Adding an issue to a policy

Roles and permissions

The following roles can add an issue to a policy:

  • Administrators with manager or contributor permissions on the policy

  • Compliance managers with manager or contributor permissions on the policy

  • Users with manager or contributor permissions on the policy

Issues can be used for many purposes on a policy. Two common uses are:

  • Tracking issues in the policy document that should be addressed in a future review cycle.

  • Tracking exceptions to the policy. An exception is a formal allowance for a control to deviate from a specific section in the policy and follow an alternate guideline. The exception should include an action plan and a due date to bring the control back into compliance with the policy. It can also include the risks to the organization while the control is not in compliance.

For example, if a security policy requires that all passwords be 16 characters long, but there is a legacy system that can only accept 12 characters, you can log an exception using an issue. It can state that it is acceptable to only support 12-character passwords and should contain a plan to upgrade the system to support 16-character passwords. The risk and impact on the organization should be assessed and recorded in Hyperproof as a risk.

To add an issue to a policy:

  1. From the left menu, select Policies.

  2. Select the policy where you want to add an issue.

  3. Select the Issues tab.

  4. Click +New.

    The Create new issue window displays.

  5. Enter the following information:

    1. Summary (required) - A summary of the issue and the potential result if it isn't remediated

    2. Description - A detailed overview of the issue

      For exceptions, you could include the affected control, the part of the policy where the deviation occurs, the new guideline, why the exception is needed, and who approved it.

    3. Make issue private checkbox - Select this checkbox to make the issue private. Doing so restricts inheritance—only users explicitly added to the issue’s facepile can see the issue. Other users (such as members of affected objects) can see that the issue exists, but they’ll only see the issue ID. To access the issue, they’ll need to contact the issue manager(s).

    4. Action plan - The plan to remediate the issue

    5. Impact - The impact the issue has on your organization if it isn't resolved

    6. Priority - The priority level for resolving the issue

    7. Assignee - The individual who will work to remediate the issue

    8. Effort level - The amount of effort it'll take your organization to remediate the issue

    9. Business owner - The individual who owns the issue. Note that a contact can also be an owner.

    10. Executive sponsor - The senior-level individual who is ultimately responsible for overseeing the remediation of the issue

    11. Due date - The date that the remediation is due

    12. Discovered on - The date that the issue was discovered

    Tip

    Business owners and executive sponsors can have an Unassigned status.

    For example, if a business owner had previously been assigned to the issue but an owner is no longer needed, the status can be set to Unassigned.

  6. Click Create.

Once the issue has been created, you can link that issue to any affected controls and risks. See Linking an additional affected object to an issue.