increment patch for release (via Makefile)

automated asset refresh (via Makefile)
Merge branch 'master' of github.com:strongdm/comply
2025-12-15 19:00:50 +00:00 · 2018-05-18 12:35:15 -07:00 · 2018-05-18 12:35:06 -07:00 · 2018-05-18 12:33:51 -07:00 · 2018-05-18 12:33:48 -07:00 · 2018-05-18 12:33:08 -07:00
36 changed files with 1855 additions and 153 deletions
--- a/5
+++ b/5
@@ -107,9 +107,14 @@ release: release-env dist release-deps
 	@echo "Update homebrew formula with the following: "
 	@echo "version $(VERSION)"
 	@curl -L https://github.com/strongdm/comply/archive/$(VERSION).tar.gz |shasum -a 256
+
 patch-release: release-env push-assets patch release
+	$(eval VERSION := $(shell git describe --tags --always --dirty="-dev"))
+	curl -X POST --data-urlencode 'payload={"channel": "#release", "username": "release", "text": "comply $(VERSION) released", "icon_emoji": ":shipit:"}' https://hooks.slack.com/services/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

 minor-release: release-env push-assets minor release
+	$(eval VERSION := $(shell git describe --tags --always --dirty="-dev"))
+	curl -X POST --data-urlencode 'payload={"channel": "#release", "username": "release", "text": "comply $(VERSION) released", "icon_emoji": ":shipit:"}' https://hooks.slack.com/services/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

 patch: clean gitsem
 	gitsem -m "increment patch for release (via Makefile)" patch
--- a/2
+++ b/2
@@ -1 +1 @@
-1.1.19
+1.1.22
--- a/example/policies/application.md
+++ b/example/policies/application.md
@@ -8,4 +8,111 @@ majorRevisions:
    comment: Initial document
 ---

-# Coming Soon
+# Purpose and Scope
+
+a. This application security policy defines the security framework and requirements for applications, notably web applications, within the organization’s production environment.
+
+a. This document also provides implementing controls and instructions for web application security, to include periodic vulnerability scans and other types of evaluations and assessments.
+
+a. This policy applies to all applications within the organization’ production environment, as well as administrators and users of these applications. This typically includes employees and contractors.
+
+# Background
+
+a. Application vulnerabilities typically account for the largest number of initial attack vectors after malware infections. As a result, it is important that applications are designed with security in mind, and that they are scanned and continuously monitored for malicious activity that could indicate a system compromise. Discovery and subsequent mitigation of application vulnerabilities will limit the organization’s attack surface, and ensures a baseline level of security across all systems.
+
+a. In addition to scanning guidance, this policy also defines technical requirements and procedures  to ensure that applications are properly hardened in accordance with security best practices.
+
+# References
+
+a. Data Classification Policy
+
+a. OWASP Risk Rating Methodology
+
+a. OWASP Testing Guide
+
+a. OWASP Top Ten Project
+
+# Policy
+
+a. The organization must ensure that all applications it develops and/or acquires are securely configured and managed.
+
+a. The following security best practices must be considered and, if feasible, applied as a matter of the application’s security design:
+
+    i. Data handled and managed by the application must be classified in accordance with the Data Classification Policy (reference (a)).
+
+    i. If the application processes confidential information, a confidential record banner must be prominently displayed which highlights the type of confidential data being accessed (e.g., personally-identifiable information (PII), protected health information (PHI), etc.)
+
+    i. Sensitive data, especially data specifically restricted by law or policy (e.g., social security numbers, passwords, and credit card data) should not be displayed in plaintext.
+
+    i. Ensure that applications validate input properly and restrictively, allowing only those types of input that are known to be correct. Examples include, but are not limited to cross-site scripting, buffer overflow errors, and injection flaws.
+
+    i. Ensure that applications execute proper error handling so that errors will not provide detailed system information to an unprivileged user, deny service, impair security mechanisms, or crash the system.
+
+    i. Where possible, authorize access to applications by affiliation, membership or employment, rather than by individual. Provide an automated review of authorizations on a regular basis, where possible.
+
+    i. Ensure that applications encrypt data at rest and in transit.
+
+    i. Implement application logging to the extent practical. Retain logs of all users and access events for at least 14 days.
+
+    i. Qualified peers conduct security reviews of code  for all new or significantly modified applications; particularly, those that affect the collection, use, and/or display of confidential data. Document all actions taken.
+
+    i. Implement a change management process for changes to existing software applications.
+
+    i. Standard configuration of the application must be documented. 
+
+    i. Default passwords used within the application, such as for administrative control panels or integration with databases must be changed immediately upon installation.
+
+    i. Applications must require complex passwords in accordance with current security best practices (at least 8 characters in length, combination of alphanumeric upper/lowercase characters and symbols).
+
+    i. During development and testing, applications must not have access to live data.
+
+a. Where applications are acquired from a third party, such as a vendor:
+
+    i. Only applications that are supported by an approved vendor shall be procured and used.
+
+    i. Full support contracts must be arranged with the application vendor for full life-cycle support.
+
+    i. No custom modifications may be applied to the application without confirmation that the vendor can continue to provide support.
+
+    i. Updates, patches and configuration changes issued by the vendor shall be implemented as soon as possible.
+
+    i. A full review of applications and licenses shall be completed at least annually, as part of regular software reviews.
+
+a. Web applications must be assessed according to the following criteria:
+
+    i. New or major application releases must have a full assessment prior to approval of the change control documentation and/or release into the production environment.
+
+    i. Third-party or acquired applications must have a full assessment prior to deployment.
+
+    i. Software releases must have an appropriate assessment, as determined by the organization’s information security manager, with specific evaluation criteria based on the security risks inherent in the changes made to the application’s functionality and/or architecture.
+
+    i. Emergency releases may forego security assessments and carry the assumed risk until a proper assessment can be conducted. Emergency releases must be approved by the Chief Information Officer or designee.
+
+a. Vulnerabilities that are discovered during application assessments must be mitigated based upon the following risk levels, which are based on the Open Web Application Security Project (OWASP) Risk Rating Methodology (reference (b)):
+
+    i. High - issues categorized as high risk must be fixed immediately, otherwise alternate mitigation strategies must be implemented to limit exposure before deployment. Applications with high risk issues are subject to being taken off-line or denied release into the production environment.
+
+    i. Medium - issues categorized as medium risk must be reviewed to determine specific items to be mitigated. Actions to implement mitigations must be scheduled. Applications with medium risk issues may be taken off-line or denied release into the production environment based on the number of issues; multiple issues may increase the risk to an unacceptable level. Issues may be fixed in patch releases unless better mitigation options are present.
+
+    i. Low - issues categorized as low risk must be reviewed to determine specific items to be mitigated. Actions to implement mitigations must be scheduled.
+
+a. Testing is required to validate fixes and/or mitigation strategies for any security vulnerabilities classified as Medium risk or greater.
+
+a. The following security assessment types may be leveraged to perform an application security assessment:
+
+    i. Full - comprised of tests for all known web application vulnerabilities using both automated and manual tools based on the OWASP Testing Guide (reference (c)). A full assessment must leverage manual penetration testing techniques to validate discovered vulnerabilities to determine the overall risk of any and all discovered issues.
+
+    i. Quick - consists of an automated scan of an application for, at a minimum, the OWASP Top Ten web application security risks (reference (d)).
+
+    i. Targeted - verifies vulnerability remediation changes or new application functionality.
+
+    i. To counter the risk of unauthorized access, the organization maintains a Data Center Security Policy (reference (c)).
+
+    i. Security requirements for the software development life cycle, including system development, acquisition and maintenance are defined in the Software Development Lifecycle Policy (reference (d)).
+
+    i. Security requirements for handling information security incidents are defined in the Security Incident Response Policy (reference (e)).
+
+    i. Disaster recovery and business continuity management policy is defined in the Disaster Recovery Policy (reference (f)).
+
+    i. Requirements for information system availability and redundancy are defined in the System Availability Policy (reference (g)).
+
--- a/example/policies/cyber.md
+++ b/example/policies/cyber.md
@@ -8,4 +8,61 @@ majorRevisions:
    comment: Initial document
 ---

-# Coming Soon
+# Purpose and Scope
+
+a. The purpose of this policy is to define the procedures to assess and treat information security risks within the organization, and to define the acceptable level of risk overall.
+
+a. Risk assessment and risk treatment are applied to the entire scope of the organization’s information security program, and to all information systems which are used within the organization or which could have an impact on the organization’s information security.
+
+a. This policy applies to all management and employees that take part in the organization’s risk assessments. This policy must be made readily available to all whom it applies to.
+
+# Background
+
+a. This policy defines a step-by-step process for conducting risk assessments, as well as to treat identified risks from an information security perspective. This policy also describes how to prepare the Risk Assessment Report required as part of the risk assessment process.
+
+a. When conducting a risk assessment, the organization must identify all organizational information systems . It must then identify all threats and vulnerabilities having to do with such systems , and rate the severity of such threats and vulnerabilities according to a predefined rating scale. Asset and risk owners must be defined for each risk item.
+
+a. Once the risk assessment is completed, the organization shall determine how to manage risks where the overall assessed risk rating is deemed as too high. This management is known as risk treatment. Risk treatment options include but are not limited to applying security controls, outsourcing risk, accepting risk, or discontinuing the activity associated with the risk.
+
+a. A penetration test must be performed by a third party to verify the accuracy of the risk assessment and effectiveness of deployed risk treatments.
+
+# Procedure To Execute Risk Assessment Report
+
+a. Confirms that the entire risk assessment and risk treatment process has been carried out according to the Risk Assessment Policy.
+
+a. The purpose of the risk assessment was to identify all information systems  their vulnerabilities, and threats that could exploit vulnerabilities. These parameters were further evaluated in order to establish the criticality of individual risks.
+
+a. The purpose of the risk treatment was to define the systematic means of reducing or controlling the risks identified in the risk assessment.
+
+a. All risk assessment and treatment activities were completed within the scope of the organization’s information security program.
+
+a. The risk assessment was implemented in the period from [day/month/year] to [day/month/year]. The risk treatment was implemented from [day/month/year] to [day/month/year]. Final reports were prepared during [specify period].
+
+a. The risk assessment and risk treatment process was managed by [person responsible for managing the risk assessment process] with expert assistance provided by [person or company responsible for assistance].
+
+a. During the risk assessment, information was collected through questionnaires and interviews with responsible persons, namely the asset owners across organizational units.
+
+a. The process was conducted as follows:
+
+    i. All information systems and their owners were identified.
+
+    i. Threats were identified for each asset, and corresponding vulnerabilities were identified for each threat.
+    i. Risk owners were identified for each risk.
+
+    i. Consequences of the loss of confidentiality, integrity and availability were evaluated using a score from 0 to 2, with 0 being the lowest rating and 2 being the highest rating.
+
+    i. The likelihood of risk occurrence (i.e. that the threat will exploit the vulnerability) was evaluated using a score from 0 to 2, with 0 being the lowest rating and 2 being the highest rating.
+
+    i. The level of risk was calculated by adding up the consequence and likelihood.
+
+    i. Risks with a score of 3 or 4 were determined to be unacceptable risks.
+
+    i. For each unacceptable risk, a risk treatment option was considered, and appropriate information security controls were selected.
+
+    i. After controls were applied, residual risks were assessed.
+
+a. The following documents were used or generated during the implementation of risk assessment and risk treatment:
+    
+    i. Risk Assessment Table (Appendix A): for each combination of systems , vulnerabilities and threats, this table shows the values for consequence and likelihood, and calculates the risk.
+
+    i. Risk Treatment Table (Appendix B): defines the options for risk treatment, selection of controls for each unacceptable risk, and the level of residual risk.
--- a/example/policies/development.md
+++ b/example/policies/development.md
@@ -8,4 +8,188 @@ majorRevisions:
    comment: Initial document
 ---

-# Coming Soon
+# Purpose and Scope
+
+a. The purpose of this policy is to define requirements for establishing and maintaining baseline protection standards for company software, network devices, servers, and desktops.
+
+a. This policy applies to all users performing software development, system administration, and management of these activities within the organization. This typically includes employees and contractors, as well as any relevant external parties involved in these activities (hereinafter referred to as “users”). This policy must be made readily available to all users.
+
+a. This policy also applies to enterprise-wide systems and applications developed by the organization or on behalf of the organization for production implementation.
+
+# Background
+
+a. The intent of this policy is to ensure a well-defined, secure and consistent process for managing the entire lifecycle of software and information systems, from initial requirements analysis until system decommission. The policy defines the procedure, roles, and responsibilities, for each stage of the software development lifecycle.
+
+a. Within this policy, the software development lifecycle consists of requirements analysis, architecture and design, development, testing, deployment/implementation, operations/maintenance, and decommission. These processes may be followed in any form; in a waterfall model, it may be appropriate to follow the process linearly, while in an agile development model, the process can be repeated in an iterative fashion.
+
+# References
+
+a. Risk Assessment Policy
+
+# Policy
+
+a. The organization’s Software Development Life Cycle (SDLC) includes the following phases:
+
+    i. Requirements Analysis
+
+    i. Architecture and Design
+
+    i. Testing
+
+    i. Deployment/Implementation
+
+    i. Operations/Maintenance
+
+    i. Decommission
+
+a. During all phases of the SDLC where a system is not in production, the system must not have live data sets that contain information identifying actual people or corporate entities, actual financial data such as account numbers, security codes, routing information, or any other financially identifying data. Information that would be considered sensitive must never be used outside of production environments.
+
+a. The following activities must be completed and/or considered during the requirements analysis phase:
+
+    i. Analyze business requirements.
+
+    i. Perform a risk assessment. More information on risk assessments is discussed in the Risk Assessment Policy (reference (a)).
+
+    i. Discuss aspects of security (e.g., confidentiality, integrity, availability) and how they might apply to this requirement.
+
+    i. Review regulatory requirements and the organization’s policies, standards, procedures and guidelines.
+
+    i. Review future business goals.
+
+    i. Review current business and information technology operations.
+
+    i. Incorporate program management items, including:
+
+        1. Analysis of current system users/customers.
+
+        1. Understand customer-partner interface requirements (e.g., business-level, network).
+
+        1. Discuss project timeframe.
+
+    i. Develop and prioritize security solution requirements.
+
+    i. Assess cost and budget constraints for security solutions, including development and operations.
+
+    i. Approve security requirements and budget.
+
+    i. Make “buy vs. build” decisions for security services based on the information above.
+
+a. The following must be completed/considered during the architecture and design phase:
+
+    i. Educate development teams on how to create a secure system.
+
+    i. Develop and/or refine infrastructure security architecture.
+
+    i. List technical and non-technical security controls.
+
+    i. Perform architecture walkthrough.
+
+    i. Create a system-level security design.
+
+    i. Create high-level non-technical and integrated technical security designs.
+
+    i. Perform a cost/benefit analysis for design components.
+
+    i. Document the detailed technical security design.
+
+    i. Perform a design review, which must include, at a minimum, technical reviews of application and infrastructure, as well as a review of high-level processes.
+
+    i. Describe detailed security processes and procedures, including: segregation of duties and segregation of development, testing and production environments. 
+
+    i. Design initial end-user training and awareness programs.
+
+    i. Design a general security test plan.
+
+    i. Update the organization’s policies, standards, and procedures, if appropriate.
+
+    i. Assess and document how to mitigate residual application and infrastructure vulnerabilities.
+
+    i. Design and establish separate development and test environments.
+
+a. The following must be completed and/or considered during the development phase:
+
+    i. Set up a secure development environment (e.g., servers, storage).
+
+    i. Train infrastructure teams on installation and configuration of applicable software, if required.
+
+    i. Develop code for application-level security components.
+
+    i. Install, configure and integrate the test infrastructure.
+
+    i. Set up security-related vulnerability tracking processes.
+
+    i. Develop a detailed security test plan for current and future versions (i.e., regression testing).
+
+    i. Conduct unit testing and integration testing.
+
+a. The following must be completed and/or considered during the testing phase:
+
+    i. Perform a code and configuration review through both static and dynamic analysis of code to identify vulnerabilities. 
+
+    i. Test configuration procedures.
+
+    i. Perform system tests.
+
+    i. Conduct performance and load tests with security controls enabled.
+
+    i. Perform usability testing of application security controls.
+
+
+    i. Conduct independent vulnerability assessments of the system, including the infrastructure and application.
+
+a. The following must be completed and/or considered during the deployment phase:
+
+    i. Conduct pilot deployment of the infrastructure, application and other relevant components.
+
+    i. Conduct transition between pilot and full-scale deployment.
+
+    i. Perform integrity checking on system files to ensure authenticity.
+
+    i. Deploy training and awareness programs to train administrative personnel and users in the system’s security functions.
+
+    i. Require participation of at least two developers in order to conduct full-scale deployment to the production environment.
+
+a. The following must be completed and/or considered during the operations/maintenance phase:
+
+    i. Several security tasks and activities must be routinely performed to operate and administer the system, including but not limited to:
+
+        1. Administering users and access.
+
+        1. Tuning performance.
+
+        1. Performing backups according to requirements defined in the System Availability Policy 
+
+        1. Performing system maintenance (i.e., testing and applying security updates and patches).
+
+        1. Conducting training and awareness.
+
+        1. Conducting periodic system vulnerability assessments.
+
+        1. Conducting annual risk assessments.
+
+    i. Operational systems must:
+
+        1. Be reviewed to ensure that the security controls, both automated and manual, are functioning correctly and effectively.
+
+        1. Have logs that are periodically reviewed to evaluate the security of the system and validate audit controls.
+
+        1. Implement ongoing monitoring of systems and users to ensure detection of security violations and unauthorized changes.
+
+        1. Validate the effectiveness of the implemented security controls through security training as required by the Procedure For Executing Incident Response.
+
+        1. Have a software application and/or hardware patching process that is performed regularly in order to eliminate software bug and security problems being introduced into the organization’s technology environment. Patches and updates must be applied within ninety (90) days of release to provide for adequate testing and propagation of software updates. Emergency, critical, break-fix, and zero-day vulnerability patch releases must be applied as quickly as possible.
+
+a. The following must be completed and/or considered during the decommission phase:
+
+    i. Conduct unit testing and integration testing on the system after component removal.
+
+    i. Conduct operational transition for component removal/replacement.
+
+    i. Determine data retention requirements for application software and systems data.
+
+    i. Document the detailed technical security design.
+
+    i. Update the organization’s policies, standards and procedures, if appropriate.
+
+    i. Assess and document how to mitigate residual application and infrastructure vulnerabilities.
+
--- a/example/policies/disaster.md
+++ b/example/policies/disaster.md
@@ -8,5 +8,144 @@ majorRevisions:
  - date: Jun 1 2018
    comment: Initial document
 ---
+#Purpose and Scope 

-# Coming Soon
+a. The purpose of this policy is to define the organization’s procedures to recover Information Technology (IT) infrastructure and IT services within set deadlines in the case of a disaster or other disruptive incident. The objective of this plan is to complete the recovery of IT infrastructure and IT services within a set Recovery Time Objective (RTO).
+
+a. This policy includes all resources and processes necessary for service and data recovery, and covers all information security aspects of business continuity management.
+
+a. This policy applies to all management, employees and suppliers that are involved in the recovery of IT infrastructure and services within the organization. This policy must be made readily available to all whom it applies to.
+
+# Background
+
+a. This policy defines the overall disaster recovery strategy for the organization. The strategy describes the organization’s Recovery Time Objective (RTO), which is defined as the duration of time and service level for critical business processes to be restored after a disaster or other disruptive event, as well as the procedures, responsibility and technical guidance required to meet the RTO. This policy also lists the contact information for personnel and service providers that may be needed during a disaster recovery event.
+
+a. The following conditions must be met for this plan to be viable:
+
+    i. All equipment, software and data (or their backups/failovers) are available in some manner.
+
+    i. If an incident takes place at the organization’s physical location, all resources involved in recovery efforts are able to be transferred to an alternate work site (such as their home office) to complete their duties.
+
+    i. The Information Security Officer is responsible for coordinating and conducting a bi-annual (at least) rehearsal of this continuity plan. 
+
+a. This plan does not cover the following types of incidents:
+
+    i. Incidents that affect customers or partners but have no effect on the organization’s systems; in this case, the customer must employ their own continuity processes to make sure that they can continue to interact with the organization and its systems.
+
+    i. Incidents that affect cloud infrastructure suppliers at the core infrastructure level, including but not limited to Google, Heroku, and Amazon Web Services. The organization depends on such suppliers to employ their own continuity processes.
+
+# Policy
+
+a. *Relocation*
+
+    i. If the organization’s primary work site is unavailable, an alternate work site shall be used by designated personnel. The organization’s alternate work site is located at [list the address of the alternate work site that the organization will use].
+
+    i. The personnel required to report to the alternate work site during a disaster includes [list the personnel titles responsible for reporting to the alternate work site].
+
+a. *Critical Services, Key Tasks and, Service Level Agreements (SLAs)*
+
+    i. The following services and technologies are considered to be critical for business operations, and must immediately be restored (in priority order):
+  
+        1. [list the critical services and technologies that must remain running during a disaster]
+
+    i. The following key tasks and SLAs must be considered during a disaster recovery event, in accordance with the organization’s objectives, agreements, and legal, contractual or regulatory obligations:
+
+        1. [list of key tasks / SLAs that must be kept operational, with respective deadlines]
+
+a. The organization’s Recovery Time Objective (RTO) is [set the maximum amount of time before critical processes must be restored, to include relocation and getting critical services/technologies back online]. Relocation and restoration of critical services and technologies must be completed within this time period.
+
+a. *Notification of Plan Initiation*
+
+    i. The following personnel must be notified when this plan is initiated:
+
+      1. [list all personnel (including titles) that must be notified of plan initiation ]
+
+    i. [person responsible for notifications, including title] is responsible for notifying the personnel listed above.
+
+a. *Plan Deactivation*
+
+    i. This plan must only be deactivated by [person or persons with authority to deactivate the plan, including job title].
+
+    i. In order for this plan to be deactivated, all relocation activities and critical service / technology tasks  as detailed above must be fully completed and/or restored. If the organization is still operating in an impaired scenario, the plan may still be kept active at the discretion of [person or persons with authority to deactivate the plan, including job title].
+
+    i. The following personnel must be notified when this plan is deactivated:
+
+        1. [list all personnel (including titles) that must be notified of plan activation]
+
+a. The organization must endeavor to restore its normal level of business operations as soon as possible.
+
+a. A list of relevant points of contact both internal and external to the organization is enclosed in Appendix A.
+
+a. During a crisis, it is vital for certain recovery tasks to be performed right away. The following actions are pre-authorized in the event of a disaster recovery event:
+
+    i. [job title] must take all steps specified in this disaster recovery plan in order to recover the organization’s information technology infrastructure and services.
+    
+    i. [job title] is authorized to make urgent purchases of equipment and services up to [amount].
+    
+    i. [job title] is authorized to communicate with clients.
+    
+    i. [job title] is authorized to communicate with the public.
+    
+    i. [job title] is authorized to communicate with public authorities such as state and local governments and law enforcement.
+    
+    i. [job title] is authorized to cooperate with [name of supplier/outsourcing partner].
+    
+    i. [add/modify/remove authorizations in this section as necessary]
+
+a. Specific recovery steps for information systems infrastructure and services are provided in Appendix B.
+
+\pagebreak 
+
+# Appendix A: Relevant Points of Contact
+
+Internal Contacts
+
+------------------+-------------------+------------------+------------------+-----------------+
+|       Name       |     Job Title     |   Phone Number   |  Email Address   |Alternate Contact|
+==================+===================+==================+==================+=================+
+|                  |                   |                  |                  |                 |
+|                  |                   |                  |                  |                 |
+------------------+-------------------+------------------+------------------+-----------------+
+|                  |                   |                  |                  |                 |
+|                  |                   |                  |                  |                 |
+------------------+-------------------+------------------+------------------+-----------------+
+
+External Contacts
+
+------------------+-------------------+------------------+------------------+-----------------+
+|       Name       |     Job Title     |   Phone Number   |  Email Address   |Alternate Contact|
+==================+===================+==================+==================+=================+
+|                  |                   |                  |                  |                 |
+|                  |                   |                  |                  |                 |
+------------------+-------------------+------------------+------------------+-----------------+
+|                  |                   |                  |                  |                 |
+|                  |                   |                  |                  |                 |
+------------------+-------------------+------------------+------------------+-----------------+
+
+\pagebreak
+
+# Appendix B: Recovery Steps for Information Systems Infrastructure & Services
+
+Specific recovery procedures are described in detail below:
+
+----------------------------+----------------------+------------------------------------+
+|     Recovery Procedure     |  Person Responsible  |  Person(s) Notified When Complete  |
+============================+======================+====================================+
+| System to be recovered:    |                      |                                    |                
+|                            |                      |                                    |                 
+----------------------------+----------------------+------------------------------------+
+| task 1:                    |                      |                                    |  
+|                            |                      |                                    |
+----------------------------+----------------------+------------------------------------+            
+| task 2:                    |                      |                                    |   
+|                            |                      |                                    |              
+----------------------------+----------------------+------------------------------------+
+| System to be recovered:    |                      |                                    |                
+|                            |                      |                                    |                 
+----------------------------+----------------------+------------------------------------+
+| task 1:                    |                      |                                    | 
+|                            |                      |                                    |    
+----------------------------+----------------------+------------------------------------+            
+| task 2:                    |                      |                                    |    
+|                            |                      |                                    |             
+----------------------------+----------------------+------------------------------------+
--- a/example/policies/media.md
+++ b/example/policies/media.md
@@ -8,4 +8,133 @@ majorRevisions:
    comment: Initial document
 ---

-# Coming Soon
+# Purpose and Scope
+
+a. This removable media, cloud storage and Bring Your Own Device (BYOD) policy defines the objectives, requirements and implementing instructions for storing data on removable media, in cloud environments, and on personally-owned devices, regardless of data classification level.
+
+a. This policy applies to all information and data within the organization’s information security program, as well as all removable media, cloud systems and personally-owned devices either owned or controlled by the organization.
+
+a. This policy applies to all users of information systems within the organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by the organization (hereinafter referred to as “users”). This policy must be made readily available to all users.
+
+# Background
+
+a. This policy defines the procedures for safely using  removable media, cloud storage and personally-owned devices to limit data loss or exposure.  Such forms of storage must be strictly controlled because of the sensitive data that can be stored on them. Because each of these storage types are inherently ephemeral or portable in nature, it is possible for the organization to lose the ability to oversee or control the information stored on them if strict security standards are not followed.
+
+a. This document consists of three sections pertaining to removable media, cloud storage, and personally-owned devices. Each section contains requirements and implementing instructions for the registration, management, maintenance, and disposition of each type of storage.
+
+a. Within this policy, the term sensitive information refers to information that is classified as RESTRICTED or CONFIDENTIAL in accordance with the Data Classification Policy (reference (a)).
+
+# References
+
+a. Data Classification Policy
+
+a. Asset Inventory
+
+a. Security Incident Response Policy
+
+a. Encryption Policy
+
+# Policy
+
+a. *Removable Media*
+
+    i. All removable media in active use and containing data pertinent to the organization must be registered in the organization’s Asset Inventory (reference (b)).
+
+    i. All removable media listed in reference (b) must be re-inventoried on a quarterly basis to ensure that it is still within the control of the organization.
+
+        1. To re-inventory an item, the owner of the removable media must check in the item with the organization’s Information Security Manager (ISM).
+
+        1. The ISM must treat any removable media that cannot be located as lost, and a security incident report must be logged in accordance with the Security Incident Response Policy (reference (c)).
+
+    i. The owner of the removable media must conduct all appropriate maintenance on the item at intervals appropriate to the type of media, such as cleaning, formatting, labeling, etc.
+
+    i. The owner of the removable media, where practical, must ensure that an alternate or backup copy of the information located on the device exists.
+
+    i. Removable media must be stored in a safe place that has a reduced risk of fire or flooding damage. 
+
+    i. If the storage item contains sensitive information, removable media must:
+
+        1. Be stored in a locked cabinet or drawer.
+
+        1. Store only encrypted data that is securely enciphered in accordance with the Encryption Policy (reference (d)).
+
+    i. All data on removable media devices must be erased, or the device must be destroyed, before it is reused or disposed of.
+
+    i. When removable media devices are disposed, the device owner must inform the ISM so that it can be removed from reference (b).
+
+a. *Cloud Storage*
+
+    i. All cloud storage systems in active use and containing data pertinent to the organization must be registered in reference (b). Registration may be accomplished by manual or automated means.
+
+
+    i. All cloud storage systems listed in reference (b) must be re-inventoried on a quarterly basis to ensure that it is still within the control of the organization. To re-inventory an item, the owner of the removable media must check in the item with the organization’s Information Security Manager (ISM). Re-inventory may be accomplished by manual or automated means.
+
+    i. The owner of the cloud storage system must conduct all appropriate maintenance on the system at regular intervals to include system configuration, access control, performance monitoring, etc.
+
+    i. Data on cloud storage systems must be replicated to at least one other physical location. Depending on the cloud storage provider, this replication may be automatically configured.
+
+    i. The organization must only use cloud storage providers that can demonstrate, either through security accreditation, demonstration, tour, or other means that their facilities are secured, both physically and electronically, using best practices.
+
+    i. If the cloud storage system contains sensitive information, that information must be encrypted in accordance with reference (d).
+
+    i. Data must be erased from from cloud storage systems using a technology and process that is approved by the ISM. 
+
+    i. When use of a cloud storage system is discontinued, the system owner must inform the ISM so that it can be removed from reference (b).
+
+a. *Personally-owned Devices*
+
+    i. Organizational data that is stored, transferred or processed on personally-owned devices remains under the organization’s ownership, and the organization retains the right to control such data even though it is not the owner of the device.
+
+    i. The ISM is responsible for conducting overall management of personally-owned devices, to include:
+
+        1. Installation and maintenance of Mobile Device Management (MDM) software that can effectively manage, control and wipe data under the organization’s control from personally-owned devices.
+
+        1. Maintain a list of job titles and/or persons authorized to use personally-owned devices for the organization’s business, as well as the applications and databases that may be accessed from such devices.
+
+        1. Maintain a list of applications prohibited from use on personally-owned devices, and ensuring that device users are aware of these restrictions.
+
+    i. Personally-identifiable information (PII) may not be stored, processed or accessed at any time on a personally-owned device.
+
+    i. The following acceptable use requirements must be observed by users of personally-owned devices:
+
+        1. All organizational data must be backed up at regular intervals.
+
+        1. MDM and endpoint protection software must be installed on the device at all times.
+
+        1. Sensitive information stored on the device must be encrypted in accordance with reference (d).
+
+        1. The device must be secured using a password, pin, unlock pattern, fingerprint or equivalent security mechanism.
+
+        1. The device must only connect to secure and encrypted wireless networks.
+
+        1. When using the device outside of the organization’s premises, it must not be left unattended, and if possible, physically secured.
+
+        1. When using the device in public areas, the owner must take measures to ensure that the data cannot be read or accessed by unauthorized persons.
+
+        1. Patches and updates must be installed regularly.
+
+        1. Classified information must be protected in accordance with reference (a).
+
+        1. The device owner must install the ISM before the device is disposed of, sold, or provided to a third party for servicing.
+
+        1. It is prohibited to:
+
+            a. Allow device access for anyone except its owner.
+        
+            a. Store illegal materials on the device.
+
+            a. Install unlicensed software.
+
+            a. Locally-store passwords.
+
+            a. Transfer organizational data to other devices which have not been approved by the organization.
+
+    i. The organization must reserve the right to view, edit, and/or delete any organizational information that is stored, processed or transferred on the device.
+
+    i. The organization must reserve the right to perform full deletion of all of its data on the device if it considers that necessary for the protection of company-related data, without the consent of the device owner.
+
+    i. The organization will not pay the employees (the owners of BYOD) any fee for using the device for work purposes.
+
+    i. The organization will pay for any new software that needs to be installed for company use.
+
+    i. All security breaches related to personally-owned devices must be reported immediately to the ISM. 
--- a/example/policies/remote.md
+++ b/example/policies/remote.md
@@ -10,4 +10,50 @@ majorRevisions:
    comment: Initial document
 ---

