.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Production databases, file stores, configuration repositories, and essential SaaS services that support workloads in {{CRITICAL}} and handle {{DATA}}. Applies to the {{LOCATION}} workforce; only managed {{DEVICES}} may perform backup or restore actions.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain backup configurations, job results, test evidence, release/restore records, and BCP/DR artifacts for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "For ePHI systems, implement and document Contingency Plan safeguards (data backup plan, disaster recovery plan, emergency mode operation, testing/revision) and retain records for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Backup Strategy & Frequency", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Perform full backups daily for critical production {{DATA}}; retain at least 30 days online.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Snapshot infrastructure-as-code and configs before each major change to {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Record backup job success/failure and alert on misses; protect backup schedules and jobs via change control.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Encrypt backups containing ePHI and ensure the backup plan identifies ePHI repositories explicitly.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Backup Storage & Encryption", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Store backups in a geographically separate region or provider while honoring {{GEO}} residency constraints.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Encrypt at rest using managed keys; restrict restore permissions to least-privilege roles.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log all restore operations; only authorized staff on managed {{DEVICES}} may initiate restores to {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Enforce least-privilege access to backup vaults; protect keys and log restores for auditor sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure Business Associate Agreements cover any backup/hosting provider handling ePHI; maintain safeguards during storage and restore.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Recovery Testing & RTO/RPO", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Test restores quarterly; record actual RTO and RPO for key systems in {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Compare results to targets and adjust strategy if exceeded.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Keep written test plans, results, and remediation actions; track failed tests to closure.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Validate emergency mode operations for ePHI systems and prioritize restoration of critical clinical/operational functions.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Business Continuity Plan Maintenance", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Keep a concise BCP playbook covering loss of workspace, key staff, or SaaS outage for the {{LOCATION}} team.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review the BCP annually or after significant operational change.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Tabletop critical scenarios at least annually and record outcomes and action items.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure the BCP maintains security of ePHI during alternate workflows and communications.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Disaster Recovery Activation & Roles", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Define DR trigger thresholds; an Incident Commander authorises activation and coordinates restoration of {{CRITICAL}} services.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain a contact list for critical vendors and service providers.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Document activation decisions, timelines, and handoffs; preserve comms records.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Include contacts for Privacy/Security Officers and Business Associates implicated in ePHI processing.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "≥ 95% backup success rate; latest quarterly restore test documented and within target RTO/RPO. For teams over {{EMPLOYEES}} employees, expand sampling across systems in {{CRITICAL}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Systems excluded from backup require documented justification and alternative mitigation (for example, rebuild automation), including any impact on {{DATA}} residency in {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Missed backups or failed restore tests escalate to leadership for immediate remediation.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Incorporate findings from DR exercises and technology advances into the backup/BCP strategy, reflecting {{INDUSTRY}} requirements and any changes to {{GEO}} obligations.", "type": "text"}]}], "createdAt": "2025-06-27 07:13:23.442", - "updatedAt": "2025-06-27 07:14:29.685" - }, - { - "id": "frk_pt_683d3362f2059bd8f1d493bd", - "name": "P-VM Vulnerability Management Policy", - "description": "This policy ensures timely identification, evaluation, and remediation of vulnerabilities to prevent exploitation, reduce business impact, and maintain the confidentiality, integrity, and availability of organizational systems and data.", - "frequency": "yearly", - "department": "none", - "content": [{"type": "heading", "attrs": {"level": 4}, "content": [{"text": "A. Applicability And Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "The policy applies to all employees, contractors, and third-party service providers who design, administer, or use organizational platforms, infrastructure, applications, and endpoints—whether on-premises or remote.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "B. Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Vulnerability Disclosure", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 1}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-095) Identify vulnerabilities on the company platform by performing regular vulnerability scans for detection monitoring.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-098) Identify vulnerabilities through periodic scans that monitor individual system components.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-101) Identify vulnerabilities annually through penetration testing to prevent security incidents.