Iron Fort User Documentation

Policy Analysis

How Policy Analysis Works

Policy Analysis is one of Iron Fort's core capabilities. Upload a policy and the AI reads it, identifies HIPAA coverage, and generates compliance evidence automatically.

Upload Process

  1. Go to Policies
  2. Click Upload Policy
  3. Select policy type
  4. Choose your file (PDF or Word)
  5. Click Upload
  6. Wait 30-60 seconds for analysis

What the AI Extracts

Critical Information:

  - Effective date
  - Review frequency
  - Last reviewed date
  - Responsible parties
  - Version number
  - Policy status

HIPAA Coverage:

  - All citations addressed
  - Compliance family categories
  - Required vs addressable specs
  - Coverage gaps

Recommendations:

  - Missing provisions
  - Weak language
  - Suggested improvements
  - Priority actions

Citation Mapping

The AI identifies which HIPAA requirements your policy covers.

How It Works:

  1. AI reads policy content
  2. Matches language to HIPAA requirements
  3. Identifies relevant citations
  4. Links to compliance categories
  5. Generates evidence automatically

Organization:

Citations are organized under 9 family categories:

  1. Technical Controls
  2. Physical & Environmental Security
  3. Business Continuity & Disaster Recovery
  4. Workforce Security & Training
  5. Third-Party Risk Management
  6. Incident Response & Security Operations
  7. Policy & Documentation
  8. Governance & Risk Management
  9. Privacy & Data Use Requirements

Policy-to-Evidence Automation

The Key Innovation:

Upload policies → AI scans them → Citations automatically link → Evidence appears in evaluations

What This Means:

  - No manual evidence gathering
  - No spreadsheet tracking
  - No citation-by-citation linking
  - Instant compliance updates

When to Add Manual Evidence:

Click "Add Additional Evidence" for:

  - Meeting minutes
  - Training records
  - Third-party reports
  - Screenshots
  - Process documentation
  - Compensating controls

Policy Guidance

For each policy, get:

Policy-Specific Recommendations:

  - Tailored to your content
  - Based on HIPAA requirements
  - Prioritized by importance

Risk Mitigation Strategies:

  - Specific actions to strengthen compliance
  - Implementation steps
  - Best practices

Gap Identification:

  - Missing required provisions
  - Weak or vague language
  - Incomplete coverage

Policy Versions and Updates

Tracking Changes:

When you update a policy:

  1. Upload the new version
  2. System compares to previous
  3. Identifies changes
  4. Re-runs citation analysis
  5. Updates compliance status
  6. Alerts to new gaps
  7. Archives old version

Review Frequency:

The system:

  - Tracks when reviews are due
  - Sends alerts before deadlines
  - Documents review completion
  - Maintains review history

Policy Templates

Access pre-built policies for:

  - All HIPAA requirements
  - Sample compliant language
  - Industry best practices
  - Customization guidance

Using Templates:

  1. Browse template library
  2. Select needed policy
  3. Download and customize
  4. Upload customized version
  5. AI analyzes for completeness

Multiple Policy Management

Version Control:

  - System tracks all versions
  - Maintains complete history
  - Links versions to evaluations
  - Preserves audit trail

Policy Verification:

  - Automatic status checking
  - Green = verified and current
  - Orange = needs review
  - Red = missing or outdated

Policy Analysis Reports

Available reports:

  - Policy coverage across HIPAA
  - Gap analysis by category
  - Policies requiring review
  - Compliance score by policy
  - Historical changes
  - Missing required policies

Common Issues Identified

The AI commonly flags:

  - Missing effective dates
  - Undefined review frequencies
  - Vague responsible parties
  - Incomplete requirement coverage
  - Weak sanction language
  - Missing breach procedures
  - Inadequate incident reporting
  - Unclear access controls

Best Practices

  1. Batch Upload: Upload multiple policies together
  2. Review AI Findings: Don't blindly accept recommendations
  3. Prioritize Critical Gaps: Focus on required specs first
  4. Update Within Platform: Avoid re-uploading entire policies
  5. Use Templates: Leverage provided policies for gaps
  6. Track Review Dates: Set alerts for upcoming reviews
  7. Document Decisions: Record why you accept/reject suggestions