-# Coming Soon
+# Purpose and Scope
+
+a. The purpose of this policy is to define requirements for connecting to the organization’s systems and networks from remote hosts, including personally-owned devices, in order to minimize data loss/exposure.
+
+a. This policy applies to all users of information systems within the organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by the organization (hereinafter referred to as “users”). This policy must be made readily accessible to all users.
+
+# Background
+
+a. The intent of this policy is to minimize the organization’s exposure to damages which may result from the unauthorized remote use of resources, including but not limited to: the loss of sensitive, company confidential data and intellectual property; damage to the organization’s public image; damage to the organization’s internal systems; and fines and/or other financial liabilities incurred as a result of such losses.
+
+a. Within this policy, the following definitions apply:
+
+    i. *Mobile computing equipment:* includes portable computers, mobile phones, smart phones, memory cards and other mobile equipment used for storage, processing and transfer of data.
+
+    i. *Remote host:* is defined as an information system, node or network that is not under direct control of the organization.
+
+    i. *Telework:* the act of using mobile computing equipment and remote hosts to perform work outside the organization’s physical premises. Teleworking does not include the use of mobile phones.
+
+# Policy
+
+a. *Security Requirements for Remote Hosts and Mobile Computing Equipment*
+
+    i. Caution must be exercised when mobile computing equipment is placed or used in uncontrolled spaces such as vehicles, public spaces, hotel rooms, meeting places, conference centers, and other unprotected areas outside the organization’s premises.
+
+    i. When using remote hosts and mobile computing equipment, users must take care that information on the device (e.g. displayed on the screen) cannot be read by unauthorized persons if the device is being used to connect to the organization’s systems or work with the organization’s data.
+
+    i. Remote hosts must be updated and patched for the latest security updates on at least a monthly basis.
+
+    i. Remote hosts must have endpoint protection software (e.g. malware scanner) installed and updated at all times.
+
+    i. Persons using mobile computing equipment off-premises are responsible for regular backups of organizational data that resides on the the device.
+
+    i. Access to the organization’s systems must be done through an encrypted and authenticated VPN connection with multi-factor authentication enabled. All users requiring remote access must be provisioned with VPN credentials from the organization’s information technology team. VPN keys must be rotated at least twice per year. Revocation of VPN keys must be included in the Offboarding Policy. 
+
+    i. Information stored on mobile computing equipment must be encrypted using hard drive full disk encryption.
+
+a. *Security Requirements for Telework*
+
+    i. Employees must be specifically authorized for telework in writing from their hiring manager .
+
+    i. Only device’s assigned owner is permitted to use remote nodes and mobile computing equipment. Unauthorized users (such as others living or working at the location where telework is performed) are not permitted to use such devices.
+
+    i. Devices must be authorized using certificates
+
+    i. Users performing telework are responsible for the appropriate configuration of the local network used for connecting to the Internet at their telework location.
+
+    i. Users performing telework must protect the organization’s intellectual property rights, either for software or other materials that are present on remote nodes and mobile computing equipment.
--- a/example/policies/retention.md
+++ b/example/policies/retention.md
@@ -10,4 +10,79 @@ majorRevisions:
    comment: Initial document
 ---

-# Coming Soon
+#Appendices
+Appendix A: Retention Periods
+
+# Purpose and Scope
+
+a. This data retention policy defines the objectives and requirements for data retention within the organization.
+
+a. This policy covers all data within the organization’s custody or control, irregardless of the medium the data is stored in (electronic form, paper form, etc.) Within this policy, the medium which holds data is referred to as information, no matter what form it is in.
+
+a. This policy applies to all users of information systems within the organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information the organization owns or controls (hereinafter referred to as “users”). This policy must be made readily available to all users.
+
+# Background
+
+a. The organization is bound by multiple legal, regulatory and contractual obligations with regard to the data it retains. These obligations stipulate how long data can be retained, and how data must be destroyed. Examples of legal, regulatory and contractual obligations include laws and regulations in the local jurisdiction where the organization conducts business, and contracts made with employees, customers, service providers, partners and others.
+
+a. The organization may also be involved in events such as litigation or disaster recovery scenarios that require it to have access to original information in order to protect the organization’s interests or those of its employees, customers, service providers, partners and others. As a result, the organization may need to archive and store information for longer that it may be needed for day-to-day operations.
+ 
+ \pagebreak 
+
+# Policy
+
+a. *Information Retention*
+
+    i. Retention is defined as the maintenance of information in a production or live environment which can be accessed by an authorized user in the ordinary course of business. 
+
+    i. Information used in the development, staging, and testing of systems shall not be retained beyond their active use period nor copied into production or live environments.
+
+    i. By default, the retention period of information shall be an active use period of exactly two years from its creation unless an exception is obtained permitting a longer or shorter retention period. The business unit responsible for the information must request the exception.
+
+    i. After the active use period of information is over in accordance with this policy and approved exceptions, information must be archived for a defined period. Once the defined archive period is over, the information must be destroyed.
+
+    i. Each business unit is responsible for the information it creates, uses, stores, processes and destroys, according to the requirements of this policy. The responsible business unit is considered to be the information owner.
+
+    i. The organization’s legal counsel may issue a litigation hold to request that information relating to potential or actual litigation, arbitration or other claims, demands, disputes or regulatory action be retained in accordance with instructions from the legal counsel.
+
+    i. Each employee and contractor affiliated with the company must return information in their possession or control to the organization upon separation and/or retirement.
+
+    i. Information owners must enforce the retention, archiving and destruction of information, and communicate these periods to relevant parties.
+
+a. *Information Archiving*
+
+    i. Archiving is defined as secured storage of information such that the information is rendered inaccessible by authorized users in the ordinary course of business but can be retrieved by an administrator designated by company management.
+
+        1. Physical (e.g., paper) records must be archived in secured storage (onsite or offsite) and clearly labeled in archive boxes naming the information owner.
+
+        1. Electronic records must be archived with strict access controls set by the information owner and appropriate to secure the confidentiality, integrity and accessibility of the information.
+
+    i. The default archiving period of information shall be 7 years unless an approved exception permits a longer or shorter period. Exceptions must be requested by the information owner.
+
+        1. As a guideline, an archiving period of more than 7 years may be granted for information with a vital historical purpose such as corporate records, contracts, and technical/trade secrets.
+
+        1. As a guideline, an archiving period of less than 7 years may be granted for information with a limited business purpose such as email, travel itineraries, pre-trip advisories, or to comply with specific legal, contractual and/or regulatory requirements (e.g., PCI DSS, GDPR, etc.)
+
+    i. Information must be destroyed (defined below) at the end of the elapsed archiving period.  
+
+a. *Information Destruction*
+
+    i. Destruction is defined as the physical or technical destruction sufficient to render the information contained in the document irretrievable by ordinary commercially-available means.
+
+    i. The organization must maintain and enforce a detailed list of approved destruction methods appropriate for each type of information archived, whether in physical storage media such as CD-ROMs, DVDs, backup tapes, hard drives, mobile devices, portable drives or in database records or backup files. Physical information in paper form must be shredded using an authorized shredding device; waste must be periodically removed by approved personnel.
+
+a. Retention and archival periods for information that is created, processed, stored and used by the organization is defined in Appendix A, “Retention Periods.” 
+
+\pagebreak 
+
+# Appendix A: Retention Periods 
+
+------------------+-------------------+------------------+------------------+-----------------+
+| Information Type | Information Owner | Storage Location | Retention Period | Archival Period |
+==================+===================+==================+==================+=================+
+|                  |                   |                  |                  |                 |
+|                  |                   |                  |                  |                 |
+------------------+-------------------+------------------+------------------+-----------------+
+|                  |                   |                  |                  |                 |
+|                  |                   |                  |                  |                 |
+------------------+-------------------+------------------+------------------+-----------------+
--- a/example/policies/vendor.md
+++ b/example/policies/vendor.md
@@ -8,4 +8,40 @@ majorRevisions:
    comment: Initial document
 ---

-# Coming Soon
+# Purpose and Scope
+
+a. This policy defines the rules for relationships with the organization’s Information Technology (IT) vendors and partners. 
+
+a. This policy applies to all IT vendors and partners who have the ability to impact the confidentiality, integrity, and availability of the organization’s technology and sensitive information, or who are within the scope of the organization’s information security program.
+
+a. This policy applies to all employees and contractors that are responsible for the management and oversight of IT vendors and partners of the organization. 
+
+# Background
+
+a. The overall security of the organization is highly dependent on the security of its contractual relationships with its IT suppliers and partners. This policy defines  requirements for effective management and oversight of such suppliers and partners from an information security perspective. The policy prescribes minimum standards a vendor must meet from an information security standpoint, including security clauses, risk assessments, service level agreements, and incident management.
+
+# References
+
+a. Information Security Policy
+
+a. Security Incident Response Policy
+
+# Policy
+
+a. IT vendors are prohibited from accessing the organization’s information security assets until  a contract containing security controls is agreed to and signed by the appropriate parties.
+
+a. All IT vendors must comply with the security policies defined and derived from the Information Security Policy (reference (a)). 
+
+a. All security incidents by IT vendors or partners must be documented in accordance with the organization’s Security Incident Response Policy (reference (b)) and immediately forwarded to the Information Security Manager (ISM). 
+
+a. The organization must adhere to the terms of all Service Level Agreements (SLAs) entered into with IT vendors. As terms are updated, and as new ones are entered into, the organization must implement any changes or controls needed to ensure it remains in compliance. 
+
+a. Before entering into a contract and gaining access to the parent organization’s information systems, IT vendors must undergo a risk assessment. 
+
+    i. Security risks related to IT vendors and partners must be identified during the risk assessment process. 
+    
+    i. The risk assessment must identify risks related to information and communication technology, as well as risks related to IT vendor supply chains, to include sub-suppliers. 
+
+a. IT vendors and partners must ensure that organizational records are protected, safeguarded, and disposed of securely. The organization strictly adheres to all applicable legal, regulatory and contractual requirements regarding the collection, processing, and transmission of sensitive data such as Personally-Identifiable Information (PII). 
+
+a. The organization may choose to audit IT vendors and partners to ensure compliance with applicable security policies, as well as legal, regulatory and contractual obligations.
--- a/example/procedures/offboarding.md
+++ b/example/procedures/offboarding.md
@@ -2,4 +2,10 @@ id: "offboard"
 name: "Offboard User"
 ---

-# Coming Soon
+Resolve this ticket by executing the following steps:
+
+- [ ] Immediately suspend user in SSO
+- [ ] Append HR termination request e-mail to this ticket
+- [ ] Look up manually-provisioned applications for this role or user
+- [ ] Validate access revocation in each
+- [ ] Append confirmation or revocation to this ticket
--- a/example/procedures/onboarding.md
+++ b/example/procedures/onboarding.md
@@ -2,4 +2,11 @@ id: "onboard"
 name: "Onboard New User"
 ---

-# Coming Soon
+Resolve this ticket by executing the following steps:
+
+- [ ] Append HR add request e-mail to this ticket
+- [ ] Proactively validate role assignment with manager (see HR request e-mail)
+- [ ] Add user to default group for the specified role
+- [ ] Provision any manually-provisioned applications by role
+    - [ ] Append manual provisioning confirmation to this ticket
+- [ ] Proactively confirm with new user that they can access all provisioned systems
--- a/example/procedures/patch.md
+++ b/example/procedures/patch.md
@@ -1,6 +1,15 @@
 id: "patch"
 name: "Apply OS patches"
-cron: "0 0 1 * * *"
+cron: "0 0 0 15 * *"
 ---

-# Coming Soon
+# OS Patch Procedure
+
+Resolve this ticket by executing the following steps:
+
+- [ ] Pull the latest scripts from the Ops repository
+- [ ] Execute `ENV=staging patch-all.sh`
+- [ ] Inspect output
+    - [ ] Errors? Investigate and resolve
+- [ ] Execute `ENV=production patch-all.sh`
+- [ ] Attach log output to this ticket
--- a/example/procedures/workstation.md
+++ b/example/procedures/workstation.md
@@ -1,6 +1,40 @@
 id: "workstation"
 name: "Collect Workstation Details"
-cron: "0 0 * * * *"
+cron: "0 0 0 15 4 *"
 ---

-# Coming Soon
+Resolve this ticket by executing the following steps:
+
+- [ ] Send the communications below
+- [ ] For any email replies, attach content to this ticket
+- [ ] Validate responses are received from each
+
+
+```
+To: Desktop support
+Subject: Annual workstation inventory
+
+Please attach the current workstation inventory to the following ticket: [REPLACE WITH URL TO THIS TICKET]
+
+The workstation inventory shall include the following fields:
+    * Serial number
+    * Custodian
+    * Full disk encryption status
+    * Malware protection status
+```
+
+
+```
+To: Outsourced Call Center IT
+Subject: Annual workstation inventory
+
+As part of our ongoing compliance efforts and per our services agreement, we require a current inventory of workstations in use in the service of our account.
+
+Please respond to this message with the current inventory.
+
+The workstation inventory shall include the following fields:
+    * Serial number
+    * Custodian
+    * Full disk encryption status
+    * Malware protection status
+```
--- a/example/templates/index.ace
+++ b/example/templates/index.ace
@@ -15,20 +15,11 @@ html lang=en
        document.querySelectorAll('.cron').forEach(function(el) {
          el.innerHTML = prettyCron.toString((""+el.innerHTML).trim(),true) // 6-field expressions
        })
-        if (window.location.hash != "") {
-          var hashComponents = window.location.hash.split('#')
-          if (hashComponents.length>1) {
-            var destination = hashComponents[1]
-            if (["overview","narratives","policies","procedures","standards"].indexOf(destination) >= 0) {
-              show(destination)
-            }
-          }
-        }
      })

      function show(name) {
-        if(history.replaceState) {
-            history.replaceState(null, null, '#'+name);
+        if (history.replaceState) {
+            history.replaceState(null, null, '#'+name)
        }

        var items = document.getElementsByClassName('top-nav')
@@ -233,7 +224,14 @@ html lang=en
        .content.has-text-centered
          p {{.Project.OrganizationName}} Confidential 2018
  = javascript
-    // commented for development
    if (window.location.hash=="") {
      show('overview')
+    } else {
+      var hashComponents = window.location.hash.split('#')
+      if (hashComponents.length>1) {
+        var destination = hashComponents[1]
+        if (["overview","narratives","policies","procedures","standards"].indexOf(destination) >= 0) {
+          show(destination)
+        }
+      }
    }
--- a/internal/cli/app.go
+++ b/internal/cli/app.go
@@ -44,6 +44,7 @@ func newApp() *cli.App {
 	}

 	app.Commands = append(app.Commands, beforeCommand(buildCommand, projectMustExist))
+	app.Commands = append(app.Commands, beforeCommand(procedureCommand, projectMustExist))
 	app.Commands = append(app.Commands, beforeCommand(schedulerCommand, projectMustExist))
 	app.Commands = append(app.Commands, beforeCommand(serveCommand, projectMustExist))
 	app.Commands = append(app.Commands, beforeCommand(syncCommand, projectMustExist))
--- a/internal/cli/procedure.go
+++ b/internal/cli/procedure.go
@@ -0,0 +1,44 @@
+package cli
+
+import (
+	"fmt"
+
+	"github.com/strongdm/comply/internal/model"
+	"github.com/urfave/cli"
+)
+
+var procedureCommand = cli.Command{
+	Name:      "procedure",
+	ShortName: "proc",
+	Usage:     "create ticket by procedure ID",
+	ArgsUsage: "procedureID",
+	Action:    procedureAction,
+	Before:    projectMustExist,
+}
+
+func procedureAction(c *cli.Context) error {
+	procedures, err := model.ReadProcedures()
+	if err != nil {
+		return err
+	}
+
+	if c.NArg() != 1 {
+		return cli.NewExitError("provide a procedure ID", 1)
+	}
+
+	procedureID := c.Args().First()
+
+	for _, procedure := range procedures {
+		if procedure.ID == procedureID {
+			// TODO: don't hardcode GH
+			tp := model.GetPlugin(model.GitHub)
+			tp.Create(&model.Ticket{
+				Name: procedure.Name,
+				Body: fmt.Sprintf("%s\n\n\n---\nProcedure-ID: %s", procedure.Body, procedure.ID),
+			}, []string{"comply", "comply-procedure"})
+			return nil
+		}
+	}
+
+	return cli.NewExitError(fmt.Sprintf("unknown procedure ID: %s", procedureID), 1)
+}
--- a/internal/render/html.go
+++ b/internal/render/html.go
@@ -9,6 +9,7 @@ import (
 	"sync"

 	"github.com/pkg/errors"
+	"github.com/skratchdot/open-golang/open"
 	"github.com/yosssi/ace"
 )

@@ -29,6 +30,8 @@ const websocketReloader = `<script>
 </script>`

 func html(output string, live bool, errCh chan error, wg *sync.WaitGroup) {
+	opened := false
+
 	for {
 		files, err := ioutil.ReadDir(filepath.Join(".", "templates"))
 		if err != nil {
@@ -56,9 +59,7 @@ func html(output string, live bool, errCh chan error, wg *sync.WaitGroup) {
 				return
 			}

-			if live {
-				fmt.Printf("%s -> %s\n", filepath.Join("templates", fileInfo.Name()), outputFilename)
-			}
+			fmt.Printf("%s -> %s\n", filepath.Join("templates", fileInfo.Name()), outputFilename)

 			tpl, err := ace.Load("", filepath.Join("templates", basename), aceOpts)
 			if err != nil {
@@ -77,10 +78,17 @@ func html(output string, live bool, errCh chan error, wg *sync.WaitGroup) {
 			}
 			w.Close()
 		}
-		if !live {
+
+		if live {
+			if !opened {
+				opened = true
+				open.Run("output/index.html")
+			}
+		} else {
 			wg.Done()
 			return
 		}
+
 		<-subscribe()
 	}
 }
--- a/internal/render/narrative.go
+++ b/internal/render/narrative.go
@@ -49,14 +49,6 @@ func renderNarrativeToDisk(wg *sync.WaitGroup, errOutputCh chan error, data *ren
 	go func(p *model.Narrative) {
 		defer wg.Done()

-		if live {
-			rel, err := filepath.Rel(config.ProjectRoot(), p.FullPath)
-			if err != nil {
-				rel = p.FullPath
-			}
-			fmt.Printf("%s -> %s\n", rel, filepath.Join("output", p.OutputFilename))
-		}
-
 		outputFilename := p.OutputFilename
 		// save preprocessed markdown
 		err = preprocessNarrative(data, p, filepath.Join(".", "output", outputFilename+".md"))
@@ -112,6 +104,13 @@ func renderNarrativeToDisk(wg *sync.WaitGroup, errOutputCh chan error, data *ren
 			errOutputCh <- err
 			return
 		}
+
+		rel, err := filepath.Rel(config.ProjectRoot(), p.FullPath)
+		if err != nil {
+			rel = p.FullPath
+		}
+		fmt.Printf("%s -> %s\n", rel, filepath.Join("output", p.OutputFilename))
+
 	}(narrative)
 }

--- a/internal/render/policy.go
+++ b/internal/render/policy.go
@@ -49,14 +49,6 @@ func renderPolicyToDisk(wg *sync.WaitGroup, errOutputCh chan error, data *render
 	go func(p *model.Policy) {
 		defer wg.Done()

-		if live {
-			rel, err := filepath.Rel(config.ProjectRoot(), p.FullPath)
-			if err != nil {
-				rel = p.FullPath
-			}
-			fmt.Printf("%s -> %s\n", rel, filepath.Join("output", p.OutputFilename))
-		}
-
 		outputFilename := p.OutputFilename
 		// save preprocessed markdown
 		err = preprocessPolicy(data, p, filepath.Join(".", "output", outputFilename+".md"))
@@ -110,6 +102,12 @@ func renderPolicyToDisk(wg *sync.WaitGroup, errOutputCh chan error, data *render
 			errOutputCh <- err
 			return
 		}
+
+		rel, err := filepath.Rel(config.ProjectRoot(), p.FullPath)
+		if err != nil {
+			rel = p.FullPath
+		}
+		fmt.Printf("%s -> %s\n", rel, filepath.Join("output", p.OutputFilename))
 	}(policy)
 }

--- a/internal/render/site.go
+++ b/internal/render/site.go
@@ -8,7 +8,6 @@ import (

 	"github.com/gorilla/websocket"
 	"github.com/pkg/errors"
-	"github.com/skratchdot/open-golang/open"
 	"github.com/yosssi/ace"
 )

@@ -103,10 +102,6 @@ func Build(output string, live bool) error {
 		close(wgCh)
 	}()

-	if live {
-		open.Run("output/index.html")
-	}
-
 	select {
 	case <-wgCh:
 		// success
--- a/internal/theme/themes_bindata.go
+++ b/internal/theme/themes_bindata.go
@@ -137,7 +137,7 @@ func complyBlankReadmeMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-blank/README.md", size: 1965, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-blank/README.md", size: 1965, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -157,7 +157,7 @@ func complyBlankTodoMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-blank/TODO.md", size: 1429, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-blank/TODO.md", size: 1429, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -277,12 +277,12 @@ func complyBlankTemplatesDefaultLatex() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-blank/templates/default.latex", size: 7649, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-blank/templates/default.latex", size: 7649, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }

