Policy Manager
Successful data governance programs rely on well-defined policies and regulations to safeguard both data and users. Policy Manager simplifies this process by offering a place to create and manage data policies.
Policy Manager allows you to store and show the metadata of your policies and regulations, allowing you to link the metadata to your knowledge graph. It provides an overview of your organization’s governance assets, and key functions to adopt, implement, and monitor the digital policies for your organization.
Policy Manager helps keep your data safe by classifying data based on sensitivity and linking these classifications to specific data. For example, personal information, which requires stringent protection, can be managed efficiently. Your Privacy team can create data classification policies to classify data according to its sensitivity. They can then link the Policy asset to relevant resources to track compliance.
Key benefits
With Policy Manager, you can have an overview of the organization’s governance assets:
- Standards, such as ISO-standards or other local standards.
- External regulations, such as GDPR.
- Entities, such as EBA, ISO, EC, and FDA.
- Internal regulations, such as policies, goals, and constraints.
- Controls, such as a dissemination plan.
- Risks, evaluation, and mitigation, such as privacy risk and market access risk.
- Accreditation and certificates, such as conformance certificates.
You can also have an overview of the policy lifecycle:
- Adoption: See the regulations and the respective regulations, paragraphs, and sections to check the adoption of the applicable regulations throughout the organization.
-
- Risks: Define the risks and their mitigation rules, and trace them to the policies and data assets.
Opening Policy Manager
You can open Policy Manager if you have the Product Rights > Policy Manager global permission. To open Policy Manager, on the main toolbar, click
→
Policy Manager.
Policy Manager contains Governance assets such as business rules, data sharing agreements, policies, and rules. You can create your own view or switch to another view.
Use cases
Policy Manager helps keep your data safe by:
- Classifying data based on sensitivity.
- Connecting these classifications to specific data.
Personal information
In any organization, personal information needs to be adequately protected. Typically, your Privacy team sets up the Data Classification Policy, where they classify the data based on how sensitive or critical it is.
Consider the following three classifications for sensitivity:
- Public data: Least sensitive data.
- Private data: Slightly more sensitive than public data.
- Restricted data: Most sensitive data and therefore needs the highest level of protection.
These classifications help determine what level of security is needed for the applications that store or move the data.
A Policy asset and its standards can be linked to the relevant assets, such as Data assets or Technology assets, through the "complies with" relation.
The following image shows the standard sub-assets of the Data Classification Policy asset.
The following image shows a diagram depicting how the Data Classification Policy asset is cascaded down into logical and physical data layers.
Retention policy
Retention policy defines how long data should be retained. For example, some personal data might need to be stored only for one year. Policy Manager helps enforce these retention policies, ensuring that information is removed when it is no longer needed.
Asset types
The following table contains out-of-the-box asset types that are relevant to Policy Manager.
| Asset type | Description | Public ID |
|---|---|---|
| Governance Asset |
A high-level classification for assets designed to monitor, advocate for, and optimize the performance of business and data assets. They serve to align operational activities with organizational goals while minimizing risk. |
GovernanceAsset |
| Data Sharing Agreement |
An agreement between data producers and consumers with terms and conditions including provisions concerning access and dissemination to pool a set of data for specific purposes. Example: Sales growth information that is available only to the Risk team for generating internal reports. |
DataSharingAgreement |
| Policy |
A statement of intent that is set by a council and is implemented by a set of standards. Example: Personal information must be adequately protected. |
Policy |
| Standard |
Consists of specific low-level, mandatory controls that help enforce and support the policy. Example: All personal information must be encrypted with a specific encryption type. |
Standard |
| Rule |
Defines or constrains some aspect of specific business data categories. It is intended to control or influence the behavior of the business. Example: Every customer must have a unique identifier. |
Rule |
| Business Rule |
Defines or constrains some aspect of specific business data. It is intended to control or influence the behavior of business data. Example: Customer numbers must be unique. |
BusinessRule |
Relation types
The following table contains out-of-the-box relation types that are relevant to Policy Manager.
| Relation type | Head | Role | Co-role | Tail | Public ID |
|---|---|---|
| applies to Asset | Asset | complies to | applies to | Governance Asset | AssetCompliesToGovernanceAsset |
| is enforced by Managed Control | Managed Control | enforces | is enforced by | Policy | ManagedControlEnforcesPolicy |
| applies to Compliance Target |
Compliance Target | complies to | applies to | Policy
|
ComplianceTargetCompliesToPolicy |
| governs Rule Target | Rule Target | is governed by | governs | Rule | RuleTargetIsGovernedByRule |
| governed by Governance Asset | Asset | governed by | governs | Governance Asset | AssetGovernedByGovernanceAsset |
Attribute and complex relation types
No out-of-the-box attribute types or complex relation types are included in the global assignments of any Policy Manager-related asset types.