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-096) Track and remediate all identified vulnerabilities in accordance with documented procedures.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-099) Track vulnerabilities and remediate them to support anomaly analysis.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-097) Document policies and procedures that establish guidelines for managing technical vulnerabilities.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-100) Document vulnerability-management guidelines that support security-event evaluation.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Configuration & Patch Management", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 8}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-081) Perform security and privacy compliance checks on software versions and patches of remote devices before internal connections are established.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-112) Perform ongoing security and privacy compliance checks on devices to support security-event evaluation and incident prevention.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "C. Exceptions Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Employees must submit vulnerability-management exception requests through the ticketing system, detailing business justification, compensating controls, and requested duration. The Information Security Officer and Vulnerability Management Lead must jointly approve, document, and time-limit each exception, which is reviewed at or before expiration.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "D. Violations And Disciplinary Action", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Automated scans, patch-status reports, and security audits detect non-compliance. Suspected violations are reported to the Information Security Officer and HR for investigation. Confirmed violations follow HR disciplinary tiers—verbal warning, written warning, suspension, or termination—based on severity, and may include immediate access revocation or legal action.", "type": "text"}]}, {"type": "paragraph", "content": [{"type": "hardBreak"}]}], - "createdAt": "2025-06-02 05:15:13.657", - "updatedAt": "2025-06-27 06:44:49.548" - }, - { - "id": "frk_pt_6840747d5056e2862c94d0f5", - "name": "P-PS Physical Security Policy", - "description": "Appoint Compliance Program Manager delegated with responsibility for planning and implementing internal control environment", - "frequency": "monthly", - "department": "gov", - "content": [{"type": "paragraph"}, {"type": "heading", "attrs": {"level": 2}, "content": [{"text": "A. Objective", "type": "text"}]}, {"type": "paragraph", "content": [{"text": "This policy establishes controls that ensure the physical security of the organization’s assets, facilities, and personnel. The goal is to prevent unauthorized physical access, damage, or interference to the organization’s premises and critical infrastructure.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2}, "content": [{"text": "B. Applicability And Scope", "type": "text"}]}, {"type": "paragraph", "content": [{"text": "This policy applies to all employees, contractors, and third parties who enter or request access to the organization’s premises, including but not limited to offices, data centers, secure rooms, and other physical locations housing critical infrastructure.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2}, "content": [{"text": "C. Controls", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3}, "content": [{"text": "Access Rights", "type": "text"}]}, {"type": "orderedList", "attrs": {"type": null, "start": 1}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(P-001)", "type": "text", "marks": [{"type": "bold"}]}, {"text": " Maintain an up-to-date list of individuals authorized for physical access to secure areas, and review this list at least annually.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(P-002)", "type": "text", "marks": [{"type": "bold"}]}, {"text": " Require approval from authorized personnel (e.g., manager, security officer) for physical access provisioning to secure areas based on individual need or predefined role.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(P-003)", "type": "text", "marks": [{"type": "bold"}]}, {"text": " Document procedures to register and authorize visitors and temporary staff before granting them physical access.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(P-004)", "type": "text", "marks": [{"type": "bold"}]}, {"text": " Implement continuous monitoring (e.g., CCTV, security personnel) to detect and respond to unauthorized physical access attempts.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(P-005)", "type": "text", "marks": [{"type": "bold"}]}, {"text": " Periodically review and confirm that access to secure areas is restricted to personnel who require it for their job functions.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(P-006)", "type": "text", "marks": [{"type": "bold"}]}, {"text": " Immediately revoke or disable physical access when it is no longer required, including upon termination or change of role.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(P-007)", "type": "text", "marks": [{"type": "bold"}]}, {"text": " Restrict physical access to critical infrastructure (e.g., server rooms, data centers) to authorized personnel only.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(P-008)", "type": "text", "marks": [{"type": "bold"}]}, {"text": " Require documented approval for any physical access to critical infrastructure, ensuring proper authorization and audit trails.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3}, "content": [{"text": "Key and Badge Management", "type": "text"}]}, {"type": "orderedList", "attrs": {"type": null, "start": 9}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(P-009)", "type": "text", "marks": [{"type": "bold"}]}, {"text": " Implement controls for issuing, tracking, and managing physical keys, access cards, or badges.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(P-010)", "type": "text", "marks": [{"type": "bold"}]}, {"text": " Require secure storage of spare keys or master keys in a locked cabinet accessible only to authorized personnel.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(P-011)", "type": "text", "marks": [{"type": "bold"}]}, {"text": " Periodically review issued keys and badges to ensure they are returned or deactivated when no longer required.