Policy acceptance is a crucial step in compliance because it ensures that all employees, contractors, and other stakeholders formally acknowledge and understand the security, privacy, and operational controls the organization has in place.
Secureframe already includes all policies relevant to the frameworks you have purchased, but you can choose to upload our own policies if those are already defined.
Once you have made a decision on utilizing our Policy templates or your own, and you have reviewed them internally, you are now ready to publish and send for user acknowledgement.
Review, Publish and Send Policies to users
- Select Policies from the left side navigation menu
- Locate the policy you'd like to edit by clicking on the Policy name or using the three vertical dots to the right of the policy
- A Policy Owner is required to publish, so make sure to assign that owner
- If this policy requires a review by all, please check the Require employee acceptance box
- Check to ensure Policy Groups are applied to the policies, and make sure the right users are added into those groups. (note: If you have not created any groups yet, see our Groups article here for step by step instructions.)
- Once you have completed a full review, made edits, you can SAVE AND PUBLISH
- Note: Once published, the status of the policies will change from "Needs Review" to "Published"
Once you have Published all of your policies and are ready to send, visit our full Personnel Onboarding Guide to ensure all other Onboarding steps are complete before sending.
Tracking Policy from Start to Accepted
There are a number of ways in which you can track the status of your Personnel and their policy acknowledgements in Secureframe.
- Personnel Page - On the main personnel page you can add a Accepted Policies column to review those who have completed their acknowledgement or not. (Note: from this screen, we are identifying those with a check who have fully acknowledge all policies or an X for who who have not completed all.)
- Personnel Details Page - by clicking on the name of a specific Personnel, you will see the full list of all required policies, those that are Accepted with a date, and those Not Accepted.
- Test Page - In the test section, you will have a test for each individual Policy. These will start with Acknowledgement of "insert policy name." Once you click on each of these test, the evidence tab will show which users have acknowledged or not. This test page will also show you the Accepted at: date and then Next acceptance: date.
- Data Room Export - In this section, you can access the policy acceptance data for employees by exporting the information from the Data Room page.
Frequently Asked Questions (FAQ)
How do I know who will receive policy emails once I send to users?
- Only users who are part of a group assigned to a policy will be able to review and accept that policy within their employee onboarding.
- For example, if you have the Employees group assigned to a policy, it will be included to review/accept in the onboarding tasks for any user belonging to that group.
Should the invitation for employee onboarding only be done after all policies are published?
- The workflow is completely up to each customer, but we most commonly see customers wait to invite when all policies are published.
- This workflow seems to makes it much easier for the user to login, handle all the tasks and accept all policies in one go, and not have to be reminded again later.
- Regardless of which approach, there is a system in place to notify users if tasks need to be completed. So when new policies are published and not yet accepted, users will be notified via email to accept them each week by default. Those email reminders go out every Monday.
- You also do have the option to send reminders manually from the Personnel page. If anyone has a status of Overdue Tasks or Incomplete Tasks, click the status, then Remind.
I'm not clear on how to make the policies available to the users once I've published the policies?
- Make sure each policy has a user group assigned to that policy, and that group has employees applied.
- For example, you might have a Employees and Contractor group for general policies, but a Developer group that may may need to review additional policies due to their level of access.
Why aren't policies showing up under certain users tasks?
- The most common reason why policies are not showing up is due to the policies not having the employee acceptance required checked. In each policy, there is a check box in the top right to enable/disable the requirement for acceptance. This must be checked in order for the policies to be displayed in the Policies onboarding task page.
- The second most common reason is not having employees in the groups that are assigned to policies.
I want to send the initial policy review to only my managers, how would I accomplish this?
- You would need to create a Group first, then add all the applicable managers into that group.
- After that group is created, you will see tab inside that group called "Policy Access" and this will allow you to select individual policies or Select All.
- Once these policies are published, they will automatically be shared with the users in that group.
I am trying to see Policy acceptance date for some of my older archived policies, but I cannot find them?
-
For this specific case, since the previous policies have been archived, the policy acceptance data is no longer available in the Data Room. Archived policies that are no longer active will not display their acceptance data in the Data Room.
-
To view the acceptance data for these archived policies, you will need to unarchive and republish the policies. Once they are republished, the acceptance data will become accessible in the Data Room for exporting.
The status of my policies is showing ‘needs review’ but I cannot find any mechanism to update this?
- Once you publish a policy, the status of the policies will change from "Needs Review" to "Published".
- Learn how to publish a policy here
Comments
0 comments
Article is closed for comments.