What comes to mind when you hear “digital evidence”?

Who cares?

I mean, who actually has to care about digital evidence? Consider the audiences or different roles of people who need to produce or rely on digital evidence: management and business unit leaders; auditors; information management, technology, compliance, and security professionals; and the officers of your organization. We are producing unstructured data, much of it valuable, at a breakneck pace. Do you know who your producers of quality digital evidence are?

When I hear digital evidence, I think of the artifacts that may be considered digital evidence such as raw data, reports, signed documents, test results, specifications, and performance receipts. Documentation of activities that provide assurance, including procedures, work instructions, training sessions and materials, and attestations are also critical. Have you identified which practices and assurances are closest to your significant accounts, risks, and controls?

How do we wrap our arms around digital evidence?

There are systems and practices that provide the bookends for ensuring relevant and reliable results contributing to digital evidence such as systematic management and monitoring of workflow, milestones, deadlines, analyses, and remediations. Digital evidence also relies on the trail of bread crumbs that show who touched what and when including the audit trail of changes, versions, handoffs, and approvals. Without a central portal or system in place, it is plain to see, we cannot reliably manage digital evidence.

Are you taking advantage of all that policyIQ has to offer in these areas?

Alerts, dashboard notifications, and email generated systematically by RGP’s policyIQ helps employees know when work is required of them. The taxonomy of the digital content is configurable and can be subject to the information governance preferences of your organization with appropriate read, write, and approve rights established during initial configuration. policyIQ can provide an enforceable framework to manage contributions, the complete capture, monitoring, and reporting on critical documentation and evidence.

If your opportunity has more to do with the quality of your existing evidence or the need for corroborating evidence, RGP’s subject matter experts can help to assess your need and to fill any gaps identified. Right now—whether related to technology, process, quality, or completeness—make a note of some of those gaps or pain points that just crossed your mind. And then reach out to us: Information@policyIQ.com; 412-263-3330.

From our Supreme Tech Nerd (aka Senior Director of Technology) to Yours

Introducing Matthew Krummert, Senior Director of Technology at RGP, policyIQ. Matt was asked to share his thoughts on some of the common concerns of IT professionals related to cloud applications—and to tell us what some of those concerns are. Matt noted that there are a lot of applications that don’t always fit the customer’s needs, implementation of new products often takes months or years, it seems there are always hurdles to getting your information back from them, you’re never totally comfortable that your content is secure, you have a long wait for support departments to address your concerns, and you’re not sure if anyone on the other end is listening. Following are Matt’s thoughts on how policyIQ stacks up against these concerns.

Especially utilized for small to medium sized businesses, the cloud is transforming the way software works through its reduction of IT risks and ongoing support costs.  Through utilizing these benefits, and those from Web2.0, policyIQ continues to transform the way that businesses handle their content and GRC needs.

Cloud delivery is less risky: Easy to turn on…and to turn off.

Purchasing software can be a complex process as you are never entirely sure what you are getting. Because policyIQ works on demand, organizations are able to mitigate that by testing the software out prior to purchase in a 30-day free trial site. Because policyIQ uses web2.0 features, you can customize the site to fit your needs to ensure that each installation is an optimal package for you and your organization. This means that companies are also able to have a site up and running in a couple of hours and configured for everyday use in a matter of days or weeks rather than typical months-long implementations. If you are not completely satisfied, policyIQ allows you to disconnect at any time and receive a direct delivery of your content to your designated contact.

Is the content really secure? Yes!

Seamless security is also a concern for most departments. Upon creating a site, policyIQ offers three options for authentication: single sign on, custom authentication using SHA1, and LDAP (or Active Directory) security. Once you are in the site, you are able to set security down to the granular item level (a Page, File, or Weblink) or folder in a user or group based fashion which allows multiple departments of an organization to use the site concurrently and securely without knowing that the others exist.

Power at your fingertips and Support to back you up!

Mistakes are always a possibility:

“I deleted something that I need after all.”
“I made changes to the wrong content.”

