Dash ComplyOps v2.3.0 introduces a new comprehensive process for creating, managing, and documenting Policy Activities. This feature replaces the old Dash Policy Calendar Guide. (Update Dash to the latest version).
The latest Policy Activity and Policy Calendar feature enables organizations to keep track of important compliance activities, document actions taken, and attach evidence. Policy Activities are defined in relation to Compliance Policies and answers to policy questions. Users will be reminded of activities as activity due dates approach. In addition, compliance issues will be created when the organization does not complete a policy activity on time.
What Is a Policy Activity?
A policy activity is a meeting, task, or review that the organization must complete at a regular interval. These activities are related to one or more compliance framework controls. To maintain proper levels of compliance, the organization must complete these activities on time. Here are a few examples of policy activities:
- Review compliance policies (Policy Management Policy)
- Perform a Risk Assessment (Risk Management Policy)
- Test the Incident Response Plan (Incident Response Plan)
Creating Policy Activities
- Go to Policy Center -> Compliance Policies -> Edit Policy
- Navigate to the question you would like to define a Policy Activity for.
- Dash provides recommended Policy Activities for certain recurring events.
- Click on the Gear button next to the policy question to create or edit a Policy Activity/Action.
- The Policy Activity drawer will appear.
- For Dash Recommended Policy Activities – A recommended action may be enabled, similar to the drawer shown below.
- For Questions without Dash Recommended Policy Activities – Your team may create a new Policy Activity/Action by clicking “Create Policy Action”.
- You will be prompted to create an Action Title and Description.
- Your team may consider creating actions to review question settings or perform administrative tasks. For example: “Review communication method” or “Review role responsible for ABC”.
- After creating a Policy Action, your team can set the schedule for an Action by expanding the Policy Action Due Date section. Teams can define a schedule for when tasks are “due” and when teams will be notified of the Actions.
- Options for scheduling actions will look like the image below.
- Your team can set Policy Actions to repeat Yearly, Monthly, Weekly, Daily or Hourly.
- After scheduling a Policy Activity/Action, your Action will appear in the Policy Calendar Page of Dash.
Reviewing Policy Activities
After creating Policy Activities, teams can view all scheduled tasks and track and document actions taken in the Policy Calendar.
Policy Activities are ordered with all overdue activities at the top, most overdue first. Upcoming activities follow, sorted with the soonest due first.
- Go to Policy Center -> Policy Calendar
- The Policy Calendar page will look like this:
- You can click on an individual Policy Activity to view more information on the task. Individual Policy Activity Pages will look like this:
From here you can:
- View policy activity metadata and status
- View overdue activity issues
- Mark policy activities as completed
- Add resolution notes to completed policy activities
Documenting Policy Activity Actions
After marking Policy Activities as complete, you may want to document what actions were taken in completing the activity.
To document Policy Actions and Tasks conducted:
- Navigate to the Policy Calendar -> Individual Policy Activity Page
- In the Action Log section of the Policy Activity -> Click on the individual date for the action you have taken.
- After clicking on a date, you will see the following view.
- In the documentation view, your team can add the following documentation:
  - Findings – Any security findings found during the task
  - Actions – Actions taken to complete tasks
  - Resolutions – Steps taken to resolve security findings
  - Evidence Files – Documentation, reviews, and audit files may be uploaded and stored as evidence
Teams may carefully document Policy Activities and collect evidence in order to be better prepared for security evaluation and audits.