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3}, "content": [{"text": "Monitoring and Surveillance", "type": "text"}]}, {"type": "orderedList", "attrs": {"type": null, "start": 12}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(P-012)", "type": "text", "marks": [{"type": "bold"}]}, {"text": " Deploy and maintain surveillance systems (e.g., CCTV) in critical areas, ensuring continuous recording and appropriate retention.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(P-013)", "type": "text", "marks": [{"type": "bold"}]}, {"text": " Monitor physical security systems and alarms to ensure timely detection of security events.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(P-014)", "type": "text", "marks": [{"type": "bold"}]}, {"text": " Conduct regular inspections of physical security measures (e.g., locks, doors, barriers) to ensure they are functional and effective.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 3}, "content": [{"text": "Segregation Of Duties", "type": "text"}]}, {"type": "orderedList", "attrs": {"type": null, "start": 15}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(P-015)", "type": "text", "marks": [{"type": "bold"}]}, {"text": " Segregate duties among security personnel, facilities management, and IT staff to mitigate risks related to physical security breaches.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 2}, "content": [{"text": "D. Exceptions Process", "type": "text"}]}, {"type": "paragraph", "content": [{"text": "Employees must submit physical security exception requests through the designated ticketing system, providing business justification, compensating controls, and the requested duration. The Information Security Officer and Facilities Manager jointly review, approve, or reject each request. Approved exceptions are documented, time-bound, and reviewed prior to expiration.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2}, "content": [{"text": "E. Violations And Disciplinary Action", "type": "text"}]}, {"type": "paragraph", "content": [{"text": "Physical security violations are detected through surveillance, periodic audits, and managerial oversight. Suspected violations must be reported to the Information Security Officer and HR for investigation. Confirmed violations are addressed according to HR disciplinary policies—verbal warning, written warning, suspension, or termination—depending on severity, and may include immediate revocation of access or legal action.", "type": "text"}]}], - "createdAt": "2025-06-04 16:29:49.189", - "updatedAt": "2025-06-27 06:45:10.546" - }, - { - "id": "frk_pt_683d352ed697c40275349026", - "name": "P-PR Privacy Policy", - "description": "This policy embeds privacy-by-design principles across all business processes to protect personal data, meet global regulatory requirements, and maintain stakeholder trust.", - "frequency": "yearly", - "department": "none", - "content": [{"type": "heading", "attrs": {"level": 4}, "content": [{"text": "A. Applicability And Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "The policy applies to every employee, contractor, and third party that collects, uses, stores, shares, or disposes of personal data on behalf of the organization in any location or system.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "B. Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Privacy Governance & Framework", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 1}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-154) Integrate privacy principles into product and process design through documented policies and procedures.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-155) Publish and maintain a Privacy Policy that satisfies applicable regulatory requirements on the company website.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-156) Include Privacy Act statements on all forms that collect information for systems of records.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-160) Document a Data Protection Policy assigning staff responsibilities for handling personal data.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-167) Appoint a Privacy Officer to oversee and facilitate regulatory compliance.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Data Inventory & Classification", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 6}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-157) Maintain an up-to-date inventory of personal-data categories with sources, usage, and purposes recorded.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Consent & Transparency", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 7}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-158) Obtain user consent as required before processing personal data.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-175) Document procedures for providing privacy notices to data subjects.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-176) Update and communicate changes to privacy practices to data subjects in a timely manner.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-177) Communicate choices available for collection, use, retention, disclosure, and disposal of personal data.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-178) Obtain explicit consent for processing personal data when required.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-179) Document the basis for determining implicit consent where permitted.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-181) Explain the need for explicit consent and the consequences of failure to provide it.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-192) Obtain consent before disclosing personal data to third parties for privacy objectives.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Data Lifecycle & Retention", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 15}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-162) Document retention and disposal guidelines for personal data.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-180) Collect personal data only for stated privacy objectives.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-182) Limit personal-data use to identified privacy objectives.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-183) Retain personal data in line with privacy objectives and legal requirements.