Purpose:
Section titled “Purpose:”This WI details how to add users to the Policy Scorecard dashboard as well as creation and deploying policies.
Scope:
Section titled “Scope:”Technology
Responsibility:
Section titled “Responsibility:”SOC, vCIO, vITM
Completion Criteria:
Section titled “Completion Criteria:”Client is added, users are added, policies are created and adopted.
Records:
Section titled “Records:”Within the Policy Scorecard dashboard.
Adding New Clients
Section titled “Adding New Clients”-
Go to clients.
-
Add New client from the button on top.
-
Enter client information, Address, City, State and Zip Code is required.
-
Click Add
- Client gets added and automatically activated.
Adding users to client
Section titled “Adding users to client”- Select the client you wish to edit.
- Manage Contacts
-
Keep in mind the MSP users (Policy Scorecard admins) will appear under all clients.
-
Click Create a new contact.
We can Add manually, Import from CSV, Import from MS Graph
MS Graph
Section titled “MS Graph”
-
Choose to Auto Sync contacts or not, usually we would want to autosync.
-
Click on Import & Sync Now and you will be prompted to log into M365. Use an account with Global Admin privileges and allow access to permissions that are requested.
Manually add
Section titled “Manually add”
Once contact is created, they need to be invited to the platform. When you click on the invite, that user will receive a unique invite via their email. That user then creates their own username/password and MFA.
Audiences
Section titled “Audiences”Audiences are the “roles” for what each user can do and see within Policy Scorecard
-
Reviewers: Provide feedback and review the documents
-
Approvers: Executives that have permissions to authorize and approve a document. This is the role required to make documents as well.
-
Assessment Audience – For Assessments, not used at this time.
-
Adopters: No access to edit/review documents. Can only view/sign/adopt documents.
-
Legal: usually 3rd party, legal reviewers
- You can click on each audience to review who has what permissions and add users to each permission. Alternatively, you can add contacts to the right audience directly from the contact page.
Manage Policies
Section titled “Manage Policies”Under the left side, select Policy Scorecard, then Our Policies
-
You can Add a Policy from scratch or utilize the template. For this demo, we will be using the password policy template.
-
Add policy
-
Name document
-
Choose from template
The next page will contain quite a bit of data around the context of the document.
-
Category – Depends on the company, usually designated by terms such as Policy/Procedure/SOP/Checklist etc. Can config for each company.
-
Reference Material – Any material you would like to link to (Password Policy to NIST)
-
Policy Tags - Control Numbers for internal KBs
-
Time Reminder – Set this to 9 months out so we can schedule the annual review before the 12-month mark arrives.
-
Short Description (Used in company Knowledge Base)
-
Intended Audience (All Staff, Certain departments)
-
Related Documents (Any other published documents)
-
KB Article Link (Once published, KB link will appear)
-
RMF sliders (optional, can choose if it applies)
-
Hit save to save all the fields.
-
Now go to draft version 1.0.0
-
Then you can edit the policy document or create it if you are starting from scratch.
-
Document the summary of changes and edit as needed.
-
The editor also supports copy/paste from Word and PDFs as well if needed.
-
Make the required changes to the document, then save draft to save a version, and you can switch between versions
- You also have the ability to add comments/redlining.
You can export to PDF if needed for hard copy.
Submit to Review
Section titled “Submit to Review”-
Select the people who need to approve and review. Only individuals who have been invited to the platform, have accepted the invite, and have created their account will show here.
-
Approvers and reviewers are required, can be the same person. Legal is optional.
-
For the base package policies, the reviewer will be the vCIO, and the approver will be the designated client POC. Addition reviewers and adopters can be added.
- Once you hit submit an email will be sent to the individuals with a link to log into the platform and provide reviewing/approving, and the status will show pending.
- Reviewer will open link from email, and can comment, redline, download the document, reject, or approve.
- After reviewers and approvers accept, it will show as authorized.
- Then you go back into the document and publish the document
- Once you publish, you create an adoption campaign.
Create Adoption Campaign
Section titled “Create Adoption Campaign”
Choose Audience Group
Section titled “Choose Audience Group”-
Campaign Title
-
Description
-
Set a reminder time. The users that need to adopt this policy will get a reminder every (x) days that you choose.
Send notifications.
Section titled “Send notifications.”-
After that an email will be sent to everyone in the chosen audience group.
-
The adopters will click on the link in the email that will take them to the policy. They will need to check the box at the bottom of the policy and hit adopt, as well as digitally signing their name.
- You can click on the adoption campaign to see who has adopted and hasn’t and can send reminders.
- Once published as well, you can view in the company KB, send KB link to users and select expiration date.
- Users can view all published documents within the Knowledge Base. All version control and a list of users that have signed off on the document can be viewed from here as well.
