Policy Template Variable Registry
This document lists all variables used across GetCimple policy templates. These variables allow policies to be customized for each organization while maintaining consistent structure.
Core Organization Variables
| Variable | Description | Example Value |
|---|---|---|
| {{company_name}} | Legal name of the organization | "Acme Corporation Pty Ltd" |
| {{company_email}} | Primary organizational contact email | "info@acme.com.au" |
| {{company_website}} | Organization's website URL | "www.acme.com.au" |
Document Metadata Variables
| Variable | Description | Example Value |
|---|---|---|
| {{version}} | Document version number | "1.0" |
| {{effective_date}} | Date policy becomes effective | "2024-01-01" |
| {{document_owner}} | Role responsible for maintaining the policy | "Chief Information Security Officer" |
| {{next_review_date}} | Scheduled review date | "2025-01-01" |
| {{approved_by}} | Person/role who approved the policy | "Board of Directors" |
Authority & Responsibility Variables
| Variable | Description | Example Value |
|---|---|---|
| {{policy_authority}} | Primary authority for policy decisions | "CEO and CTO" |
| {{managing_authority}} | Day-to-day management authority | "IT Manager" |
| {{compliance_officer}} | Compliance oversight role | "Compliance Manager" |
| {{data_controller}} | Data protection controller | "Privacy Officer" |
| {{security_officer}} | Information security role | "Information Security Manager" |
Provider Variables (Internal or External)
| Variable | Description | Example Value |
|---|---|---|
| {{it_provider}} | IT support function | "IT Department" or "TechSupport Pty Ltd" |
| {{security_provider}} | Security operations function | "Security Team" or "CyberGuard Services" |
| {{audit_provider}} | Internal/external audit function | "Internal Audit" or "KPMG" |
Team References
| Variable | Description | Example Value |
|---|---|---|
| {{management_team}} | Executive management reference | "Management Team" |
| {{board_reference}} | Board of directors reference | "Board of Directors" |
| {{hr_department}} | Human resources function | "Human Resources" |
Compliance & Legal Variables
| Variable | Description | Example Value |
|---|---|---|
| {{privacy_legislation}} | Applicable privacy laws | "Privacy Act 1988 (Cth)" |
| {{financial_legislation}} | Financial services laws | "Corporations Act 2001" |
| {{financial_license_type}} | License abbreviation | "AFSL" |
| {{jurisdiction}} | Legal jurisdiction | "Australia" |
Contact Variables
| Variable | Description | Example Value |
|---|---|---|
| {{privacy_contact}} | Privacy inquiries contact | "privacy@company.com.au" |
| {{security_contact}} | Security incident contact | "security@company.com.au" |
| {{compliance_contact}} | Compliance questions contact | "compliance@company.com.au" |
| {{privacy_officer_name}} | Name of Privacy Officer | "Jane Smith" |
| {{additional_collection_purposes}} | Additional data collection purposes | "Marketing communications (with consent)" |
Usage Notes
- Flexibility: Variables are designed to accommodate both internal departments and external service providers
- Customization: Organizations can map variables to their specific structure
- Consistency: Use the same variable values across all policies
- Updates: When organizational structure changes, update variables in one place
Implementation Guidelines
When implementing these templates:
- Review all variables and determine appropriate values for your organization
- Consider whether functions are handled internally or by external providers
- Ensure role titles match your organizational structure
- Update compliance references to match your jurisdiction and industry
- Maintain a master list of your variable values for consistency
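
One way to check a master list before it is applied to a template, shown as an added example that is not GetCimple's own code. The validation rules are assumptions inferred from the example values in this registry, and the sample master list and template text are constructed.

```python
import re
from datetime import date

# Page syntax is {{name}}; tolerating inner whitespace is an assumption.
PLACEHOLDER = re.compile(r"\{\{\s*([a-z0-9_]+)\s*\}\}")

# Rules inferred from the registry's example values (assumptions, not a spec).
ALLOWED = {
    "implementation_status": {"Yes", "Partially", "No"},
    "e8_target_maturity": {"Level 1", "Level 2", "Level 3"},
}
ISO_DATES = {"effective_date", "next_review_date"}
INTEGERS = {"password_min_length", "lockout_threshold", "session_timeout"}

def validate_master(values):
    """Return a list of problems found in the master list of variable values."""
    problems = []
    for name, value in values.items():
        if name in ALLOWED and value not in ALLOWED[name]:
            problems.append(f"{name}: {value!r} not in {sorted(ALLOWED[name])}")
        elif name in ISO_DATES:
            try:
                date.fromisoformat(value)
            except ValueError:
                problems.append(f"{name}: {value!r} is not YYYY-MM-DD")
        elif name in INTEGERS and not value.isdigit():
            problems.append(f"{name}: {value!r} is not a whole number")
    return problems

def render(template, values):
    """Substitute placeholders; return (text, sorted names that had no value)."""
    missing = set()

    def sub(match):
        name = match.group(1)
        if name not in values:
            missing.add(name)
            return match.group(0)  # leave the gap visible in the output
        return values[name]

    return PLACEHOLDER.sub(sub, template), sorted(missing)

# Constructed sample data, not taken from a real policy template.
MASTER = {"company_name": "Acme Corporation Pty Ltd", "effective_date": "2024-01-01",
          "next_review_date": "01/01/2025", "implementation_status": "Partial",
          "password_min_length": "14", "lockout_threshold": "five"}
TEMPLATE = ("{{company_name}} requires passwords of at least {{password_min_length}} "
            "characters. Report incidents to {{security_contact}}.")
```

Running `validate_master(MASTER)` before `render(TEMPLATE, MASTER)` catches malformed values first, and the second return value of `render` lists placeholders that would otherwise ship unfilled in a published policy.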
Implementation Status Variables
| Variable | Description | Example Value |
|---|---|---|
| {{policy_owner}} | Person responsible for this specific policy | "IT Manager" or "Security Officer" |
| {{implementation_status}} | Current implementation state | "Yes", "Partially", or "No" |
Essential Eight Variables
| Variable | Description | Example Value |
|---|---|---|
| {{e8_target_maturity}} | Target Essential Eight maturity level | "Level 1", "Level 2", or "Level 3" |
| {{e8_target_timeframe}} | Timeframe to achieve E8 targets | "12 months" |
| {{e8_controls}} | Which E8 controls this policy supports | "Application Control, MFA" |
| {{patching_timeframe_apps}} | Application patching timeframe | "48 hours" or "1 month" |
| {{patching_timeframe_os}} | OS patching timeframe | "48 hours" or "1 month" |
E8 Maturity Tracking Variables
| Variable | Description | Example Value |
|---|---|---|
| {{ac_current}}, {{ac_target}}, {{ac_date}} | Application Control maturity | "0", "1", "2025-06-30" |
| {{pa_current}}, {{pa_target}}, {{pa_date}} | Patch Applications maturity | "0", "1", "2025-06-30" |
| {{mo_current}}, {{mo_target}}, {{mo_date}} | MS Office Macro maturity | "0", "1", "2025-06-30" |
| {{uh_current}}, {{uh_target}}, {{uh_date}} | User Hardening maturity | "0", "1", "2025-06-30" |
| {{ra_current}}, {{ra_target}}, {{ra_date}} | Restrict Admin maturity | "0", "1", "2025-06-30" |
| {{po_current}}, {{po_target}}, {{po_date}} | Patch OS maturity | "0", "1", "2025-06-30" |
| {{mfa_current}}, {{mfa_target}}, {{mfa_date}} | MFA maturity | "0", "1", "2025-06-30" |
| {{rb_current}}, {{rb_target}}, {{rb_date}} | Regular Backups maturity | "0", "1", "2025-06-30" |
Password Policy Variables
| Variable | Description | Example Value |
|---|---|---|
| {{password_min_length}} | Minimum password length | "12" or "14" |
| {{password_history}} | Number of previous passwords to remember | "6" or "12" |
| {{password_max_age}} | Days before password must change | "90" or "365" |
| {{lockout_threshold}} | Failed attempts before lockout | "5" |
| {{lockout_duration}} | Minutes account stays locked | "30" |
| {{account_naming_convention}} | Standard for usernames | "firstname.lastname" |
| {{dormant_days}} | Days before account considered inactive | "90" |
| {{session_timeout}} | Minutes before session expires | "15" or "30" |
| {{service_account_review}} | Months between service account reviews | "6" |
| {{exception_duration}} | Maximum days for policy exceptions | "90" |
Time-Based Operational Variables
| Variable | Description | Example Value |
|---|---|---|
| {{backup_frequency}} | How often backups occur | "daily", "twice daily", "hourly" |
| {{backup_test_frequency}} | How often backup restoration is tested | "monthly", "quarterly", "annually" |
| {{recovery_test_frequency}} | How often recovery procedures are tested | "quarterly", "annually" |
| {{user_access_review_frequency}} | How often user access rights are reviewed | "monthly", "quarterly", "bi-annually" |
| {{supplier_audit_frequency}} | How often third-party suppliers are audited | "quarterly", "annually", "bi-annually" |
| {{bc_plan_test_frequency}} | Business continuity plan testing frequency | "quarterly", "bi-annually", "annually" |
| {{incident_review_frequency}} | How often incident reports are reviewed | "monthly", "quarterly", "annually" |
| {{patch_check_frequency}} | How often patch status is checked | "weekly", "monthly", "quarterly" |
| {{log_review_frequency}} | How often system logs are reviewed | "real-time", "daily", "weekly" |
| {{local_data_retention_days}} | Days before local drive data must be deleted | "30", "60", "90" |
| {{security_review_frequency}} | How often security metrics are reviewed | "monthly", "quarterly" |
| {{exception_review_frequency}} | How often policy exceptions are reviewed | "monthly", "quarterly" |
| {{full_audit_frequency}} | How often comprehensive audits occur | "annually", "bi-annually" |
Numeric Thresholds
| Variable | Description | Example Value |
|---|---|---|
| {{min_password_char_types}} | Minimum character types required in passwords | "2", "3", "4" |
| {{exception_min_password_length}} | Minimum length when standard can't be met | "8", "10", "12" |
| {{exception_min_char_types}} | Minimum character types for exceptions | "2", "3" |
| {{failed_login_attempts}} | Failed attempts before account lockout | "3", "5", "10" |
| {{inactive_logout_minutes}} | Minutes before automatic session logout | "15", "30", "60" |
Reporting & Review Cycles
| Variable | Description | Example Value |
|---|---|---|
| {{board_reporting_cycle}} | How often board receives security reports | "monthly", "quarterly", "annually" |
| {{security_metrics_cycle}} | Frequency of security metrics reporting | "weekly", "monthly", "quarterly" |
| {{compliance_review_cycle}} | How often compliance status is reviewed | "monthly", "quarterly", "annually" |
| {{default_policy_review}} | Default policy review frequency | "annually", "bi-annually", "quarterly" |
Recommended Values by Organization Profile
Small Business (< 50 employees)
- User access reviews: quarterly
- Backup testing: quarterly
- Supplier audits: annually
- Board reporting: quarterly
- Local data retention: 90 days
Medium Business (50-500 employees)
- User access reviews: monthly
- Backup testing: monthly
- Supplier audits: bi-annually
- Board reporting: monthly
- Local data retention: 60 days
Enterprise/Regulated (500+ or financial/healthcare)
- User access reviews: monthly
- Backup testing: monthly
- Supplier audits: quarterly
- Board reporting: monthly
- Local data retention: 30 days
Future Considerations
Additional variables may be added as new policies are developed or requirements change. This registry should be updated whenever new variables are introduced.