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-184) Securely dispose of personal data when no longer required.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-201) Maintain complete and accurate personal-data records throughout the lifecycle.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Data Subject Rights", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 21}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-163) Honour Subject-Access Requests in accordance with this policy.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-185) Grant data subjects access to stored personal data for review.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-186) Provide copies of personal data upon request in electronic or physical form.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-187) Inform data subjects of access denial and the reasons when applicable.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-188) Correct, amend, or append personal data on valid data-subject request.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-189) Communicate corrections to third parties as committed or required.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-190) Inform data subjects of correction denial and the reasons when applicable.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-200) Provide an accounting of personal data held and disclosures on request.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Privacy Risk & Impact Assessment", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 29}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-165) Conduct Data Protection Impact Assessments to evaluate regulatory risks.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-166) Perform vendor privacy-risk assessments for third parties handling personal data.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-168) Assess suspected data breaches and notify affected parties without undue delay.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Vendor & Third-Party Privacy Management", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 32}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-159) Maintain a list of contractual privacy obligations derived from customer contracts.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-164) Ensure appropriate remediation when personal data is shared with vendors.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-173) Document a vendor-management policy that incorporates privacy-risk assessment guidance.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-195) Obtain written privacy commitments from vendors and third parties with personal-data access.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-196) Assess vendor privacy compliance periodically and initiate corrective action when needed.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-197) Require vendors to notify the organization of unauthorized personal-data disclosures.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-198) Report vendor notifications to the appropriate personnel per incident-response procedures.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-172) Apply documented procedures to ensure cross-border personal-data transfers comply with applicable laws.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Access & Authorization Controls", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 40}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-161) Require authorized approval for logical-access provisioning to privacy-related systems.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Awareness & Reporting", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 41}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-174) Provide employees with instructions for reporting privacy failures, incidents, and complaints.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Incident & Breach Response", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 42}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-169) Document guidelines for notifying customers and stakeholders of privacy breaches.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-170) Maintain records of privacy-incident investigations and response actions.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-171) Document guidelines for notifying customers and stakeholders of PII breaches.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-199) Provide breach notifications to affected data subjects, regulators, and others as required.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Disclosure & Recordkeeping", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 46}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-191) Disclose personal data to third parties only with explicit data-subject consent.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-193) Create and retain accurate, timely records of authorized personal-data disclosures.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-194) Create and retain accurate, timely records of unauthorized personal-data disclosures.", "type": "text"}, {"type": "hardBreak"}]}]}]}, {"type": "heading", "attrs": {"level": 5}, "content": [{"text": "Monitoring & Corrective Action", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "orderedList", "attrs": {"type": null, "start": 49}, "content": [{"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-202) Implement a process for receiving, addressing, and resolving privacy inquiries, complaints, and disputes.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-203) Monitor privacy-program compliance and take corrective actions for identified deficiencies.", "type": "text"}, {"type": "hardBreak"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "content": [{"text": "(T-204) Communicate resolutions of privacy inquiries, complaints, and disputes to data subjects.", "type": "text"}]}]}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "C. Exceptions Process", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Employees must submit privacy-related exception requests through the ticketing system, including business justification, compensating controls, and requested duration. The Privacy Officer and Information Security Officer must jointly approve, document, and time-limit each exception, which is reviewed at or before expiration.