Policy

Introduction

The Policy module in SAFE has 25+ threat-driven controls that are based on MITRE ATT&CK mitigation controls and post-attack mitigations. MITRE ATT&CK-driven controls have Techniques mapped to them, which will also be visible on the SAFE UI to improve their risk visibility. 

You can see the summary of the Policy assessment on the Questionnaire page.

Clicking the Policy card, you will be redirected to the Policy page. All the 25+ policy controls are applicable to your organization, and you can assess them directly from the Policy page in SAFE.

The Policy page displays a summary of the enterprise risk policy assessment with the details of the number of qualified, failed, not applicable, and not assessed controls.

Assess Policies

To assess the policy controls, click the Questionnaire from the left navigation and then click Policy. On this page, you can view the summary of controls that includes the number of qualified, failed, not assessed, and not applicable controls, followed by the controls list. The control list includes the control ID, control name, control question, control option, status, and risk level.

To assess the policy controls:

1. Click the Questionnaire from the left navigation.
2. Click the Policy card.
3. On the Policy page, read the control's name and control question carefully.
4. Select an appropriate control option from the drop-down.
5. Selecting a control option changes the status of the control accordingly.

Assess Policies in Bulk

To assess the policy controls in bulk:

1. Click the Questionnaire from the left navigation.
2. Click the Policy card.
3. Select the Policies by marking the checkboxes available against them.
4. Three bulk operation options will be available at the bottom-right of the screen - Mark as Qualified, Mark as Not applicable, and Mark as Not Assessed.  
5. Select an appropriate control option.
6. Selecting an option changes the status of the controls accordingly.

Not Applicable Policies

If a policy is not applicable to your organization based on geography, industry, and size, SAFE allows you to mark those policies as Not Applicable. 

To mark a policy as Not Applicable:

1. Click the Questionnaire from the left navigation.
2. Click the Policy card.
3. Select the Policies by marking the checkboxes available against them.
4. Three bulk operation options will be available at the bottom-right of the screen - Mark as Qualified, Mark as Not applicable, and Mark as Not Assessed.  
5. Select the control option Mark as Not applicable available at the bottom-right of the screen. 
6. Selecting an option changes the status of the controls to not applicable.

View Control Details

On clicking a policy control from the list, you will be redirected to the control details page. The control details page displays the control description, risk description, remediations, MITRE ATT&CK mapping, and control history. It also allows you to add comments and evidence.

Add Comments and Evidence

SAFE allows you to upload evidence and add comments as proof of action while changing the status of Policy controls. The evidence and comments help users to understand the reason behind changing the control's status.

To add comments or evidence:

1. Navigate to Policy.
2. Click a policy control for which you want to upload evidence.
3. On the control details page, select the control answer from the drop-down.
4. Scroll down and click the Comments & Evidence option.
5. Click the + Add Comment button.
6. On the Comment & Evidence page, Add comments and upload the evidence.
7. Click the Save button.