-var _complyBlankTemplatesIndexAce = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xdc\x59\x6d\x6f\x1b\xb9\x11\xfe\xee\x5f\x31\x5d\x7f\x90\x84\x58\x5c\xdb\x57\x5c\x0f\x97\xee\x15\x8e\x9d\x43\x83\xf3\xc5\x46\x6d\x14\x28\x82\xa0\xa0\xc8\x91\x96\x36\x97\xdc\x90\x5c\xd9\x8a\xa2\xff\x5e\x90\xfb\xa2\xd5\x6a\x65\x1b\x8d\x5c\x14\xe7\x0f\x32\xc5\x97\x79\x66\x86\x0f\x87\x33\x54\x02\x5c\x33\xb7\xc8\x11\x52\x97\xc9\x03\xff\x01\x92\xaa\x59\x82\xea\x00\x20\x45\xca\x0f\x00\x00\x32\x74\x14\x58\x4a\x8d\x45\x97\x14\x6e\x3a\xfe\x29\x74\x3b\xe1\x24\xc2\x72\x49\xae\x8d\xbe\x43\xe6\xc8\x47\x9a\xe1\x6a\x15\xc6\xa4\x50\xf7\x60\x50\x26\x91\x75\x0b\x89\x36\x45\x74\x11\xa4\x06\xa7\x49\x94\x3a\x97\xdb\x9f\xe3\x98\x71\x75\x67\x09\x93\xba\xe0\x53\x49\x0d\x12\xa6\xb3\x98\xde\xd1\xc7\x58\x8a\x89\x8d\x27\x85\xcc\x68\x7c\x4c\x7e\x24\xa7\x31\xb3\xd5\x77\x92\x09\x45\x98\xb5\xd1\x5e\x51\xec\x03\x75\x2c\xad\xb0\x2c\x55\xdc\x3a\xad\xb0\x3d\xb6\x89\x6b\x99\x11\xb9\x03\xef\xb9\x24\x72\xf8\xe8\xe2\x3b\x3a\xa7\x65\x6f\x04\xd6\xb0\x17\xc3\x67\x3a\x43\xe5\xc8\x9d\x8d\x4f\xc9\xe9\x29\x39\xae\x3b\x3c\xdc\xdd\xde\xd1\x24\x75\x68\xe2\x13\xe2\x81\x42\xfb\x95\x70\x72\x83\xce\x2d\x98\xd1\x2a\x3e\x26\x27\x27\xe4\xb8\xd5\xb3\x01\x19\x98\xa5\x68\x86\x49\x34\x17\xf8\x90\x6b\xe3\x22\x60\x5a\x39\x54\x2e\x89\x1e\x04\x77\x69\xc2\x71\x2e\x18\x8e\xc3\x97\x23\x10\x4a\x38\x41\xe5\xd8\x32\x2a\x31\x39\x29\xc5\x24\xc0\xac\xad\x5a\x6b\x9d\x43\x07\x78\x8a\x17\xc1\xa7\x94\xf3\xf7\x73\x54\xee\x52\x58\x87\x0a\xcd\x30\xba\xb8\xfa\xfd\xbc\x04\xbb\xd4\x94\x23\x8f\x8e\x60\x5a\x28\xe6\x84\x56\x43\xf4\x53\x47\xb0\xac\xa4\xb4\xe4\x7c\x29\xd0\x2c\x6e\x50\x22\x73\xda\x9c\x49\x39\x1c\x10\x6f\xd8\x60\x44\xa6\xda\xbc\xa7\x2c\x1d\xae\x85\xc8\xb6\x04\x00\x94\x44\x28\x85\xe6\xef\xb7\xbf\x5f\x42\x02\xa5\x57\xce\xbd\x57\x9c\xbe\x71\x46\xa8\xd9\x70\x18\x45\x6f\xda\xd3\x46\xc4\x19\x91\x0d\x47\x47\xce\x14\x38\x82\x38\x86\x1f\xc7\x53\x81\x92\x03\x3e\xe6\x06\xad\x15\x5a\xd9\x06\x62\x35\x6a\x9a\x62\x0a\xc3\x07\xa1\xb8\x7e\x20\x52\x33\xea\xf5\x21\x29\xb5\x29\xfc\x29\x81\x28\xda\xd4\x6b\x4e\x0d\xf8\xb1\x73\x9d\xe5\x5a\xa1\x72\x16\x12\xe8\x5b\x4c\x6c\x2e\x85\x1b\x0e\x0e\x07\xa3\xd6\x72\x0f\xb5\xb9\x9c\x48\x54\x33\x97\xfe\x72\xb2\x89\x53\x22\x71\xb4\x4e\xa8\x20\x14\x92\x0e\xee\xa7\x93\xcf\x1b\xf3\xbd\xe8\x4f\x91\x9e\xa3\xf1\x04\x89\x8e\x22\x45\x8d\xa1\x4e\xcc\xd1\x46\x47\x51\xae\xa5\x60\xa2\x6c\x1a\xcd\x90\x17\x26\x7c\xb1\x8e\x2a\x4e\x0d\xb7\xd1\x67\x22\x14\xc7\xc7\xab\xe9\xb0\x85\x3a\x82\x5f\x12\x38\xee\xaa\x06\x60\x53\xfd\xb0\x31\x6f\x63\x7c\x75\xd0\xd7\xae\x5b\xab\xd1\x41\xd5\xaa\x77\xbf\x14\xe7\xd9\xdd\x46\x12\xd3\x61\x2a\xac\xd3\x66\x41\x0c\xe6\x92\x32\xbc\x71\xd4\x61\x57\x99\xbe\x39\x43\x55\x48\x79\x04\xe5\xe7\xe0\x70\xf0\x26\xc8\x7e\xdb\x52\xe5\xa0\xed\x66\xe1\x30\xf3\xfb\xd8\x10\x77\x86\xee\xbd\x44\xdf\xb4\xef\x16\xe7\x92\x5a\xeb\x23\xf6\x70\xe0\x74\x3e\x56\x74\xde\xda\xd2\xa9\x36\x30\x0c\x32\x92\xe3\xb7\x20\xfe\x1a\x44\x55\x7b\xfa\x16\xc4\x9b\x37\xdb\xf4\xf1\x53\x20\x29\x41\x3f\x89\xcf\x1d\x76\xf8\x6e\xe2\xe8\xcc\x03\x42\x92\x24\x10\x5d\x7e\x88\xba\x36\xc7\x31\x28\x3a\x17\xb3\x92\x19\x8e\x4e\xec\x16\x15\x82\x1c\xe6\x55\xf7\xa7\x98\xf8\x50\x41\x85\xb2\xa5\x97\xb7\x37\xb4\x33\x9d\x72\x3e\x1c\x08\x3b\xa6\xcc\x13\x68\xd0\xd9\x5e\x40\x69\xf1\x39\x11\x06\x33\x3d\xc7\x27\xa4\x1c\x3c\x23\x31\x8e\xc1\x62\xe0\xc7\x0e\xeb\x04\x0f\x0e\xea\xf2\xe6\x39\x6d\x52\xc1\x39\xaa\xff\xca\xa6\xda\x2d\xfd\x22\x9e\x66\xfd\x01\xc0\x44\xf3\x45\x79\x81\x94\x76\x91\x14\x8d\x26\xc2\x8e\x73\x23\x32\x6a\x16\xbe\x69\x33\x2a\x65\xb5\x26\x8c\x8f\x9b\x55\xa1\xab\xda\x48\x34\x2d\xb4\xf4\x84\x3c\x95\x62\x94\x7f\x39\xb1\xc5\xa4\x9c\x76\xed\x83\xc1\xe2\x08\xae\xeb\x48\x70\x04\x54\x71\x38\x2b\xb8\x70\xe0\x0f\x50\x61\x37\x34\x98\x6a\xed\x1a\x49\x8a\xce\x89\x67\x9c\x57\x76\xa2\x1f\x91\xfb\xc6\xb4\x90\x32\xdc\x3b\x2d\xc0\x5e\x55\x01\x0a\x19\xcc\x14\x5f\x71\xfc\xe7\x8e\xb7\xa5\x20\xd5\x09\x23\x75\x1c\xeb\xcc\x00\xb0\xce\x68\x35\xdb\xea\x06\xa0\xa0\x15\x93\x82\xdd\x27\xd1\xfa\x66\xfb\x39\x44\x96\x41\x2d\x6d\x30\x8a\xe0\xaa\x5f\x72\x0b\x7b\x1d\x38\xf7\x83\xbe\x96\xe7\xf1\x3f\xee\x92\xde\xd2\xa0\x8e\xd6\xfb\xc1\xaf\xa5\x79\xf4\xeb\x7e\xc9\x6d\xec\xe6\x7a\xd8\x13\x7a\x23\x2f\xe0\xef\x92\xde\xd2\xa0\xb9\x93\xf6\xa3\x40\x23\xce\xe3\xdf\xec\x90\x1d\xb7\x15\xc0\xb9\xe0\xa8\x18\x6e\xcd\x79\x1a\xa8\x5e\xe6\x71\xde\x57\x6d\xf8\x27\x2d\x64\x79\x78\x0e\x6b\x16\x92\xfa\xf8\xd7\x78\xcd\x41\x21\x55\x46\x57\x01\x4f\xa4\x66\xf7\x5f\x0a\xed\xd6\x9a\xa4\x3f\xc0\x6d\x2a\x2c\x58\xe1\xd0\xe7\x7f\x56\x4b\xc1\xa9\x43\x0b\x54\xca\xe6\x02\xb3\x3e\xd7\xa7\x0e\x39\x38\x0d\x2e\xdd\x1d\x18\xd2\xfa\x6c\x12\xa6\x65\x91\xa9\x70\xaa\xe7\x0c\x95\x43\x83\xbc\x1d\x75\xfc\xa8\x1f\xd4\x0a\xc7\x2e\x15\x86\xb7\x9c\xc3\xc5\x7c\xc3\x55\xeb\x50\xe3\x57\xfc\xe0\xf3\xa1\xb1\x4f\x93\xc7\xb5\x60\xf0\xc9\xa4\xd1\x12\x6e\x0d\x65\xf7\xa2\xb5\xa5\x35\xd2\xd6\x92\x27\xe1\x7c\x01\x26\xd4\x0c\x6e\xa8\x13\x76\x2a\xd6\x00\xb6\x33\x31\x28\xd5\xd9\xd6\xe5\x92\xf8\x98\x67\x49\xbd\xa6\x91\xd2\x8a\x9f\xdf\xa7\xd7\xad\x76\x54\x7e\x97\x4e\x41\x42\xa3\xcf\xff\x78\xb7\x9a\x43\xbb\xef\xfd\x3a\x0b\x89\x01\xdc\x0a\x76\x8f\xee\x25\x7e\xa1\xe0\xa8\x99\xa1\x4b\xfe\x3d\x91\x54\xdd\x57\x15\xec\x72\x49\x2e\x85\xba\xb7\xa4\x51\xf4\x2a\x47\xb5\x5a\x45\x5b\x91\xa2\xf1\x6b\x67\xe6\x9e\xec\xb9\x92\x3e\x27\xae\xec\x79\x91\x39\x3d\x0a\x05\x19\x17\x74\x61\x57\x2b\xe0\x74\x61\xf7\xb4\xe7\x4f\x9a\xb4\xc5\x82\x2a\x19\xd8\xf3\x7e\x7b\x67\xc3\x3f\xf0\x4b\x81\x76\x1f\xdb\x1d\x74\x7c\x76\xab\x5b\xb3\xf6\x7a\x9c\xf7\x6c\xc7\x99\x94\xcf\x9b\xb1\xb7\x30\xd0\x1a\x74\x0f\xba\x1c\xb4\x4f\xba\x23\x86\xdc\xe8\x99\xaf\xa3\x49\xd3\x58\xa7\xae\x30\xa7\xb2\xc0\x64\x53\xdb\x73\xa9\xad\x8f\xa2\x90\xd1\xc7\x64\xb7\x21\x87\xeb\x04\xe9\xfb\xae\xc6\x76\xb6\xbb\xe1\xc8\x32\x6f\xd8\x95\x7a\x7d\xf3\x96\xf9\xfb\x1a\xa8\x82\xfa\x92\x06\x3d\x0d\x37\xa7\x36\x33\xaa\xc4\xd7\xb2\xd2\xf2\x59\xb2\xef\x64\x3a\xcb\xa5\xa0\xfe\x7e\x47\x35\x17\x46\xab\x50\x36\x56\x52\x1d\x9d\x48\x24\xe5\xe7\x76\xaa\xeb\x9a\xd7\xc2\xea\xfb\x66\x7a\xec\x52\xf0\x37\x74\xb7\xef\x8c\x19\xad\x16\x59\xb7\xfb\xfa\xe2\xd7\xb5\xe0\x8d\x42\xc1\x33\xc7\x50\x35\x43\x20\x6b\xb3\x61\xa3\x22\xe8\x22\x73\x4f\xb6\xad\xba\xa1\x1e\xa8\x34\xd8\x1a\xdb\xa2\x7a\x20\xf7\x72\x49\xae\x0a\x97\x17\xee\x57\x21\x51\x05\x99\x9b\x67\xa0\x8f\xe8\xdd\x15\x1b\xc6\xa0\xaa\xef\xe3\xc3\x3a\xa1\x7d\x5d\xb6\xf4\xa6\xca\xdf\x60\xe6\x19\xa2\x02\x0d\x26\x98\xd2\xb9\xd0\xc6\x73\xa5\x71\x1d\x60\x96\x4b\xbd\x40\x9f\x92\x29\x1e\xde\xe8\x0c\x65\x4e\x1b\xfb\xff\xca\x8f\xda\xd0\x3f\x0a\x3b\x9a\x12\xe3\x95\xf9\xd1\x5f\xca\xf8\x68\x82\xbe\x2e\x98\x20\xd8\x1c\x99\x98\x0a\x06\xd6\x61\x6e\xc1\xa5\xd4\x01\x35\x08\x8e\xde\xa3\x02\xa1\xc0\xa0\xcd\xb5\xb2\xe8\xf3\xf4\x7b\x5c\x40\x78\x4b\x7d\x55\xa2\x7c\xb8\xe8\xf6\xdc\xb0\x14\x79\x21\x11\x86\x7e\x0f\x61\xaa\x4d\x46\xdd\xe8\x05\xb4\x69\xec\xff\x1e\xe2\x7c\xb8\xe8\x74\x2f\x97\x62\x0a\xe4\xdc\x68\xb5\x35\x3f\xbc\x1e\xfb\x45\x3d\xa3\xcb\x25\x4a\xdb\x03\x71\xa5\x80\x63\x46\x15\xef\xce\x56\x7c\x37\x85\x9a\x92\xf1\x75\x19\xd4\x5f\x8c\x7e\xab\x68\xb3\xa8\xae\x9a\xb2\x00\x00\xdb\xd4\x36\x93\x45\xf7\x12\x0a\x17\x32\xcd\x9e\xe4\x4d\xff\x33\xcd\xf3\x24\xaa\x4b\xb5\xdf\x70\xf1\x12\x7e\x35\xc5\xd3\xdf\x76\x8e\xc0\xbb\xc5\xf3\xec\xaa\x0b\x9f\x17\x70\xab\x9a\xfa\x1b\x2e\x9e\x0b\x3f\x95\xdf\xfb\xf9\x08\xb0\x7e\x21\x5b\x2e\xc9\x05\x96\xc5\xbd\xe8\xa1\x9a\x67\x68\x5f\x95\x58\x82\x06\x9f\x17\x8c\xa1\xb5\xf0\xaf\x4e\x74\xd8\x45\xd3\x8f\xfa\x19\x7e\xf6\x58\xd3\xf8\xaa\x51\xe5\x5d\xd7\x03\x00\xb4\x61\xc0\x5f\x9a\xd8\xfb\x92\x68\xbb\x25\x68\xf7\x91\x09\x5d\x53\xad\x1d\x1a\x52\xfe\x5b\xe7\xa7\xdd\x17\xc0\xfa\xd8\x3c\x99\x6a\xe6\xed\xf7\x8a\xab\x56\x02\x56\xdd\xb0\xe7\x5a\x4d\x05\x47\xe5\x04\x95\x70\x7a\x7c\xf2\xd3\x41\xcf\xef\x59\x71\xec\x4f\x88\xcf\xcb\x90\x87\x67\x7a\x8e\x73\x94\x3a\xcf\xea\x43\xbb\xeb\x67\x9f\x24\x69\xff\xe8\xd3\x7d\x40\x0c\xdd\xab\xff\x04\x00\x00\xff\xff\x60\x35\xff\xbd\x10\x1e\x00\x00")
+var _complyBlankTemplatesIndexAce = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xdc\x59\x6d\x6f\x1b\xb9\x11\xfe\xee\x5f\x31\xd8\x7c\x90\x8c\x58\x94\x9d\x2b\xae\x87\xbb\xee\x15\x89\x9d\x43\x83\xcb\xc5\x41\x1d\x14\x28\x82\x43\x41\x91\x23\x2d\x6d\x2e\xb9\x21\x67\x65\xeb\x14\xff\xf7\x82\xdc\x17\xad\x56\x2b\xdb\x68\xe4\xa2\xa8\x3f\xc8\x14\x5f\xe6\x99\x19\x3e\x1c\xce\x50\x29\x48\x2b\x68\x55\x20\x64\x94\xeb\xa3\xf0\x01\x9a\x9b\x45\x8a\xe6\x08\x20\x43\x2e\x8f\x00\x00\x72\x24\x0e\x22\xe3\xce\x23\xa5\x25\xcd\x27\x3f\xc4\x6e\x52\xa4\x11\xd6\x6b\xf6\xd1\xd9\x6b\x14\xc4\x3e\xf0\x1c\xef\xef\xe3\x98\x56\xe6\x06\x1c\xea\x34\xf1\xb4\xd2\xe8\x33\x44\x4a\x20\x73\x38\x4f\x93\x8c\xa8\xf0\x3f\x4e\xa7\x42\x9a\x6b\xcf\x84\xb6\xa5\x9c\x6b\xee\x90\x09\x9b\x4f\xf9\x35\xbf\x9b\x6a\x35\xf3\xd3\x59\xa9\x73\x3e\x3d\x65\xdf\xb3\x57\x53\xe1\xeb\xef\x2c\x57\x86\x09\xef\x93\x83\xa2\xf8\x5b\x4e\x22\xab\xb1\x3c\x37\xd2\x93\x35\xd8\x1d\xdb\xc6\xf5\xc2\xa9\x82\x20\x78\x2e\x4d\x08\xef\x68\x7a\xcd\x97\xbc\xea\x4d\xc0\x3b\xf1\x64\xf8\xdc\xe6\x68\x88\x5d\xfb\xe9\x2b\xf6\xea\x15\x3b\x6d\x3a\x02\xdc\xf5\xc1\xd1\x34\x27\x74\xd3\x33\x16\x80\x62\xfb\x99\x70\x0a\x87\x44\x2b\xe1\xac\x99\x9e\xb2\xb3\x33\x76\xda\xe9\xd9\x82\x8c\xcc\x32\x3c\xc7\x34\x59\x2a\xbc\x2d\xac\xa3\x04\x84\x35\x84\x86\xd2\xe4\x56\x49\xca\x52\x89\x4b\x25\x70\x12\xbf\x9c\x80\x32\x8a\x14\xd7\x13\x2f\xb8\xc6\xf4\xac\x12\x93\x82\xf0\xbe\x6e\x6d\x74\x8e\x1d\x10\x28\x5e\x46\x9f\x72\x29\xdf\x2e\xd1\xd0\x7b\xe5\x09\x0d\xba\x71\x72\x71\xf9\xdb\x79\x05\xf6\xde\x72\x89\x32\x39\x81\x79\x69\x04\x29\x6b\xc6\x18\xa6\x1e\xc3\xba\x96\xd2\x91\xf3\xa5\x44\xb7\xba\x42\x8d\x82\xac\x7b\xad\xf5\x78\xc4\x82\x61\xa3\x63\x36\xb7\xee\x2d\x17\xd9\x78\x23\x44\x77\x25\x00\xa0\x66\xca\x18\x74\x7f\xfb\xf4\xdb\x7b\x48\xa1\xf2\xca\x79\xf0\x0a\xd9\x2b\x72\xca\x2c\xc6\xe3\x24\x79\xd9\x9d\x76\xcc\xc8\xa9\x7c\x7c\x7c\x42\xae\xc4\x63\x98\x4e\xe1\xfb\xc9\x5c\xa1\x96\x80\x77\x85\x43\xef\x95\x35\xbe\x85\xb8\x3f\x3e\x6a\x1b\x75\xab\x51\x06\x7c\x66\x6f\xc7\xc1\xd9\x5d\x9d\xd4\x1c\xc6\x99\xf2\x64\xdd\x8a\x39\x2c\x34\x17\x78\x45\x9c\x70\x5b\x6f\x80\xa1\x39\x63\x53\x6a\x7d\x02\xd5\xe7\xe8\xc5\xe8\x65\x14\xbe\xd1\xe5\xa8\x6d\x2e\xb9\x03\x45\x98\x7b\x48\x37\x7e\x5c\x20\xbd\xd5\x18\x9a\xfe\xcd\xea\x5c\x73\xef\x43\x00\x19\x8f\xc8\x16\x13\xc3\x97\xa3\x8d\xa4\xb9\x75\x30\x8e\x32\xd2\xd3\x9f\x40\xfd\x25\x8a\x62\x1a\xcd\x82\xb2\x9f\x40\xbd\x7c\xb9\xad\x6d\x83\x06\x69\x05\xfa\x59\xfd\xde\x19\x0d\x16\x87\x6e\x46\x7c\x11\x00\x21\x4d\x53\x48\xde\xbf\x4b\xfa\x26\x4f\xa7\x60\xf8\x52\x2d\x78\xf4\x1e\xf1\x99\xdf\x1a\x6e\xe5\x88\xa0\x7a\x20\x15\x0b\xcc\xe5\xca\xf8\xca\xcb\x7d\x79\x00\xbd\xe9\x5c\xca\xf1\x48\xf9\x09\x17\xa4\x96\xd8\xb1\x37\x7a\x0f\x50\x7b\x7c\x4c\x84\xc3\xdc\x2e\xf1\x01\x29\x47\x8f\x48\x9c\x4e\xc1\x63\xe4\xc7\x1e\xeb\x94\x8c\x0e\xea\xf3\xe6\x31\x6d\x32\x25\x25\x9a\xff\xc8\xa6\xc6\x2d\xc3\x22\x8e\x86\xda\x4d\x2b\xfc\x9f\x59\xb9\xaa\xe2\x59\x65\x17\xcb\xd0\x59\xa6\xfc\xa4\x70\x2a\xe7\x6e\x15\x9a\x3e\xe7\x5a\xd7\x6b\xe2\xf8\xa4\x5d\x15\xbb\xea\x8d\x44\xd7\x41\xcb\xce\xd8\x43\x37\x5e\xf5\x57\x30\x5f\xce\xaa\x69\x1f\xad\x56\x62\x75\x02\x1f\x9d\x15\x28\x4b\x87\x27\xc0\x8d\x84\xd7\xa5\x54\x04\xe1\xfc\x94\x7e\x4b\x83\xb9\xb5\xd4\x4a\x32\x7c\xc9\x02\xe3\x82\xb2\x33\x7b\x87\x32\x34\xe6\xa5\xd6\x31\x0c\x76\x00\x07\x55\x05\x28\x75\x34\x53\xfd\x81\x93\x3f\xf5\xbc\xad\x15\xab\x4f\x18\xb3\x4b\x74\x21\xee\xf6\x66\x00\x78\x72\xd6\x2c\x76\xba\x01\x38\x58\x23\xb4\x12\x37\x69\xb2\x09\xb4\x3f\xc6\xc8\x32\x6a\xa4\x8d\x8e\x13\xb8\x1c\x96\xdc\xc1\x36\xdc\x39\x1e\x18\xeb\x0f\x83\xbe\x91\x17\xf0\x3f\xec\x93\xde\xd1\xa0\x08\x1b\xa4\x0e\x85\xdf\x48\x0b\xe8\x1f\x87\x25\x77\xb1\x1b\x52\x1c\x0a\xbd\x95\x17\xf1\xf7\x49\xef\x68\xe0\x89\x1b\xc9\x9d\x3c\x90\x02\xad\xb8\x80\x7f\xb5\x47\xf6\xb4\xab\x00\x2e\x95\x44\x23\x70\x67\xce\xc3\x40\xcd\xb2\x80\xf3\xb6\x6e\xc3\x3f\x78\xa9\xab\xc3\xf3\xa2\x61\x21\x6b\x8e\x7f\x83\xd7\x1e\x14\x56\x27\x18\x35\xf0\x4c\x5b\x71\xf3\xa5\xb4\xb4\xd1\x24\xfb\x0e\x3e\x65\xca\x83\x57\x84\x21\x1d\xf1\x56\x2b\xc9\x09\x3d\x70\xad\xdb\x0b\xcc\x87\xd4\x93\x13\x4a\x20\x0b\x94\xed\x0f\x0c\x59\x73\x36\x99\xb0\xba\xcc\x4d\x3c\xd5\x4b\x81\x86\xd0\xa1\xec\x46\x9d\x30\x1a\x06\xad\xc1\x09\x65\xca\xc9\x8e\x73\xa4\x5a\x6e\xb9\x6a\x13\x6a\xc2\x8a\xef\x58\xc6\xfd\x24\x64\x6d\x93\x46\x30\x84\xdc\xc6\x59\x0d\x9f\x1c\x17\x37\xaa\xb3\xa5\x0d\xd2\xce\x92\x07\xe1\x42\x3d\xa0\xcc\x02\xae\x38\x29\x3f\x57\x1b\x00\xdf\x9b\x18\x95\xea\x6d\xeb\x7a\xcd\x42\xcc\xf3\xac\x59\xd3\x4a\xe9\xc4\xcf\x6f\xd3\xeb\x93\x25\xae\xbf\x49\xa7\x28\xa1\xd5\xe7\xbf\xbc\x5b\xed\xa1\x3d\xf4\x7e\xbd\x8e\x89\x01\x7c\x52\xe2\x06\xe9\x29\x7e\xe1\x40\xdc\x2d\x90\xd2\x7f\xcd\x34\x37\x37\x75\x41\xb5\x5e\xb3\xf7\xca\xdc\x78\xd6\x2a\x7a\x59\xa0\xb9\xbf\x4f\x76\x22\x45\xeb\xd7\xde\xcc\x03\xd9\x73\xa9\x25\x7a\xaa\xed\x79\x92\x39\x03\x0a\x45\x19\x17\x7c\xe5\xef\xef\x41\xf2\x95\x3f\xd0\x9e\x3f\x68\xd2\x0e\x0b\xea\x64\xe0\xc0\xfb\x1d\x9c\x0d\x7f\xc7\x2f\x25\xfa\x43\x6c\x77\xd4\xf1\xd1\xad\xee\xcc\x3a\xe8\x71\x3e\xb0\x1d\xaf\xb5\x7e\xdc\x8c\x83\x85\x81\xce\x20\xdd\xda\x6a\xd0\x3f\xe8\x8e\x29\x14\xce\x2e\x42\x59\xc7\xda\xc6\x26\x75\x85\x25\xd7\x25\xa6\xdb\xda\x9e\x6b\xeb\x43\x14\x85\x9c\xdf\xa5\xfb\x0d\x79\xb1\x49\x90\xbe\xed\x6a\xec\x66\xbb\x5b\x8e\xac\xf2\x86\x7d\xa9\xd7\xd7\x60\x59\xb8\xaf\x81\x1b\x68\x2e\x69\xb0\xf3\x78\x73\x5a\xb7\xe0\x46\xfd\x51\x55\x5a\x21\x4b\x0e\x9d\xc2\xe6\x85\x56\x3c\xdc\xef\x68\x96\xca\x59\x13\xcb\xc6\x5a\x2a\xf1\x99\x46\x56\x7d\xee\xa6\xba\xd4\x3e\x5e\xd5\xdf\xb7\xd3\x63\xca\x20\xdc\xd0\xfd\xbe\xd7\xa1\x8e\x5f\xe5\xfd\xee\x8f\x17\xbf\x6c\x04\x6f\x15\x0a\x81\x39\x8e\x9b\x05\x02\xdb\x98\x0d\x5b\x15\x41\x1f\x59\x06\xb2\xed\xd4\x0d\xcd\x40\xad\xc1\xce\xd8\x0e\xd5\x23\xb9\xd7\x6b\x76\x59\x52\x51\xd2\x2f\x4a\xa3\x89\x32\xb7\xcf\xc0\x10\xd1\xfb\x2b\xb6\x8c\x41\xd3\xdc\xc7\x2f\x9a\x84\xf6\x79\xd9\x32\x98\x2a\x7f\x85\x45\x60\x88\x89\x34\x98\x61\xc6\x97\xca\xba\xc0\x95\xd6\x75\x80\x79\xa1\xed\x0a\x43\x4a\x66\x64\x7c\x32\x72\x5c\x90\x75\xfe\x7f\x95\x1f\x8d\xa1\xff\x2f\xec\x68\x4b\x8c\x67\xe6\xc7\x70\x29\x13\xa2\x09\x86\xba\x60\x86\xe0\x0b\x14\x6a\xae\x04\x78\xc2\xc2\x03\x65\x9c\x80\x3b\x04\xe2\x37\x68\x40\x19\x70\xe8\x0b\x6b\x3c\x86\x3c\xfd\x06\x57\x10\x9f\xf6\x9e\x95\x28\xef\x2e\xfa\x3d\x57\x22\x43\x59\x6a\x84\x71\xd8\x43\x98\x5b\x97\x73\x3a\x7e\x02\x6d\x5a\xfb\xbf\x85\x38\xef\x2e\x7a\xdd\xeb\xb5\x9a\x03\x3b\x77\xd6\xec\xcc\x8f\x8f\x99\x61\xd1\xc0\xe8\x7a\x8d\xda\x0f\x40\x5c\x1a\x90\x98\x73\x23\xfb\xb3\x8d\xdc\x4f\xa1\xb6\x64\x7c\x5e\x06\x0d\x17\xa3\x5f\x6b\xda\xac\xea\xab\xa6\x2a\x00\xc0\xb7\xb5\xcd\x6c\xd5\xbf\x84\xe2\x85\xcc\xf3\x07\x79\x33\xfc\x4c\xf3\x38\x89\x9a\x52\xed\x57\x5c\x3d\x85\x5f\x6d\xf1\xf4\xd7\xbd\x23\xf0\x66\xf5\x38\xbb\x9a\xc2\xe7\x09\xdc\xaa\xa7\xfe\x8a\xab\xc7\xc2\x4f\xed\xf7\x61\x3e\x02\x6c\x5e\xc8\xd6\x6b\x76\x81\x55\x71\xaf\x06\xa8\x16\x18\x3a\x54\x25\x56\xa0\xd1\xe7\xa5\x10\xe8\x3d\xfc\xb3\x17\x1d\xf6\xd1\xf4\x83\x7d\x84\x9f\x03\xd6\xb4\xbe\x6a\x55\x79\xd3\xf7\x00\x00\x6f\x19\xf0\xe7\x36\xf6\x3e\x25\xda\xee\x08\xda\x7f\x64\x62\xd7\xdc\x5a\x42\xc7\xaa\x7f\x9b\xfc\xb4\xff\x02\xd8\x1c\x9b\x07\x53\xcd\xa2\xfb\x5e\x71\xd9\x49\xc0\xea\x1b\xf6\xdc\x9a\xb9\x92\x68\x48\x71\x0d\xaf\x4e\xcf\x7e\x38\x1a\xf8\x79\x45\xcd\x61\x7c\xab\x8c\xb4\xb7\x4c\x5b\xc1\xab\xf7\x56\xee\xb3\x34\x4d\x3a\xef\xe9\xfd\xf7\xc1\xd8\xdd\x7b\x0c\x5e\x72\x07\x61\xe5\xb9\xcd\x0b\x6b\xe2\xf3\x4a\x0a\x43\xa2\x99\x2f\xb4\xa2\xf1\xe8\x45\xfb\x32\x1c\x7f\xc3\xd8\x5a\x5a\xff\x36\xf0\xf3\x59\xf7\xc9\x3a\x20\x84\xaa\x4f\x99\x2a\xcf\x4c\x7b\x78\x9f\xcf\x36\x3f\x13\x04\x91\x9f\x93\x46\xe3\xe4\x24\xd9\x64\xcf\xc9\x49\xd2\xa4\x46\xa1\xd9\xc6\xe7\xe4\x24\x69\x23\x5a\xf2\x3b\x53\x46\xe2\xdd\xe5\x7c\xdc\x41\x3c\x86\x9f\x53\x38\xdd\x7e\x45\x8f\xae\xe9\xce\x69\xc7\xba\x6f\xda\x00\xf7\xff\x0e\x00\x00\xff\xff\x7b\xf4\xc8\x89\xac\x1d\x00\x00")

 func complyBlankTemplatesIndexAceBytes() ([]byte, error) {
 	return bindataRead(
@@ -297,7 +297,7 @@ func complyBlankTemplatesIndexAce() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-blank/templates/index.ace", size: 7696, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-blank/templates/index.ace", size: 7596, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -317,7 +317,7 @@ func complySoc2ReadmeMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/README.md", size: 1965, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/README.md", size: 1965, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -337,7 +337,7 @@ func complySoc2TodoMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/TODO.md", size: 1429, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/TODO.md", size: 1429, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -357,7 +357,7 @@ func complySoc2NarrativesReadmeMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/narratives/README.md", size: 96, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/narratives/README.md", size: 96, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -377,7 +377,7 @@ func complySoc2NarrativesControlMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/narratives/control.md", size: 387, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/narratives/control.md", size: 387, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -397,7 +397,7 @@ func complySoc2NarrativesOrganizationalMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/narratives/organizational.md", size: 2378, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/narratives/organizational.md", size: 2378, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -417,7 +417,7 @@ func complySoc2NarrativesProductsMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/narratives/products.md", size: 232, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/narratives/products.md", size: 232, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -437,7 +437,7 @@ func complySoc2NarrativesSecurityMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/narratives/security.md", size: 327, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/narratives/security.md", size: 327, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -457,7 +457,7 @@ func complySoc2NarrativesSystemMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/narratives/system.md", size: 257, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/narratives/system.md", size: 257, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -477,7 +477,7 @@ func complySoc2PoliciesReadmeMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/README.md", size: 71, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/README.md", size: 71, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -497,12 +497,12 @@ func complySoc2PoliciesAccessMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/access.md", size: 200, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/access.md", size: 200, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }