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 4}, "content": [{"text": "D. Violations And Disciplinary Action", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "content": [{"text": "Audits, monitoring tools, and incident reviews detect non-compliance with this policy. Suspected violations are reported to the Privacy Officer, Information Security Officer, and HR for investigation. Confirmed violations follow HR disciplinary tiers—verbal warning, written warning, suspension, or termination—based on severity, and may involve regulatory notification or legal action.", "type": "text"}]}, {"type": "paragraph", "content": [{"type": "hardBreak"}]}], - "createdAt": "2025-06-02 05:22:53.597", - "updatedAt": "2025-06-27 06:45:37.825" + "updatedAt": "2025-08-19 18:28:48.022" }, { "id": "frk_pt_685e42445c99797321ef051a", @@ -435,9 +235,19 @@ "description": "Defines robust password rules, enforces MFA on sensitive systems, secures credential storage, and locks or resets risky accounts.", "frequency": "yearly", "department": "it", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Password Requirements", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Multi-Factor Authentication (MFA)", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Credential Storage & Transmission", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Account Lockout & Recovery", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Provide strong, user-friendly authentication that resists brute-force and credential-stuffing attacks.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – All human and service accounts accessing organisational applications, devices, and infrastructure.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Password Requirements", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Minimum 12 characters or passphrase; prohibit commonly breached strings.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "No forced periodic rotation unless compromise suspected.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Unique password per system; store passwords in an approved password manager.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Multi-Factor Authentication (MFA)", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Enforce MFA for admin accounts, remote access, and any system holding Confidential or Restricted data.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prefer authenticator apps or hardware tokens; SMS only as fallback.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Credential Storage & Transmission", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Hash user passwords with bcrypt/Argon2 (min 10 rounds) and per-user salt.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Transmit login data only over TLS.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Never embed secrets in code repositories.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Account Lockout & Recovery", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Lock accounts after 5 failed attempts within 15 minutes; auto-unlock after 30 minutes or admin reset.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Identity-verify users before password reset; issue time-limited reset links.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Automated scans ensure MFA enabled on 100 % target systems; random password audit shows compliance with length policy.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Systems lacking MFA require documented risk acceptance and compensating controls (e.g., IP-allowlist).", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Weak or reused passwords, or disabled MFA, trigger immediate password reset and user retraining.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Review emerging passwordless options; adopt stronger methods when widely supported.", "type": "text"}]}], + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide strong, user-friendly authentication at {{COMPANY}} that resists brute-force and credential-stuffing attacks, protecting access to {{CRITICAL}} and {{DATA}} across {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All human and service accounts accessing organizational applications, {{DEVICES}}, and infrastructure. Applies to the {{LOCATION}} workforce; only managed {{DEVICES}} may administer identity systems or production auth settings in {{CRITICAL}}.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain authentication configurations and audit evidence for the full Type 2 period plus 12 months; treat relevant IdP and SaaS providers as subservice organizations.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "For systems handling ePHI, apply technical safeguards for access control, authentication, and transmission security and retain documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Password Requirements", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Minimum 12 characters or a passphrase; prohibit commonly breached strings.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "No forced periodic rotation unless compromise is suspected.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Unique password per system; store passwords in an approved password manager.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Do not reuse passwords across work and personal accounts.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Enforce length and reuse rules in IdP/directory policies and document settings.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Require unique user identification and person or entity authentication for ePHI systems.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Multi-Factor Authentication (MFA)", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Enforce MFA for admin accounts, remote access, and any system holding Confidential or Restricted {{DATA}} or running in {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prefer authenticator apps or hardware tokens; SMS only as a fallback.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Apply step-up MFA for sensitive actions (e.g., policy changes, key access) where supported.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Track MFA coverage for in-scope systems; remediate gaps promptly and retain evidence.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Use MFA for remote access to ePHI and for privileged accounts on ePHI systems.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Credential Storage & Transmission", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Hash user passwords with bcrypt or Argon2 using per-user salt (minimum cost factor 10 for bcrypt).