Documents


What are GRC documents?

GRC documents are a consolidated section where users can upload, share, manage, and showcase key GRC documents such as penetration testing reports, insurance policies, and procedures. The documents help complete your compliance program. Providing them satisfies several controls and shows your stakeholders, auditors, and customers that you are fulfilling your obligations.

In addition, upload any number of documents in one place and use them as evidence across all your controls and tests.

The following screenshot shows the “Documents” page in your TrustOps program.

TO Documents Main 01

Adding a Custom Document

You can also create your own document buckets and upload multiple files within them. To get started:

  1. Go to the “Documents” page in your TrustOps program.
  2. Click on the “Add Document” button.
  3. Enter the document name, owner, type, group, and description. Click on the “Add Document” button.
    TO Documents Add Document 02
  4. Add the desired document by uploading it or pasting a link to the document. Click on the “Review Document Details” button.
    TO Documents Add Document Review 03
  5. Review the file details and click on the “Finish” button. Your document will appear in the documents list.
    TO Documents Add Document Finish 04

What types of documents exist?

The following is a list of the document types that are supported:

  1. Procedure
  2. Test Report
  3. Legal
  4. Insurance Policy
  5. User Documentation
  6. Org Chart
  7. Meeting Minutes
  8. Other

Upload once; use many times! The document functionality allows you to upload any number of custom documents and access these key pieces of evidence as part of the self-assessment evidence requirement. Upload documents within the pre-existing buckets or create a custom document directly within the document page.

A step-by-step guide to providing a document as evidence

  1. Go to the “Controls” page of your TrustOps program.
  2. Click on the control.
    TO Inventory Add Evidence Control 03
  3. Go to the Self-Assessment section and click on the plus icon to “Add evidence.”
    TO Documents Add Evidence 05
  4. Click on “Add from Documents.” This will allow you to search through all the documents in your repository and select the key piece of evidence for your control.
  5. Select the document by searching and click on the “Continue” button.
    TO Documents Add Evidence Select Document 06
  6. Confirm your documents and click on the “Add Files as Evidence” button.
    TO Documents Confirm Evidence 07

Please note that the evidence will have to be refreshed regularly unless a pre-existing document bucket is used. Pre-existing buckets automate their controls, so no user action is required, but evidence from custom documents will have to be refreshed via the test page.

Pre-existing Document Buckets

To get started, TrustCloud provides a standard set of document buckets that are extensively used across the platform to meet TrustShare requests, automate controls, and serve as evidence for auditors. Access settings can be managed so that no document is visible to external users without explicit permission.

When navigating to documents, there is a list of predefined buckets that map to key controls across your program. It is recommended to upload or link files for each one of these buckets, as it will result in maximum automation.

For example, linking or uploading your cyber insurance policy automatically populates evidence for the BIZOPS-21 control. Every time you get a new policy, you can upload a new version, and control logic automatically picks up the new file as evidence. You can also view what controls each document automates in the “Controls Automated” section and the standard in the “Satisfies” tag.

The following screenshot shows the “Satisfies” tag and “Controls Automated” section within the document detail view.

TO Documents Auto Populate Control 08

Control Evidence and Automation

This functionality automates 22 controls, with several more being added on an ongoing basis.

| Document Name | Controls Automated | Control Name |
|---|---|---|
| Cyber Insurance Policy | BIZOPS-21 | Cyber Insurance |
| Disaster Recovery Test Report | BIZOPS-6 | Disaster Recovery Testing |
| Security Incident Test Report | BIZOPS-8 | Security Incident Testing |
| Release Notifications | CUST-11 | Release Notifications |
| User Documentation | CUST-15 | Documentation Site |
| Master Services Agreement | CUST-17 | Masters Services Agreement |
| Terms of Use | CUST-18 | Terms of Use |
| Privacy Policy | CUST-19 | Privacy Policy |
| Data Retention Procedure | DATA-16 | Data Retention |
| Data Disposal Procedure | DATA-17 | Data Disposal |
| Disciplinary Process Procedure | HR-7 | Disciplinary Process |
| Board Members Profile | HR-9 | Board of Directors |
| Org Chart | HR-12 | Organizational Structure |
| Code of Conduct | HR-13 | Employee Handbook / Code of Conduct |
| Employee NDA Template | HR-15 | Confidentiality Agreement |
| Career Page | HR-16 | Job Descriptions |
| BOD Meeting Agenda | HR-20 | Board Oversight |
| Pen Testing | INFRA-2 | Pen Testing |
| System Hardening Standards | INFRA-8 | Host Hardening |
| SDLC Standards | PDP-11 | SDLC – Security Reviews |
| Backup Restore Test | PDP-2 | Restore Testing |
| Change Release Procedures | PDP-7 | Change Management Workflow |

Adding Files to Pre-existing Document Buckets

To add files within each document bucket:

  1. Go to the “Documents” page in your TrustOps program.
  2. Click on the desired document.
    TO Documents Details 09
  3. Click on the “Add Files” button. As long as the file upload date is within the evidence refresh date, the evidence is automatically sent over to the control.
    The following screenshot shows how to add files to a pre-existing document bucket.
    TO Documents Add Document 10
  4. Upload files and click on the “Add Documents” button.

Do custom documents automate controls the same way as the pre-existing buckets?

The document functionality supports over 22 different control automations, ranging from cyber insurance to board oversight. While this list is actively expanding, certain organizations have unique control and automation requirements. Functionality is under development to allow you to map custom documents to additional control automations.

Until self-service automation for custom document buckets is released, you can check out additional user guides on control testing here. The existing evidence management and upload workflows allow you to provide any number of links and files as evidence, irrespective of the source.

In addition, feel free to contact the support team if there is a particular control you need help with or would like to automate next.