-var _complySoc2PoliciesApplicationMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x1c\x8b\xb1\x8a\xc3\x30\x10\x05\xfb\xfd\x8a\x07\x57\xeb\x38\xbb\x38\x82\x3a\xa3\x2a\xa9\x4c\x94\x1f\x58\x64\x25\x6c\xb0\x76\x8d\x25\x07\xfc\xf7\xc1\xae\x06\x86\x19\xe5\x92\x3d\x86\x65\x99\x25\x71\x13\x53\xc4\x9c\xb6\x55\xda\x8e\xd1\x66\x49\x3b\x71\x5a\x4d\xf7\xe2\x31\xc4\x91\x2a\x37\xa9\x4f\xc9\xd5\x13\xf0\x88\xe1\x00\xe0\x10\xc2\xff\x6f\x4f\x85\xdf\xb6\xde\xf3\x47\xaa\x98\x9e\x89\xc3\xc4\x2d\x7b\xdc\x36\x45\x87\xfe\xaf\xbb\x9c\x43\xb2\x52\xb2\x36\x8f\xab\x4a\x13\x9e\x31\x59\xda\x0e\x43\xce\x39\xa2\x1f\x04\x2b\xa2\x2f\x44\x33\xfd\x06\x00\x00\xff\xff\x42\x28\xec\xa1\xa2\x00\x00\x00")
+var _complySoc2PoliciesApplicationMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xc4\x59\xcd\x72\xe4\xc6\x91\xbe\xf3\x29\x32\x62\x2f\xc3\x88\x66\x6b\xa5\xd8\xd8\x50\x8c\x4e\xdc\x19\xad\x45\x87\xa4\x19\x73\xc6\xd6\xb9\xba\x2a\xd1\x48\xb1\x50\x05\xd5\x4f\x37\xa1\x93\x5f\xc3\xaf\xe7\x27\x71\x64\x56\x01\x28\x34\x9b\xb2\x1c\x3e\xf8\xc4\x60\x03\x95\x95\xbf\x5f\x7e\x99\x70\x6a\xc0\xb7\x70\x3f\x8e\x96\xb4\x4a\xe4\x1d\x7c\x42\x9d\x03\xa5\x09\x3e\x7a\x4b\x7a\xba\x51\x3a\x78\x37\x0d\x6f\xe1\xfe\xd3\xc7\x9b\xa8\x12\xc5\x8e\x30\xbe\xbd\x01\xf8\xfc\xe9\x1d\xff\x01\xb8\x83\x77\xef\xfe\x77\xff\xd5\xcd\xa0\x7e\xf6\xe1\x11\x4f\x14\xc9\x3b\x79\xe5\x0e\x8c\x4a\xf8\x16\xfe\x98\x1d\x7c\x09\x5f\xfd\xf7\x97\x5f\xcb\x01\xed\x87\x01\x5d\x7a\x0b\x0f\x8e\x12\x29\x0b\xc6\xeb\xcc\xbf\xdc\xdc\xdd\xdd\xdd\xdc\xfc\x17\x7c\xcc\x61\xf4\x11\x41\x39\x03\x9f\xb4\x1f\xf1\xe6\x46\xed\xe1\x73\x4f\x11\x54\xa3\x6b\x9c\x75\x1d\x45\x57\x30\xd8\x91\xc3\x08\xa9\xc7\xf5\x59\x17\xd4\x80\x67\x1f\x9e\x44\x5a\xc0\x5f\x32\x05\xe4\xcb\x22\x74\x3e\xb4\xf2\xe2\x0e\x9c\x4f\xea\x60\x27\x38\xe3\xe1\xe2\xc9\x99\x52\x4f\x4e\x44\xfb\x70\x54\x8e\x7e\x95\x27\x7f\xff\xeb\xdf\x22\x8c\xc1\x9b\xac\x45\x25\x74\x27\x0a\xde\xb1\xfc\xfd\xaa\xf4\x6c\x1f\x28\x1b\x3d\xbf\x7e\x22\x83\x11\x68\x18\xad\xa8\x42\xee\x08\xda\xbb\x14\xbc\x8d\xa2\x26\xb9\x98\x42\x11\x59\xd4\xbc\x50\x68\x31\x6f\x07\xc9\x03\x39\x6d\xb3\x41\x18\x31\x90\x37\xa4\xe1\x94\xad\xc3\xa0\x0e\x64\xd9\x03\x51\x2b\x57\xc4\xfa\xd4\x63\x80\x34\x8d\x18\xc1\x77\x80\x27\x65\x73\x31\x50\x1e\xab\x18\x31\x46\xf1\x4d\xa3\x7c\x75\xae\xdc\xce\xce\xf5\xa0\xac\xdd\x78\xe7\x37\x9c\xf3\x8a\x6f\x76\xa0\x22\x9c\x91\xe5\x44\x50\x66\x20\x47\x31\x05\x95\x7c\x28\x9a\xe4\x88\x41\x54\x4c\x3d\x72\x1e\x34\x97\x55\xad\xd2\x34\x92\x56\xd6\x4e\xb3\xf5\x11\x70\x18\xad\x9f\x10\x8b\x08\xf1\xa7\xd2\x2c\x72\xcf\x39\xf5\x7f\x4a\x3f\x1d\x83\xcf\xce\x88\x69\x6d\xce\xb7\xee\x12\x13\x17\xd9\x4a\x6b\x9f\x5d\x92\x10\xb0\x75\x56\x85\x23\xc6\x04\x2e\x0f\x07\x0c\xac\x20\xd5\x14\x56\x29\x29\xfd\x04\x27\xd4\xc5\x88\x2e\x61\x80\x41\xd9\xb3\x0a\x08\xe4\x3a\xd4\x55\xfb\xfb\x08\x0a\x02\xc6\x6c\xd3\x0e\x28\x01\x49\x1e\xf8\x90\x94\x4b\x90\x7a\x95\xb6\xae\xe5\xe3\x06\x23\x1d\x1d\x1a\xf1\xf3\x9a\xd9\xe4\x60\x20\x67\x76\x62\xae\x9c\x4c\x3d\x4e\x72\x82\x43\xce\x07\x66\x47\x90\xcb\x3e\x47\x3b\xc1\xe0\x1d\x25\x1f\xd0\x88\x49\x83\xb2\xa4\xc9\xe7\x08\x4a\x27\x3a\xb1\x50\x91\xa3\x7d\xb6\x9c\x84\x86\xd5\x40\x50\x10\xa7\x98\x70\xe0\xc2\x1d\x83\x1f\x28\xe2\x1e\xde\x53\xd4\xfe\x84\x61\x92\x4b\x62\x3e\x44\xfc\x25\x73\x8e\x0f\x94\xe8\x58\x1c\xeb\xbb\x4d\xd2\x5e\xfa\xf9\x4c\xd6\x82\xa5\x81\xd2\xf5\xba\xaa\x3e\x8d\x39\x74\x4a\x63\xb1\x13\x5d\xcc\x81\x43\x0c\x07\x15\xd1\x92\x43\xb0\x78\x42\xcb\x77\x2d\x9e\x61\xd0\x8a\x51\xf2\xb4\x68\x5e\xf3\xf9\xc1\x81\x32\x86\x44\x99\xe4\x8b\x97\xb8\xf6\x8e\x99\x8c\x72\x7c\x45\x6a\x33\x9e\x8b\x75\xc1\x14\xd4\xbd\xe3\xac\xd8\x42\x08\xab\x34\x06\xaf\xd1\x88\x56\x2c\xb5\x68\xf8\x4a\x28\xc7\xe0\x47\x0c\x76\x82\x5e\x05\x83\x1c\x22\x72\x92\x65\x41\x14\xb8\x88\xf0\x81\x73\x6d\xe4\x2c\x26\x8d\x25\x8d\x1f\xb1\xc3\x80\x4e\x63\x14\x8b\xde\xab\xa4\xe0\x9d\x55\x31\x52\x37\xbb\xb9\x22\x37\x3f\xfe\xf0\xd3\xfd\xa7\x8f\xf0\x48\xf1\x09\x1e\x95\xc0\xcc\x0f\x98\x7a\x6f\xbc\xf5\xc7\xf6\x8d\xcf\x18\xe5\xe9\x1f\x32\x19\x6c\x7f\xf7\x23\x7c\x46\x07\x1f\x83\xff\x19\x75\x12\x6c\x5e\xa5\x7f\xbe\x08\x1a\x0c\x39\xa6\xad\xfd\x97\x48\x41\x09\x0c\x87\xcb\x8f\xe2\xbb\x2f\x18\x81\xb5\xf8\xb3\xf8\x47\x4c\x47\x3b\x71\xd6\x76\x74\xcc\xa1\x26\xf1\xa0\x9c\x3a\xa2\xd9\x2f\xf7\x76\xde\x5a\x7f\x66\x9d\x5f\xf1\x56\x51\xe6\x80\x2c\x29\x92\xc1\x2a\x69\x07\xd4\x41\x87\x2a\xd2\xc1\x72\x4a\x09\xaa\x19\x81\x21\x18\x54\x4a\xa5\xaa\x39\x1d\x1b\xbd\x25\x1b\x97\x7b\x4a\x39\xbe\xbd\x91\x5e\x46\x35\x06\xbd\x72\xc6\x6e\x95\x85\xc3\x74\x29\x68\x55\xaa\x86\xec\x7a\x02\xf0\xa9\xd7\x23\x0b\x6f\xc2\x9c\x04\xf0\x46\xdd\xde\xee\x17\x4d\x1e\x5e\x68\x5e\x92\x93\x71\xbd\x78\xd4\x70\xb7\x51\x96\x11\xc9\x87\x41\x5e\xd9\x81\xda\x3e\x0b\xc8\xda\xc0\x81\x21\x24\x2c\x1a\x4b\xe1\x3b\x74\xc9\x4e\x60\x28\x8e\x56\x4d\x8c\x48\x3d\xe9\x1e\x7a\x3a\xf6\x96\x8e\x7d\x2a\xbd\x97\x1b\x0c\x7b\x71\x23\xd5\xb0\x3d\x07\xe4\x88\x29\x2d\x2a\x19\x78\x83\xfb\xe3\x7e\xc7\x7d\x2b\x7a\xc7\x80\x7b\x57\x5e\xef\x48\x1d\x2c\xb6\x4a\xc2\x9b\x8f\x0f\x0f\xb7\x3b\xd6\x22\xa1\x4e\x68\xa0\x47\x65\x53\x7f\xf1\xce\x77\xfc\x0e\x26\xbd\xbf\x5d\x7c\xf2\x09\x5d\xa4\x44\x27\x14\x0d\x76\x80\x71\x44\x4d\x82\xee\xa2\x92\xfc\xdb\x55\xbc\x0f\x18\x53\x20\x91\x7f\x98\xc0\xaa\x33\xf8\x30\xc3\x41\x55\x36\x7a\x3e\xbd\x66\x43\x69\x05\x71\x07\xa3\x8a\xf1\xec\x83\x89\x05\xa8\x74\x40\x43\x09\xb4\x0a\x46\x2e\xba\x85\xd8\x0b\xac\x3a\x2f\xfe\x5c\x7d\x48\x0e\x46\xab\xc8\x25\x7c\x4e\x6b\x2c\xbf\x7d\x0d\x46\x4e\xca\x12\xd3\x2a\x20\x37\xe6\xb4\x22\x4a\xa1\x37\x45\x7f\x3a\xa1\x9d\x76\x5c\x7e\xa5\x46\xbc\xb3\x9c\x8b\xcc\xa9\x96\xee\x5f\x8e\x17\xf9\x01\xe1\xc9\xf9\xb3\xa0\xa2\x94\x4c\x08\xa8\xd3\x1e\xbe\x7d\x56\xcc\x51\xe2\xdc\x64\x77\x70\xc8\xe5\x75\xb6\x42\xa0\x1b\x0d\x1f\x12\xc0\xbd\x8b\x94\xb8\xf7\x04\x1a\x19\x4d\xf8\xe5\xae\xe3\x82\x3a\x61\xe8\xac\x3f\x03\x86\xe0\x43\xf5\x0f\xb9\x9f\x4b\x4f\x84\xce\xaa\x73\xfc\x1d\x86\xe3\x33\xea\x9c\x66\x0c\x2d\xc2\x4a\xdd\x09\x0c\xf8\x72\xa4\xdc\x51\x7a\x0b\x2b\x59\xd9\x16\x18\x4c\x8a\xb8\x42\x6b\x2f\x6b\x13\x87\x39\x8d\x83\xec\xc6\x40\x27\xb2\xc8\xb5\xcb\x0c\x64\x07\x06\xdd\x04\x11\xc3\x89\xb8\x39\xd0\x30\x2a\x0a\x6b\xe8\x07\xd4\xbd\x72\x14\x87\xb8\xe3\x3c\xd1\x41\xc5\x52\xbb\xe5\x8a\xd5\xa4\x9f\x7a\x64\xec\xf7\x71\x46\x9d\x9c\x7a\x1f\xe8\x57\xac\xa5\x20\x0a\xb4\xa6\x1e\x26\x50\x5d\x47\x96\x6a\x85\x0e\x28\x49\xd6\xd3\xc8\x17\x15\xa2\x53\x78\x54\x50\x85\xd3\xf5\xca\xf1\x29\xee\xd9\x27\x32\x59\xd9\x3d\x83\xb6\x58\xae\x1c\x5f\xe8\x07\xc5\xb1\x0a\x78\x22\x3c\x4b\x67\xae\x4a\xd4\x2b\xbd\x13\x5e\x72\xcc\x56\x05\xee\xad\xc4\xa4\x77\xa3\xf7\xef\x09\x91\xd3\x61\x1a\x53\xa9\x2c\x95\x24\x1f\x6b\xb4\x21\x05\xc5\x95\xd8\xa0\xd5\x4c\x7f\x37\x80\x65\xfd\xf1\xc8\xf1\x4c\x5e\x5c\x89\xcf\x89\xdf\xa8\xb0\xce\x66\x3d\x72\x20\xe5\x3d\x49\x63\x6e\x31\x85\x2e\x0a\x85\x2d\xfe\xc4\xd3\x4a\xf0\x13\x58\x54\x31\xc1\x97\xff\x03\x46\x4d\x4d\xa2\xfd\x29\x2b\x5b\x20\x78\x44\x3e\xaf\xbd\x63\xaa\xba\xc6\xb7\xf8\x2a\x16\x28\x33\x08\x45\x1e\xe7\x15\x0a\x30\x70\x1b\x10\xe8\x10\x50\x1c\xbc\x29\xd2\x5a\x8f\x7c\x03\xa3\x0a\x89\x34\x7b\x95\x2b\xb2\xd6\xa0\x38\xae\x63\x52\x28\x46\x6a\x6f\x6d\x29\x86\x1d\xdb\xb2\x9b\x5b\x63\xc5\x88\xab\x58\xba\x87\xf7\xeb\x54\x61\x85\xc0\x71\x04\x92\x7a\x42\x77\xd5\xc7\xc0\xc9\x7a\xc4\xda\x9d\x86\xe2\x55\x69\x0e\x62\x57\x79\x2a\xa9\x88\xcf\x54\xe8\x40\xf4\x5d\x12\x02\xbb\x21\xe0\x2b\xb4\x26\xe5\x0c\xe3\xdb\xdc\xac\x17\xd6\xf7\x5a\xdb\x9b\x07\x21\x34\x7b\x58\xfb\x27\x76\x2a\xdb\xb4\x02\x28\xfb\xc0\xb4\x43\x45\x23\x6a\x07\x31\xeb\x9e\xfb\xb5\x04\x63\x1d\x1d\x18\xe1\xeb\x0c\x05\xa3\x72\x68\x23\x87\x88\x51\xf5\x58\xf5\x92\xd6\xca\xae\x63\xe6\xd8\xf0\x03\x31\xdc\x00\x0d\x03\x1a\x52\x89\xd9\x47\x1e\xbd\x93\x21\x4c\x59\x2b\x87\x57\xa3\xef\xdb\x7c\x17\x19\x95\x10\x0a\x3b\xb6\xf8\xdc\xd8\x71\xa5\xb5\xeb\x1c\x02\xbb\xfe\x35\xd6\xf2\x66\xc9\xd7\xaf\x59\x33\xfe\x9d\x73\x93\x13\x1e\xdd\x31\xf5\x3b\xbe\xe6\x40\x6e\x25\xd8\x76\xec\x95\xcb\x03\x06\xd2\x90\xc7\x11\xc3\x17\xd6\x9f\x31\x68\x15\xb1\x95\x20\x2c\x7d\x1a\x0e\xde\xc6\x86\x31\xbc\xcf\x81\x03\x5d\x39\x59\x49\x14\x9e\x26\x0a\x1f\xdc\x6d\xab\x5b\xac\x65\x4c\xed\xd5\xa9\x85\x2e\x3b\x77\xd7\x42\xcf\x0a\xda\xbd\xa0\xbe\x95\xe7\x19\xe8\x82\x1f\x40\x31\xd5\x0e\x46\xca\x63\x5a\x83\xaa\xe0\x84\xce\xf8\xb0\xb2\xab\x0f\xdc\xba\x36\xc2\x96\x96\x15\xf3\xc8\x83\x53\x69\xd6\x8c\x72\x23\x83\x3d\x9a\x2a\x03\x62\xcf\x95\x51\xb8\x8b\x5e\xa8\x24\x27\xd7\xea\x80\xff\xcf\x3c\x24\x14\x41\xcb\xcc\xb8\x26\x87\x0a\xa1\x64\xc7\xc2\xcb\x36\x03\x4d\xb9\x87\x33\xb1\xcb\x32\xcb\x74\x78\xa7\x27\x6d\x17\xdd\xd6\x8b\x7e\xf4\xa0\x73\x4c\x7e\xa8\x40\xb1\x38\x55\x4d\x72\x51\x25\xa2\x15\xf6\xda\x5b\xf8\x6a\x9f\x53\xa9\xb2\xa5\x65\xd5\x79\x6f\xd6\x41\x2b\x37\x4f\x7a\xc8\x42\xe6\xb6\xf7\x42\x8f\x3f\x8f\x4c\x1e\x84\xaf\x24\xdd\xaf\xc3\x72\x53\xc0\x33\x14\x50\x8c\x79\xa5\xb1\x97\x4e\x5d\xb6\x17\x85\x3e\x47\xcf\x1d\x24\x5e\xe9\x16\xf7\xc5\x39\x4d\xe7\xd9\xa4\x86\x33\x60\x49\xa3\xe3\x9a\x5c\x84\x97\x5a\x12\xd1\x73\x3d\x28\xe7\x32\x93\x34\xd9\x1d\x70\xda\xb0\xa8\xb9\x61\x2d\x48\x55\x31\xbb\x66\xe2\xc5\x1a\x67\x0d\xab\x6c\x3a\xd0\xd4\xf2\x6c\xfa\xcd\x3a\x57\xe8\x40\x09\x03\xa9\x35\x15\x7f\x2c\xb0\x2f\x7b\xae\x4d\x84\x02\xb2\x8a\x33\xa6\x94\xea\x28\x46\xaf\x2b\x15\x18\x03\xf9\x50\x3b\x7d\xf0\x27\x65\x67\xa0\xac\xb8\x3c\x83\xd7\x8c\x91\x45\x74\xed\x04\xf5\x06\xc6\xb3\xa2\xe7\xab\x3b\xa7\xaa\xeb\x67\xae\xae\x3b\xa9\x2e\x58\x87\x2c\x73\xc5\x1d\xff\x4c\x5d\x83\x33\xdb\x68\x90\x7f\x75\xf7\x4b\xcb\x6b\x21\x8e\x81\x64\x79\xb0\x88\x94\xc0\x19\x4c\x18\x78\x90\x58\xf2\xea\xc5\xd8\xdf\x32\xb3\x95\x6b\x49\xd7\x0a\xbb\x3a\x21\x57\xd2\xde\xac\xb0\x96\x78\xc9\x62\xc0\x80\x77\xdb\x3d\x60\xa0\xf8\xc4\xb2\x19\x9c\x5c\x82\xda\x59\xe6\x54\x1f\x94\xc1\x2b\xb5\x27\xfa\x74\xd9\x89\xa3\x95\x6c\xd3\xe6\xa9\x35\xe8\x9e\x78\x14\xc9\xa1\x25\x46\x03\x86\x23\x3a\x3d\x35\x8e\x51\x13\x03\x04\x1e\x7d\xb3\x9f\x58\x17\x6d\xa5\xfc\x54\x08\x75\x56\x8c\x31\x0f\x4c\xd3\x78\x64\xcf\x2e\x91\x05\x35\x13\xde\x26\x38\x5c\xed\x65\xb4\xe5\x24\xe0\x6e\x7a\xed\xe6\x39\xd9\x67\x58\xac\x0e\x7f\xd7\x13\x76\xf0\xd0\x78\xf9\x43\xd7\x91\x66\xa2\x1e\xe6\x5d\x13\x96\x02\xfa\xcb\xe5\x66\x6c\x86\x5e\x53\xb7\x3f\x68\xc0\x94\x16\xd2\xd6\x43\x6b\xdf\xac\x45\x5d\x0b\xb1\x1a\x12\x1f\x69\xb1\xdb\x8a\x13\xa3\x65\x9b\x23\xdc\x93\x27\x4b\xbe\x6b\x13\xcf\x0f\x23\x3a\xa9\xeb\xeb\x4b\xeb\xb2\xa7\x80\x37\xb2\xbe\xb8\x7d\x6d\xf3\xb1\x99\xa0\x0f\xb7\xb7\x6b\x89\x7f\x47\xc7\x1e\xee\x0a\xf2\x45\xd0\x2a\xe1\x51\x88\xba\x40\x1c\x8f\xb9\x45\xc9\xd9\xa8\x8e\x9e\xb7\xcc\x61\x57\x76\xac\x67\x8a\x08\xca\x26\x0c\x8e\x6b\xa0\x59\x89\x09\x57\xc1\x23\x35\xf1\x69\x81\x54\xba\xe9\x40\x09\xf0\x79\xf4\x42\xb2\x0f\xc8\xd9\xd3\x56\xe1\x96\x82\x48\x3d\xac\x9a\x55\xcd\x4b\x7b\x3c\x88\x33\x64\xa6\x13\x88\x63\x6e\x08\xbe\xeb\xee\x64\x6f\x26\xd1\x76\x24\x43\xc1\xbf\x88\x2e\x3f\xa0\xa1\x3c\xbc\xea\xa8\xa1\x3c\xde\xb8\xaa\x00\x73\x31\x71\x01\x81\xb5\x90\x29\xe1\x10\xeb\xf8\xb9\xa4\xca\x1e\xee\x67\x5a\xeb\x57\x37\x35\xee\x5c\x9d\x18\x75\x8f\x26\x5b\x39\xf3\xc2\x3d\xad\x3e\x55\xe3\xda\x76\xff\x5d\x97\x6c\x93\xb3\x59\x0b\xcb\x2d\xdf\xc0\x90\x6d\xa2\xd1\x62\x7b\x2d\x39\x1d\x44\x36\x1f\x11\x9d\xe6\xf9\x93\x29\xd5\x98\x64\xf7\x21\x65\xb0\x87\x87\x8d\xb6\x35\xdd\x5c\xe9\xdd\x6b\xa5\x67\x67\x99\x8a\x1d\x50\xf6\x57\xed\x02\x76\x6c\x57\x8f\x18\x37\x41\xfc\xde\x9f\x5f\x8d\x20\x4f\xeb\xff\x99\xf0\x95\x0d\x5f\xdd\x47\x52\x9c\xd9\xb5\x5c\xbc\xac\x3e\xd8\x11\xcb\x02\xf1\x7a\x75\xc9\x78\x20\xd3\x7b\xc5\x86\xcb\xed\x73\xb3\x82\x53\x71\xce\x68\xb1\xd9\x07\x38\x06\x54\x09\xc3\x6f\xee\x1b\x1b\x3c\x2e\x4b\x95\x1a\x25\x0e\x5d\x90\x05\x20\xf3\x30\x0c\x8c\xb3\xb5\x2b\xbe\xfc\x74\xb5\x0a\x79\xbb\xe5\xa4\x77\x65\xdb\x4e\x92\x5e\x9d\x30\xf2\xb8\x0c\xa0\x65\x59\x73\xf9\x51\xe8\xd2\xc2\x1c\x59\xdf\x83\x4f\x7d\xb3\x00\xa8\x0b\xca\xac\x2c\x24\xef\x6d\xbc\x80\xd7\x97\xeb\xe0\x0d\x58\xea\xdb\xdb\x85\xd0\x35\xf6\x4b\x18\x67\xbb\x67\xf1\x23\x3a\x4c\x95\x52\xd6\x81\xa2\xae\xd1\x7f\xc9\x65\xd0\x5c\xe2\xd9\xb4\x93\x17\x1f\x63\xda\x7c\x13\xbe\xc0\xb7\x30\x9f\x94\x50\x75\x12\x64\x19\xfd\xad\x6d\xe5\x94\xbc\x6e\xa7\x7d\xd2\x4f\xe2\x55\x17\x89\x7d\x29\x47\x1b\xc7\x44\x6e\xaa\xf5\xc7\xc6\xa9\x9d\x0f\x3b\x26\xa1\x0a\x78\xd4\x1c\xf2\xb0\x6b\x1d\x55\xf7\xe3\xaf\x7d\x9e\xab\xac\xa3\xf5\xa0\x69\x17\xb6\x9f\x55\x38\x0a\xcb\xbd\x83\x13\x06\x4e\xc6\x78\xf1\xf1\x2e\x60\xe9\x2d\x2d\x2f\xf7\x41\x36\x10\x1b\x2d\x5b\x8e\xd2\xc8\xf7\x20\x1f\xb0\x30\xac\x60\xe3\x3b\x46\x9a\x79\x03\x35\xaf\x4c\x76\x2f\xb8\x18\x0c\x8a\x5c\x52\xc4\xf0\x51\xb7\xd1\x28\x92\x2e\x3e\x11\xbf\xc8\x8f\x66\xf5\xba\x2c\x52\x2e\xbe\xba\x0a\x33\x9b\x39\x64\x3b\x7c\xf2\x04\x05\x32\x41\xed\xea\xce\x51\x4a\xae\xac\xec\x9a\x17\x77\x85\xd1\x46\x9a\x49\x72\xd1\x16\x9d\x4c\xda\x45\x6a\x47\xf5\xfb\x0a\xdf\xb6\x30\xd6\xf7\xcd\x6d\xdf\x53\x87\x65\x5c\xbb\x62\x8a\xf9\x7d\xa6\x2c\x0b\xc8\xab\xb4\x95\x9c\x96\xad\x4d\xbc\xaa\xd3\xfc\xd6\x43\x7d\x0b\x1e\x31\x8e\xde\xc5\xab\xfa\x60\xab\xcf\x7b\x8a\x2a\x72\x30\x02\x36\x5f\xe1\x0e\x5c\xf1\xdc\x09\xea\x24\xb8\x12\xe7\x42\xe9\x8b\x50\x8a\x97\x8a\x2c\xd2\x1e\x67\x69\x57\xee\xef\xda\xfb\x1f\x2f\xdd\xb0\xb1\xbe\x84\x4b\x9d\x14\xd9\x39\x8f\xcb\x76\xda\x64\x67\x14\x93\xd4\x6b\xde\x28\xa7\xee\xdb\x53\x57\xd4\x38\x8a\x1a\xff\x08\x00\x00\xff\xff\x81\x18\x4c\xd8\xb9\x20\x00\x00")

 func complySoc2PoliciesApplicationMdBytes() ([]byte, error) {
 	return bindataRead(
@@ -517,7 +517,7 @@ func complySoc2PoliciesApplicationMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/application.md", size: 162, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/application.md", size: 8377, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -537,7 +537,7 @@ func complySoc2PoliciesAvailabilityMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/availability.md", size: 164, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/availability.md", size: 164, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -557,7 +557,7 @@ func complySoc2PoliciesChangeMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/change.md", size: 2793, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/change.md", size: 2793, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -577,7 +577,7 @@ func complySoc2PoliciesClassificationMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/classification.md", size: 161, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/classification.md", size: 161, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -597,7 +597,7 @@ func complySoc2PoliciesConductMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/conduct.md", size: 4492, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/conduct.md", size: 4492, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -617,7 +617,7 @@ func complySoc2PoliciesConfidentialityMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/confidentiality.md", size: 3653, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/confidentiality.md", size: 3653, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -637,12 +637,12 @@ func complySoc2PoliciesContinuityMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/continuity.md", size: 5043, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/continuity.md", size: 5043, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }