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Transmit login data only over TLS; block plaintext logins to {{CRITICAL}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Never embed secrets in code repositories; store application secrets in an approved vault or KMS in {{CRITICAL}} with audit logs retained per {{GEO}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Version-control authentication settings and monitor for plaintext secrets.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Protect authentication credentials for ePHI systems and encrypt any credential exchange.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Account Lockout & Recovery", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Lock accounts after 5 failed attempts within 15 minutes; auto-unlock after 30 minutes or by admin reset.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Verify user identity before password reset; issue time-limited reset links.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Disable inactive accounts per the Access Control policy; remove stale sessions for {{CRITICAL}}.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Log lockouts, resets, and administrator actions; review anomalies monthly.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure authentication and reset processes preserve the confidentiality of ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Service Accounts & Keys", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Prohibit interactive login; use least-privilege scopes and short-lived credentials.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Rotate credentials at least annually and on suspected compromise; store only in vault/KMS.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log all programmatic auth to {{CRITICAL}} and review for anomalies.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain inventory, owners, and rotation evidence for sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Restrict and audit service credentials that can reach ePHI repositories.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Automated scans ensure MFA is enabled on 100% of target systems; random password audit shows compliance with length policy. For teams over {{EMPLOYEES}} employees, expand quarterly sampling across {{CRITICAL}} tiers.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Systems lacking MFA require documented risk acceptance and compensating controls (e.g., IP allowlist) with an expiry date; note any residual risk to {{DATA}} and {{GEO}} constraints.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Weak or reused passwords, plaintext secrets, or disabled MFA trigger immediate reset or access suspension and user retraining.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review emerging passwordless options and adopt stronger methods when widely supported, aligning with {{INDUSTRY}} practices and any obligations affecting {{GEO}}.", "type": "text"}]}], "createdAt": "2025-06-27 07:03:31.937", - "updatedAt": "2025-06-27 07:03:44.105" + "updatedAt": "2025-08-19 18:29:18.519" + }, + { + "id": "frk_pt_685e43997555c7ab39983c21", + "name": "Logging, Monitoring & Audit", + "description": "Centralises and protects logs, sets real-time alerting for critical events, retains audit trails, and reviews metrics and samples monthly.", + "frequency": "yearly", + "department": "it", + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Provide trustworthy evidence for security, troubleshooting, and compliance at {{COMPANY}} by collecting and analysing relevant logs from {{CRITICAL}} systems and services that handle {{DATA}} across {{GEO}}.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Application, system, network, authentication, and cloud-provider logs across all environments. Applies to the {{LOCATION}} workforce; only managed {{DEVICES}} may access central logging tools.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Operate centralised logging and alerting for in-scope systems and retain configurations, alerts, reports, and tickets for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Enable audit controls for systems handling ePHI, protect log integrity and access, and retain required HIPAA documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Log Collection & Centralisation", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Forward logs to a central, access-controlled SIEM or log service hosted in {{CRITICAL}}; archive per {{GEO}} residency where applicable.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Include timestamp, user, event type, and source IP for security-relevant events.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Tag events with environment and application identifiers.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure all in-scope systems forward logs; keep forwarding and parser configurations under version control.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Enable and retain audit logs on systems accessing ePHI; restrict who can view ePHI-related logs (managed {{DEVICES}} only).", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Log Retention & Protection", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Retain security logs at least 90 days online and 1 year in archive; store archives in {{GEO}} when required.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Restrict write access to the logging system; prohibit log tampering or deletion.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Protect archived logs with access controls and integrity checks.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Store archived logs in access-controlled repositories; preserve integrity for auditor sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain audit records for ePHI systems per policy and retain HIPAA Security Rule documentation for 6 years.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Real-Time Alerting", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Create alerts for key events: failed admin logins, privilege escalations, critical errors, and anomalous access to {{CRITICAL}}/{{DATA}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Send alerts to the on-call channel and maintain documented runbooks.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Define alert SLAs and escalation paths; track acknowledgement and resolution in tickets.