For these instances, policyIQ utilizes a simple recycling bin, and also offers snapshots which you can schedule at will. Through utilizing either of these processes, policyIQ empowers an individual to fix most potential problems that come up directly within the application. You can also ask any of our existing clients or refer to our recent survey results to rest assured that our Support department is top notch! They address any questions that you have quickly and thoroughly…and you will get to see your ideas for future development come to fruition! We’re actually listening.

Speaking of listening, we’d love to hear from you! If you haven’t already seen a demonstration of policyIQ, go to our website to sign up for a personalized demo or to watch our 5 minute video introduction.

Talk to you soon!

Guidance for Streamlining Audits by Granting Access to External Auditors

Each year we notice more and more policyIQ clients are engaging their external auditors to perform their audits electronically using policyIQ. Earlier this year, we shared how data from policyIQ could be extracted to share it with external auditors. Many organizations find it helpful to give auditors direct access to policyIQ so that they can use the functionality of policyIQ to locate documentation.

Tips for Granting External Auditors Access to policyIQ

If it’s been some time since you implemented or expanded your use of policyIQ, you might have forgotten how to set things up so that new users have appropriate access to content. Here are the critical steps for granting viewing rights to appropriate content to your external auditors:

1. Add Group for External Auditors – policyIQ sites included a group for External Auditors by default, so you might start by locating the group in your structure. If it has been deleted, it is simple to drill down to the position in your Groups and Users structure where you would like to add the group and choose Add > New Group from the table toolbar. Going forward, rather than adding any individual auditors to view Pages, you will only have to manage the users added to this group—this will simplify maintenance.

2. Add Group as Viewers on Pages – Remember that Pages are the root of security in your policyIQ site. The easiest way to grant your new External Auditors group viewing rights to your Pages is to create a report that will pull back all relevant Pages and use the reporting toolbar options to make the change in bulk.

Bulk Report Change

3. Verify Folder Security is Properly Set – Many companies have chosen to allow policyIQ Folders to be visible to all users. If the security of your policyIQ Folders has been restricted to viewing by only specific groups, then you will want to ensure that the External Auditors Group that you added is also among the Viewers of your Folders.

Folder Security

Remember that Page security trumps Folder security. Removing Viewers from a Folder will only make the appearance of the Folder in the left navigation disappear from the Viewers—Search and Report results will still return all Pages upon which any users have been granted rights as Viewers.

4. Ensure Pages are Published – Note that Viewers on Pages are only able to see those Pages once the Pages are Published. Your team can comfortably continue performing their work and updating content knowing that it is only visible to those with appropriate security access rights (Administrators and Editors of the Page and anyone with Global Permissions to view Pages in the site—such as your Site Administrators). When you’re ready to share with your external auditors and any other Viewers of the Pages, be sure to Publish the Pages.

A Bonus Tip Regarding User Profiles

If you are unsure of which type of Access to grant your External Auditors, here’s a reminder of some characteristics of each profile that might be helpful to you:

Read Only Users – These accounts can be shared and are always free. Read-only users do not have access to Advanced Search or Reports. They must use the Folder Structure or Search capability to locate content.

Standard Users – There is a small fee for Standard Users (contact us to look at your agreement). These users will have access to Advanced Search—the option in the left navigation that is a slimmed down version of Reports. It allows users to create a list of Pages narrowed down by any number of Filters.

Advanced Users – There is a fee for Advanced Users (contact us to look at your agreement). Advanced Users have access to both Advanced Search and the Reports module. This is the type of account that can utilize Reports such as a Risk-Control-Test Matrix (a Detail Link Report) to view and analyze content.

If you have any questions about granting access to your External Auditors, contact us at support@policyIQ.com and we’ll get you started right away!


Here a cloud, there a cloud, everywhere a cloud application! What information governance!?

I came across an article, More Employees “Going Rogue” On IT that reminded me of a recent client experience. Doolittle writes in the piece, “Employees are signing up for free apps and cloud services without running it by IT!” Yes, this practice is reaching near epidemic levels. So often people have something that they want to accomplish and the natural tendency is to come up with the fastest and easiest way to get it done. They recall encountering one of the bajillion tools that they’ve used in their personal life that would work “perfectly” in this situation.

Ulgh! It is difficult to keep up with all of the easy access web applications that are coming online.

policyIQ-for-Information-GovernanceThe client that I worked with has used policyIQ for their Sarbanes Oxley compliance documentation, historically. They recently discovered that employees from all ranks of the business were storing and sharing company information on a wide range of cloud applications. Alone, that might not seem like a big deal—they’re being creative and finding ways to be productive—great! The issue is that many of those tools matter-of-factly state (as Google did this week) that users should have ‘no legitimate expectation of privacy’ when sharing content through a third party. Most of those apps were not intended for business use and certainly not for the confidential sharing of sensitive business information! Not to mention that employees were driving up costs in an uncontrolled manner by subscribing to many services and loading content indiscriminately.

This is really what drove our client to reach out to us. While their IT organization had not yet adopted the practice recommended in Doolittle’s post of creating and educating their employees on their IT Security Policy, they knew that policyIQ’s hosting service was SAS70 and SSAE16 Type II compliant. They had put it through the necessary reviews and had trusted their financial compliance to policyIQ for years. They had experience with locking down some content to small teams while allowing others read only access to a broader base of work. They knew that policyIQ really walked them through the information governance discussion upon initial configuration. They had to think about who would hold the keys to the structure, who could add content and how content would be shared.

Of course, security is the paramount in the discussion of information governance. Knowing where to find things, which is the master version and having instant access to the status of work is really critical to efficient business. Just ask anyone who has tangled with multiple SharePoint sites running different versions with overlapping content that don’t speak to each other. SharePoint was intended for business and often runs head on into the information governance wall (or the wall created from the lack thereof).

If you can relate to this common issue written about in the linked post and experienced by the policyIQ user described here, reach out to us! We can help you to draft a plan for transitioning processes and documentation to a secure and controlled environment—a plan that you can then use to broach the topic of information governance with your executives who are passing confidential data via their iPad app. Yikes!

Remember when having your head in the clouds was considered a bad thing?

12-11Cloud-imageI recently read an article published by the AIIM organization discussing the struggle that some companies are still having with the pressure to move business information to the cloud. It recaps some of the well-known advantages of incorporating cloud technology into your IT framework, such as centralized access to information, a movement toward easy collaboration among employees from different locations, the reduction (and, hopefully, elimination) of a dependence on email to track down information and updates, and—in the case of some of the more advanced applications like policyIQ—version control, tailored security, and workflow features that contribute to and support your information governance goals.

A point made in the post that we’ll likely hear more often going forward is that companies may not have control of whether or not they make a shift to the cloud for management of their information. By now you’ve probably heard the phrase: the consumerization of IT. People are past that phase where they were unsure of the security around online banking. The newest generation of e12-11nothing-less-in-the-workplacemployees has only known online bill-pay. Most have never had—and never will have—a checkbook. Likewise, consumers have found that going to the web to find their friends, their shopping lists, their music and their photographs is simply commonplace. They expect to have access to everything that is important to them from anywhere! They expect nothing less in the workplace.

The ramifications, then, of not investigating and communicating your strategy for using cloud technology in your organization, is that your employees will likely fill the void by making their own selections (I do mean selections—plural) that have not been properly vetted internally. If you haven’t made a move because you’re concerned about the security of cloud technology, then don’t leave the decision up to your employees who are likely more concerned about the utility of the apps and products that they are choosing.

When you do consider making information available for online collaboration, you’d be better served by also selecting a platform that affords you the opportunity to leverage that information. policyIQ makes it simple to distill the information in your procedures, contracts or regulations down to specific steps, deadlines, dollar amounts, responsible parties, and so on. Getting a handle on the details within your documentation will propel your organization forward with the ability to report on and analyze your information and to make nearly instant business decisions that previously took many man-hours and days to discover.

So, go ahead…let your head wander into the clouds a bit…and contact us to arrange a look at how policyIQ–our secure and affordable, web-based, content management application–can serve your needs.