-var _complySoc2PoliciesCyberMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x1c\x8d\x31\x8a\xc3\x30\x10\x45\xfb\x39\xc5\x87\xad\xb5\xac\xb7\xda\x55\x17\x54\x25\x95\xb1\x73\x01\x45\x9e\x84\x49\xac\x19\xf0\xc8\x01\xdf\x3e\xd8\xd5\x87\xcf\x7b\x3c\xcd\x95\x23\xd2\x76\xe3\x05\x83\xf8\x0b\x27\x77\x76\xaf\xac\x0d\xbd\xcd\x52\x36\xca\x65\x31\xdd\x6a\x44\x1a\x7a\xf2\xdc\xc4\xef\xc2\x1e\x09\xb8\x8e\x69\x1f\x20\x20\xa5\xff\xef\x8e\x6a\x7e\xda\x32\xf0\x5b\x5c\x4c\x0f\x24\x60\xca\x8d\x23\x2e\xab\xa2\xc3\xef\x4f\xf7\x77\x08\xc5\xea\x9e\x88\x38\xab\x34\xc9\x33\x26\x2b\xeb\xfe\x50\x08\x81\xe8\x0b\xc9\xaa\xe8\x03\xa3\x99\x7e\x02\x00\x00\xff\xff\x69\x84\x0b\x8f\xa3\x00\x00\x00")
+var _complySoc2PoliciesCyberMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xbc\x58\xcd\x6e\x23\xb9\x11\xbe\xeb\x29\x0a\xc8\x65\x07\x90\xb5\x33\x93\x1c\x12\xdf\xbc\x4e\x16\xd8\x5c\x32\xf0\x1a\xc8\x61\x30\x07\x8a\xac\x56\x57\xcc\x66\xf5\x14\x49\x69\x94\x53\x5e\x23\xaf\x97\x27\x09\x8a\x64\xff\x48\x96\x07\x49\x0e\x39\x19\x6e\x92\xc5\xfa\xf9\xea\xfb\x8a\x0a\x66\xc0\x7b\x78\x3c\xef\x51\xe0\x89\xe2\x0b\x3c\xc4\x88\x31\x0e\x18\x12\x7c\x62\x4f\xf6\xbc\x31\x56\x38\x9c\x87\x7b\x78\x7c\xfa\xb4\x89\x26\x51\xec\x08\xe3\xfd\x06\xe0\xf9\xd7\x47\xfd\x03\x70\x07\x8f\x8f\x7f\xd8\x7d\xd8\x0c\xe6\x6f\x2c\x4f\x78\xa4\x48\x1c\xca\x96\x3b\x70\x26\xe1\x3d\xfc\x39\x07\xf8\x00\x1f\xdf\x7f\xf8\x7d\x39\x60\x79\xd0\x2b\xee\xe1\x97\x40\x89\x8c\x07\xc7\x36\xeb\x97\xcd\xdd\xdd\xdd\x66\xf3\x1b\xf8\x94\x65\xe4\x88\x60\x82\x83\x5f\x2d\x8f\xb8\xd9\x98\x1d\x3c\xf7\x08\x63\x5b\xe1\x0e\x52\x4f\x11\xc6\xe2\x25\x50\x84\xc4\xe0\xb0\xa3\x80\x90\x74\x9f\xb0\x45\x97\x05\xcb\x82\x29\x61\x15\x73\x49\xd0\x24\xa0\xd0\xb1\x0c\x26\x11\x07\x88\x68\xb3\x50\x3a\x83\x50\x7c\x89\x70\xa2\xd4\x53\x28\x46\x58\x0e\x26\xd0\xdf\xcb\xb6\x6d\x3d\x7d\x71\x89\xb1\x16\xc7\x64\xf6\x1e\xc1\xe3\x11\xbd\x7a\xa5\x46\x80\x8f\x28\xc6\xfb\x5d\x71\xbb\x24\xd6\x2c\x89\x55\x3b\x65\x57\x71\xa5\x7e\x12\x04\x33\x8e\x9e\xb0\x5c\xa1\xb6\x31\x24\x12\x84\xa8\xd1\xd7\x68\x2f\xfd\xf9\xd7\x3f\xfe\x19\x6f\x87\x31\x0a\x1f\xc4\x0c\xb3\xc3\xc6\xfb\xcb\x8d\xe7\x98\x70\x88\x70\xea\xc9\xf6\xe5\xea\x1c\xd1\xbd\x15\x37\xb0\xb4\x9d\x96\xb3\x77\xd0\x9b\xa3\xd6\x05\x68\x18\x8d\x4d\xc0\xaf\x4f\xbc\xe9\xd9\xae\x55\x71\x29\x5b\x8d\x39\x4e\x5e\x0e\x26\x98\x03\xce\x49\xc2\x61\xf4\x7c\x46\x5d\xef\x4d\x82\x64\x5e\x10\x46\x23\x5a\xbd\xdb\x97\xca\x65\xa6\xe3\xe5\x65\x43\x8e\x09\xf6\x08\x83\x71\x08\x82\xc6\x91\x3f\x83\x39\x1a\xf2\xa5\x82\xcd\x87\x53\xcf\x03\x50\x5a\xb9\xb6\x53\x44\xfe\x64\xec\xcb\x41\x38\x07\xf7\x2a\x88\x0a\x88\x08\x06\x62\xc2\xf1\x6e\x7f\xbe\xd3\xbf\x15\x81\x31\x42\xc7\x02\x96\x83\xcb\x36\x51\x38\xbc\xf2\x71\x0b\x26\xc2\x09\xbd\xd7\xbf\x5a\xfb\x8a\x4f\xa7\xf5\xef\x14\x0f\x15\x95\x9d\xf0\x50\xd2\x7e\xb3\xe2\x28\x71\x44\x9b\xe8\x88\x57\xf9\xf5\x51\x01\x1b\xad\xd0\x1e\x23\xf4\x7c\xd2\x2b\x46\xc1\x51\xcb\xae\x39\xbc\xee\xfa\x27\x1c\x59\x12\x08\x7e\xcd\x24\xe8\xd4\xa9\x92\xf2\x86\xc0\x2b\xef\xa7\x20\x6b\x65\xff\xda\x63\x58\x87\x6a\xae\xb7\x6f\x5f\xa3\xab\x14\xa5\x45\x7b\x2e\x05\x58\x2f\x9b\xdb\xc8\xdd\xc1\x2f\xa9\x9e\x4c\x7a\xe5\xc5\xf1\xd4\x6b\x02\x6b\xaf\x1f\xb3\x0f\x28\x66\x4f\x9e\x92\xd6\xb2\x37\x47\xf5\x4b\x9b\x98\x0b\xde\x21\x66\xdb\xcf\x66\x6b\xc7\x88\x49\x35\x35\x11\x8f\x58\xd2\xcb\x5d\xdd\xf7\x3d\xd3\xc6\x5a\x16\xd7\xac\x1b\x4d\x71\x85\x45\xb1\xa7\x9f\xa3\x35\x1e\x77\x25\xd5\x2b\x0a\xe0\x53\x40\x89\x33\x34\xa7\x33\x8a\x19\x34\xb6\xaf\x9b\x28\xe1\x50\x33\xfc\x97\x60\xf1\x66\x1d\x28\x2a\xa9\x8e\x1e\x13\xba\x1b\x59\x8e\xbd\xa6\xc6\x61\x42\x19\x94\xbc\x1a\x10\x6a\xbf\x4d\xbc\xd7\x63\xc3\x44\x63\xaf\x66\xbf\x41\x70\x8a\x83\x22\x38\xc4\xa1\x42\x23\x31\x43\x4f\x87\xbe\xa1\x6e\xd5\xbf\x14\xe1\x25\xf0\x29\xe8\xae\x4b\xb2\x6b\x84\xb8\x90\x1f\x8f\xea\xa3\x52\x86\xf5\xd9\x21\xec\x73\x25\xc4\xc0\x09\x3c\x0d\x94\x2a\x29\x6a\x43\x9e\x4b\x26\x27\xd8\x5b\x0e\x49\xd8\xc7\x2d\x70\x4e\x91\xb3\xd8\xa9\xc1\xb6\x8d\x9a\x97\xff\x59\xc0\x51\xd4\x13\x14\x72\x29\x53\xe1\xef\x44\x47\xb5\x64\x62\x64\x4b\x26\x35\x1a\x9c\x53\x5c\xb3\xfe\x00\x23\x06\x4c\x52\x73\x99\x30\xa6\xb9\x60\x23\x8a\xc2\x13\x1d\xec\xcf\x60\x54\x92\xc4\x95\x86\x39\xab\xcb\x8a\x9f\xee\x3c\x49\x45\x16\x63\xcf\x6f\x35\x52\xe1\xbb\xae\xab\x4d\x1c\x94\x37\xb8\x03\x87\x85\x00\xaf\xe5\x22\x16\x46\xfa\x34\x29\x1c\x3c\x33\xfc\xe9\x1b\xda\x9c\xde\x6a\xe7\x12\xc5\x23\x87\x8e\x64\x98\xc8\x74\x91\x98\x5b\xae\x5c\xe9\xd3\xc4\x65\xbd\x89\xb0\x47\xed\x72\x23\xa2\xe4\xc4\x5a\xab\x35\xf4\x6f\x71\x4a\x9d\x24\x76\xb7\x35\xfc\xf5\xfd\xa7\x4a\x84\x17\x5d\x7d\x8b\x05\xf4\x30\xc9\x75\x27\x36\xd9\x6b\xad\x5a\x62\xad\xc2\x85\xdf\x46\xcf\x94\xae\xf7\x17\x97\x62\x11\x16\x33\x68\x83\x28\x1b\x0b\x42\x97\x25\xf5\x28\x80\x47\xe3\x73\x41\x06\xa9\x16\x3a\x14\x75\x0e\xa3\xca\x3e\xc5\x0a\x15\x2b\x94\xc8\x1a\xdf\xc8\x82\x82\xa3\x23\xb9\x6c\x7c\x6d\xad\xef\x47\xbe\x64\xb9\x05\xbe\x1a\x30\x6a\xa8\x26\x91\x85\x01\x4d\x28\xa0\x10\x74\xb9\x00\xbd\xea\x8a\x76\x80\x9f\x00\x5d\x3b\x79\x25\x1e\x4d\x29\xaf\x52\xdc\x60\xed\xfd\xcd\xda\xaf\xc6\x92\xda\x1f\xca\x6f\x25\x27\x33\xc5\xac\x87\x85\xff\x7d\x42\x59\xf2\x72\x0b\x02\xa4\x77\xe9\x7f\x4b\x18\x23\x0a\xb1\xab\x5a\xf8\xd9\x99\xf3\x8f\x03\x87\xd4\xff\x78\x46\x23\x5f\x34\x73\xd7\xdf\x56\xc6\x2f\xb3\xbc\xb6\xfd\x5f\x58\xfb\x99\x54\x91\xa4\xf4\x54\x4b\x49\xd3\x52\x07\x2e\x8b\x56\xe1\xb3\x0a\xb1\xa2\xb6\xfa\xfa\xe5\xed\x18\xbf\xd3\x66\xea\x62\xe5\xd2\xc2\x2b\x9f\x55\xdf\x39\x80\x60\x1c\x39\x44\xd2\x69\x45\x15\xa2\x6c\x59\x97\xfe\x86\x32\x7f\xa9\x84\x86\xdf\x46\x94\xa4\xeb\x14\x93\x51\x15\x19\x85\x8f\xe4\x2e\x2f\x28\x88\x1a\x46\x13\xce\xaf\xee\x5a\x4e\xb6\x90\xfe\x58\xe3\xbd\x71\xf5\xf6\xa2\xe8\x1a\x8b\x65\xef\xd1\x16\x1e\xef\x85\xf3\xa1\x87\xaf\x19\xa3\x2e\x07\x43\x3a\xa2\x6b\x2e\x28\x24\x94\x23\xe1\xa9\x8e\xe0\x17\x1e\x54\xff\xe2\x16\xf4\xc1\xe2\x1b\xa3\x16\x25\x6d\x02\xaa\xaf\x14\xe5\xcc\xcb\xd9\x21\x07\x4a\xeb\xee\x5b\xa5\xb7\x8d\x29\x55\xc6\x3a\xf6\x9e\x4f\xf1\x7e\x53\x5e\x27\x54\x5b\xe3\x16\xe5\x54\x6a\x51\xd6\x69\xf7\x16\x0c\x2c\xfd\xb6\x9b\x2d\x3c\x37\x02\xba\xda\xb0\x28\x7b\x71\xbf\x92\x95\x65\xa9\xc1\x16\x12\xbd\x9e\x2c\xde\xb4\x50\x39\x6e\x37\xdd\xf8\xb4\x9a\x27\xde\x3c\xd3\x44\xad\x1d\x79\xe4\x10\xf1\x6b\xc6\x60\x31\x4e\x1d\xec\xb9\x6a\x8f\x55\xb9\x28\x16\x0a\xaf\x6d\x4b\x7d\x0e\xa5\x7d\xd5\xe7\x36\x37\x53\xe1\xbc\x72\xdd\x42\x94\x39\xd6\xe9\x2f\x5a\x56\x22\xd5\xfe\x7a\xaf\x0d\xf5\x71\x5b\x2b\xfb\x1e\xf6\x38\x61\xc7\xf3\x49\xf5\xb4\x0d\x17\x6a\xf9\xe3\x6a\x55\x67\x8b\x65\x79\x9d\x5d\x04\x4f\x2f\xe8\xa9\x67\x76\xcb\xb3\x4b\x45\x56\x34\x1c\xf8\x81\x76\xb8\x5b\xa4\xae\xe6\x0a\x4e\xe4\xfd\x2c\x04\xfa\x7d\x9d\xec\xf3\xbb\x82\x8c\xff\x7b\x1c\x17\x2f\xc7\x82\x4d\xe3\x6d\xf6\xc5\x05\x9d\x2a\x5c\x81\x45\x1e\xab\xd4\x2c\x25\x2b\xb7\x2c\x59\x58\xac\x3e\xcd\xef\xd8\xd9\x79\xee\xe0\xb7\xda\xde\xbf\xab\xb5\x9a\x27\xc1\x32\x59\xed\x11\x72\x58\xbd\x65\x27\xd1\x6a\xe6\x7e\x9e\xc0\xf3\x6a\xd3\x76\x1a\xf1\xaf\x87\xb9\xa9\xc5\x22\x39\x14\x9d\x48\x0b\x64\xc6\x51\x78\x14\x1d\xb3\x6e\xcb\xc2\x34\xcf\x55\x1f\x23\x56\xce\x58\x1c\x79\xe8\x12\xca\xd5\xae\xf6\x6a\xde\x2a\x5d\xac\x24\xb7\x2d\xb6\x01\x76\xa1\x80\xda\xe9\x9a\xcf\xe9\x27\x87\xb6\xb5\x3c\x81\x59\xe0\x80\x8a\x87\xb4\x10\xba\x26\x7d\x96\x8b\xf6\x22\xee\xfe\x03\x32\xaf\x3f\x8d\x5c\x34\xe7\x6a\x24\x7a\x2e\x39\xfc\xe1\x61\x1c\x31\x38\xfa\x06\x0f\xef\xee\x97\x26\xb5\x3c\xec\x29\xcc\x77\x2d\xcf\x93\x57\x8f\x8e\x65\xd2\xd9\xd6\x9f\x43\x6a\x6d\x62\xcf\xa7\x58\xf1\x6d\x7c\xc6\xf9\x0d\xfa\x06\x72\x1a\x0b\x4d\xa8\x8b\xeb\xf1\x77\xed\xff\xf3\x5c\xe5\x6b\xf7\x7f\x7a\x77\x3f\x3f\x83\xcb\x18\xd0\x46\x7a\xbd\xf7\x32\x2d\xdb\x56\xd7\x16\xdb\x5c\xcc\xee\x7b\x20\xab\xac\xbb\xea\x94\x75\xad\x77\xff\x0e\x00\x00\xff\xff\xf5\x1c\xb7\x64\xc5\x12\x00\x00")

 func complySoc2PoliciesCyberMdBytes() ([]byte, error) {
 	return bindataRead(
@@ -657,7 +657,7 @@ func complySoc2PoliciesCyberMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/cyber.md", size: 163, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/cyber.md", size: 4805, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -677,12 +677,12 @@ func complySoc2PoliciesDatacenterMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/datacenter.md", size: 3014, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/datacenter.md", size: 3014, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }

-var _complySoc2PoliciesDevelopmentMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x1c\x8d\x31\x8a\xc3\x30\x10\x45\x7b\x9d\xe2\xc3\xd6\x5a\xd6\x5b\x19\xb5\x72\xb3\x8b\x0b\x13\xe5\x02\x42\x1e\x87\x09\xd2\x4c\xb0\x64\x07\xdf\x3e\xd8\xd5\x87\xcf\x7b\x3c\x89\x85\x1c\x82\x2e\xed\x1d\x57\xc2\x40\x3b\x65\x7d\x15\x92\x86\x91\x17\x4a\x47\xca\x84\x49\x33\xa7\xc3\xc4\xb4\xaa\x1c\xc5\x21\x0c\xa3\x9f\x4c\x8d\x8d\xeb\xc2\x54\x9d\x01\xee\xc1\x9f\x03\x58\x78\xdf\x7f\x77\xa6\xc4\xa7\xae\x37\xda\xb9\xb2\xca\x85\x58\xcc\xb1\x91\xc3\xff\x26\xe8\xf0\xfb\xd3\xf5\x97\x90\xb4\x9c\x39\x87\x3f\xe1\xc6\x31\x63\xd6\xb4\x9d\x8f\xb1\xd6\x1a\xf3\x05\xaf\x85\xe5\x81\xa0\x2a\x9f\x00\x00\x00\xff\xff\x38\xd7\x26\x45\xae\x00\x00\x00")
+var _complySoc2PoliciesDevelopmentMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xcc\x5a\xcf\x92\xdc\xb6\xf1\xbe\xef\x53\x74\xd5\xef\xb2\x5b\x35\x33\x6b\xfd\x4e\x8e\x72\x92\x77\x9d\x8a\x52\x76\x65\x4b\x92\x93\x33\x06\x68\x92\xf0\x82\x00\x0d\x80\x33\xa6\x4e\x7a\x8d\x54\xc5\x2f\xa7\x27\x49\x75\x03\x20\x41\xce\xac\x2d\x57\x7c\x88\x2f\x9a\x9d\x01\x81\x46\xf7\xf7\x7d\xfd\x87\xb6\xa2\xc7\xd7\xf0\xde\x35\xf1\x2c\x3c\xc2\x23\x9e\xd0\xb8\xa1\x47\x1b\xe1\x3b\xdd\xa0\x9c\xa4\x41\x78\x72\x46\xcb\xe9\x46\x48\xef\xec\xd4\xbf\x86\xf7\x8f\xdf\x3d\x3c\xdd\x04\x11\x75\x68\x34\x86\xd7\x37\x00\x1f\xde\x3f\xd0\x3f\x00\x7b\x78\x78\xf8\xfa\xf0\xea\xa6\x17\x3f\x3a\xff\x0e\x4f\x3a\x68\x67\x79\xc9\x1e\x94\x88\xf8\x1a\xfe\x36\x5a\x78\x05\xff\xff\xd5\xab\xaf\xf9\x01\xe9\x7a\x3a\xee\x35\xbc\xb5\x3a\x6a\x61\x40\x39\x39\xd2\x37\x37\xfb\xfd\xfe\xe6\xe6\xff\xe0\x69\xf4\x83\x0b\x08\xc2\x2a\x78\x2f\xdd\x80\x37\x37\xe2\x00\x1f\x3a\x84\x21\xff\xe2\x1a\x88\x9d\x0e\x30\xb0\x9d\xa0\x03\x44\x07\x0a\x1b\x6d\x11\x3c\xfe\x34\x6a\x8f\xb4\x61\x80\xc6\x79\xc0\x10\xc5\xd1\xe8\xd0\x69\xdb\xf2\x9e\xbd\xd0\x36\x0a\x6d\xe9\xef\xa3\x08\x68\xe8\xb1\xc1\xbb\x88\x32\x6a\x67\x21\x44\x61\x95\xf0\x2a\x3d\x2e\x5d\x3f\x08\x3b\x41\xc8\x2e\xdb\x81\xc5\x78\x76\xfe\x19\x14\x9e\xb4\xc4\xb0\x83\x80\xfe\x84\x3e\xec\x78\x77\x85\xe1\x39\xba\x21\x1c\xb2\xd5\x8b\x99\x62\x18\x8c\x46\xb6\x55\x18\x03\x63\x40\x1f\x60\x40\xdf\x38\xdf\x93\x2d\xe5\x04\xda\xb8\x04\x65\x07\x61\x0a\x11\x7b\x10\xaa\xd7\x56\x87\xe8\x05\xd9\xb8\xcb\x17\xb1\xa2\xe5\x9b\x26\x8f\x20\x39\x4d\x46\x7d\xd2\x91\xce\x39\xeb\xd8\x69\x4b\xdf\x83\xf3\xad\xb0\xfa\x23\x3f\x9b\x8d\x8a\xd3\xa0\xa5\x30\x66\x02\x6d\xa5\x19\x15\x06\xc0\x7e\x30\x6e\x42\x0c\xbc\xbb\x74\x36\x7a\x21\xa3\xe3\x9b\x05\x38\xa3\x31\xf4\x2f\x39\xc3\xa3\xc1\x93\xb0\x11\xf0\xe7\x88\xde\x0a\x03\x83\xf0\x7c\xa8\xb6\x27\x67\x4e\xa8\x20\x9d\xbc\xb6\xe8\xb6\x43\x8f\xda\x8a\x26\xa2\x07\x8f\x0d\x7a\x8f\x8a\xfd\x11\xe0\xf3\xa7\x7f\xb3\x47\x3e\x7f\xfa\xe5\x6e\xed\xb7\x7e\x0c\x11\x8e\x08\xbd\x50\x14\x5e\xa1\xb4\x99\x40\x9c\x84\x36\xe2\x68\x70\xe5\xce\x2b\x4e\x37\xc1\xd5\x9e\x47\x1b\xd1\x0f\x5e\x07\xdc\x9f\xb5\xc2\xec\xde\x74\x63\x5e\x26\xd9\x49\xa1\x04\x01\x15\x1c\xa7\x0b\x1f\x82\xf3\xe0\x2c\x1c\xb1\x13\xa6\xc9\xce\x5f\x2f\x20\xe8\x0c\xde\xa9\x31\x61\x4a\xf7\x83\xe1\x48\xa5\x10\x10\xcc\xbf\x11\xf2\xb9\xf5\x6e\xb4\x6a\xc6\xb7\xb6\x71\x0e\xe6\x16\xde\x68\xc3\xe8\x11\x04\xc7\x61\x9f\xc0\xae\x08\x7b\x92\xbf\x4e\x01\x0b\x3a\xf0\x0e\x83\x77\x12\x43\x02\x30\xa3\x84\xf0\x45\x36\xa2\x8d\xda\x23\x98\x99\xea\xae\x59\x70\x47\x9b\x68\x4b\x70\x4c\x77\xc8\xbe\xd9\x41\xe3\x5d\x0f\x3a\xd3\x75\x45\x30\x61\x85\x99\x82\x0e\x30\xda\xa8\x4d\x01\xab\x42\x22\xb9\x0e\x21\xc3\x0d\xcb\x55\x92\xd9\x81\x4d\x61\x1b\xd5\x48\x8c\xf2\xce\x60\xa6\x8f\xc7\x30\xd0\x3d\x8e\xda\x30\x66\x76\x89\xc3\x42\x76\xc4\xcb\x16\x8b\xb3\xaf\x91\x65\xb9\x56\xc2\xc1\x3f\x0b\x01\x66\x5f\xee\xbe\xe0\xd9\xe2\xc7\x40\x47\x5d\xbd\xec\x0e\x84\x97\x9d\x26\xbd\x28\xbe\x57\x18\x74\x6b\x77\x6b\xea\x46\x0c\x51\xdb\x96\xbe\x25\x62\xd1\x97\xf7\x6b\x20\xec\xc0\x0d\x98\x28\x1d\xee\x59\x97\xd0\x0a\x2b\xb1\x48\xc9\xc6\x8d\x01\x4b\x64\x31\x40\x2f\x26\x62\x45\xe3\x8c\x71\xe7\x44\x38\xa2\x26\x85\xef\xcf\xfc\x07\x9c\x45\x44\xdf\x10\x39\x7a\xa7\xd0\xec\x40\xc7\xf2\x94\x18\x06\xef\x06\xaf\x45\x64\x02\xa5\x4d\x96\xb0\x84\x00\xa4\x8a\xc2\x9b\x69\x07\xe7\x4e\x1b\x4c\xdb\x83\x68\xe9\x73\xed\xb7\xbc\x75\xfd\xa8\x14\x44\x0d\xf0\x38\xa0\x88\xc5\x32\xd0\x91\x6f\x7a\x42\x68\x44\xe8\x0a\x0b\xde\x91\x0a\xa0\x95\x18\x38\x64\xef\x74\x78\x86\x37\x74\xbf\xc0\xbb\xe7\x4c\x44\x59\x21\x7f\xca\x54\xa9\xc9\xf6\xf9\xd3\xbf\xc2\xcb\x29\x0d\x1e\x38\xaa\xb7\x94\xc4\xee\x16\xb1\x23\x83\xd3\xb5\x89\x1b\x43\x27\x02\x25\x36\xce\x50\xfa\x00\xef\xea\xb8\xbf\xc9\x71\x9f\x7f\x7d\xb3\x0d\xff\x23\x87\x7f\xfe\xfd\x43\x0a\xfc\xfc\xf7\xe3\x12\xff\xb7\xab\xf8\xcf\x2b\xfe\xbe\xc0\xe0\xfb\x05\x06\xd5\x06\x0b\x12\xd8\x05\x8f\xa3\xe7\x74\x66\x4c\x36\xbd\xf0\x82\x6e\x09\x67\xd2\x59\x10\x85\x8e\x3a\x80\x75\x91\xc2\xb0\x28\x52\x66\x42\x5a\xc0\x0a\x4b\x4b\x3a\x71\x22\x71\x38\x21\xa5\x6e\x01\x01\x23\x39\x4a\x44\x4e\x06\x42\xdb\x95\x3c\x68\x45\x6a\xd2\x4c\x6c\x88\x8c\x23\x65\x01\x74\x03\x89\x0a\xa5\x4d\x3f\x38\x4f\xf0\xa2\x45\x89\xc9\x79\x51\xa3\xe9\x72\x9c\xf9\xf9\x90\x51\x76\x9c\x57\xa4\x74\xa3\x8d\x60\xc7\xfe\xc8\xd9\x94\xa5\x4d\xc7\x09\xa4\x53\xf4\xb8\x77\x23\x79\xb5\xb6\x61\x47\x47\x11\xea\x5d\xec\xd0\x2f\x3b\x53\x56\xab\xac\xa3\x73\x0e\xf0\xb6\xb2\x9d\x2f\x75\x76\xa3\x51\x84\x54\x66\xbc\x42\x4a\x46\x01\x6d\xd0\x8c\xd2\xe4\x14\x3c\xa1\xa7\x25\x63\x40\x05\x6e\x8c\xb4\x8e\x7c\x5d\x69\x3b\xda\x93\xf6\xce\x32\x56\x0e\x33\x40\x17\x6c\x55\x09\xb0\xa4\x32\x2a\x2a\x0c\x12\x37\x84\x55\xf7\xec\xae\xd9\x02\x95\x42\x4b\xe1\xb9\x2e\xb5\x1c\xf0\x05\xaa\x8c\xce\x8f\x08\xc7\x31\x90\xb6\x86\xd5\x53\x87\x79\xd9\x53\x2a\x34\x40\x80\x27\x8e\x89\x99\x63\x07\xf8\xde\x79\x5c\x45\xd6\xd9\xed\xa2\x40\x20\x52\x3a\xc8\x31\x84\x39\xb9\xbf\xc0\x56\xb8\xf5\x85\xd4\x70\x2b\xee\xee\x16\x1b\x1e\xd3\x06\x20\xc2\x80\x32\x09\xec\x1c\xe4\x5b\x3c\xb4\x87\x1d\x39\xa2\x49\xa1\x13\x46\xc7\x69\xc7\x39\xb1\xf5\xfc\x31\xe7\x7c\xca\x0c\xd3\x1d\xf3\xae\x4b\xa2\x35\x41\xaf\xdb\x2e\x72\x02\x9f\x48\xcf\x58\xf2\x2b\x3f\x1c\x2a\x62\x9f\x34\x9e\xc1\x63\x3b\x1a\x11\x9d\x9f\xb6\x4e\x56\x17\xb9\x9c\xe5\x85\xf3\x07\xa3\x78\x2e\x0f\x77\x4b\x0a\x4b\x0f\xb6\xa3\x56\x5c\x4d\x86\x8b\xf3\x9a\x91\xb5\x62\x8e\x51\xeb\x84\xb9\x5c\x25\x47\xef\xc9\x8f\xf3\xb2\x6d\x46\x8e\x28\x3b\xeb\x8c\x6b\xa7\x2a\x71\x2c\xdb\xbc\xb5\x0b\xed\x06\xef\x5a\x2f\xfa\xba\x48\xd4\x29\x9b\x27\x09\xd4\xb6\xcd\x18\xa2\xff\x5e\x1d\x66\x95\xa3\xa8\x14\x43\xb2\x3e\x70\x6d\x75\x2f\xc7\x10\x5d\x9f\xaa\xac\xea\xb9\x1f\xac\x42\xcf\x4e\x81\xb2\x62\x4f\xd5\xa0\x45\xcf\xc1\xf3\x8d\x90\x1b\x28\xe7\x58\x97\x6b\xee\x0d\x49\xf6\x5c\x58\xdf\xad\xf7\x2f\xa0\x19\xbc\xfb\x11\x65\x84\xa8\x7b\x6c\xbc\xe8\xb1\xc2\x55\x92\x7c\x76\xd7\xe0\xb5\xf3\x3a\xea\x8f\xb8\x60\x2b\x38\x33\xb2\xff\xae\x53\x23\x21\x18\xa4\x0b\x91\xb7\x38\x8e\xaa\x45\xd6\x3c\xaa\xb7\x75\x69\x24\x2e\xb6\xab\x7d\xb9\xca\x89\xb4\xc9\xb5\xf8\xbc\xa1\xac\x7b\xaa\x0c\xbb\xc0\x5e\x3a\x7a\x79\xe2\x7b\xf1\x8c\x54\x1a\x1f\xc7\x09\x4e\xe1\x00\xc7\x51\x1b\xf5\xf9\xd3\x2f\x54\x1b\xa4\x4e\x6b\x63\x1a\x7a\x6e\x4a\xb8\xb1\x51\xe0\x12\x4f\x6b\x08\x89\xa3\x3b\xe1\x35\x99\xba\xd0\xa6\xfb\xeb\xa2\xf4\x42\xed\xb3\x95\xa5\x6f\xd5\x28\x09\x87\xb5\x5f\x22\x8a\x3e\x90\x51\xcc\x5b\x07\xd2\x53\x81\x40\x89\x2a\x55\xb1\x09\x6e\x57\xe3\x4a\x22\xe9\x53\x87\xa7\x6d\xe3\x45\x88\x7e\x4c\x26\xcc\x77\xaf\x0d\x5b\xf6\xf8\x4e\x87\x98\x78\x43\xed\x0e\x1b\x6c\x9d\xdd\x2f\xdf\x54\x69\xc6\x46\xef\xcc\x35\xcd\xac\xaf\x7c\x16\xe6\x39\x76\xde\x8d\x6d\xb7\xac\x7c\x98\x6f\xc2\x57\x48\x88\x5e\xb6\x4e\x2e\xba\x58\xde\xe9\xb6\xcb\x4b\xd7\x36\x25\xde\x93\xf0\x71\x01\x75\xc5\xd8\xb4\xe3\x55\x7d\x27\x1c\xdf\x1f\xd1\x62\xa3\xe3\x92\x35\x08\x26\x39\x52\x14\x61\x67\xd7\x1c\x78\xcc\x4d\x38\x87\x58\x61\x14\xda\xfc\xda\xc1\xd7\xce\xcd\xbb\x7b\xd6\x32\x2e\x1b\x65\x97\x50\x95\x8b\xae\x1d\x88\x08\x02\xa8\x91\xed\xc7\x7e\x57\xed\x9e\x9e\x61\xe9\xa9\x9a\xb0\x22\x7f\x55\xb4\xd7\x9d\x68\x7e\x8e\x1e\xab\x5c\x39\x97\xc8\x35\x90\x82\xf4\xfa\x58\xdd\x6c\xbe\xcf\x52\x50\x27\xf5\x28\x8a\x5e\xeb\x24\x04\x6c\x3d\xb6\x39\x39\x36\xa0\x46\xce\xe6\xf4\xc0\xf6\x97\x2b\xf5\x7f\xd9\xf8\x6a\xbd\x00\xb5\x8d\xe4\xbe\xd2\x66\xa1\x55\x7b\xd2\x5d\x60\x09\x2a\xdb\x08\x2a\x71\x39\x35\x64\x7d\x5f\x5f\x92\x36\x10\xd0\xa2\x45\x5f\xc7\x8c\x0c\x81\xc1\x88\x2a\x6c\x3f\x0c\x8a\x6b\xff\x2f\xce\x75\x17\xde\x69\xea\x26\xe2\x42\x4c\x59\x18\x0a\xa6\x32\xdd\x7b\x1d\x75\x4b\xa7\x7a\x0c\x5a\x51\x29\xf8\xeb\xc1\x86\xd3\x68\xe8\x26\xa5\x17\xbc\xbc\xaa\x55\xcb\x78\x07\x02\x0e\xc2\x6f\x25\x87\x13\x3a\x5d\xff\xb7\xaa\xb4\xdf\x59\x9a\xd5\x67\x6c\x94\xef\x3d\x46\x18\x87\x45\xd5\xea\xa5\x95\x15\x25\x0b\xce\xd3\xa3\x10\x9d\x17\x2d\x56\xf5\xd2\x07\x9f\x6b\xee\xda\x29\xb3\x88\x6a\x1b\xa2\x30\x66\xf1\x1e\xd7\x4e\xed\xe8\x67\x34\x66\xf7\x1e\x0d\x56\xe3\x2b\x3d\x77\xb5\xea\x52\x69\xa9\xd4\x66\xa9\xa8\x22\xb3\x15\xb3\x6b\xf2\xf1\x36\xd9\xb2\x9b\x6d\xc0\xb5\x86\xb1\xcf\x38\x0e\xeb\xdb\x1c\xb6\x5e\x2b\xa7\xec\x3d\x1a\xd6\xbe\x1a\x03\x13\x91\x41\x3e\x73\xc3\x76\x8d\xe4\x39\x5b\x5c\x61\xf9\xcc\x80\x34\xd3\xcb\xe5\x0d\x99\x98\x2b\x33\x0a\x01\xa7\xd3\x5b\x7d\xc0\xc3\x8e\x0a\x44\x8f\xdc\x6f\x15\x1a\x57\x71\x79\x70\x96\xc8\x0c\xa3\xd5\x71\xc5\xf2\x72\xdf\xea\xb1\x3f\x00\x6b\xe5\x84\x0d\xce\x6a\xc5\x57\x78\x05\x01\x59\x1d\x73\xb2\x82\xa3\x8b\x3c\x44\x89\x5a\x26\x7a\x4e\x56\xf4\xfc\xb9\x2a\xfc\x68\xa7\xe8\xe6\xee\xe9\x82\x82\xb0\x6a\x72\x37\x07\x2e\xfa\x70\x99\x1f\x72\x29\x49\x77\x09\x97\x9e\xcc\x63\x50\x6a\x7a\xd9\x36\xe3\x44\xe2\x6d\x1a\x63\x5e\x26\x69\x40\x4b\xb8\x56\x97\x07\x8d\x61\x06\x4b\xf6\xdb\x26\xab\x5c\x4b\xf8\x5b\x7b\xb4\x55\x38\xa0\x25\x2f\x6c\x10\x58\xf7\x44\x65\x16\xc5\x57\xab\x8b\xc1\x5c\x74\xd5\xb4\xdd\x0c\x18\xff\x10\x09\x2a\x53\x85\x2d\x32\x66\xaf\x6a\xe3\x62\xbd\x2e\x1b\x7c\x91\x53\x37\x32\x9c\xba\xe9\x79\xc8\x7b\x8d\xf0\xe5\x88\xe8\x05\x37\xcc\x3c\x0d\x8d\x67\x44\x9b\x4f\x4d\xdc\x32\x66\x1f\xa4\x30\xb5\xb1\x97\x11\x9b\x5b\x3c\x90\x1d\x26\x7a\xcf\xd3\x47\x68\xb4\xc1\xd5\x00\x74\x8c\x1d\x61\x53\xea\x38\x1d\x36\x13\x96\xdf\xca\x95\xdc\x1a\xb2\xa6\xd6\xe3\xf4\x13\x12\xfc\x82\xb3\x16\x53\xe5\x95\x26\xf3\xb9\xc7\x4d\x66\x70\x5e\x9c\x81\xd3\x8c\x56\x6e\x4a\xfb\x3c\x30\x4a\x73\x70\xa9\x87\x45\x83\x23\x18\x14\x54\x83\x9e\xdd\x3c\x54\x4e\xdb\x3b\xaf\x28\xbf\x3b\x8a\x2f\x3b\xf3\xaa\xbf\x52\x3f\x8b\x2f\x54\x10\x7f\x00\x8e\xae\x8f\x20\x2f\xb3\xda\x69\x53\x54\x88\xf0\x9c\xe7\xe6\x97\x03\x8e\x34\xab\x41\x33\x15\x66\xa7\x39\x7f\x3a\x2a\x93\x21\x87\x80\x5c\x70\x95\x44\xc7\x31\x0d\xa5\x8c\xee\x35\x57\xc1\x6e\xd3\xb0\xce\x1b\xd0\xea\x14\xb4\x64\x0e\x65\x86\x75\x13\xf9\x61\x64\x58\x54\x32\xb3\xfe\xfd\x69\x79\x0d\x73\x14\xf2\x79\x1c\xd2\x3c\xca\x27\x36\xbb\x75\xa3\x96\x87\xef\x05\x21\xef\x13\x50\xdf\x54\xd3\x89\x32\x09\x79\xe9\x8c\x32\x77\xab\xdc\x9d\xf3\x4e\x9d\x4d\x78\x9c\xc1\xcb\x8b\xcf\x47\xae\xda\x72\xa9\x2a\xa2\xec\x30\x6c\xba\xe5\xcc\x4b\x36\xfb\x2a\x19\x5e\x5c\x3e\xa0\xd7\x4e\x69\x59\x8c\x7b\x51\xf6\x5e\xdc\x41\x58\x4b\x45\xdd\x76\x74\x74\xb8\x9c\x72\x0a\x33\xbf\x78\x21\xc4\xac\xe3\xfa\x0d\xe6\xcc\x95\x30\x93\x79\xcf\x13\x3b\x06\xca\x56\xbe\x77\x29\xb3\x89\x31\xba\x5e\x64\xb4\x43\x2f\xc8\x96\x1d\x08\x8f\x33\x5d\xc9\x46\xe9\xbc\x47\x19\xcd\x94\x8a\xc7\xa6\x41\x02\x2f\x9a\x69\x7d\xab\xbf\xf2\x20\xd4\xb5\x79\xfc\x49\xbb\x14\xff\xf0\x74\x71\x65\xe0\x49\x98\xb1\xd4\x38\xb3\x75\xab\xdc\xc0\x87\x9d\x84\xd1\x5c\x74\x8b\x51\xe9\xb8\x6d\x37\xf3\xc1\xf3\x7c\x18\x9c\x6d\x1d\xb3\xd9\x59\x1d\x9d\xcf\x89\xac\x7e\x5f\x95\x20\xbf\xb8\x48\x61\x79\x85\x59\x0f\xd6\x4e\xda\x99\xfc\x4e\x8b\x1f\xb2\xa4\xa0\xce\xeb\x8f\xa8\x40\x76\xc2\xb6\xb8\x31\xe1\x1f\xc5\x4e\x7e\x61\x54\x3c\xc4\x42\x5a\xf2\x47\x31\xb2\x2e\xb1\xe6\xcc\x5c\xea\x8d\x45\x29\x66\x20\xce\x43\xb9\xf9\xad\xda\x53\x29\x19\xe0\x2f\xce\xc3\xb7\x3f\xa3\x4c\x43\xde\xb7\x56\x72\x0d\x02\xef\xd2\x0b\x21\xbc\x12\x1f\x51\xbd\xba\x5a\x67\x30\x12\xbb\x4e\x78\xc5\xbf\x31\x51\xaa\x9a\x31\x85\x54\x87\x4a\x9a\xd2\x38\xd0\xf3\xcb\xd0\x45\x96\x91\x94\xc7\x92\x27\xe6\x73\x8e\x63\x9b\xdb\xbe\xa5\x7d\x3c\x1a\x0a\xc8\x11\xd3\x6c\x3a\xb2\x4c\xb3\x3a\x64\xe1\xbe\xe8\xaf\xaa\x29\x5e\xad\xe4\xf0\x94\x18\x9d\xc2\x94\x99\x5e\x04\x35\xbd\xc2\x54\xe5\xa5\xae\xd5\x16\xe3\x04\xb7\x7f\xfa\xea\x0e\x94\x98\xf2\xbb\x2a\x4a\x34\x5c\xbe\x0d\xde\x9d\x74\xa9\xe4\x15\xfe\x94\xe0\xb9\x6e\x47\x07\xb1\xb4\xad\xf3\xfd\xf2\xb1\x07\xf8\xb6\x47\xdf\xa2\x95\xd3\x0e\xa4\xd7\x91\x60\xbf\x83\xa3\x47\xf1\xbc\x6f\xf4\xcf\xa9\x1d\xfc\x88\xde\xed\x95\x98\x36\x52\xc1\xfe\x2e\xd6\x5c\xde\x40\x04\xf8\x69\xd4\xf2\x99\x28\x48\xbd\x66\x08\xfa\x68\xbe\x6c\x22\xf5\x5b\xf5\xd0\xf2\x92\xe4\xa5\x8a\xe8\x4b\x2a\xf6\x32\x35\x2b\xd4\xe5\xb7\xd5\x73\x0d\x04\x1e\x7b\x77\x12\xe6\xb2\x14\x72\x95\xba\x55\x65\x51\xf9\x9f\x08\x56\x4f\xdf\x7b\x1c\x8c\x90\x9b\xe1\xf4\x23\x46\xa4\x04\x91\x5f\xbf\x78\x8c\x54\xe9\x6c\xe6\x96\xdb\xf6\x6c\xfd\xfe\xb6\xe8\x03\xbf\xf2\xf8\xef\xa7\x3b\xbf\x73\x4c\xf0\x3f\x32\x25\xf8\x4f\x00\x00\x00\xff\xff\xbe\x37\xed\x94\xe5\x22\x00\x00")

