FAQs: Policies and acknowledgments: templates, mappings, and workflows

This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.

It is meant as quick reference material for day-to-day use of the product.

Acknowledgments and training

All my acknowledgment tests are passing, as they should since everyone has accepted the policies, but the tests themselves show "none" for accepted.

  • This is typically because the "require employee acceptance" option is NOT selected while publishing the policies. Once you check that box in the policy, the data will backfill correctly.

Does the Workday integration support compliance with Secureframe's policy acknowledgment training?

  • No, the Workday integration does not support pulling in policy acknowledgment from users. If policy acknowledgment is completed outside of Secureframe, the data can be manually uploaded to the relevant test or to the Data Room.
  • For more information on our HR integrations, check out our [Using Finch to Connect HR Systems to Secureframe](https://support.secureframe.com/hc/en-us/articles/4410152323347-Using-Finch-to-Connect-HR-Systems-to-Secureframe) article, or use the View details option on the integration's card on the Integrations page.

How can I verify the completion status of Security Awareness training and policy acknowledgement?

  • You can verify completion by navigating to the relevant Security Awareness training or policy acknowledgement test. If you are checking completion for a specific user, you can also review their status directly from the Personnel page.

How can policy acknowledgement or any tests be re-enabled after being disabled?

  • If you've previously disabled Policy Acknowledgement tests or any tests in Secureframe, you can re-enable them from the Test Library.
  • Steps to re-enable Policy Acknowledgement tests:
    1) Go to the Tests page in Secureframe.
    2) In the top-right corner, click Test Library.
    3) Use the search bar to search for “acknowledgement” or any keyword related to the test you are looking for.
    4) Select the tests you want to re-enable using the checkboxes.
    5) Once selected, a bulk action bar will appear; click Enable.
    6) This will return the tests to your active test list.
  • Tip: If you don’t see the Test Library, make sure you're on the main Tests tab (not Frameworks or another section).

How long is policy acknowledgement information stored in Secureframe?

  • Secureframe retains policy acknowledgment records for the lifetime of your active subscription. As long as you remain a customer, all historical policy acceptance data is preserved and available for audit and reporting purposes.
  • If your contract is terminated and the account is deprovisioned, policy acknowledgment records are typically deleted as part of the account cleanup process. Once removed, this historical acknowledgment data can no longer be recovered.
  • At any time while your account is active, you can export a complete history of policy acknowledgments from the Data Room by using the export option in the Accepted Policies section.

How should the method by which the TPSP provides written acknowledgment be determined?

  • The method by which the TPSP provides written acknowledgment should be agreed between the provider and its customers.

Our vendor is a third party that has access to sensitive data, but they are already being treated as a vendor in Secureframe. Do we also need to add their personnel to the platform to complete onboarding (e.g., security training, policy acknowledgment), or is a risk assessment enough?

  • If the third party is being treated as a vendor, and you’ve completed an appropriate vendor risk assessment with supporting documentation, you do not need to add their individuals to the Personnel page for onboarding. This includes cases where the vendor’s employees have access to sensitive data, as long as:
    • The vendor is classified correctly in your Vendor Access module
    • A risk assessment has been completed
    • The vendor’s handling of sensitive data is covered in contracts or due diligence documentation
  • If you instead treat them as part of your internal team (e.g., employees or direct contractors), then onboarding through the Personnel module would be required.

What acknowledgments must written agreements with TPSPs include?

  • Written agreements must include acknowledgments from TPSPs that TPSPs are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that the TPSP could impact the security of the entity’s cardholder data and/or sensitive authentication data.

What does the acknowledgment from the TPSP evidence?

  • The acknowledgment from the TPSP evidences the TPSP’s commitment to maintaining proper security of the account data that it obtains from its customers.

What does the TPSP's written acknowledgment confirm?

  • The TPSP’s written acknowledgment is a confirmation that states the TPSP is responsible for the security of the account data it may store, process, or transmit on behalf of the customer or to the extent the TPSP may impact the security of a customer’s cardholder data and/or sensitive authentication data.

What is not considered a written acknowledgment from a TPSP?

  • Evidence that a TPSP is meeting PCI DSS requirements is not the same as the written acknowledgment specified in this requirement. For example, a PCI DSS Attestation of Compliance (AOC), a declaration on a company’s website, a policy statement, a responsibility matrix, or other evidence not included in a written agreement is not a written acknowledgment.

What is the purpose of a written acknowledgment from a TPSP?

  • The written acknowledgment from a TPSP demonstrates its commitment to maintaining proper security of account data that it obtains from its customers and that the TPSP is fully aware of the assets that could be affected during the provisioning of the TPSP’s service.

Policy management

"Assets & configurations" policy says passwords should be 10 characters and in "access control" policy it says 8. Which one is correct?

  • For the configuration document, we recommend 10 characters for endpoint devices. At a minimum, auditors expect 8 characters across the board. Align the policies to match the implemented configurations.

According to the Data Handling and Classification Policy, is it mandatory to include a classification footnote on every file, slide, or document an employee creates?

  • Not necessarily. The requirement applies to a reasonable extent and should be guided by business context and data sensitivity.
  • Best practices:
    • Formal documents (e.g., customer-facing slide decks, policies) should include a classification footnote or disclosure.
    • Internal templates (e.g., slide decks, Word/Google Docs) can include built-in classification labels to make this easier.
    • If a document is not labeled, per the Data Handling and Classification Policy, it should be treated as Confidential by default.
    • Employees are encouraged to use business judgment — casual or internal working documents may not require labeling, but sensitive or external-facing materials should always be labeled appropriately.

Can actions such as a policy reset or training reset be undone?

  • No, Policy and Training reset cannot be undone and a warning will be displayed so that users can make the right decision.
  • The warning message is as follows for each reset option:
    • Security Training Reset: This cannot be undone. The selected personnel will need to re-complete the selected trainings. Any previous completion history will be retained and can be exported from the data room.
    • Policy Acceptance Reset: This cannot be undone. The selected personnel will need to re-accept the selected policies. Any previous completion history will be retained and can be exported from the data room.

Can an admin resend a policy acceptance notification to a user who didn't receive it?

  • Yes. If a user missed a policy notification — whether due to notification settings, a delivery issue, or joining a group after the policy was published — an admin can manually resend the acceptance request from the Personnel section of the app.

    This ensures the user receives a fresh notification regardless of what happened with the original.

Can policy acceptance be tracked within BambooHR's policy management features?

  • Currently, our BambooHR integration's primary function is to pull in user-related data to understand which personnel are in or out of scope. The integration does not pull policy or any other information outside of user data.

Can we have 2 versions of a policy (e.g., English vs German)?

  • Yes, companies can have multiple language versions of policies if needed. However, Secureframe does not support the management of policies in multiple languages.

Do we need a separate Data Loss Prevention (DLP) policy?

  • A standalone Data Loss Prevention policy is not always required; it is more of a nice-to-have.
  • Instead, DLP requirements are often covered within existing policies such as an Information Security Policy or Network Security Policy. The goal is to document how your organization prevents, detects, and responds to the unauthorized use, transfer, or loss of sensitive data.
  • At Secureframe, we provide a Data Loss Prevention test that validates these controls. During audit readiness, you’ll be asked to provide evidence of your DLP processes or tools (such as configurations, scans, blocking actions, and alerts). If you determine through risk analysis that a DLP tool is not required, you can document that conclusion in your policies.
  • Sample language for a policy section, which you (or your customer) can add directly into an Information Security or Network Security Policy:
    Data Loss Prevention (DLP)
    The organization implements measures to prevent, detect, and respond to the unauthorized extraction, transmission, or use of sensitive data. These measures may include:
    • Use of Data Loss Prevention (DLP) tools to classify, monitor, and protect sensitive data.
    • Configurations to enforce classification rules, automated actions (e.g., blocking or quarantining sensitive data transfers), and alerts.
    • Regular monitoring and reviews to detect anomalous or unauthorized data movement.
    • Documentation of risk analysis if a dedicated DLP tool is determined not to be required.
    These safeguards support compliance with applicable regulations (e.g., HIPAA, GDPR, PCI DSS) and align with the organization’s overall Information Security Program.

Do you have a backup policy?

  • Yes, a business continuity and disaster recovery (BCDR) plan is in place.

Do you have a business continuity and disaster recovery (BCDR) policy?

  • This does not require auditor supervision, but it should be implemented during the audit window.

Do you have a data deletion policy?

  • Customers can delete data directly within the platform or contact Secureframe to delete requested data. Functionality may be impacted if data necessary for services is deleted.

Do you have a password policy?

  • The policy recommends 8 characters at a minimum, but 10 is also acceptable. Ensure it aligns with the implemented configurations.

Do you have any suggested policy language for BYOD?

  • Bring Your Own Device (BYOD) Policy Recommendation:
  • To support secure access to company resources from employee-owned devices, we recommend including the following minimum configuration requirements in your internal policies (e.g., Acceptable Use Policy or Configuration & Asset Management Policy):
    • Device Encryption: Require full-disk encryption on all personal devices used for work.
    • Malware Protection: Ensure devices have active, up-to-date anti-malware software.
    • Access Controls: Enforce screen lock mechanisms (e.g., passcode, biometric) and inactivity timeouts.
    • Security Patching: Keep operating systems and applications updated with the latest security patches.
    • Secure Configurations: Disallow the use of rooted or jailbroken devices.
    • Remote Management: Recommend enrolling devices in a mobile device management (MDM) solution with remote wipe capabilities.
  • ⚠️ Note: These recommendations are general best practices and may not apply to all organizations or frameworks. We encourage you to consult with your internal legal, security, and IT teams before enforcing or publishing any new BYOD policy language.

Do you recommend one giant policy or individual policies?

  • Either can be used, but it’s recommended to keep them separate. Not all personnel need to read all policies. Keeping them separate offers flexibility, and it makes it easier for the auditor to review the documents they need rather than searching a large document.

Does the data retention and disposal policy include the storage of SAD data prior to the completion of the authorization process?

  • Yes, the storage of SAD data prior to the completion of the authorization process is also included in the data retention and disposal policy so that storage of this sensitive data is kept to a minimum, and only retained for the defined amount of time.

Does the email notification include information about policy non-acceptance?

  • Email notifications are typically generic in nature, but they do by default speak to the objective of the email.
  • For example, most system emails related to employee tasks, policies, and background checks speak to the why, as shown below:
    "To help us get and stay compliant, you'll need to complete a few tasks as soon as possible."
  • They also reference what remains for that individual to complete, as shown below:
    1) Complete Security Awareness Training and Questionnaire
    2) Complete a standard background check

Does the password policy require keeping passwords confidential?

  • The minimum recommendation is 8 characters for endpoint devices, though 10 characters are acceptable. The policy should align with the implemented configurations.

For Privacy & Data Protection Policy - Is that for internal data only or does this intersect with their company’s privacy policy on their website?

  • They are separate documents. The Privacy & Data Protection Policy is internal, and there is a separate template for the public-facing privacy policy on the website.

For the ISMS Policy, the customer is looking for clarification on which individuals/providers should be listed in the Interfaces and Dependencies section at the bottom.

  • For internal, any team/department/role relevant to maintaining the ISMS, such as engineering, info sec, compliance, CISO, CTO. For external, any vendor/system contributing to the ISMS, like authentication tools, monitoring tools, MDM, cloud services, etc.

How can I download a policy that has been signed by an employee?

  • You can download employee policy acceptances by navigating to the Data Room > Export > Policy acceptance export.

How can I edit and add headers in policy documents? Our auditors have always required numbering each SOP with its name and date of last revision.

  • Secureframe’s policy module does not have a dedicated header field. However, you can still meet auditor expectations by:
    • Adding the SOP number, name, and last revision date directly in the Policy Name field
    • Or including that information at the top of the policy body itself
  • This approach allows you to clearly present required header details, even though there's no separate header section in the platform.

How can one set the expiration for a policy?

  • There is no current feature for policy expiration.
  • If your policy is no longer valid, the policy owner can choose to unpublish or archive it in the platform. This action would then remove it from any associated tests where personnel would need to acknowledge.

How do we classify data per the Data Classification Policy? Do we simply utilize a file naming convention or save it in a specific location in Drive?

  • You can use file names, metadata in properties, locations, headers, footers, or any other method to denote classification.

How does Secureframe help with policy management?

  • Secureframe provides policy templates, allows organizations to import pre-existing policies, enables publishing and tracking of policies, and includes AI automation for policy creation and updates.

How does Secureframe simplify policy management?

  • It offers policy templates, version tracking, review and approval workflows, and framework-specific policy assignments.

How does the overall information security policy differ from individual security policies?

  • The overall information security policy differs from individual security policies that address specific technology or security disciplines. This policy sets forth the directives for the entire organization whereas individual security policies align and support the overall security policy and communicate specific objectives for technology or security disciplines.

How often is the company's acceptable use policy reviewed?

  • Policies should be reviewed at least annually but can be updated more frequently if necessary, particularly when major software or process changes occur.

How often is the company's change management policy reviewed?

  • Policies should be reviewed at least annually, with updates as needed, particularly after major software or process changes.

How often is the company's code of conduct policy reviewed?

  • Policies should be reviewed at least annually, with updates as needed.

How often is the company's data retention policy reviewed?

  • Typically reviewed annually, but the retention period (30, 90 days, or 1 year) depends on internal/customer needs. The retention period can be less than 30 days if justified in the policy.

How often should the information security policy be reviewed?

  • The information security policy should be reviewed at least once every 12 months.

I completed the “Password policy enforcement for user endpoints (Microsoft Intune)” test, but it still shows as failing. How do I fix this?

  • For Intune-based tests, ensure that:
    • Configurations are set in Intune – Verify your password policy meets the requirements in the How to pass this test section (minimum 8 alphanumeric characters, uppercase and lowercase letters, numbers, special characters, no reuse, etc.).
    • Devices are in compliance – All in-scope devices must apply and follow this configuration.
    • Integration is synced – From the Integrations page in Secureframe, sync the Intune connection to pull updated compliance data.
  • If the test still fails, it’s likely because some devices are not yet compliant. Review device compliance reports in Intune, resolve any non-compliance, then sync again to update the test status.

I had to reset a user's training and policy acceptance and now that user is getting an error. How can I reassign his tasks?

  • If tasks have been reset and need to be reassigned:
    • Check the user’s group membership: go to the user’s profile in the Personnel section, click Edit, and ensure the user is assigned to the correct group for those tasks (e.g., Contractors, Employees).
    • Address “Invalid date” errors: these can occur when tasks are reset and no completion date exists. Once tasks are reassigned, the date field will populate after the user completes them. Simply refresh the page to display the tasks.
    • Have the user log out and back in, or refresh their browser. The reassigned tasks should now appear in their list.

I was editing a policy and accidentally published the policy when saving it. Can I undo the publishing?

  • Yes, you can archive a policy which will unpublish it.
  • When you are ready, you can click the 3-dot menu next to the policy and click un-archive to bring the policy back into a state where it can be published again.

If a client does not have an MDM solution in place, how do they amend the Acceptable Use Policy or the Configuration and Asset Management Policy accordingly?

  • Amend the policies to describe how minimum device configuration settings (e.g., encryption, anti-malware) are enforced.

If a company doesn't do any software development do they need to have a secure development policy?

  • They don't need one if they do not do software development.

If a published policy is edited and saved, does it re-publish that policy and force users to re-accept?

  • Editing and saving a policy does not automatically force re-acceptance. Policies only need to be re-accepted when they hit the 1-year mark from when they were initially accepted.

If our Employee Handbook covers most of the topics in an Acceptable Use Policy or Code of Conduct, do we still need all three policies?

  • No, you do not need all three. One policy can suffice as long as it covers all required subjects and material.

Is a 90-day password change requirement mandatory for the tests "Password policy enforcement for user endpoints (Jamf Pro)" in Secureframe?

  • No, the 90-day password change interval is not strictly enforced as a default requirement.
    Secureframe evaluates password policy compliance based on your organization’s defined policy, not a fixed industry standard like 90 days.
  • According to Secureframe platform guidance, 90-day password cycling is recommended as a best practice, not a mandatory setting. If your internal policy allows for a longer cycle (e.g., 120 days), and that policy is clearly defined and enforced through your MDM (like Jamf Pro), the devices will still be marked compliant.

Is it possible to restore a previous version of a policy from its history?

  • There is no current feature to reset policies back to their original form, but our Support team does have access to the original documents and can reset them for you if needed.
  • Please reach out to support@secureframe.com or ask to speak with a "human" here to request a policy reset back to its original form.

Is the policy accessible to users after it has been accepted?

  • Yes, users can access the policy after accepting by going back to their Employee Onboarding in Secureframe.

Is there a policy that covers data backup?

  • Business continuity and disaster recovery plan.

Is there a way to determine which policy my "enable tests" came from? I'm planning to set test intervals for some of my tests, but I need to know where to find that information in my policy so I can set it correctly.

  • To identify which policy your tests are linked to, you can check the Testing tab within each policy. However, when it comes to setting test intervals, it's important to note that policy tests are platform-based and are automated based on data within the platform. Since they are automated, test intervals cannot be applied to policy tests.
  • For setting test intervals:
    • Intervals are only available for Upload Tests where you manually add evidence.
    • You can set test intervals (monthly, quarterly, yearly) for these types of tests according to your remediation needs.
  • To filter tests that have test intervals:
    1) Go to the Test table.
    2) Expand the Type section.
    3) Select Is Exactly and then choose Upload to filter for tests that support intervals.
  • For more detailed information, refer to our [help center article](https://support.secureframe.com/hc/en-us/articles/9216296479891-Understanding-Tests-Due-Dates-Intervals-Tolerance-Windows-auto-evidence-archives) or reach out if you need further assistance!

Is there a way to signify a department/department head as the primary owner of a policy? For example, right now, Julie is the Owner of our Acceptable Use Policy and will be making edits to it -- but we want to know if we can say "revenue" or X manager in "revenue" owns the policy overall.

  • At this time, we don't have any features around departments and titles. However, you could indicate this in the Policy Body.
  • We are currently working on improvements to Policy V2, and we will keep you updated as those additional features become available.

Is there any chance that Secureframe will provide an Acceptable use of AI Policy?

  • While we do have an AI policy template, it does not really cover acceptable use for users of AI; it addresses the development of AI tooling.
  • It's recommended that the customer drafts an AI section in the Acceptable Use policy they already have in Secureframe.

Our consultants recommended we shorten the Interfaces and Dependencies of our ISMS policy and wanted to get your thoughts on that?

  • You can shorten it, but it is required. It has to be formally listed out and comply with all requirements. You can modify content within a section but not remove it.

S3 bucket required encryption level (AWS) test - "This policy is breaking our logging capabilities of s3 server access logging..."

  • It’s fine to disable this test as long as the other AWS encryption-at-rest tests are passing.

Should a GKE cluster have network policy enabled?

  • Yes, a Google Kubernetes Engine (GKE) cluster should have Network Policy enabled, particularly in production environments.
    By default, Kubernetes allows unrestricted pod-to-pod communication within a cluster. Enabling Network Policy helps enforce least-privilege networking by controlling which pods and namespaces can communicate with each other. This reduces lateral movement risks, limits the blast radius of potential compromises, and aligns with security best practices and compliance requirements.
    While it may be optional for development or test clusters, enabling Network Policy is strongly recommended for production workloads.
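As an added example (not Secureframe's own test logic), the following Python checks a set of parsed NetworkPolicy manifests for a per-namespace default-deny ingress policy, the usual baseline once Network Policy is enabled on a GKE cluster; the manifests and namespace names are constructed for illustration. On GKE these objects are only enforced after network policy enforcement is turned on for the cluster.

```python
import json


def _selects_all_pods(selector):
    """An empty podSelector ({} or no matchLabels/matchExpressions) selects every pod."""
    if not selector:
        return True
    return not selector.get("matchLabels") and not selector.get("matchExpressions")


def _policy_types(spec):
    """Apply the Kubernetes default: Ingress always, Egress only if an egress section exists."""
    types = spec.get("policyTypes")
    if types is None:
        types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    return types


def is_default_deny(policy, direction="Ingress"):
    """True if the policy selects every pod in its namespace and allows no traffic in `direction`.

    Edge case: `ingress: [{}]` is ONE empty rule, which allows all traffic; only an
    absent or empty rule list denies everything.
    """
    spec = policy.get("spec", {})
    if not _selects_all_pods(spec.get("podSelector")):
        return False
    if direction not in _policy_types(spec):
        return False
    rules = spec.get(direction.lower()) or []
    return len(rules) == 0


def namespaces_missing_default_deny(policies, namespaces, direction="Ingress"):
    """Return the namespaces (sorted) that have no default-deny policy for `direction`."""
    covered = {
        p["metadata"]["namespace"]
        for p in policies
        if is_default_deny(p, direction)
    }
    return sorted(set(namespaces) - covered)


def default_deny_manifest(namespace, direction="Ingress"):
    """Build a default-deny NetworkPolicy for `namespace` (JSON is valid input to kubectl apply)."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"default-deny-{direction.lower()}", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": [direction]},
    }


# Constructed sample: prod has a default-deny plus an explicit allow, staging only an
# allow-all policy, dev nothing at all.
SAMPLE_POLICIES = [
    default_deny_manifest("prod"),
    {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "allow-web-to-api", "namespace": "prod"},
        "spec": {
            "podSelector": {"matchLabels": {"app": "api"}},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}]}],
        },
    },
    {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "allow-all-ingress", "namespace": "staging"},
        "spec": {"podSelector": {}, "ingress": [{}]},  # one empty rule = allow everything
    },
]
SAMPLE_NAMESPACES = ["prod", "staging", "dev"]

if __name__ == "__main__":
    # Emit a default-deny manifest for every namespace that lacks one.
    for ns in namespaces_missing_default_deny(SAMPLE_POLICIES, SAMPLE_NAMESPACES):
        print(json.dumps(default_deny_manifest(ns)))
```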

Suggested language for physical security policy for a remote company in the cloud

  • “As a remote company with all IT infrastructure in the cloud, {Company Name} is not responsible for implementing physical security controls to protect our data and infrastructure. {Cloud Service Provider} is responsible for securing data centers, managing physical access to servers, and ensuring environmental safeguards. {Company Name} is responsible for managing logical access to cloud resources, monitoring access logs, and ensuring proper configurations to protect data within the cloud environment.”

The policy states the need to have a mobile device management in place, but we don’t provide mobile phones to employees. How do we go about this?

  • Review the policy before making any decisions about removing sections. The mobile device management section also applies to laptops/workstations.

We are a fully remote organization and do not maintain any physical locations. How does a Physical Security Policy apply?

  • You have two options: 1) De-scope the physical security policy. 2) Amend the policy to describe that these controls are covered by cloud service providers. The information security policy has sections for physical security and remote work. This also applies if personnel use co-working spaces.

What are the challenges of policy management without Secureframe?

  • Writing policies from scratch is time-consuming, purchasing templates is costly, and tracking policy acknowledgments manually is difficult.

What are the requirements for an overall information security policy?

  • An overall information security policy must be established, published, maintained, and disseminated to all relevant personnel, as well as to relevant vendors and business partners.

What can result from the lack of an information security policy?

  • Without an information security policy, individuals will make their own value decisions on the controls that are required within the organization which may result in the organization neither meeting its legal, regulatory, and contractual obligations, nor being able to adequately protect its assets in a consistent manner.

What does "relevant" mean in the context of disseminating the information security policy?

  • “Relevant” for this requirement means that the information security policy is disseminated to those with roles applicable to some or all the topics in the policy, either within the company or because of services/functions performed by a vendor or third party.

What does an organization's overall information security policy tie to and govern?

  • An organization’s overall information security policy ties to and governs all other policies and procedures that define protection of cardholder data.

What does it mean when items are highlighted in yellow in the Retention & Storage section of the Data Retention and Disposal Policy - PCI DSS Addendum?

  • The yellow highlights indicate areas that may need your manual attention. If the area in question is fine you can remove the colored area.

What does the information security policy communicate?

  • The information security policy communicates management’s intent and objectives regarding the protection of its most valuable assets, including cardholder data.

What, if any, sections of the ISO policy should I update?

  • The first thing the auditor will ask is what your scope is in your ISMS policy, which is a business description of what is in scope for the audit. This description will be part of your certification.

What if our company is remote? Do we need a physical security policy?

  • If your company is remote, a physical security policy is required only if your network equipment or servers are onsite and responsible for storing, transmitting, or processing sensitive data. Additionally, if an office location directly connects to the in-scope environment, it could bring that office space into scope.

What instructions can I follow if I want to provide manual screenshots for Password Policy, HD Encryption, and Anti-virus?

  • Mac:
    - Password Policy: System Settings > Profiles > Create a new configuration profile (macOS > Password).
    - HD Encryption: System Settings > Security & Privacy > FileVault.
    - Anti-virus: System Settings > General > Software Updates > Automatic Updates.
  • Windows:
    - Password policy: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.
    - HD Encryption: Settings > Update & Security > Device encryption.
    - Anti-virus: Settings > Control Panel > Security Center.

What is implemented to make all personnel aware of the entity's information security policy and procedures, and their role in protecting cardholder data?

  • Formal security awareness program.

What is required to ensure the information security policy is implemented?

  • To ensure the policy is implemented, it is important that all relevant personnel within the organization, as well as relevant third parties, vendors, and business partners are aware of the organization’s information security policy and their responsibilities for protecting information assets.

What is the purpose of a formal data retention policy?

  • Formal data retention policy identifies what data needs to be retained, for how long, and where that data resides so it can be securely destroyed or deleted as soon as it is no longer needed.

What is the Secureframe test for "KMS permission key policy restriction" checking for?

  • This test checks that your AWS KMS key policies:
    • Avoid using wildcards (e.g., "Principal": "*"), and
    • Limit the number of users or roles that can perform encrypt and decrypt operations.
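The two conditions above, as an added example that is not Secureframe's own test code: a Python check over a KMS key policy document that flags wildcard principals and counts the principals allowed to encrypt or decrypt. The sample policy, account id and role names are constructed, and the threshold `MAX_CRYPTO_PRINCIPALS` is an assumption (the page gives no number).

```python
import fnmatch
import json

# Assumed threshold: the test "limits the number" of encrypt/decrypt principals but the
# page gives no figure, so this value is a placeholder for your own policy.
MAX_CRYPTO_PRINCIPALS = 5


def _as_list(value):
    """Most IAM policy fields accept a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element to identifiers; '*' marks a wildcard principal."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):  # {"AWS": [...]}, {"Service": ...} or {"AWS": "*"}
        found = []
        for value in principal.values():
            found.extend(_as_list(value))
        return found
    return _as_list(principal)


def _allows_encrypt_or_decrypt(statement):
    """True if any Action pattern (globs such as kms:* included) covers kms:Encrypt or kms:Decrypt."""
    for pattern in _as_list(statement.get("Action")):
        for action in ("kms:Encrypt", "kms:Decrypt"):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def check_key_policy(policy):
    """Evaluate one key policy (dict or JSON string) against the two conditions."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    wildcard_statements = []
    crypto_principals = set()
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        principals = _principals(statement)
        if "*" in principals:
            wildcard_statements.append(statement.get("Sid", "<no Sid>"))
        if _allows_encrypt_or_decrypt(statement):
            crypto_principals.update(p for p in principals if p != "*")
    return {
        "wildcard_statements": wildcard_statements,
        "crypto_principals": sorted(crypto_principals),
        "passes": not wildcard_statements and len(crypto_principals) <= MAX_CRYPTO_PRINCIPALS,
    }


# Constructed sample (account id and role names are illustrative): the usual key
# administrator statement, two application roles, and an open "Principal": "*" grant.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRoot", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AppDecrypt", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:role/app-a",
                               "arn:aws:iam::123456789012:role/app-b"]},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
        {"Sid": "OpenDecrypt", "Effect": "Allow",
         "Principal": "*",
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
}

# The same policy with the wildcard statement removed.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [s for s in SAMPLE_POLICY["Statement"] if s["Sid"] != "OpenDecrypt"],
}

if __name__ == "__main__":
    print(json.dumps(check_key_policy(SAMPLE_POLICY), indent=2))
    print(json.dumps(check_key_policy(HARDENED_POLICY), indent=2))
```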

What is the standard policy regarding charges for excessive data requests?

  • Secureframe does not have a standard policy for this, but you're welcome to create one that fits your organization's needs. If you'd like additional guidance, feel free to reach out to your Customer Success Manager.

What is the time frame allowed by SecureFrame for a new employee to complete the onboarding process, including Policy Acceptance, before it is considered a control failure?

  • The required timeframe depends on your organization’s internal policy. If your policy defines a specific deadline (e.g. within 7 or 14 days of hire), that becomes the benchmark for compliance.
  • If no specific timeframe is defined in your policy, we suggest setting a reasonable default (e.g. 30 days) and enforcing it through Secureframe’s onboarding workflows and reminders.

What layer of the OSI model does policy enforcement by NSCs generally occur at?

  • Policy enforcement generally occurs at layer 3 of the OSI model.

What must personnel acknowledge regarding the information security policy and procedures?

  • Personnel must acknowledge at least once every 12 months that they have read and understood the information security policy and procedures.

What must the security policy clearly define?

  • The security policy must clearly define information security roles and responsibilities for all personnel.

What should be examined to verify that the data storage amount and retention time does not exceed the requirements defined in the data retention policy?

  • Examine files and system records on system components where account data is stored to verify that the data storage amount and retention time does not exceed the requirements defined in the data retention policy.

What should the security policy for the organization identify?

  • The security policy for the organization should identify the purpose, scope, accountability, and information that clearly defines the organization’s position regarding information security.

What steps are users expected to do for the policy assignment alerting (Azure) tests?

  • The customer needs to create diagnostic settings and specify which events to capture. This should be sufficient for Azure-related logging tests. A “pass with upload” will work.

What type of evidence satisfies the Password policy test on user endpoints?

  • For SOC 2 Type 1: If you use Active Directory, you can screenshot the password setting and pass the upload since it is an integration test. If you have the Secureframe agent installed, you can disable that test since the other satisfies it. For SOC 2 Type 2: The auditor will pick a random sample from a population of endpoints, so be prepared to provide evidence for any endpoint in scope.
  • If you are using the Secureframe agent, the Secureframe Agent is sufficient to validate password policy compliance. However, auditors are permitted to request screenshot samples to verify automated evidence. If requested, providing a screenshot may be faster than pushing back.

When else should the information security policy be updated?

  • The information security policy should be updated as needed to reflect changes to business objectives or risks to the environment.

Where can I find the Network Security Policy referenced in the PCI DSS ROC documentation?

  • The Network Security Policy is available with frameworks such as PCI DSS, SOC 2, CMMC, and NIST.
  • If you do not see the policy located in your Policy section, please connect with our support team to assist.
  • Email support@secureframe.com or if you are on live chat simply ask for a "human" or "speak to agent" for assistance.

Where is the save button for saving policy changes?

  • If you are saving a policy that has no owner, you will become the owner, assuming you have the right level of access.
  • If you are trying to save a policy where someone else is the owner, you will not have access to save or publish that policy, only that owner can save or publish.

Which load balancing policy should be used to eliminate weak SSL ciphers on AWS Elastic Beanstalk?

  • Use the ELBSecurityPolicy-FS-1-2-2019-08 policy to ensure strong SSL ciphers are in use for AWS Elastic Beanstalk.

Who does the Internal Control Policy apply to?

  • The Internal Control Policy should be assigned only to personnel who are responsible for implementing, managing, or overseeing internal controls within the organization. This typically includes roles such as:
    - Leadership / Executive stakeholders
    - IT Security / Compliance personnel
    - Engineering or DevOps roles involved in system and data governance
    - Other personnel directly responsible for internal control processes
  • This policy is not intended to be assigned to all employees or contractors, only those whose responsibilities relate to internal controls as defined in the policy.

Why aren't task reminder emails being sent for my policy?

  • Task reminder emails require personnel to have a start date set in their profile. This is by design - the system prevents sending reminders to employees who haven't started yet.

    To fix this:

    1. Go to Personnel in Secureframe
    2. Check if affected users have a start date populated
    3. Set appropriate start dates for any personnel with empty values
    Once start dates are set, task reminders will begin sending as expected.

Why did this "KMS permission key policy restriction" test fail for my AWS account?

  • The test likely failed because at least one of your customer-managed KMS keys:
    - Has a "Principal" set to a wildcard ("*"), or
    - Includes too many users/roles without specific restrictions, or
    - Uses a role ARN in the policy that does not match the role actually being assumed.
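The two KMS questions above (what the "KMS permission key policy restriction" test checks, and why it fails) describe a static review of a key policy document. The following is an added example of that review, not Secureframe's own test code: it parses a key policy JSON, flags Allow statements whose Principal is a wildcard, and counts the distinct principals that can Encrypt or Decrypt. The threshold MAX_CRYPTO_PRINCIPALS, the sample policies and the account id 123456789012 are constructed for the example; statement Conditions are not evaluated, which is a deliberate simplification.

```python
"""Static check of an AWS KMS key policy for wildcard principals and an
overly broad set of Encrypt/Decrypt principals.  Added example; not the
Secureframe test implementation.  Conditions on statements are ignored."""
import fnmatch
import json
from dataclasses import dataclass, field

# Operations treated as "use of the key" (assumed scope for this example).
CRYPTO_OPS = ("kms:Encrypt", "kms:Decrypt")
# Assumed threshold; the FAQ gives no number, tune this to your own policy.
MAX_CRYPTO_PRINCIPALS = 5


def _as_list(value):
    """IAM policy JSON allows a scalar or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Principal is either the string "*" or a map keyed by principal type."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    found = []
    for key in ("AWS", "Service", "Federated", "CanonicalUser"):
        found.extend(_as_list(principal.get(key)))
    return found


def _grants_crypto(statement):
    """True if any Action pattern (wildcards allowed, e.g. kms:*) covers CRYPTO_OPS."""
    patterns = [a.lower() for a in _as_list(statement.get("Action"))]
    return any(fnmatch.fnmatchcase(op.lower(), pat)
               for op in CRYPTO_OPS for pat in patterns)


@dataclass
class KeyPolicyFindings:
    wildcard_sids: list = field(default_factory=list)    # Allow statements with a "*" principal
    crypto_principals: set = field(default_factory=set)  # distinct principals able to Encrypt/Decrypt

    @property
    def passes(self):
        return (not self.wildcard_sids
                and len(self.crypto_principals) <= MAX_CRYPTO_PRINCIPALS)


def check_key_policy(policy_json):
    """Evaluate one key policy document (JSON string) and return the findings."""
    policy = json.loads(policy_json)
    findings = KeyPolicyFindings()
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allow widens it
        sid = stmt.get("Sid", f"statement[{idx}]")
        principals = _principals(stmt)
        if "*" in principals:
            findings.wildcard_sids.append(sid)
        if _grants_crypto(stmt):
            findings.crypto_principals.update(principals)
    return findings


# Constructed sample: the shape that fails the test (anyone may use the key).
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRoot", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AnyoneCanUse", "Effect": "Allow",
         "Principal": "*",
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
    ],
})

# Constructed sample: the same key, scoped to two named roles.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRoot", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AppRolesCanUse", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:role/OrderService",
                               "arn:aws:iam::123456789012:role/ReportingJob"]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
         "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        result = check_key_policy(doc)
        print(name, "passes" if result.passes else "fails",
              result.wildcard_sids, sorted(result.crypto_principals))
```

The root-account statement with `kms:*` counts as an Encrypt/Decrypt principal too, which is why the scoped policy reports three principals rather than two; that matches how the test's "limit the number of users or roles" condition should be read.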

Why didn't a user receive an email notification to accept a policy?

  • The most common reason is that the user's notification settings are set to "Never" for tasks.
  • Each user controls their own notification preferences in Secureframe, and if task notifications are disabled at the time a policy is published, they won't receive the email.
  • An admin can ask the user to check their notification settings and update them, then resend the policy acceptance request.

Why must rogue wireless detection be performed even when wireless is not used within the CDE and the entity has a policy that prohibits the use of wireless technology within its environment?

  • This is because of the ease with which a wireless access point can be attached to a network, the difficulty in detecting its presence, and the increased risk presented by unauthorized wireless devices.

Why is the Mapped Frameworks column blank in my policy view?

  • The Mapped Frameworks column is populated based on the Personnel groups assigned to each policy. Only Secureframe's default groups (like ISO 27001 2022, SOC2) have a built-in framework association, which is what surfaces in that column. If your policies are assigned to custom groups, those don't carry a framework association, so the column will appear blank.

Templates and custom policies

Does Secureframe's Vulnerability & Patch Management Policy template include specific SLAs for remediating vulnerabilities?

  • Secureframe's policy templates do not prescribe specific SLA timeframes for vulnerability remediation. This is intentional -- SLAs should be defined based on your organization's own risk tolerance and risk appetite, not a one-size-fits-all number.
    That said, your Vulnerability & Patch Management Policy should include remediation timeframes categorized by severity (e.g., Critical, High, Medium, Low). Auditors will review your policy and test whether you're actually following whatever SLAs you commit to, so it's important that the timeframes you define are realistic and consistently enforced.
    When setting your SLAs, a common starting point is:

    Critical: 15--30 days
    High: 30--60 days
    Medium: 60--90 days
    Low: 90+ days or best effort

  • You're free to adjust these based on what your organization can operationally sustain. Once defined, Secureframe's Jira integration can help track open vulnerabilities against your SLAs and surface anything aging past your defined thresholds -- useful evidence for demonstrating timely remediation to auditors.
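The answer above says an auditor will test whether open findings are actually closed within the SLAs you commit to. The following is an added example of that aging check, not Secureframe's Jira integration: it takes the upper bound of each severity range quoted above as the SLA (treating "90+ days" for Low as 90, an assumption), computes days open for each finding as of a reporting date, and lists what is overdue. The findings and the reporting date are constructed.

```python
"""Age vulnerability findings against severity-based remediation SLAs.
Added example; not Secureframe's Jira integration.  SLA_DAYS takes the
upper bound of each range in the FAQ; Low "90+ days" is assumed to be 90."""
from datetime import date

SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 90}

# Constructed sample findings: (id, severity, date opened, date closed or None)
FINDINGS = [
    ("VULN-101", "critical", date(2024, 1, 2), None),
    ("VULN-102", "high", date(2024, 2, 20), None),
    ("VULN-103", "medium", date(2024, 1, 10), date(2024, 2, 1)),
    ("VULN-104", "low", date(2023, 10, 1), None),
]
AS_OF = date(2024, 3, 1)  # constructed reporting date


def days_open(opened, closed, as_of):
    """Days from opening to closure, or to the reporting date if still open."""
    end = closed if closed is not None else as_of
    return (end - opened).days


def classify(finding, as_of):
    """Return one report row with the finding's SLA status."""
    fid, severity, opened, closed = finding
    try:
        limit = SLA_DAYS[severity.lower()]
    except KeyError:
        raise ValueError(f"{fid}: severity {severity!r} has no SLA defined")
    age = days_open(opened, closed, as_of)
    if closed is not None:
        status = "closed_in_sla" if age <= limit else "closed_late"
    else:
        status = "overdue" if age > limit else "open_in_sla"
    return {"id": fid, "severity": severity, "days_open": age,
            "sla_days": limit, "days_remaining": limit - age, "status": status}


def sla_report(findings, as_of):
    """Classify every finding and summarise what needs attention."""
    rows = [classify(f, as_of) for f in findings]
    return {
        "rows": rows,
        "overdue": [r["id"] for r in rows if r["status"] == "overdue"],
        "late_closures": [r["id"] for r in rows if r["status"] == "closed_late"],
        # Open findings within a week of their deadline (assumed warning window).
        "due_within_7_days": [r["id"] for r in rows
                              if r["status"] == "open_in_sla"
                              and r["days_remaining"] <= 7],
    }


if __name__ == "__main__":
    report = sla_report(FINDINGS, AS_OF)
    for row in report["rows"]:
        print(f"{row['id']:9} {row['severity']:8} open {row['days_open']:3}d "
              f"of {row['sla_days']}d  {row['status']}")
    print("overdue:", report["overdue"])
```

Late closures are kept as their own bucket because an auditor sampling closed tickets will still count a Critical closed on day 45 as a missed SLA, even though it no longer appears on the open list.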

How do I add frameworks to a custom policy so they show up in the “Mapped Frameworks” column?

  • If you're using a custom policy (instead of a Secureframe template), you’ll need to manually link it to the frameworks you want it to map to. This ensures the policy appears in the Mapped Frameworks column and can be selected when mapping controls.
  • Here’s how to do it:
    1. Go to the Policies page in Secureframe.
    2. Locate your custom policy and click the three-dot menu to open the edit feature.
    3. In the right-side panel, scroll to the Frameworks section.
    4. Select the framework groups you want this policy to map to (e.g., HIPAA, NIST, ISO).
    5. The page should save automatically.
  • Once saved and published, the selected frameworks will appear in the Mapped Frameworks column.

How often are Secureframe’s policy templates updated, and how do customers receive updates?

  • Secureframe’s policy templates are updated periodically, primarily when there are changes to underlying compliance framework requirements (such as SOC 2, ISO 27001, HIPAA, or similar standards). These updates do not occur frequently and are typically driven by material changes that affect compliance expectations.
  • When a policy template update requires action from customers—such as reviewing or adopting updated language—Secureframe will notify account administrators in the platform. This ensures customers are aware of any changes that may impact their compliance posture and can take appropriate action as needed.
  • For minor updates that do not require customer action, no changes are required to existing published policies.

Our existing policies overlap with Secureframe’s templates (e.g., Device section in Employee Handbook vs. Acceptable Use Policy). Should we still create a separate Acceptable Use Policy in Secureframe?

  • This is up to your organization’s preference. You can:
    - Adopt the Secureframe template and align it with your existing policies, or
    - Continue with your current policies and clearly point to where the acceptable use content resides.
  • Both approaches are acceptable as long as the requirements are addressed and content is consistent across your policy set.

Additional customer questions

How does Secureframe handle policies?

  • Secureframe provides policy templates, tracks version history, enables policy assignments, and ensures acknowledgment.