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Alert on anomalous access patterns involving ePHI and unsuccessful logins on ePHI systems.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Audit & Review", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Review alert metrics and random log samples monthly; include sources tied to {{CRITICAL}} and {{DATA}}.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Produce a quarterly audit report summarizing anomalies and actions.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Retain review notes, reports, and remediation tickets for sampling.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Document investigations and outcomes for events affecting ePHI.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Clock Synchronization", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Sync all servers and {{DEVICES}} to a trusted NTP source; alert on drift greater than 5 s.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}} ", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record NTP configuration and drift monitoring in system baselines.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure timestamps are accurate for ePHI audit trails.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Central platform receives ≥ 95% of target logs; alert queue triaged within SLA. For teams over {{EMPLOYEES}} employees, expand quarterly sampling across {{CRITICAL}} tiers.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Systems unable to forward logs must export daily and upload; document in the asset list, noting any {{GEO}} constraints.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Logging gaps greater than 24 h or unreviewed alerts are escalated to incident response.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Add new log sources and refine alert logic based on incident learnings, {{INDUSTRY}} risks, and any residency or transfer changes affecting {{GEO}}.", "type": "text"}]}], + "createdAt": "2025-06-27 07:09:12.690", + "updatedAt": "2025-08-19 18:29:05.410" }, { "id": "frk_pt_685e43e23b78127274355980", @@ -445,8 +255,8 @@ "description": "Defines detection, triage, containment, communication, legal notification, and post-incident lessons with clear team roles.", "frequency": "yearly", "department": "it", - "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 . Table of Contents", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "1 Document Content Page", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 Policy Objectives and Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Detection & Reporting", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Incident Response Team & Roles", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Containment & Eradication", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Breach Notification & Communications", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Post-Incident Review & Lessons Learned", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 Policy Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Compliance Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2 . Policy Objectives and Scope", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.1 Purpose", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Ensure security and privacy incidents are identified, contained, reported, and resolved quickly, and that required notifications are issued on time.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.2 Scope", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – All information assets, personnel, third-party services, and physical locations.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.3 Detection & Reporting", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Security tools forward real-time alerts to an incident channel.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Anyone discovering suspicious activity must report to security within one hour.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log every alert or report in the incident tracker with date/time.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.4 Incident Response Team & Roles", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assign Incident Commander, Technical Lead, Communications Lead, and Scribe; publish roster with 24 × 7 contacts.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain runbooks for malware, data breach, DDoS, and cloud compromise scenarios.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.5 Containment & Eradication", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Isolate affected systems within 30 minutes of confirmation.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Capture forensics where feasible; patch, clean, or rebuild before re-connect.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document actions and timestamps in tracker.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.6 Breach Notification & Communications", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Notify management immediately for incidents involving personal or regulated data.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Draft customer/regulator notices within legal time-frames (e.g., 72 h for personal-data breaches).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Route all external statements through Communications Lead and legal counsel.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "2.7 Post-Incident Review & Lessons Learned", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct root-cause post-mortem within 10 business days.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record corrective actions, owners, and due dates; track to closure.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3 . Policy Compliance", "type": "text", "marks": [{"type": "bold"}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.1 Measurement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Track mean time to detect (MTTD), mean time to contain (MTTC), and breach-notification deadlines; review quarterly.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.2 Exceptions", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Process deviations allowed only if required to protect life, safety, or critical systems; document afterward.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.3 Non-Compliance", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Unreported or mishandled incidents escalate to executive review; may trigger disciplinary action.