Policies are rules established by an organization that are designed to guide their
employees. In an IT environment, policies are used to guide the decisions that
relate to the management of the IT infrastructure. Policies have an arbitrary
hierarchy and may map to one or many control statements.
Apolicy with no control statements can indicate an unimportant policy or a policy
where compliance cannot be monitored. A control statement with no policy can
indicate a gap showing noncompliance with one or more regulations.
Every policy has a status that is assigned to it at all times.
The status is one of the following:
A policy that is authored in its initial form. The policy has not been
reviewed. The policy may or may not be complete in the view of the
Also, a policy that has been reviewed but which has change requests,
or a policy that has been unpublished.
Policies can only be changed while in Draft status.
A policy in its first draft that is considered complete by the author.
The policy is automatically submitted to the policy reviewers for their
comments. Reviewer comments and change requests can be made
while the policy is In Review.
A policy that may or may not have reviewer comments. If a policy
does not have change requests from reviewers, the status changes
Awaiting Approval. The status changes automatically when the
deadline that was set during the policy creation passes.
If a policy does have change requests, its status reverts automatically
to Draft when the review deadline passes. After the change requests
are addressed, the author can submit it for review again.
Apolicy is Approved when the author has incorporated all the reviewer
comments and is completely satisfied. A policy that is marked as
Approved is ready for publication.
A policy administrator with rights to the policy can publish an
approved policy. A published policy is accessible to members of the
audience from theControl Compliance Suite Web Portal.
A policy that is archived and no longer in effect. An archived policy
is not visible in the Policy view. Inactive policies are stored in the
Due to the workflow/life cycle of a policy, the status cannot be manually changed and must wait for the review deadline to pass. As a workaround, the value can be manually changed in the database. To do this, run through the following steps:
1. Open up the CSM_DB database
2. Open the policy.Policy table
3. Find the target policy name in the Title column
4. Change the status of this policy to 4 to publish the policy
The following are other status values: