GetCimple Default Policy Templates

Overview

This directory contains policy templates organized into two packs (Standard, Complete) that provide standardized cybersecurity governance with customizable variables for Australian businesses.

📦 See policy-pack-structure.md for the 2-tier pack organization

Key Documents

Each policy is in Markdown format with inline variables marked using the following convention:

{{variable_name}}

Common Variables

See variable-registry.md for the complete list of variables used across policies.

Key variable categories:

  • Organization details ({{company_name}}, {{company_email}})
  • Document metadata ({{version}}, {{effective_date}})
  • Roles and authorities ({{policy_authority}}, {{compliance_officer}})
  • Provider functions ({{it_provider}}, {{security_provider}})
  • Compliance references ({{privacy_legislation}}, {{financial_legislation}})

Current Policy Templates (20 Total)

Standard Pack Policies (12)

  1. cyber-and-information-security-policy.md - Comprehensive cybersecurity framework
  2. access-control-policy.md - User access and authentication
  3. incident-response-plan.md - Security incident handling procedures
  4. data-backup-and-recovery-policy.md - Backup procedures and requirements
  5. privacy-policy.md - Privacy and data protection
  6. password-authentication-policy.md - Password and MFA standards
  7. third-party-supplier-security-policy.md - Vendor security requirements
  8. business-continuity-and-disaster-recovery-policy.md - BC/DR governance
  9. data-classification-policy.md - Information classification and handling
  10. physical-asset-environment-security-policy.md - Physical security controls
  11. remote-work-and-byod-policy.md - Combined remote work and BYOD security
  12. employee-handbook---cyber-security.md - Employee cybersecurity guide

Complete Pack Additional Policies (8)

  1. ai-security-policy.md - Artificial Intelligence security and usage
  2. social-media-policy.md - Social media usage and security
  3. infrastructure-network-and-cloud-security-policy.md - Infrastructure security
  4. third-party-software-acquisition-policy.md - Software procurement security
  5. vulnerability-management-policy.md - Proactive vulnerability management
  6. offshore-outsourcing-and-service-provider-policy.md - Offshore provider governance (ASIC-aligned)
  7. security-audit-and-compliance-policy.md - Audit and assurance program framework
  8. secure-software-development-lifecycle-policy.md - Custom software development security (ACSC ISM-aligned SDLC governance)

Governance Tools (Not Policies)

  • essential-eight-mapping-guide.md - Maps Standard Pack policies to E8 controls (included in both packs)

Deprecated/Merged Policies

  • byod-policy.md - Merged into remote-work-and-byod-policy.md
  • business-continuity-and-disaster-recovery-plan.md - Detailed procedures (separate from policy)
  • essential-eight-implementation-policy.md - Renamed to essential-eight-mapping-guide.md (now a guide, not a policy)

Variable Extraction

Each policy contains variables that need to be collected during onboarding:

By Persona

  • Board Director: Approval authorities, governance frequency
  • Executive: Operational responsibilities, delegation
  • IT Manager: Technical requirements, procedures
  • Admin: Document management, distribution lists

By Category

  • Organization Info: Name, industry, size
  • Governance: Approval chains, review cycles
  • Technical: Security controls, system names
  • Compliance: Regulatory references, standards

Usage in GetCimple

  1. Onboarding: Variables extracted to build question flow
  2. Customization: Customer-specific values replace variables
  3. Generation: Final policies generated with all values populated
  4. Maintenance: Annual reviews update variable values

Integration Points

  • Unified Question Bank (variables become questions)
  • Policy Management UI (CRUD operations)
  • Document Generation Engine (variable replacement)
  • Approval Workflows (based on approval_authority variables)

Adding New Policies

When adding a new policy:

  1. Follow the variable naming convention
  2. Document all variables in this README
  3. Map variables to appropriate personas
  4. Update the extraction logic in data-pipeline.md

Status: ✅ Complete - 20 policy templates organized into 2-tier structure

Last Updated: 2025-01-13

Variable Registry: See variable-registry.md for all variables

Pack Structure: See policy-pack-structure.md for Standard vs Complete Pack details