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "3.4 Continual Improvement", "type": "text", "marks": [{"type": "bold"}]}, {"text": " – Update runbooks and tooling after each post-mortem or external audit finding.", "type": "text"}]}], + "content": [{"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Purpose", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Ensure security and privacy incidents are identified, contained, reported, and resolved quickly, and that required notifications are issued on time.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Scope", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "All information assets, personnel, third-party services, and physical locations.", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Maintain documented procedures, incident tickets, evidence, notifications, and post-incident reviews for the full Type 2 period plus 12 months.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Implement Security Incident Procedures (164.308(a)(6)) and the Breach Notification Rule (45 CFR 164.400–414). Retain HIPAA documentation for 6 years; Business Associates notify Covered Entities without unreasonable delay and no later than 60 days of discovery.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Detection & Reporting", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Security tools forward real-time alerts to an incident channel.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Anyone discovering suspicious activity must report to security within one hour.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Log every alert or report in the incident tracker with date/time.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Ensure alerting integrates with on-call; track acknowledgement and response times in tickets.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Flag incidents involving ePHI and begin breach-risk assessment per policy.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Incident Response Team & Roles", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Assign Incident Commander, Technical Lead, Communications Lead, and Scribe; publish roster with 24 × 7 contacts.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Maintain runbooks for malware, data breach, DDoS, and cloud compromise scenarios.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Keep current on-call rosters and role handoffs in the ticket.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Engage Privacy/Security Officers for suspected ePHI incidents and coordinate with affected Business Associates.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Containment & Eradication", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Isolate affected systems within 30 minutes of confirmation.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Capture forensics where feasible; patch, clean, or rebuild before re-connect.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Document actions and timestamps in the tracker.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Preserve logs and evidence; record containment start/stop and recovery steps.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Limit access to ePHI during containment; document safeguards applied.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Breach Notification & Communications", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Notify management immediately for incidents involving personal or regulated data.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Draft customer/regulator notices within applicable legal timeframes (for example, GDPR 72 hours to authorities; HIPAA notifications without unreasonable delay and no later than 60 days).", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Route all external statements through Communications Lead and legal counsel.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Archive notifications, approvals, and distribution lists with the incident record.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Perform breach-risk assessment, determine reportability, and document notifications to individuals, HHS, and (if applicable) media.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Post-Incident Review & Lessons Learned", "type": "text"}]}, {"type": "bulletList", "content": [{"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Conduct a root-cause post-mortem within 10 business days.", "type": "text"}]}]}, {"type": "listItem", "content": [{"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Record corrective actions, owners, and due dates; track to closure.", "type": "text"}]}]}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if soc2}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Attach the post-incident review and remediation evidence to the ticket; verify control improvements.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "{{#if hipaa}}", "type": "text"}, {"type": "hardBreak"}, {"text": "Update risk analysis and any affected procedures that impact ePHI safeguards.", "type": "text"}, {"type": "hardBreak"}, {"text": "{{/if}}", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Policy Compliance", "type": "text"}]}, {"type": "heading", "attrs": {"level": 3, "textAlign": null}, "content": [{"text": "Measurement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Track mean time to detect (MTTD), mean time to contain (MTTC), and breach-notification deadlines; review quarterly.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Exceptions", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Process deviations allowed only if required to protect life, safety, or critical systems; document afterward.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Non-Compliance", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Unreported or mishandled incidents escalate to executive review and may trigger disciplinary action.", "type": "text"}]}, {"type": "heading", "attrs": {"level": 2, "textAlign": null}, "content": [{"text": "Continual Improvement", "type": "text"}]}, {"type": "paragraph", "attrs": {"textAlign": null}, "content": [{"text": "Update runbooks and tooling after each post-mortem or external audit finding.", "type": "text"}]}], "createdAt": "2025-06-27 07:10:25.721", - "updatedAt": "2025-06-27 07:10:36.661" + "updatedAt": "2025-08-19 18:29:33.133" } ] \ No newline at end of file