Security Compliance Tailored to Your Firm


Policy Central provides over 750  guidelines, controls, procedures and audit processes.  The content covers the complete spectrum of operational controls, security and compliance.   Developed by experts with over 100 years’ experience building IT service and infrastructure organizations, this content is specifically developed to be approachable to small and medium sized IT service organizations and application developers.

  • 10 Standard Policies supported by …

  • 90 Guidelines implementing …

  • 420 Controls enforced and evidenced by …

  • 65 Procedures informed by

  • 175 Glossary and Reference entries



Policy Central content is fully cross-referenced and integrated in an on-line tool which that facilitates efficient content management, customization  and enforcement of policy management procedures.


Each PolicyCentral artifact is cross-linked to equivalent requirements of multiple security standards including:


  • SOC-2 


  • PCI 3.1

  • ISO 

  • Custom Hierachies


Policy Central delivers content in a form that supports a robust independent audit function. 


  • Roles and responsIbilities are clear

  • Policies documented

  • Controls assessed for compliance

  • Regular reviews performed

  • Acknowledgements recorded

  • Key procedures evidenced

  • Data classifications performed

  • Business continuity established

  • Vendors certified as compliant

  • Contracts contain protections

  • Disciplinary procedures established

  • Training performed

A Single Source of Best Practices

Policy Database​

Policies are the highest level documentation in a control framework.  They describe the Company's enforceable policies.  They are designed to outline clear standards for behavior and not delve into the detail of how a Policy is implemented, which is left to Guidelines and Procedures.  Policies change infrequently. 


Guidelines are documents focused on the specific implementation of policies and covers specific roles, responsibilities, systems and processes.  They establish an important framework to run the everyday business of managing an IT organization.


Controls are granular security requirements associated with a Guideline.  Each control specifies which data classifications require which controls.  Further each contains a Status indicating the Company's compliance.


Procedures are documented processes which cover the implementation of Guidelines and the controls related to those Guidelines.  For example, the Guideline which states that a systems’’ data classification must be periodically audited implements the Data Classification Procedure. In Policy Central procedures describe specific workflow steps and approvals and launch workflow tasks to provide an auditable trail of critical control processes.


Scheduled Procedures are Procedures that are specified to be performed at regular intervals. For example there is a Guideline that specifies that the Security Policy must be reviewed by the Security Committee periodically.  This Guideline is linked to the Perform Annual Review of Security Policy procedure which is scheduled to generate a new Activity .


Tools document the various systems and technologies used in the enforcement of Policies.


Services document internal and external services that are available to enforce policies such as Vulnerability Scans, Penetration Tests, etc.


Training content from Policy Central and open source training suppliers provides critical education components needed to assure that security and user teams are properly informed about security best practices.


​Adoption Workflow

Policy Central implements a complete policy adoption workflow including a structured strategy to review and confirm policy compliance.


Policy Modules


Policy Central Module is a customizable and universal hierarchy of operational controls representing the modern day best practices of an IT organization delivering secure business applications. The hierarchy is designed to map to how a business runs its operations - not a specific and/or ever changing standard such as PCI, SOC or HIPAA.  This strategy allows for a consistent and sustainable process for educating employees and building a culture of security awareness.


Policy Overlays are industry specific hierarchies such as PCI, SOC or HIPAA.  Instead of a company defining an independent control framework for these requirements, Policy Central enables the standard control framework to be mapped to these standard satisfying 80-90% of these standards with re-useable processes that a company uses to run its business. Overlays also permit the customization of content to satisfy the unique characteristics of the smaller percent of controls that are unique to the standard.  This capability is a key benefit for companies that must comply with multiple standards (e.g. PCI and HIPAA).


Content Functions


Policy Survey automates the process of selecting and adopting a subset of Policy Central’s hundreds of guidelines.  Answer simple questions about your business practices and Policy Central nominates the policies and procedures your company should adopt.


Policy Definitions creates an extensible database of common definitions used by your company. These are maintained centrally and automatically merged into policy, guidelines and procedures reducing the actual need to edit policy content.


Policy Adoption Workflow converts the sometimes daunting task for understanding, correlating existing policies and adopting a auditable framework into a step by step project plan.


Policy Updates provide access to a central repository of industry standard content under continuous development at Policy Central.  This function enables Client to subscribe and receive updates top their policy, policy overlay (e.g. PCI) and glossary content.


Other Functions

Evidentiary Activities are created by Procedures and track the steps, data collection and outcomes of these processes. Activities include reportable statuses, email notifications to assigned parties and dashboards to monitor compliance.


Policy Glossary and Resources is a database of terms and links.  Each is linked to one or more Policies, Guidelines or Procedures helping provide context for these documents.  Links might include internet resources or other content which supports or provides educational content to those responsible for implementing the policies.


Artifacts and Documents are a library of documents, spreadsheets and other content that is linked to Policies, Guidelines and Procedures in support of executing on or understanding a specific Policy entry.


Data Collections is a database of registered systems and data sets which documents the Data Classification, Ownership and Governing Policy Overlays (e.g. PCI, HIPAA, PII etc.).


Versioning Control assures that all policy modifications are tracked and subjected to appropriate review, approval, dissemination and acceptance.


Adhoc Requests for Information enables you to quickly and professionally respond to requests for security information by simply cutting and pasting the questions and references into a excel like grid and selecting PolicyCentral policies, guidelines and/or controls which satisfy the question.    A client read report is then prepared.