Policies and Documents
Overview
The Policies section helps you version, approve, and distribute security policies. Your vCISO drafts all required policies for you, tailored to your organization. You review them, request changes over Slack, and approve when ready.
Policy Lifecycle
How Policies Are Created
Your vCISO writes the policies required by your target compliance frameworks. They are drafted to match your organization's size, industry, and actual practices. The typical flow:
- Your vCISO drafts the policies and uploads them to Compliance → Policies
- You receive a notification to review
- Discuss changes or ask questions over Slack
- Approve when the policy reflects your organization accurately
Common policy types your vCISO will prepare:
- Information Security Policy
- Acceptable Use Policy
- Access Control Policy
- Incident Response Plan
- Business Continuity Plan
- Data Classification Policy
- And more, depending on your frameworks
You can also create additional policies yourself via Create Policy if you need custom internal documentation beyond what your frameworks require.
Policy Editor
The policy editor supports:
- Rich Text - Formatting, lists, tables
- Sections - Organized structure
- Variables - Dynamic placeholders (company name, etc.)
- Version Notes - Document changes between versions
Approval Workflow
Configuring Approvers
Each policy can have multiple approvers:
- Open the policy
- Click Settings → Approvers
- Add required approvers (e.g., CISO, Legal, HR)
- Set approval order (sequential or parallel)
Submitting for Approval
- Complete policy draft
- Click Submit for Review
- Approvers receive notification
- Track approval status in dashboard
Approval Actions
Approvers can:
- Approve - Move policy forward
- Reject - Return with feedback
- Comment - Add notes without decision
Version Control
Versioning
Policies are automatically versioned:
- Major versions (1.0, 2.0) - Significant changes
- Minor versions (1.1, 1.2) - Small updates
Version History
View all versions:
- Previous content
- Change notes
- Approval history
- Distribution records
Comparing Versions
- Open policy
- Click Version History
- Select two versions
- Click Compare
- View highlighted differences
Distributing Policies
Distribution Methods
| Method | Use Case |
|---|---|
| Send policy with acknowledgment link | |
| In-App | Notify users within Bastion |
| Download | Provide PDF for external use |
Creating a Distribution
- Ensure policy is approved
- Click Distribute
- Select audience:
  - All employees
  - Specific groups
  - Individual users
- Set acknowledgment deadline
- Customize message
- Send
Tracking Acknowledgments
Monitor acknowledgment progress:
- Pending - Not yet acknowledged
- Acknowledged - Confirmed receipt
- Overdue - Past deadline
Send reminders to employees who haven't acknowledged.
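As an added illustration of the acknowledgment states above (example code, not Bastion's own), the following Python model tracks one distribution record and derives Pending, Acknowledged and Overdue per employee from the deadline, plus the reminder list; the policy, names and dates are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Distribution:
    """One distribution of an approved policy version to an audience."""
    policy: str
    version: str
    audience: set[str]                 # employees the policy was sent to
    deadline: date                     # acknowledgment deadline set at send time
    acknowledged: dict[str, date] = field(default_factory=dict)  # user -> ack date

    def acknowledge(self, user: str, on: date) -> None:
        # Only recipients can acknowledge; the first acknowledgment is kept.
        if user not in self.audience:
            raise ValueError(f"{user} was not in the distribution audience")
        self.acknowledged.setdefault(user, on)

    def status(self, user: str, today: date) -> str:
        # Point-in-time view: an acknowledgment dated after 'today' does not count yet.
        ack = self.acknowledged.get(user)
        if ack is not None and ack <= today:
            return "Acknowledged"
        return "Overdue" if today > self.deadline else "Pending"

    def summary(self, today: date) -> dict[str, int]:
        counts = {"Pending": 0, "Acknowledged": 0, "Overdue": 0}
        for user in self.audience:
            counts[self.status(user, today)] += 1
        return counts

    def reminder_targets(self, today: date) -> list[str]:
        # Everyone still unacknowledged, overdue users listed first.
        missing = [u for u in self.audience if self.status(u, today) != "Acknowledged"]
        return sorted(missing, key=lambda u: (self.status(u, today) != "Overdue", u))


def example_distribution() -> Distribution:
    # Constructed sample: four recipients, two acknowledgments (one after the deadline).
    dist = Distribution("Acceptable Use Policy", "2.0",
                        {"alice", "bob", "carol", "dave"}, date(2024, 3, 31))
    dist.acknowledge("alice", date(2024, 3, 10))
    dist.acknowledge("bob", date(2024, 4, 2))
    return dist
```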
Policy Library
Organizing Policies
Organize policies by:
- Category - Security, HR, IT, etc.
- Status - Draft, Approved, Archived
- Owner - Responsible department
- Framework - Related compliance requirements
Search and Filter
Find policies using:
- Full-text search
- Category filters
- Status filters
- Date ranges
Document Repository
Beyond policies, manage:
- Procedures - Step-by-step instructions
- Standards - Technical requirements
- Guidelines - Best practices
- Diagrams - Architecture and process flows
Compliance Mapping
Linking to Controls
Map policies to compliance controls:
- Open policy
- Click Compliance Mapping
- Select relevant framework controls
- Save mapping
This creates evidence links for audit purposes.
Best Practices
Keep Policies Concise
Long, complex policies are less likely to be read and followed. Focus on essential requirements.
Review Regularly
Set review cycles (typically annual) and stick to them. Outdated policies create compliance gaps.
Use Clear Language
Avoid jargon and legalese. Policies should be understandable by all employees.
Track Acknowledgments
Ensure all relevant employees acknowledge policies. Follow up on non-responses.