 func complySoc2PoliciesDevelopmentMdBytes() ([]byte, error) {
 	return bindataRead(
@@ -697,12 +697,12 @@ func complySoc2PoliciesDevelopmentMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/development.md", size: 174, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/development.md", size: 8933, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }

-var _complySoc2PoliciesDisasterMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x44\xca\x31\x8a\xc3\x30\x10\x85\xe1\x5e\xa7\x78\xb0\xb5\x96\xb5\xb7\x09\xea\x82\xdd\x24\x95\xb1\x73\x81\x41\x9e\x84\x09\xd6\x0c\x48\xb2\xc1\xb7\x0f\x76\x93\xea\x3d\x7e\x3e\xa5\xc4\x01\xbd\x14\x2a\x95\x33\x46\x8e\xb6\x71\xde\x31\xd8\x22\x71\x77\x14\xb3\xe9\x9e\x02\xfa\x71\x70\x85\xaa\x94\xa7\x70\x09\x0e\x78\x4c\xdd\x31\x80\xc7\xb5\xf9\x6d\xbf\xf7\xdf\x25\x7a\x5b\x1e\x79\x93\x22\xa6\x27\xf6\x98\xa9\x72\xc0\x7d\x55\x34\x68\xff\x9a\xcb\xe9\xa3\xa5\xc4\x5a\x03\x6e\x2a\x55\x68\xc1\x6c\x71\x3d\x8a\xf3\xde\x3b\xf7\x83\xce\x92\xe8\x0b\x93\x99\x7e\x02\x00\x00\xff\xff\x9a\x7d\xe7\x10\xa9\x00\x00\x00")
+var _complySoc2PoliciesDisasterMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x5a\xcd\x6e\x1c\xb9\xf1\xbf\xcf\x53\x14\xb0\xc0\x1f\x92\x77\x34\xfa\x7b\x73\x09\x14\xe4\x20\xdb\x8b\x44\x9b\x85\x2d\x48\x02\xf6\xa0\xe8\x50\x4d\x56\x4f\xd3\x62\x93\x1d\x92\x3d\xe3\x31\x7c\xc8\x6b\xe4\xf5\xf2\x24\x41\x91\xdd\xec\xee\xf9\xb0\xe4\x18\x63\x60\x03\xcf\xc5\x23\x0e\x9b\xf5\xf5\xab\x5f\x55\xb1\x6d\xb0\xa6\x0b\x78\xa3\x3c\xfa\x40\x0e\x6e\x48\xd8\x15\xb9\x0d\x5c\x5b\xad\xc4\x66\x86\xc2\x59\xb3\xa9\x2f\xe0\xcd\xcd\xf5\xcc\x63\x50\xbe\x54\xe4\x2f\x66\x00\x77\xb7\xaf\xf9\x1f\x80\x33\xb8\x7c\xb9\xf8\x69\xf8\xfa\x87\x59\x8d\xef\xad\xbb\xa1\x95\xf2\xca\x9a\xb8\xf9\x0c\x24\x06\xba\x80\x5f\x5a\x03\x2f\xe1\xa7\xff\x7f\xf9\xc7\xb8\x5f\xd8\xba\x26\x13\x2e\xe0\xca\xa8\xa0\x50\x83\xb4\xa2\xe5\x95\xd9\xd9\xd9\xd9\xec\x87\xeb\xd6\x35\xd6\x13\xa0\x91\x70\x2b\x6c\x43\x30\x9b\xe1\x02\xee\x2a\x82\xa6\xfb\xc9\x96\x10\x2a\xe5\xa1\x89\xea\x82\xf2\x10\x2c\x48\x2a\x95\x21\x08\x15\x81\x75\x4b\x34\xea\x23\x06\x65\xcd\xbf\xff\xf9\x2f\x0f\x8d\xb3\x82\x64\xeb\x28\xee\x74\xc9\x5c\xb8\x32\xa5\x75\x75\xdc\x05\x77\x24\x2a\x63\xb5\x5d\x6e\xe0\xe4\xea\xee\x14\x94\x29\x1d\xfa\xe0\x5a\x11\x5a\x97\x94\xb9\xba\x03\x4f\x6e\xa5\x04\x79\x58\xab\x50\x29\x03\x9e\x02\x48\x42\xa9\x95\x21\x0f\xca\x44\xe9\x02\x93\x8a\x08\xb2\x77\xb0\x75\x60\x43\x45\x8e\x57\x5c\xdb\x04\xb5\x22\x50\x46\x28\x49\x26\x24\xd3\x6c\xf1\x9e\x44\x5c\xcf\xc6\x69\x34\x9d\x69\xc2\xd6\x8d\xa6\x90\x8c\x73\x7d\xb0\x6c\xc9\x2a\x3d\x4f\x51\x8c\xaa\xe6\x38\xdf\xa9\x9a\xe0\x5d\x16\x79\x72\x73\xf7\xee\x74\xd1\xb9\x79\xe4\x57\x23\x74\x2b\xc9\x03\x6a\x0d\x8e\xbc\x6d\x1d\x1f\xc9\x22\xa2\x43\xbd\x27\x0f\x86\xf8\x0b\xba\x0d\x94\xd6\xf5\x72\xe3\x1e\x89\x01\xb3\xb6\xf3\xb8\x14\xbf\xa7\xf3\xd4\xc8\xf9\x9e\x44\xeb\x54\xd8\x00\xfa\x86\x44\xf0\x6c\x5a\xd1\x7a\x76\xaa\x07\x61\x4d\x50\xa6\xe5\x9f\x6b\x34\xb8\x24\x86\xca\xae\xb2\xd8\x34\x5a\xa5\xf8\xf2\xf1\xc3\xd6\x39\x50\xdd\x68\xbb\xa1\x4e\x75\xdf\xc6\x9d\xce\x43\xa8\x30\x00\x3a\x0e\xc5\xca\xea\x15\xc9\x3e\x82\x4f\xbb\x78\xdb\xbf\xdb\xa8\x9b\xea\x56\xb7\x3e\x40\x41\x50\xa3\xe4\xc3\x51\x2a\xbd\x01\x5c\xa1\xd2\x58\x68\xea\x55\x5e\x57\xb6\x06\x15\x46\x96\x2c\x66\xb3\x1f\xe0\x15\x8a\xc7\xa5\xb3\xad\x91\x3b\x36\x27\xc8\xfb\x24\x7d\x45\x8e\x4f\xc9\x98\xcb\x46\xf8\xe0\x30\xd0\x32\x05\x68\x9f\xa2\x34\x6c\x91\xe4\x85\x53\x45\x7f\xe6\x76\x1e\x7d\x16\x40\x73\x58\x57\x4a\x54\x8c\xd9\xa4\x98\x04\x4c\xe7\xc8\xd6\xa5\x40\x33\xb6\xf9\xc9\x91\x0b\x41\xd3\x8a\x74\xd4\x4d\x38\x15\x94\x40\x3d\xc4\x7e\x80\x59\xb0\xec\x40\x47\x3e\x58\xc7\x07\x97\x6c\xe2\x13\x19\x46\xab\x18\x7e\xf4\xb0\x26\xad\x7b\x65\x06\x2e\x98\xf3\x79\x8d\x35\x5e\x15\x4a\x47\xf8\x19\x09\x81\x89\x20\x6a\xb1\x6c\x95\x44\x23\x58\xea\x3f\x5a\xc5\x52\x83\x85\x9a\x28\xc4\x63\x6e\xee\xde\x6d\x01\x50\x7b\x0b\x5a\xf9\x90\xc4\x30\x6c\x51\x84\x09\xce\xd9\xc8\x86\x9c\xb7\xc6\x90\x9e\x38\xa1\x71\x76\xa5\x64\x06\x65\x8d\x1b\x36\xd7\x10\x49\x92\xec\x3e\x65\x96\x63\x6b\x73\x6c\xa3\x89\x8b\x4c\x90\xa5\xd5\xda\xae\x79\xb3\xb0\x46\x2a\x16\xea\x07\xf4\x51\xe8\x20\xd0\xb3\x4b\x72\xea\x4a\x31\x0a\x2f\x66\x91\x9c\xd5\x02\x2e\xb5\x06\xb6\xb8\x49\xd9\xe3\x6d\x19\xd6\xe8\x46\x39\x7d\x92\x70\xa4\x1c\x14\x28\x1e\xdb\xc6\x9f\x97\xa8\x74\x4c\xed\xd3\x98\x4f\x03\xb4\x99\x23\x6d\xcd\xc8\x37\x86\xdc\x22\xcb\xb8\x2a\x81\xd9\xad\xa3\x40\x08\xf8\x48\x51\x27\xa6\x8e\x70\x80\xc3\xab\x8d\x8f\x71\xd1\x56\xc4\xd5\xf9\x16\x2f\x8d\xb3\x78\x70\x50\x59\x5a\x17\x7c\x52\xab\x4b\xb6\x82\x20\x38\x34\xbe\x24\xd7\x45\x15\x0d\xa0\x0e\xe4\x0c\x06\x82\xb5\x75\x8f\xe0\x55\x20\x38\xf1\xad\xa8\x3a\xdc\x28\x07\x15\x5b\x62\xcb\x52\x09\x3a\xdd\xa6\x65\xe5\x40\xb6\x41\x91\x1f\x6c\xe4\x80\x8c\x4b\xcc\x6d\xcf\x72\xef\xe2\x11\x8e\x13\x25\x03\x50\x53\x4a\x01\x6b\x9d\x54\x06\x43\x0c\x78\x64\x4c\x23\x5b\x91\xfe\x84\x42\x9d\xa1\x31\x2d\x6a\x38\xc1\x00\x9a\xd0\x87\x53\x70\x54\x11\x3a\x8f\x3a\x57\x8e\x11\x63\x72\x98\x17\x30\x22\x0e\x0e\xbb\xb4\xcc\xdb\x36\x24\x3a\x8e\xde\x1e\x80\x13\x36\x0d\x45\x02\xee\x83\xe3\x07\x64\x5c\xf5\x4b\x1d\x75\x96\x25\x89\x00\xa2\xf5\xc1\xd6\x8c\x5d\x86\x37\xba\x60\xf8\x7b\xd1\x06\xa8\x70\x45\x60\x2c\x07\x81\x37\xda\x5d\x9e\x8c\x91\xf5\x1b\x1f\xa8\xf6\x7f\x4a\xf4\xcb\x06\xa0\xa7\x79\xca\xa2\xee\xec\x04\xe2\x44\xe4\x9d\xbb\xed\xda\x4c\x2c\x1d\x53\x45\x8d\x8f\x04\x9e\xc9\x3a\x2a\x1a\x2a\xda\x80\xc0\xbc\x3f\xa2\x40\x99\x40\x8e\x33\x94\x29\x7c\x47\xb1\xe8\x7c\x15\xb2\x72\x8b\xa7\x9c\xa0\x6d\x2b\xb7\x2b\xc5\x50\x6a\x3a\x50\x0b\x1b\xab\xcd\x64\x53\xe4\xbf\x79\x57\x6c\x39\x02\xec\x39\x8e\x8e\x56\xb5\x0a\x09\x9f\x7f\xb1\x76\xa9\x69\x0e\x7f\x25\x67\x1f\xdb\x54\x4b\x2f\x6b\xfc\x68\x0d\xfc\x46\x05\xdc\x76\xd5\xa8\x6b\x25\xc6\x66\x48\x6a\xc8\x48\xcf\xbe\x8f\x60\x1e\x55\x3f\xfb\x3c\x7f\xc6\x22\xd4\x35\x86\x8c\xa3\x17\x37\xd4\x67\xe0\x8b\x71\x3e\x1f\x68\xbc\x54\xcd\xbd\xc1\x90\x53\xca\x43\x6b\x32\x41\xcc\x0f\xa5\x9e\xaf\x38\xb9\x0b\x82\xd6\x93\x84\x22\x56\x26\xb5\xe4\x4d\x72\xa0\xd0\x5d\x7b\xa3\xd0\x7d\xe7\x29\x9f\x78\x83\x6b\x47\x80\x7b\xe6\xe9\xa8\x31\x4a\xe9\xb8\xd2\xd8\x64\xc0\xbe\x47\x7b\x08\x4d\x1d\xbb\x56\x5a\xb3\x72\x0f\xd3\x84\x1f\xe8\x7d\x5c\x35\x1c\x35\xd6\x05\xfe\x76\x48\xc8\x2e\xc7\xe7\xee\x6b\x50\x76\x38\x3c\xa8\xa0\x69\x97\x3e\x92\x9c\x98\xc6\x07\x45\x3d\xa4\x72\xf1\xe2\x75\x5f\x6d\x7b\xf4\xcc\xe1\x6f\xb4\x81\x3b\xf4\x8f\xb1\x51\x9a\xf7\x3f\xc0\xaf\xb1\x42\x5f\x2e\x1d\xc5\x86\xca\xc3\xc9\xed\xaf\x97\xfe\xf4\xc5\xc4\xf0\x81\x41\x72\x6f\x94\xcb\x29\xf7\xd5\xdc\xd1\x30\x09\x0b\xd6\x57\x52\xe7\x98\x82\x86\xaa\xcf\x06\xe4\xca\x6f\x1b\x4a\x3d\x83\x4f\x68\x8f\xf9\xaf\xea\x9a\xa4\xc2\x40\x7a\x33\xe9\x06\x4e\x94\x61\xa4\xd9\xc8\xae\xd6\x49\x72\xa7\x3c\x7f\x44\xf5\xf8\xf3\x72\x31\x72\x62\x96\x77\x58\xcf\x54\x83\x59\xa2\xa3\x1a\xb9\x9c\xb4\xc6\xb0\x69\x3b\x51\x7a\x38\xe0\x83\x47\xda\x40\xe8\x3d\x09\xec\xae\x5c\x86\x47\x0e\x78\xaa\xb0\x33\x2b\x00\x0a\x61\x5d\x6a\x44\xf6\x32\x55\x84\x7c\x1e\x1f\xd8\x5d\x39\x50\xc9\x75\x9a\x96\xa8\xe7\x31\xb7\x99\xef\xb8\x7c\x44\xa8\x2c\x5b\x8d\xc1\x72\x97\x5b\x68\xb5\x4c\xce\xee\xb8\x7e\xe2\x34\x5b\x8e\xcc\x39\x4f\xc6\x0c\x1e\x2a\x08\x1e\xa9\x09\x43\xc0\x58\x56\x54\x94\xc1\xd9\xf5\x87\x79\x46\x7a\xc8\xad\xca\x97\xf5\x96\x9c\xbf\xf7\xbe\x6b\xbd\x6a\xfc\xa0\xea\xb6\x06\xac\x6d\x6b\x42\x6e\x2a\x0b\x2a\x99\x5e\x73\x7c\x87\x8a\xd0\x2b\xda\x03\x66\x9e\xf8\x3f\xe6\x17\xb8\x4c\x67\xd1\x5b\x4b\x0a\x31\x81\x76\x60\x72\x3e\x81\x08\x77\x3e\x60\x0d\x1b\xf5\xb0\x80\x9b\xe9\x19\x49\x4e\x6e\x79\x9f\x81\xb8\x01\x1c\xa9\xa5\x90\xc3\x60\xc1\x23\x20\x9b\xd7\x90\x53\x56\x76\xc9\xfb\xd6\x06\x55\x2a\x91\x45\x5c\x73\x5d\x4f\xf3\xf4\x94\x98\xa7\xb0\x1c\x08\xa4\x17\x68\xe2\x41\x2c\xaf\x22\x33\x1d\x3c\x55\x3a\x8e\x64\x06\x45\x86\x04\x73\xf3\x70\xd6\xc9\x50\xbb\x12\x2f\x9d\x4e\xf1\x91\x65\xd8\xb2\x3b\x3c\x2b\x0a\x43\x02\xdd\xa7\x03\x77\x38\xcd\x8c\x4c\xf5\xe3\x3a\x19\x65\x3d\xec\xeb\xa2\xe2\x23\x9b\xb8\x67\xc2\x9a\xac\x3b\x17\x80\xc2\xae\xa8\x73\x64\x74\xdc\x1b\x42\xc6\xda\x8e\xeb\x7a\x67\x44\x43\xac\x49\xac\x23\xfb\xcd\xa9\x2e\xf5\x6a\xe7\xd6\x3e\xcd\x84\x80\x6d\xa8\x12\x21\xc5\xbb\x89\xfe\x99\xa4\x91\x46\x33\xb6\xe4\xbd\x2d\x3a\x6b\xc6\x6d\x46\x62\xb2\xbd\x2d\xfb\x48\x87\xbe\x0b\x1e\x00\xc8\xbf\xa8\xa0\x3a\x98\x6d\x83\x0f\xce\x07\xe4\xf5\x49\xcd\x2d\xae\xa4\x80\x4a\xf7\xde\xc9\xb1\x2b\x5b\xad\x37\x23\x58\xa2\x91\xe7\x91\x3d\x52\x26\xed\xad\xfc\x1c\x12\x1f\xb8\x3e\x76\xa4\x60\x96\x91\xc8\x0c\xa8\xba\xc1\x58\x13\xbd\x20\x83\x4e\xd9\x79\xf6\x47\x9c\x79\xd2\x53\x3d\xa5\x60\x22\x80\xae\xfa\x4a\xe5\x85\xa3\x1e\xf0\xc7\x72\xfb\x57\xe4\xcb\x28\x28\xfb\x68\xf4\x2b\x73\x66\x40\xe8\x7e\x0e\xed\x3a\x64\x23\x09\x57\x8c\x18\xdb\xc7\x28\x76\xb1\x86\xa7\x10\xdd\xcd\xda\xe3\xdb\x95\xa1\xce\x32\x08\xbc\x65\x00\xf1\x48\xeb\x63\x36\xa5\x24\xb9\x84\xbe\x0e\x38\xd2\xb4\x42\x13\xa0\xb1\xca\xa4\x7b\x9a\x7e\xce\x2d\x6c\xa8\x52\x4f\x6d\x30\xcd\xb6\xf4\xa1\xfb\xa3\xeb\x45\xb6\x21\x42\x46\x68\xeb\xd3\xbc\x76\xd9\x70\x9b\xaa\x3e\xc0\x65\x12\xf9\xa6\xaf\x8c\xc2\x29\xaf\x38\xed\x03\x3f\xb2\x52\xa1\x6b\x14\x04\xb9\x80\xe3\x41\x2f\x21\x39\xa5\x47\x43\x8e\xc7\x2e\x92\xe0\xd4\xb2\x0a\x80\x6b\xdc\x6c\x87\x96\xfd\x19\xad\x76\x3c\x7d\xd3\x59\x07\x9c\x8f\xc3\x2d\x50\x2c\xc1\x5b\x17\x79\xd3\xfa\x3c\x4c\x46\xf7\x03\x96\x52\x20\x78\xa2\x8d\x21\xf7\x81\x1a\x0f\x5c\x09\x53\x3c\x7b\x4e\xdf\x3d\xb2\xa3\xc6\x2e\xed\x47\xf7\x94\x7b\x2b\xfe\xf8\x5e\x61\x94\xd0\x9f\xb9\xab\x5a\x44\x65\xf7\x69\xac\x3c\x8c\xcc\xef\xe7\xa7\xd6\x2d\xd9\x01\x4d\xeb\x44\x85\x3e\x0d\x85\xf9\x5e\x60\x7a\x0b\xd6\x36\xfc\xd4\x7d\x2a\xc8\x0f\x5f\x20\x48\xd8\xba\x6e\x0d\xb3\x7b\xd7\xdd\x08\xad\xb8\x73\xf9\x9a\x23\x62\xaa\xb7\x85\x56\xe2\x6b\x4e\x49\x27\x64\x3e\x61\x3a\xed\x6f\x03\x7c\xe0\x5d\xb1\xb5\xb2\xf1\xa2\x88\xa3\x64\x52\x6b\x1c\x57\x71\x0d\xc4\xe1\x11\xdd\x5d\xe5\x17\x68\x91\xf2\xb1\xd3\xe1\xde\x60\xbc\x71\xc8\x53\xdb\xb9\x6d\x43\xbc\xee\x88\xe4\x94\x46\xed\x6d\x77\xa3\x94\xe7\xb5\x95\xaa\xdc\x9c\x3b\xaa\x99\xcb\x7b\x19\x5d\x9e\xf7\x08\xf4\x24\x52\xc1\x18\x5d\xe2\x26\x6e\xb9\x4d\x68\x15\xe3\x3b\x44\x46\x31\x27\xde\xe4\xde\x36\xcd\xc6\x9f\xbd\x20\x4d\xf9\x15\x6f\xb7\xa6\x99\xfe\x6a\x31\x9b\xfd\xbd\xc1\x25\x15\x8e\xf0\x11\x78\xca\x1c\x58\xe0\x82\x5b\xaa\x44\x35\xd7\x99\x6a\x5e\x27\xaa\x99\xcd\xae\x7a\x9a\xe9\x56\xfc\x6c\xf6\xe3\xd9\xce\x67\xcf\xd2\xbe\xb5\x67\x2d\xfd\x38\xfb\xd4\xf1\xf9\x5b\x0e\x49\xfa\xa4\xa5\x5f\x6c\x01\x77\x1c\xcf\xbc\x76\x5d\x59\x43\xf0\xb6\xad\x0b\x72\x69\xe9\xe7\x1a\x95\x86\xcb\x6e\xd6\x04\xf8\x74\x99\xe7\xb2\xce\x84\x4f\xb3\x1f\xff\xbc\xf3\xd9\xb3\xb4\x6f\xed\x59\x4b\x83\x05\xa3\xcf\x9e\xa5\x7d\x6b\xcf\x5a\xfa\x74\x7c\x01\xdf\x2c\xc8\x47\xb3\xe0\xf7\xef\xa2\xd9\xcf\x1f\xbe\x27\xdf\xf7\xe4\x3b\x62\x90\x8f\x66\xc1\xef\xdf\x45\xa3\x82\x39\xa9\x97\xaf\x2e\x86\xeb\x93\xdb\x5c\xaa\x27\x2f\x1f\xba\x52\x7d\x35\x2d\xd5\xff\x97\x6f\xff\x66\xb3\xdd\xaa\x3f\x7a\x6d\xce\x65\xbc\x7f\x39\x18\xeb\x78\x9a\x17\xa1\x20\x6d\xd7\x17\x7b\x29\xe0\xf3\x4e\x38\xbc\xbc\x6d\x74\xf2\xf4\xf0\x7f\x14\x7a\xa5\xfa\x30\x5c\xa7\x49\xf0\x66\x74\x09\x30\x2c\x9f\xf8\x53\x78\xdb\xcf\x52\xbf\xf1\xcc\xf6\xba\x7f\x6b\x03\x7b\xd3\xfe\xf3\x04\x70\x78\x79\x37\xe1\x93\xcb\xf3\x9b\xcb\xa8\x3e\xc9\x8b\x43\xb0\x3b\xbc\xfc\xc4\xa6\x7d\xb8\x7e\xf2\xcc\xff\x4e\x14\x1c\x37\xce\x3c\xc3\xc1\xcb\x8b\x23\x98\x71\x44\x1f\x1d\xd1\x25\x63\x39\xbd\x7b\x7e\x3a\x86\x7b\xbe\x1d\x86\x8e\x0b\xa0\xef\x29\xf7\xa5\x1e\x3b\x5a\xca\x1d\xd9\x45\xff\x13\x59\xf7\xcd\x70\x74\x44\x6f\xfd\x27\x00\x00\xff\xff\xa3\x09\x5f\x0d\x4b\x28\x00\x00")

 func complySoc2PoliciesDisasterMdBytes() ([]byte, error) {
 	return bindataRead(
@@ -717,7 +717,7 @@ func complySoc2PoliciesDisasterMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/disaster.md", size: 169, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/disaster.md", size: 10315, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -737,7 +737,7 @@ func complySoc2PoliciesEncryptionMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/encryption.md", size: 151, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/encryption.md", size: 151, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -757,7 +757,7 @@ func complySoc2PoliciesIncidentMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/incident.md", size: 8552, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/incident.md", size: 8552, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -777,7 +777,7 @@ func complySoc2PoliciesInformationMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/information.md", size: 5359, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/information.md", size: 5359, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -797,12 +797,12 @@ func complySoc2PoliciesLogMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/log.md", size: 4307, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/log.md", size: 4307, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }

-var _complySoc2PoliciesMediaMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x1c\x8b\xc1\x4a\xc6\x30\x10\x06\xef\x79\x8a\x0f\x3c\x47\xac\x07\x95\x5c\x73\x52\x28\x94\xd6\x17\x58\x93\xb5\xec\x4f\xb2\x0b\x4d\x5a\xe8\xdb\xff\xb4\xa7\x81\x61\x46\xa9\x72\xc0\xcc\xd5\x0e\xfa\x2b\x8c\x91\xb3\x10\x48\x33\x62\xb1\x3d\x63\xe9\xb6\xd1\xca\x98\xac\x48\x3a\x1d\xa5\xcd\xf4\xac\x01\x63\x9c\x5c\xa3\x2e\xed\x5f\xb8\x05\x07\xfc\x2e\xf1\x02\xe0\x11\xe3\xc7\xeb\xa7\xab\xf4\xb0\x6d\xe6\x43\x9a\x98\xde\x89\x47\xa6\xce\x01\x3f\xbb\x62\xc0\xfb\xdb\xf0\x75\x0f\xc9\x6a\x65\xed\x01\xdf\x2a\x5d\xa8\x20\x5b\xda\x2f\xe3\xbc\xf7\xce\xbd\x20\x5a\x15\x5d\xb1\x98\xe9\x33\x00\x00\xff\xff\xac\xf1\x27\xb5\xaf\x00\x00\x00")
+var _complySoc2PoliciesMediaMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xcc\x5a\xcd\x6e\x1c\x47\x92\xbe\xf3\x29\x02\xf0\x85\x32\x9a\xdc\xf5\x1e\x76\x17\xba\x59\xa4\x06\xe8\x81\x69\x09\x24\x01\xc3\xc7\xe8\xac\xa8\xae\x30\xb3\x32\xcb\x99\x59\xdd\x6a\x9f\xfc\x1a\x03\xcc\xbc\x9c\x9f\x64\x10\x91\x59\x7f\xfd\x43\x49\x83\x19\xc0\x3a\x48\x54\x77\x65\xc6\xff\x17\x5f\x44\xd1\x61\x4b\x6f\xe1\x91\x5a\xbf\xc3\x8d\x25\x78\xa0\x8a\x11\xd0\x55\x70\x67\x7d\x5f\xc1\x53\xf2\x01\xb7\x04\x1f\xbd\x65\x73\xb8\x42\x13\xbc\x3b\xb4\x6f\xe1\xe1\xee\xe3\x55\xc4\xc4\xb1\x66\x8a\x6f\xaf\x00\x9e\x9f\xee\xe4\x1f\x80\x1b\xb8\xbb\xfb\xdf\xdb\xff\xbb\x6a\xf1\x17\x1f\x1e\x69\xc7\x91\xbd\xd3\x47\x6e\xa0\xc2\x44\x6f\xe1\xaf\xbd\x83\xef\xe0\x7f\xfe\xfb\xbb\xff\xd7\x03\xc6\xb7\x2d\xb9\xf4\x16\xd6\x8e\x13\xa3\x85\xca\x9b\x5e\x3e\xb9\xba\xb9\xb9\xb9\xba\xfa\x06\x3e\xf6\xa1\xf3\x91\x54\xab\x27\xe3\x3b\xba\xba\xc2\x5b\x78\x6e\x38\x42\x18\x15\x6f\x45\xf1\x15\x18\xd5\x3a\x16\xad\xe5\xc4\xbb\xc0\x6e\x0b\x3f\xfb\x3e\xc0\x87\xbd\x83\x7b\xda\xb1\x21\xb8\x7e\xf7\xf3\x87\xfb\x37\xd0\xa9\x59\x50\x51\xcd\x8e\x22\xa4\x86\xc0\x6f\x7e\x21\x93\x78\x47\x71\x05\x81\x7e\xed\x39\x90\x28\x13\xf5\x32\x6e\x3b\xab\xff\x95\x3b\xd9\xc5\x14\x7a\x93\xc4\x3e\xa8\x7d\x50\xb1\xf2\x45\x85\x09\xc1\xbb\x53\xed\xd8\x15\x05\xc9\xed\x38\x78\xa7\x17\xaf\xf4\x66\xef\xa0\xa3\x10\xbd\x43\x6b\x0f\x37\x7e\xef\xa8\x82\x4a\x75\x55\x3d\xb6\x18\x2a\x4b\x31\x82\xaf\xf3\xf5\xc6\x62\x8c\x5c\xb3\x41\x91\x0f\x96\x76\x64\x6f\x27\xc7\x14\xc3\xb0\xeb\x2c\x8b\x61\x1e\xd0\x5a\x60\x57\xfb\xd0\xe6\x13\x22\x54\x6f\xda\x73\x6a\xd8\x65\xdb\xc3\x16\x1d\xff\xa6\x0f\xfc\xf1\xfb\xdf\xe2\xe2\x40\x24\xd3\x07\x4e\x07\xe8\x82\xdf\x06\x6c\x57\x80\x11\xf6\x64\xad\xfc\x2b\xb7\x5f\x0a\xc6\x21\x26\x6a\xb3\xff\x2e\x99\x08\xc4\xa9\xa1\x00\xf9\x43\x1f\xc0\x78\x97\x82\xb7\x96\x2a\xd8\x1c\x4e\x74\xfb\xac\xa1\x7d\xa4\xa0\xbe\x5a\x18\x50\x14\xb9\x60\x70\xb9\x30\x1d\x3a\x36\xa2\x21\xb0\x33\xb6\xaf\x44\xb9\xb6\xb3\xfe\x40\x94\x6d\x50\xd5\xd0\x24\x1f\xe2\xd2\x05\xee\x00\xf4\x29\x51\x70\x68\xa1\xc3\x90\x54\x9f\x06\x93\x64\x38\x01\xbb\xe4\xf5\x2c\x9a\xa4\x2a\x2c\x1c\x33\xd7\xf3\x75\xdb\xe1\xba\xa1\x40\xec\xb0\x4e\x14\x20\x50\x4d\x21\x50\xa5\x86\x47\xf8\xe3\xf7\xbf\xab\xe9\x7f\xfc\xfe\x8f\x37\x4b\x07\xb5\x7d\x4c\xb0\x21\x68\xb1\x22\x08\x84\x15\xdb\x03\xe0\x0e\xd9\x6a\xc4\xe6\x7e\xbb\x95\xa2\x7b\x87\xe6\x65\x1b\x7c\xef\xaa\x13\x5f\xcf\xab\xa5\x0b\xde\x50\xd5\x07\x2a\x15\x80\x35\xd9\x03\xf4\x51\xca\xe0\x4b\xaa\xf3\x62\x42\x24\x0f\x96\x5b\x4e\x39\x47\xad\x97\xd4\x0f\x40\x9f\x3a\x1f\xfb\x40\xb7\x00\x4f\xbd\x69\x44\x66\xab\x71\x1e\xee\x1c\xcc\x8c\x29\xb0\x49\xf6\xb0\x70\x26\x19\xec\x23\xc9\xe3\xa2\x7a\x24\x17\x59\x0a\x3d\x8b\xc8\x91\x42\x97\x4f\x7b\xf1\xa9\xd7\x24\x69\x6f\xe1\x5d\x39\x49\x68\x9a\x72\x3c\xd2\x28\x33\x1d\x3a\x49\x8d\x20\x31\x96\xd8\x38\x91\x4b\x5d\x43\x2d\x05\xb4\xa2\x76\xe7\x43\x52\x3f\xb0\x03\x87\xa9\x0f\xb4\x02\x4e\xa0\x2e\x8d\x91\xe5\x1b\xf1\xde\x49\xa8\xc5\x09\x82\x7c\xf2\x05\x6e\xd8\x4a\xf5\x25\x0f\x7e\x47\x21\x12\xcd\xea\x44\x9f\x58\xe4\xfa\xc2\x02\xe0\xba\x78\x64\xaa\xe2\x98\xd0\x55\x18\xaa\xac\xb9\xf3\x09\x6a\x6f\xad\xdf\x53\x35\xab\xae\x01\x8a\x45\x4e\xe4\x98\x62\xb6\x3e\x90\xb8\xaf\x20\x5f\x47\x21\x21\x3b\x89\x78\xf2\x9f\x89\xf9\xea\xd5\xa0\xdf\xc2\x7b\x71\x70\xb9\x39\x17\x0b\xbb\xf8\xb5\x30\x2c\xbe\x08\xb4\xe5\x98\x82\x3a\x63\x05\x2d\x3a\xdc\xea\x01\xf9\x99\x5d\x22\x87\xce\x14\x6d\x2a\x8e\x9d\x97\x4c\xf0\x4e\xac\xd3\x18\x4b\x48\x67\x69\x95\x3d\xf2\xd3\x80\x1b\x63\x29\xac\x54\x56\xa2\xd0\xce\xb2\x69\x1e\x06\x2d\x4f\x4d\xe6\xf9\xa7\x9a\x6a\x1c\x47\x0c\xa7\x4a\x6a\xf7\xf1\xfd\xd3\xf3\xe3\xfa\xee\xf9\xfd\xbd\x04\xf6\xee\xc3\x8f\x7f\x59\xdf\xbf\xff\xf1\x79\xfd\xfd\x0f\x92\x36\x68\x8c\x0f\x95\x68\x9d\xc1\x43\x04\xdf\x4b\xde\xde\x2d\x1b\x41\x6e\xd4\x70\xad\x92\x49\x1e\xbf\xc6\x37\x6f\xb4\xa4\x1f\x87\x8f\xa2\x9a\x73\xf9\xb4\x7e\xfd\x7d\x8c\x94\x60\xed\x76\xe4\x92\x0f\xf9\xb3\xa7\x21\x79\xd6\xce\x70\x25\x79\xf1\x48\xb1\xf3\x2e\xd2\xfc\xe4\x7b\x67\xc2\xa1\x5b\xdc\xf7\xcd\xfc\xfb\x6f\x8f\xe8\xc6\xb7\x57\xca\x03\xf8\x16\xbe\x3f\xed\x22\xd9\x76\x75\x6c\x5f\x38\x40\xc9\x8b\xb1\xd3\x4a\x02\xb2\x13\x6d\x92\x3f\xad\xa1\x01\x11\x72\x46\x90\x54\xc5\xa5\x6e\x77\x64\xf2\xc2\x89\x1b\x75\xe2\x2b\x7a\x5a\xb9\x5d\xef\x5e\x9c\x9a\xc9\xbf\xe1\x72\x33\xe7\xca\x44\xf8\xb5\xc7\x90\x28\xd8\x03\x6c\x30\xb2\xe6\x09\x39\xc1\xb7\x92\x22\x9a\x25\x31\xb1\xb5\xf3\xa6\x35\xd4\x7c\xc1\xb1\xa3\xc6\x08\xe5\xcf\x77\xb7\xf0\xec\xe7\x52\x0f\x80\x0e\x38\x51\x9b\xb3\x56\x2a\x2f\x0c\x77\x1c\x1b\xa3\x4a\x9b\x86\xcc\xcb\xe0\x2c\x39\x38\x65\xde\x89\xeb\xd6\xb3\xf4\x1e\xb3\xe4\x41\xcb\x2e\xc0\xf5\xfa\xe9\xe1\xcd\x91\x6a\x0d\xc1\xfa\xe9\x21\x0b\x4a\x81\x30\x69\xff\x3c\xd6\x63\x00\x65\x81\xa7\x0d\x81\xf5\x06\x53\xae\x16\xeb\x63\xca\xf5\x8b\x13\xa6\xf1\x90\x96\x81\x04\x72\x47\xdf\x5b\xbf\xdd\xe6\xd8\x9c\x2b\xa3\xcf\x66\xf5\x22\x11\xcc\x3c\x11\x9e\xbf\xcc\x91\xde\x55\xbd\x49\xda\x61\xb1\xeb\x82\xef\x02\x63\xa2\x39\x14\x15\xa4\xce\x6e\x96\xd0\xbb\x44\x61\x87\x36\x2e\x0e\x94\xfc\x1e\xd0\xa9\x20\x6c\x94\x4e\x88\x02\x27\x84\x52\x15\x2b\xc8\xb1\x48\xfa\xb3\xc5\x0d\x59\xfd\x89\x92\xf9\x72\xcd\x57\xb0\x97\x5e\x06\x9d\x50\x1d\x21\x44\xab\x6c\xcb\x3c\x3f\xd1\x01\x5a\x25\x3c\x49\x9b\xd1\x06\xcd\x4b\xdf\x81\xf1\xdd\x61\xb8\x75\x0e\x7b\x43\xf4\x8a\xa9\x19\xf4\x81\x3e\x49\x5f\x99\x14\x7b\x3c\xe7\xc1\xa9\x27\x4b\x0c\x95\x66\x40\x67\xd1\x14\x45\x1a\xa1\x5f\x10\xa8\xea\x0d\x55\x10\x38\xbe\x88\xfc\x9a\x83\xaa\x55\x5b\xef\xab\x8c\x16\xad\x80\x39\x8c\xb2\xd6\x85\x09\x94\x46\xae\xce\x1f\xbb\xce\x59\x44\x5f\x9d\x8d\xf0\xdb\x45\x6e\xbf\x5b\x2a\x6b\xbd\x79\xa1\x0a\x0c\x6e\xd8\x51\x12\x85\xaa\x80\x7b\x0a\xcb\x82\x90\x41\x4b\xb2\x40\xa8\x43\xc6\x4f\xaa\x66\xc4\x44\x70\x40\xd2\x94\xf2\xf7\xdc\x35\x03\x92\x9d\xcb\xe8\x13\x04\x5e\x64\x70\x75\x0c\x65\x17\xe6\x95\x91\x8b\x0d\x21\xa0\x80\x91\xaa\x15\x94\x1e\x5b\x02\x38\x7c\x5b\x51\x4c\xc1\x1f\xe4\x81\x0d\xd5\x62\x4d\xc6\xaf\x40\x7d\xcc\xa4\x3e\x77\x5a\xf9\xb9\x9e\x14\xf8\xa9\xa1\xcb\x92\x85\x9a\x0c\xa7\x56\x73\xa1\x39\x75\x55\x74\x8e\x8e\x7e\x29\x88\x12\xfd\x08\x9e\x85\xcd\xe9\xe5\x54\x41\x1d\x7c\xbb\x04\xe7\xdc\xd7\xbf\x5d\x8c\xba\xcb\x6e\xb4\x64\xac\x03\x63\xff\xcf\xf4\xa4\xa5\x6a\xf0\x38\xa3\x30\xd0\xe2\x41\x0e\x48\xb0\xdb\xce\x72\x6c\xf2\x70\xd0\xa2\xeb\x33\xc5\xc4\x3e\xf9\x56\xcb\xab\x25\x74\x52\x4f\x9f\x37\xe3\xcf\xd1\xb2\xfe\x64\x6d\x0a\x1e\xe7\xba\xfc\x0b\x7e\xbf\x04\xb0\xe7\x62\xf0\xd5\xfd\xa1\x1c\x43\x69\x71\xdb\xde\x62\x98\x75\x0a\x65\x99\x3a\xb2\x0e\x8f\x19\xef\x6a\xde\xf6\x03\x0d\x46\x63\x28\xc6\x21\x18\x2b\x49\x52\x75\x87\xdc\xdf\x7a\xc7\x79\x7d\x71\xd4\x28\xee\x0b\x38\x9c\x4f\xa1\x29\x55\x3a\xcb\x19\xde\x65\x94\x4c\x60\x09\x63\x02\xef\x08\xbc\x4e\xf6\x5d\x73\x88\xd2\x46\x72\x17\xd0\xb8\xdf\x53\x47\x4e\x81\xb9\x18\xb7\x14\xd1\x05\xbf\xe3\x8a\xc2\x2a\x33\xee\x41\xc2\xbc\x1a\xb2\xef\xcb\xb8\x3e\x18\xab\x03\xcc\x3c\x08\x27\x95\xa7\x28\x2b\x95\x7b\x5e\x60\x9c\x66\xc1\x8a\x5a\xef\xb4\x08\x69\x35\xec\x28\x52\x13\x7c\xbf\x6d\x26\xd6\x81\xc6\x04\xaa\x38\x15\x2f\x4f\x67\xf4\xbf\xc9\xf7\x41\x21\x33\xfb\x41\xb3\x24\x0b\x48\x0d\x71\x80\x1a\x8d\x0c\x76\x5c\xd0\x2e\xa3\xbc\x60\xa8\x4f\xcd\xe8\x35\x99\xd5\x5d\x05\x64\xc9\xa4\xe0\x5d\xfe\x68\x55\xe6\xec\x0d\xc5\x34\xf4\x69\x9a\x65\xe0\xfa\x95\xbc\xfb\x5c\x97\xcb\xc5\x3c\xab\x96\xb1\x07\x8c\xcd\xe9\x4c\xef\x59\x34\x99\xa3\x14\x5a\x36\x91\x0c\xc6\xfa\xd7\xf9\xc4\xca\xa6\x21\x24\x32\x8d\xf3\xd6\x6f\xb3\x07\x74\xdf\x10\xe3\xd8\x14\xb5\x5c\x76\xd3\xa6\x64\xfd\xf4\x30\xeb\xef\xda\x5b\xca\xc8\x8f\xe7\x1d\x21\x43\x2e\x47\x71\x07\xbb\x7e\x68\x32\xe5\xbb\x7f\x6b\x93\xf9\x78\x3c\xf4\xe6\x4d\x64\x9c\xfa\xcd\x87\x59\xa2\xa2\x3d\x6a\xfe\x4a\x28\x56\x90\x02\xba\x58\x56\x3e\x3e\x0c\xee\xa0\x57\xf7\x87\xa2\x9b\xc6\xba\x77\x15\x9d\x6e\x19\x14\x18\xd5\xd4\xd8\x70\x97\x39\xf5\x49\xc7\x0a\x94\xd3\x45\x51\x98\xb7\x8d\xf6\xb5\x01\xd5\x95\x80\xaa\xba\xb4\x23\x29\x65\xad\x8f\xdc\x0a\x84\xb9\x9f\xe0\x78\x56\x6c\x59\xa6\xe2\x56\x2d\x73\xa5\xde\xe3\x4e\xa4\x60\xa3\xa2\xc4\x8e\x82\x40\xe4\x34\xcd\xcb\x7d\x97\xb7\xa6\x13\x1e\x2e\xf9\xd9\xda\xc5\x84\xd6\x4e\x6b\xd0\x05\xce\xd6\xf0\xe0\x37\x6c\x69\xd8\x14\x3f\x4c\xd2\xae\x1f\xee\x1f\xde\x40\xf4\x75\xda\xe3\xd0\xf0\x24\xfc\x54\xd7\x79\x65\x6c\x0f\x45\xb9\xd5\xe8\x1b\xb9\x7f\xcf\x5d\x59\x32\xbd\x12\x81\xe1\x80\x26\xd0\xc5\x0d\xc9\xc2\x90\x07\xd1\x1b\x33\xc9\xe4\xa8\xde\xf8\xc5\x6f\x20\x71\xb2\x79\x57\xf9\x5f\x92\x22\x7a\x55\x14\xb0\x6c\x7c\xe0\xdf\x32\x42\x4b\x51\x5c\xcc\x97\x73\xbb\x28\xd5\x71\x23\x55\x49\x71\xb9\xf7\xd4\xe5\x54\x37\x82\x73\x1c\x37\xcb\x1b\x8c\xc3\x06\x74\x6a\xa3\x39\x5b\xd5\xc8\x9c\x36\x5f\x68\xd8\x42\x42\x17\x7c\xc3\x1b\x4e\xc3\x4d\x5a\xe2\xaf\x2d\xd0\x15\x3c\x85\xa6\xe8\x96\x4a\x34\x2a\x3c\x32\x2f\x8a\x25\x9a\xa8\x31\x1d\x97\x7b\x81\xf2\xc2\x4c\xe4\x4d\x89\x3a\x2b\x62\x9d\x14\xb9\xe6\xb2\xd7\x9b\x90\xf2\xfa\xe3\x7a\xfd\x46\x2d\x2e\x53\xeb\x50\xbb\xb3\x62\x0d\x93\x2b\xca\xe4\x9b\xb8\xa5\xcc\xb0\x2e\x58\xb1\xac\x96\xbc\xab\x53\x88\x34\x86\xba\xbc\x5d\xec\x55\xef\xd9\xae\x6c\xc0\x5c\xbf\x89\x14\x0a\x4a\x8e\xab\xf1\x4b\xde\x5a\x16\x8b\xb0\x47\x7f\x06\x98\x86\xab\x65\xe6\xa3\x0a\xfa\xee\x2c\x27\x39\x0a\xeb\xfd\x43\x89\x44\xd5\x79\x76\xd2\xb4\x7c\x2a\xcb\xbe\xb1\xaa\x86\x8b\x39\x57\xe9\xc9\xbc\x88\x99\x27\x89\xbf\x8e\xae\x7f\x3a\xbb\x82\x5b\x6c\x42\x8f\x67\x96\xaf\xee\x66\xb3\xf5\xc5\xd1\x55\xa5\x71\x8f\x8d\xab\xc3\x18\xf7\x3e\x48\xdc\xd9\xad\xa0\x77\x32\x07\x42\x87\x49\x06\xe6\x15\xd4\xec\xb6\x14\xba\x20\x6e\xf0\x01\x24\x6a\x3b\xb4\x82\x32\x23\xaf\x68\xc9\x34\xe8\x38\xb6\xaf\xcb\x56\x36\x63\xbc\x73\x64\x14\x95\xb3\x22\xc5\xd1\x83\x79\x7b\x0e\xa4\xef\x8f\x1c\xa5\xbd\x0f\x2f\x47\xae\x2b\x8d\x32\x57\xc7\x34\x64\xf5\x29\x72\x45\xe7\x58\xbb\xc2\x41\x17\xa8\xe5\x28\xf5\xc5\x65\xd7\x32\xec\x69\xa8\x4e\xd0\x3b\xb1\xd5\x55\x92\xfa\xba\xb4\xad\xc7\x6d\xf7\x6a\x4e\x6c\x8a\xe3\xbe\x44\x21\x76\xd0\xf5\x1b\xcb\x46\x2a\x16\xe3\x7c\x42\xc8\x8b\x24\x7c\x91\xd1\x00\xa3\xbe\x90\x38\x1a\x4d\xf4\x1e\x7d\x75\x36\xee\x93\x02\xe1\xb2\x18\xa5\x3e\xdc\x0c\x29\x0b\x78\x2e\x75\xfb\x88\xc9\x34\xe5\x65\x50\xdf\x55\x98\x66\x23\xf2\x94\xb5\xa5\x16\xec\x61\x79\xf8\x6e\xda\xf9\x9e\xa3\x57\xa5\x22\x3e\x9b\x90\x78\x39\x21\x17\xac\x45\xb5\x19\x69\x4b\x99\xcb\xe7\x1e\x8d\xf3\xa9\x7c\x05\xd1\xdb\x3c\xe0\x17\x32\x9c\xe9\xbc\x30\xf0\x50\xe9\x4b\xad\x43\x7e\xcf\x43\x61\xc7\x86\xdd\x76\xa9\xc5\x3a\xbf\xd3\x98\xd0\x39\xf9\x19\x9a\xc8\x1f\x54\x44\xf1\xfb\xb1\x9a\xf3\x48\x22\x77\xa2\x3b\xc8\xb8\x40\x9f\x04\xcf\x80\x53\x21\x25\xb7\xe3\xf9\xe3\x8b\xf2\xca\x84\xad\xa5\x2d\x0a\x2b\x48\x14\x58\xe6\xa0\x45\xa9\xdf\x9e\xc8\x2f\xed\x5f\x2a\x92\x0d\x39\xb1\x7c\x00\x9f\xd3\x87\x7f\xf0\x9a\xa4\x37\x8a\x22\x63\x4d\xc7\xd3\x07\x9f\x0b\x31\x3b\x0b\x96\xc9\x17\xf6\x3f\x74\xd8\x7d\xc3\xa6\x81\x06\x77\x54\x4a\x86\xdc\x09\x95\x3d\xb3\xd7\xbd\x38\xd1\x04\x52\x80\x5f\xd2\xb3\x1d\xd3\x7e\x05\x32\x99\xac\x06\x32\x50\x91\xa5\x44\xda\x70\x8e\xf4\x3c\xf7\x7e\xe2\x6c\xe3\x5a\x30\xd0\x33\x9e\xfe\x3a\x1d\xcb\x08\x0a\x75\x6f\x6d\xd6\xae\xbc\x86\x91\x08\xf9\x5a\xd3\x60\x58\x4f\xcd\xd3\xb6\x56\xea\x2d\x44\x71\x1a\xd8\x1c\x89\x96\x18\x0e\x23\x81\x99\xf5\x17\x5f\x83\x8c\xf0\xe8\x0e\x37\x81\x2c\x0e\xdb\xb5\x95\x56\x96\xef\xd3\xb0\xa6\x88\x85\x56\x1e\xef\x9a\x5e\xb1\x6e\xcf\xd6\x6a\x18\x3b\xcc\x91\x9b\xde\x17\x5f\x8f\x00\xa5\x2d\x37\xff\xd2\x81\x78\xbf\xa6\x4c\x6f\x4f\x20\x4e\x3e\x14\x80\x86\x2e\xff\xd6\xc3\xf1\x46\xe1\x44\xb0\x08\x2d\xe5\x03\x8e\xf6\x47\xf4\xd4\x11\x55\x8a\x84\x0b\x6c\xca\xc4\x5a\xbd\x21\x7c\x60\xb9\x0d\x1c\xfb\xcf\x26\x10\x2a\xd0\x0d\x0e\xcb\xf1\x3a\xcf\x19\x67\x8b\x00\x1f\x14\xbf\x5a\xdd\xd1\x24\x21\xc5\x65\x07\x96\x87\xb3\x7f\x06\x00\x00\xff\xff\xae\x5e\x22\x54\x73\x22\x00\x00")

 func complySoc2PoliciesMediaMdBytes() ([]byte, error) {
 	return bindataRead(
@@ -817,7 +817,7 @@ func complySoc2PoliciesMediaMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/media.md", size: 175, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/media.md", size: 8819, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -837,7 +837,7 @@ func complySoc2PoliciesOfficeMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/office.md", size: 3927, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/office.md", size: 3927, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -857,7 +857,7 @@ func complySoc2PoliciesPasswordMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/password.md", size: 1796, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/password.md", size: 1796, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -877,7 +877,7 @@ func complySoc2PoliciesPolicyMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/policy.md", size: 892, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/policy.md", size: 892, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -897,7 +897,7 @@ func complySoc2PoliciesPrivacyMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/privacy.md", size: 346, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/privacy.md", size: 346, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -917,12 +917,12 @@ func complySoc2PoliciesProcessingMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/processing.md", size: 210, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/processing.md", size: 210, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }

-var _complySoc2PoliciesRemoteMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x4c\xcb\x31\x8a\xc3\x30\x10\x85\xe1\x5e\xa7\x78\xb0\xb5\x96\xb5\x8b\xdd\x45\x9d\x11\x29\x92\xca\xd8\xb9\x80\x90\x27\x61\x82\x67\x06\x2c\x39\xe0\xdb\x07\xbb\x72\xf5\x7e\x1e\x7c\x9a\x84\x02\x06\x12\xab\x84\x2e\x67\x2a\x05\xbd\xcd\x9c\x37\x97\xf2\x62\xba\x49\xc0\x70\xe9\x7a\x57\x52\xe5\xf2\x60\x2a\xc1\x01\xf7\x31\xee\x03\x78\xc4\xf8\xfb\xdd\x9c\xba\x3d\xf5\x9f\x93\xf4\xb2\x65\xa0\x37\x17\x36\x3d\xa8\xc7\x94\x2a\x05\xdc\x56\x45\x83\xf6\xa7\xf9\x3f\x40\x36\x11\xd2\x1a\x70\x55\xae\x9c\x66\x4c\x96\xd7\xfd\x71\xde\x7b\xe7\xbe\x10\x4d\x58\x9f\x18\xcd\xf4\x13\x00\x00\xff\xff\x4e\x47\x83\x97\xb4\x00\x00\x00")
+var _complySoc2PoliciesRemoteMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x94\x57\xcd\x72\xdc\xc8\x0d\xbe\xcf\x53\xa0\x2a\x17\x5b\x35\x9a\x8d\xf7\x90\xa4\xb4\x27\x47\x71\x55\x9c\xaa\x64\x55\xb2\x37\x7b\xee\x69\x82\x43\x44\xcd\x06\x83\x06\x35\xa6\x4f\x7e\x8d\x54\x25\x2f\xe7\x27\x49\x01\x4d\x72\x46\x96\x64\x25\xa7\xf9\x61\xff\x7c\xc0\xf7\xe1\x03\x98\x43\x8f\x57\x70\x8b\x3d\x2b\xc2\xdb\x18\xb1\x14\xb8\xe1\x44\x71\xda\x84\x28\x9c\xa7\xfe\x0a\x6e\xdf\xbd\xbd\xd9\x94\xa0\x54\x5a\xc2\x72\xb5\x01\xf8\xf8\xe1\xda\x3e\x00\x2e\xe1\xfa\xfa\x77\xbb\x37\x67\xdf\x7f\x3c\xfb\xfe\xfb\x4d\x1f\xfe\xc1\x72\x8b\xf7\x54\x88\xb3\x6f\xbd\x84\x26\x28\x5e\xc1\x5f\xc6\x0c\x6f\xe0\xc7\xdf\xbe\xf9\x83\x6f\x88\xdc\xf7\x98\xf5\x0a\xde\x67\x52\x0a\x09\x1a\x8e\xa3\xfd\xb3\xb9\xbc\xbc\xdc\x6c\x7e\x03\x37\xa3\x0c\x5c\x10\x42\x6e\xe0\x43\xe4\x01\x37\x9b\xb0\x83\x8f\x1d\xc2\x30\x3f\xe1\x16\xb4\xa3\x02\x83\xc3\x07\x2a\xa0\x0c\x0d\xb6\x94\x11\x04\xff\x39\x92\xa0\x1d\x58\xa0\x65\x81\xc8\x39\x63\x54\xca\x07\x5b\xa5\x1d\x02\xcb\x21\x64\xfa\x1c\x94\x38\x7f\xfd\xf2\xaf\x02\x65\x2a\x8a\x7d\xf1\x1b\x33\xea\x91\xe5\xae\x40\x2b\xdc\x83\xd4\x74\x75\x5c\xb4\x6c\x81\x72\x4c\x63\x63\x27\x0d\x28\x85\x73\x48\x69\xba\xe4\x63\xc6\x06\x1a\xbc\xa7\x88\xbe\x06\x58\x1a\x14\xbb\xac\xa7\x4c\x3d\x7d\x46\x4b\x44\x80\xc4\xa5\xfc\x80\x9f\x06\x2e\xa3\xe0\x6e\x0e\xea\x14\x45\x18\x86\x44\xe8\xa1\x84\x94\x60\x2c\x28\xc5\x22\xa5\xdc\xb2\xf4\x0e\x76\x05\x7a\x24\xed\x28\x3f\x0a\x66\x3e\x50\xa7\x81\xa2\x61\x9b\x01\x63\x01\xec\x87\xc4\x13\x62\x8d\x31\x72\x56\x09\x51\x59\xca\x16\x42\x81\x23\xa6\x64\x9f\x21\x4f\x80\x9f\x14\x25\x87\x04\x43\x10\x75\x3c\x5d\x50\x23\x0d\x81\xb2\xb2\xef\x0d\x51\x1d\xc2\x83\xc4\x9d\xe3\xf4\x0b\x38\x25\x6c\x60\x3f\x3d\x82\x09\xaf\x3a\x14\xa4\x1c\x5a\x45\x01\xc1\x16\x45\xb0\xf1\xc0\x0b\x7c\xfd\xf2\x6f\x0f\xfd\xeb\x97\xff\xbc\x7e\x98\xa0\x7e\x2c\x0a\x7b\x84\x3e\x34\x46\x73\x68\x28\x4d\x10\x5c\xc8\xb4\x4f\xf8\x20\x71\x3b\x13\xd2\x1f\x43\xbc\x3b\x08\x8f\xb9\x59\x15\x44\x59\x31\xeb\xd3\x02\x5a\xd9\x7a\x52\x23\x0b\x71\x2e\xb5\xd0\x87\x03\x16\x38\x76\x14\x3b\xe8\xc3\x04\x82\x65\x4c\x5a\x35\x63\xdb\xc7\x1c\x46\xed\x58\xe8\x33\x36\x8b\x88\xc6\xaa\x5c\xc1\xc2\xa3\xcc\x5a\x59\xf4\xb4\x1f\x15\x32\x2b\x24\xea\x49\x3d\x17\x57\x7e\x8e\x69\xc6\x36\x15\xcc\x85\x94\xee\x71\x6b\x54\x0c\x46\x54\xe4\xdc\x52\x83\xb9\xd6\x90\x09\xac\xb2\xa0\x98\x12\x46\x1d\x8d\x42\xe1\x01\x45\xa7\x9f\x66\xc4\xcf\x16\xc0\x30\xee\x13\x45\x20\x5b\xf4\xe2\x62\xbb\xc2\x15\x32\xb3\xff\x93\x5f\x6c\xc5\xe7\x42\xf8\x81\x05\x58\x3b\x14\xfb\x2b\xe4\x68\xf0\x12\x85\x3d\x25\x72\x3d\x51\x8e\xa3\xf3\x6d\x82\x5b\x12\x67\x21\x8e\xb1\xf3\x78\xb1\xd4\xe2\xf8\x75\x11\xf9\x4a\xd4\xd6\x01\xb5\x9c\x12\x1f\x2d\x6b\x5e\xf2\x64\xc0\x8a\x97\xcf\x74\xb5\x71\x8b\xa1\x1d\x5c\xfc\x95\xf7\x94\xd0\xb3\x35\x7a\xf1\x9b\x2f\x0c\xee\x3c\x17\xa7\xba\x18\x58\x34\xec\xd7\x75\x68\x05\xd1\xd7\x9d\x43\xc7\xd9\x48\x2a\x7d\x10\x5d\x7f\xf5\xd8\xb3\x4c\x10\x83\x34\x55\xf6\x35\xd4\x79\xcf\x7a\x87\x91\xdd\xb8\xfd\x14\x65\x09\x07\xdc\x1a\x19\x2e\xd5\x7c\xf0\x7d\x2a\x21\x97\x16\xc5\x42\x37\xf6\x76\x27\xe8\xb7\x27\xd3\x31\xac\x65\xb6\xb6\x9a\xb1\xfc\x84\x21\x6c\x21\x73\x63\x4c\x2d\xee\x55\x8b\x96\x8a\x6b\x6a\xcc\x66\x47\x0d\x09\x46\x5d\x2a\xb3\x56\xc0\x37\xee\x71\x42\xf0\x11\x13\xda\x39\x57\x17\xbe\xca\xea\x9d\x5b\x18\x1d\x7c\xff\x6c\x62\x3d\xae\x73\xc7\x34\x09\x0d\x28\x06\x17\x1c\x16\x8f\x5a\xa8\x79\xa6\xc2\x86\x6e\x2a\xe6\x5b\x30\x08\xf6\x64\x32\x80\x05\x87\x93\xcd\x58\xe3\x99\xc9\xab\x75\x56\x6b\xea\x01\x65\x5e\xfb\x73\x67\x33\x1d\x5d\x7c\xc0\x38\x0a\xe9\x04\xb7\xdf\xf6\x86\x39\xd3\x7f\x76\xb0\x86\x7e\x56\xcd\xf5\x1a\xdc\xbb\x25\xb8\x8b\x35\x3b\xd7\x61\xf4\xdc\x2f\x7e\x84\x9f\x50\x22\x19\xdf\xc7\x0e\xf3\xf7\xf2\x63\x42\x4e\x21\x62\x63\x54\xb9\x42\x28\xc3\x98\xcf\xdc\xb2\x0c\x21\x62\xa9\xb5\x10\x0a\xdc\x63\x47\x31\x99\xee\xe6\x0a\xad\xcf\xb7\xd0\xb1\x62\x02\x61\xee\x5d\x93\xe8\x17\xf9\xd9\x65\xeb\xce\x80\x82\x39\x22\x44\xcc\x55\xd4\x27\xa9\x8e\x79\x10\x56\x8c\x66\x33\x41\x30\x94\x17\x58\x59\xc8\x58\xe3\xff\xd5\xa2\xac\x5a\x78\x40\xb6\x5d\xf1\x7c\xf0\xdb\xb9\xa3\x79\xd6\x34\xdc\xa1\xd5\x10\xce\x42\x3d\x53\x34\xd7\xb6\x56\xfb\x29\xbc\xc2\xdd\x61\x07\x0d\x95\x21\x85\xc9\xf2\x56\x9f\x96\x28\x88\xf9\x35\xc4\x90\x4d\x11\xfb\xda\x0f\xac\xd7\x3c\x30\xde\xda\xa5\x0b\x50\x7b\x7e\x26\x15\xd8\xa3\x61\x73\x06\x6a\x4b\xb3\x09\xe1\xc5\xf1\x80\xa5\xaa\xd8\x5b\xdf\x93\x2b\x1f\x16\xf2\xed\x79\x76\x16\xb5\x8c\x83\x4d\x45\x8d\x67\x6b\x08\x1a\xbb\xd9\x27\xdc\xed\x83\x62\x51\x28\x8b\x5e\xeb\xda\x62\x51\x07\x85\x84\xa1\x28\x04\xe8\x39\x6b\x97\x26\xd8\x87\x42\xe5\x7b\xb7\x75\xe1\x1e\x01\x73\x33\x30\x65\x85\x99\x75\x77\x0d\x6e\xf5\x68\xd9\xaf\xe9\xed\x43\xf2\x5f\xc5\xd2\x89\xf2\x1a\x28\x17\x0d\xae\x47\x43\xb9\x22\x56\xef\xaf\x4a\xfd\xb9\x1a\x6e\xe6\x1c\xbf\x68\x0e\xdc\xb6\x97\x8b\x98\x4c\x78\x66\xfd\x03\xe7\xda\xbb\x2d\x03\x82\x87\x31\x05\x81\x7d\x88\x77\xe3\xe0\x6d\xef\x3c\xc1\x4b\x97\x73\xc5\x08\x9a\x62\xcb\xa2\x87\x13\xbb\x27\x60\xf3\x88\xfb\x12\xa9\x0b\x2f\x0d\x67\x3b\x47\x78\x3c\x74\xe6\xb2\x98\xa3\x4c\xc3\xc2\x94\x89\xca\x5a\x6d\xf4\x4c\xfc\xfd\xe6\x6f\xeb\x58\xc9\xb9\xea\xa1\x1f\x93\xd2\x65\xeb\x53\xd5\xf9\x72\x5b\x80\xd9\x7a\x4c\xb3\x83\xb7\xeb\x60\x57\xc7\xd4\xb3\x1a\xaa\x83\xcc\x0a\x67\x10\xae\xa3\xb4\xd9\x8a\x9d\xef\x77\x0a\xce\x0d\xbf\x9c\x46\x8d\x27\xfa\xf3\xa9\x9a\x14\x63\x97\x39\xf1\x61\x02\xc5\xd0\xef\xfc\x98\x3b\x9c\x4e\x17\x09\xeb\xc2\x6e\x15\x98\x1e\xad\x48\x06\x14\x98\x30\x88\xe9\xea\x9e\xe7\x38\xb8\x7d\xbc\x7f\x76\x63\xb7\x32\x83\xf3\x73\xdb\xee\x39\x88\x4f\x35\xd5\x84\x77\xb0\x72\xf2\xfe\xbc\x75\x29\x4b\xad\xe8\xef\x88\x66\xf5\xd8\x95\x8d\xaa\xb3\x2e\x48\x03\x8d\xd0\x3d\x42\x3b\xa6\x64\x0e\x71\xb7\x2c\xaa\xad\xec\xfb\xc6\xbf\x34\x96\x93\xab\xbf\x5b\x27\xe4\xe5\xce\x32\x60\xa4\x76\x9e\xa4\xcf\x5c\xc5\xab\x75\xde\x6f\x51\x1f\x85\x1c\xf5\xc2\x08\x09\x74\x95\xda\x3e\xe4\x70\x40\x81\x93\x28\x7f\xce\x69\x9a\x95\xea\x5c\x85\x52\xe8\x60\x1c\xdb\x5b\x84\x78\x83\x40\xe9\x49\xeb\x0c\xe8\xed\x6d\xd6\x87\x75\xf8\x97\x3c\x76\x07\xbf\x9c\xdb\x5f\x55\xda\xab\xa5\x99\xb8\xfd\x17\x48\x74\x6f\x9b\x66\x33\xf3\x71\x44\xe7\x59\x73\xa6\xf9\x68\xe3\xf9\x59\x88\x65\x69\xe2\xd8\xbc\xf6\xca\x35\xcf\x7d\x84\xd3\xaf\x99\x5f\x83\x4e\x01\xff\xa9\xfe\xb1\x26\xf5\x01\x3c\xbb\x3c\xa2\xa8\x67\x59\xb1\xac\xbb\x7e\x71\xe4\xf3\xad\xfe\xe6\xb6\x80\x79\xca\x38\x7c\x44\x19\x6c\xd8\x15\x0a\x8a\x75\x32\x3e\x8c\xb2\x8a\x76\x89\x2e\xad\xf3\xd1\x3a\x9e\x3d\x7e\x3b\x7c\xef\xe3\x2d\xea\x9c\x16\x3a\x23\x7b\xc9\xd0\xee\x7f\x00\xea\x01\xcf\x9e\xfb\xfc\x1c\xfd\x68\x54\x07\xa1\x43\x67\xef\x9a\x48\x75\x86\xb6\x11\x72\xb1\xeb\x75\xb2\xee\x83\xa2\xb8\x0d\xb8\x1b\xda\xb3\x41\xb0\xb8\xcd\xe6\xff\x4b\x31\x9b\xff\x06\x00\x00\xff\xff\xfd\x98\xef\x1a\x17\x10\x00\x00")

 func complySoc2PoliciesRemoteMdBytes() ([]byte, error) {
 	return bindataRead(
@@ -937,12 +937,12 @@ func complySoc2PoliciesRemoteMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/remote.md", size: 180, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/remote.md", size: 4119, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }

-var _complySoc2PoliciesRetentionMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x3c\xcb\xb1\x8a\xc3\x30\x10\x04\xd0\x5e\x5f\x31\x70\xb5\xcc\xd9\xdc\x1d\x87\x5a\xa5\x49\x2a\x63\xe7\x07\x16\x59\x09\x1b\xac\x5d\xb0\xd6\x01\xff\x7d\xb0\x09\xa9\xe6\x31\xcc\x08\x95\x1c\x70\x22\x23\x0c\xd9\xb2\x18\xab\xa0\xd7\x99\xd3\xe6\x28\x2d\x2a\x5b\x09\x18\x7a\x57\xc9\xb8\xde\x38\xd7\xe0\x80\xeb\x18\xf7\x00\x3c\x62\x6c\x9b\xee\xe3\xbf\xe6\xf7\xed\xfe\xa7\xe9\x5c\xa1\x87\x2e\x43\x7e\x72\x65\x95\xe3\xe9\x31\x91\xe5\x80\xcb\x2a\x68\xd1\x7d\xb7\xff\xc7\x3e\x69\x29\x59\x2c\xe0\x2c\x6c\x4c\x33\x26\x4d\xeb\xde\x38\xef\xbd\x73\x5f\x88\x5a\x58\xee\x18\x55\xe5\x15\x00\x00\xff\xff\xf1\xef\x33\xc8\xb2\x00\x00\x00")
+var _complySoc2PoliciesRetentionMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xd4\x58\xcd\x8e\x1c\xb7\x11\xbe\x0f\xf2\x10\x05\xf8\x22\xd9\xbd\xe3\xc8\xc8\x1f\x36\xc8\x41\xd6\x0a\x81\x83\x04\x5a\x48\x42\x72\xc9\xa5\x86\xac\x99\x2e\x89\x4d\x76\x48\xf6\xcc\xb6\xa1\x83\x5e\x23\x80\xfd\x72\x7a\x92\xa0\x8a\xec\x9e\x9e\x1f\x29\x72\x02\x07\xc8\x1c\xb4\x2d\x76\x93\xac\x9f\xaf\xbe\xaf\x48\x8f\x1d\xdd\xc2\x1d\x66\x84\x97\x94\xc9\x67\x0e\x1e\xee\x83\x63\x33\xae\xd0\xc4\xe0\xc7\xee\x16\x5e\xde\xaf\x12\x66\x4e\x5b\xa6\x74\xbb\x02\x78\xfd\xea\x99\xfc\x01\xb8\x81\x67\xcf\x9e\xac\xbf\x99\x9f\x7f\xb3\xfe\x75\x7d\xbe\xff\xd5\xfa\x9b\x55\x87\x6f\x42\x7c\x49\x7b\x4e\x1c\xbc\xce\xbc\x01\x8b\x99\x6e\xe1\x4f\x83\x87\x27\xf0\xcd\x2f\x9f\xfc\x4e\xbf\x37\xa1\xeb\xc8\xe7\x5b\xf8\xce\x73\x66\x74\x60\x83\x19\x64\x64\x75\x73\x73\xb3\x5a\x7d\xf1\xb4\xef\xc9\x5b\x36\x94\x56\xf5\xf1\x01\x9e\xde\x2e\x2d\xa6\xc8\xc1\xa6\xd5\xea\x0b\xb8\x1f\x62\x1f\x12\x01\x7a\x0b\xaf\x4c\xe8\x69\xb5\xc2\x35\xbc\x6e\x39\xc9\xde\x08\x71\x9e\xd4\xab\x9b\x60\x69\xcb\x9e\x12\xe4\x96\x20\x6c\xde\x90\xc9\xbc\xa7\xa4\xf3\x23\xfd\x63\xe0\x48\x62\x49\x82\x6d\x88\xe7\x2b\x1c\x38\xb7\xec\xcb\xcc\xb8\x43\xcf\xdf\xa3\x8c\xaf\x8f\x5b\xd6\x3d\x4c\xd8\x53\x4c\x80\xce\x95\x25\x3e\x32\xf1\xc3\xfb\x7f\x26\x30\x43\xca\xc1\x8e\x10\x22\x98\xe0\x73\x0c\xae\x01\x8e\x91\x76\x18\xad\xa3\x94\x20\x6c\x75\x62\x47\x96\x87\x4e\x1f\x75\x4d\x4e\x90\x72\x88\x64\x81\x3d\x3c\x22\x47\x26\xc7\xe0\xd9\x88\xe1\x5d\x03\x3d\xf6\x14\xeb\x33\x65\xb3\x7e\x0c\x7f\x9b\x8c\x98\xed\x6c\x96\x0b\x1f\x5a\x36\x2d\xb4\xc1\xd9\x34\x6f\x10\x69\x4b\x51\xb6\xc8\x01\x30\x01\x7b\x59\x4f\x4d\x6f\xc0\x07\xe8\x30\x67\x8a\x70\x68\x31\xeb\x4e\xc0\x59\x66\xf1\x95\x88\x60\xdf\x3b\x96\xa8\x07\x8d\xca\x90\x24\x3e\x61\xbb\x5c\x12\xd2\x98\x32\x75\xe9\xa3\x61\x2e\x0b\xe6\xb1\x67\x83\xce\x8d\xc0\xde\xb8\xc1\x52\x02\xea\x7a\x17\x46\xaa\x59\xd4\x28\xa2\xc9\x21\xa6\x46\xac\x3e\x90\x73\xf2\x17\xfd\x08\xf4\x90\x29\x7a\x74\xd0\x63\xcc\x6a\x8f\xd8\x6e\x42\x47\xc0\x3e\x07\x9d\x8b\x26\xab\x09\xb3\x3d\xb2\xe8\xd2\xce\x73\xc3\x20\x1c\x7c\x5a\xe4\x2f\xc1\xa3\x96\x22\xb1\xc7\xad\x84\xe7\x2c\x88\x1f\xde\xff\xa0\xde\x7f\x78\xff\xe3\xe3\xd3\x18\x75\x43\xca\xb0\x21\xe8\xd0\x12\x44\x42\xcb\x6e\x04\xdc\x23\x3b\xdc\x38\x3a\x09\xdd\x5a\xa0\xff\x2d\x9a\xb7\xbb\x18\x06\x6f\x6b\xb8\xcf\xcc\xe2\x04\x1b\x79\x0b\x1b\x59\xdb\x65\xee\x1d\x81\xa3\x1d\xba\x06\x22\xed\x06\x87\x39\xc4\xf1\x24\x66\x03\x3a\x08\x1b\xc7\x3b\x5d\xa1\xa4\x02\x0a\x16\x65\xff\x23\xf8\xb2\x94\x05\xb2\x4f\xba\x6f\xa2\x93\x59\x29\x73\x2f\xab\x13\xb4\xe1\x00\x2e\xf8\x5d\x99\x65\xd0\x8b\x7f\x65\x26\xd9\x46\xb7\x96\x4f\xf4\xed\xe4\xbe\xa5\x94\x63\x18\xc9\xae\xe1\xf9\x03\x76\xbd\x23\x45\xca\x4f\x33\xbc\x62\x03\x1c\x1e\xa6\xda\xd6\x79\xf5\xa5\x7a\xe2\x82\x41\x07\x6f\x86\xc8\xc9\xb2\x29\x15\x2e\x89\xbb\x4c\xb0\x09\xde\x0e\x26\x27\xd8\x0c\x49\xc8\x23\x35\x27\x9b\xa7\x92\x32\x0d\xd6\x8c\xc5\xa6\x54\x76\x47\x02\xc3\x44\x71\xcf\x86\xa0\x8f\x61\xcf\x56\x87\x04\x81\x5e\x59\xc2\x5b\x08\xb9\x2d\x59\xbd\x96\xc7\x0e\x47\x40\x97\x82\x04\x87\xfd\x3e\xb8\x7d\x29\x7a\xda\x2b\x51\xa5\xc1\xb4\x02\x2c\xc7\xb9\xba\x2f\x58\xb4\x9c\x30\x15\xf8\x29\x1b\x8d\x90\x0c\x79\x8c\x1c\x2a\xe8\x2b\xd9\x49\x2a\x73\x80\x16\xf7\x04\x68\x8c\x10\x4e\x0e\x10\x22\xef\x58\xea\x64\x89\x7b\x96\x85\x2d\x45\xf9\xa0\x8f\x21\x93\xc9\xd7\x29\x8d\x7d\xa6\x48\x29\x6b\x51\xe4\x56\xe8\x59\x4a\x3d\xa7\xff\x2e\x3a\xf0\x34\x81\xd0\x71\x1a\x5c\x6e\x2e\x93\x24\x61\xf2\x54\xeb\x2c\x9a\x96\xf7\x45\x15\x94\x25\x4f\x1c\x11\x6a\x17\x54\x8a\x2b\x12\x0a\xce\x3a\x79\x43\x3a\x9f\x6c\xe5\xfe\xf1\x26\x87\x1b\x8b\x23\x84\x9e\x62\x81\xce\x7a\x05\x2b\xf8\x7b\x8f\x3b\xda\x44\xc2\xb7\xa0\x0a\x54\xe4\x53\x52\xf7\xe5\x77\x8b\x5d\x66\xb9\xfa\x72\xa5\xaa\xc7\xeb\x85\x82\x89\x3c\xa9\x10\x59\x49\x9d\xd2\x30\x4a\xd8\x3c\x7a\x43\xe7\xc4\xc8\x1e\x50\x82\x23\x18\xac\xe9\x75\xe2\x1d\xf9\x3d\xc7\xe0\x45\xaf\x2a\x7d\xd7\x0a\x2b\x89\x24\xad\x7c\xf4\x80\x43\x6e\x43\xe4\xef\xc9\x2a\x7b\xc0\x4c\xae\x96\x3d\x46\x91\xab\x21\x96\x1c\x4d\xf8\x5e\xc3\x6c\xf3\xd2\xa5\x21\x15\xe4\x29\x0f\xd0\x9e\x5c\xe8\x65\xf3\x06\x52\xc6\x1d\xfb\x5d\x29\x8b\x4c\x29\xb3\xdf\xc9\x7a\x13\x85\xa6\x56\xa8\xcb\x87\xbc\xac\x7f\xd8\xd0\x18\xe4\xfb\x96\x38\x02\xaa\x10\xcb\x16\xd0\xab\xbc\x83\x57\x4a\xed\x59\xf7\x2c\x98\xfb\x44\x04\xa4\x7a\xaa\xc9\xdf\xaa\xca\xe3\x0c\x93\x45\x0f\x50\x56\x3e\x17\x1e\xb5\x4e\xe2\xe6\xaf\x98\x11\xb6\x40\x0f\x68\xb2\x1b\x21\x1f\x02\x8c\x84\x31\xc1\x36\x86\x4e\x11\x6d\x22\xd5\xd8\x78\x55\x6b\xf4\x40\x0f\x86\xfa\x29\xcb\x61\x53\x9d\xed\x29\x76\x9c\x35\x30\x38\xa1\x2f\x44\x48\x6d\x88\xa5\x4c\x4f\x6d\x2c\x3c\x30\xe5\x03\x06\xaf\x94\x9b\xfa\xe0\x13\x8b\x1a\x6c\xb5\xb4\x4e\x71\xad\x0c\x2a\x75\x4d\xa9\x54\xe6\x6c\xc9\x31\x36\x4f\x55\x93\xe4\xe5\x55\x4f\x4f\x60\x97\x40\x98\x43\xe1\x67\x4c\x88\x56\xb1\xa9\x2c\x97\x97\xd2\xee\xad\xc8\x7b\x0c\x42\x4b\xf3\x8e\xa9\xb9\x34\x4d\x22\x5c\x0a\xb3\x94\x18\xce\x35\x30\xf9\xfc\x42\x76\x28\xe8\xaa\xc5\x51\x0b\xb9\x5a\x58\x4d\x6a\xae\xbb\x7e\x22\x1e\xb3\xc7\xcf\xd1\xb4\x67\x81\xd4\xd6\xe6\xd3\xb1\xe4\x5c\x52\x2b\x54\x35\x24\xf9\x57\x79\x44\xa8\x29\x06\xad\xae\xc2\x4d\x75\x43\x51\x04\x8d\x91\xe4\xb7\x2a\xe5\x49\x3b\xa9\x5d\xdc\x1c\xb4\x92\xdd\xa5\x0d\x17\x06\x1a\x79\x63\xa9\x36\x0e\x1b\xba\xb0\x30\x1c\x3c\xc5\xa3\x9b\xe7\xb2\xa1\x4c\xac\xa2\x29\xf5\xed\x13\x39\x25\x39\x4e\x69\x20\x41\xe0\x51\x2d\xa4\xe7\x93\x3d\x8e\xc8\x11\x4e\x5c\xec\x14\x49\x94\xb3\x38\xd6\x07\xc5\xa9\xc8\xad\xd6\xac\x08\xef\x71\xad\x06\x30\x6e\x38\xc7\x59\x86\x94\xba\xc1\x38\xe4\x2e\x35\x60\xa9\x43\x6f\xe5\x81\x53\x3f\x64\x52\x81\x58\x2a\x7a\xa9\xee\x25\x47\x5c\x01\x1f\xfb\x94\x63\x21\x82\x5a\x88\xaa\xe6\x4b\x57\xcf\xb2\x3f\xc9\xce\x59\x7f\x08\xb8\xdd\xb2\x63\xcc\x64\x27\x58\x93\x34\x83\xbd\xb4\x8a\xb5\x98\xf2\x10\xfd\x39\x19\x17\xc2\xea\x83\x80\x20\x55\x47\x6b\xef\x37\xe5\xfe\x44\x99\x86\x5e\x48\x86\x7a\xac\x71\x41\x6f\xbf\x56\xc7\x73\x85\xc7\xfa\x2a\xdb\x6a\x82\x53\x31\x84\x64\xbc\xd6\xc6\x4c\x15\x4d\x2d\x0f\xe5\x94\x09\x8b\x13\x43\x6e\x4f\xdb\xf5\xe2\x79\xd7\x0d\x9e\x8d\x74\x66\x59\xbb\xb6\x52\x56\xa9\x64\xdf\xd1\x1e\x7d\x9e\x5a\xe3\xf5\xa5\xa2\x3d\x9d\x76\x3b\x2a\xda\x3c\x74\xa6\x68\x89\xcc\x20\xd0\x95\xa2\xc1\xdd\x85\xa2\x69\xcf\xa2\x38\xbb\xa8\x3b\x29\x4d\x5f\x70\xcf\xbe\x08\x59\x29\x90\xf1\x5c\xc7\xd2\x67\x08\x19\x6c\x86\xbc\xe8\x3b\x23\xd3\xfe\x28\x8b\xb6\x63\xcf\x49\xd0\x2a\x7a\x4f\x89\x77\x5e\xb1\xb0\x19\x8f\x28\x40\x8f\xbb\x65\x8e\xe4\xf7\x64\x0d\xf7\xed\x98\xe4\x18\x02\x8f\x68\xbd\x5b\xd7\xe3\xd6\x63\x6d\xb6\xa2\x4d\x97\x74\xc7\xfe\x22\x24\x8f\xa4\xc0\x33\x69\x95\x6c\xb7\xf2\xf8\xb8\x64\xc9\x11\x46\x37\x82\xc3\x0d\xb9\x5a\x01\x95\x05\x37\xe1\x81\x12\x78\xec\xb4\x18\x3f\xc1\x07\xd5\xca\xe7\xc7\x53\xe1\x47\x2d\x2b\x47\x9d\x1c\xd9\xe4\xa9\x01\x9c\xcf\x31\x89\xb2\x04\xe3\xea\x4e\x47\xde\xef\x23\x2b\xa2\x42\x75\xb1\x96\x91\xdf\xb2\x2d\x54\xc1\x79\x6c\xb4\x29\xdc\x45\xce\x55\x30\x6a\x62\x59\x5e\x4e\x47\xdc\xc5\x1e\xa7\xbc\x56\xd5\x7c\x01\xf7\x7f\x23\xe4\xbf\xad\x32\x7d\x14\xe5\x4b\x85\xaa\x8a\x9c\xae\xca\xf1\x24\x48\xcf\x67\x3d\x9b\x23\x57\x69\xb2\xe0\xe4\x33\x92\xa0\x5d\xeb\x6e\x60\x4b\x8e\x3d\x35\x6a\xcc\x15\x3f\xba\xa0\x91\x43\x3f\x1b\x5f\x7b\xd2\x5d\x44\x9f\xab\x62\x2e\xb7\xd2\xc4\x21\xec\x39\xa3\x83\x96\x05\x56\x8a\xc8\xbe\xde\x88\x4c\xe7\x02\x13\x62\x1f\xa2\x64\xa8\x62\xa0\x39\x1e\x5c\xa6\x86\xcd\xb4\x42\x0b\xee\xeb\x1c\xe5\x20\x93\xc8\x44\x9a\x1b\xaa\x9f\xe6\x86\xc6\xfb\x3f\x70\xc3\x71\xc7\x1a\xd3\xa9\x70\xcf\xdd\xa0\x0e\xd9\x35\x90\x23\xee\xc9\x01\x67\xf6\x14\x31\x72\x51\x64\xba\xc9\x91\x7b\x40\xbb\xe7\x14\xca\x60\xd0\x73\x8a\xd4\xb1\x1b\x2b\xc8\x7b\x32\xbc\x65\x33\x1d\x25\x97\x67\xc7\x99\x92\x67\x2d\x3a\x51\xef\x5a\xe5\xf7\xcf\xbe\x83\xbb\x57\xaf\x1a\xf8\xe3\xdd\xfd\xcb\x7a\xaf\x72\x95\xba\x2f\xda\x11\x78\x34\x91\xe3\x86\x5c\x38\x3c\x86\x4a\x7d\xe4\xed\x84\x7e\x72\xd8\xa7\xb9\xe5\x39\x46\x75\x0d\x70\x49\xc5\x77\x47\xaa\x3f\x92\xf1\x62\xf0\xca\x01\xa3\x9f\x28\x4b\x22\x33\x65\xfc\x44\x33\xd2\xb0\xdd\xb2\x61\x39\x4e\xa8\x20\x78\x4b\x97\x8d\x91\x5e\x91\x4c\xd2\xac\xad\x5a\xbd\xbc\xd3\x5b\x2b\x65\x58\xac\x7c\xbd\xe0\xe5\xae\xa3\x68\x18\x9d\x1b\x6f\x8e\x37\x1a\x1d\xa1\x4f\x1f\xef\x60\x4a\x14\xf5\x5c\x84\xac\xaa\x39\xcb\xa0\x74\x8e\x19\x59\xe8\xd1\x71\xca\x12\xc2\xb9\xc0\x97\x1e\x75\x94\x5b\xd1\xb7\x25\x4f\x09\x00\x49\xba\x82\x3c\xf6\x17\xc2\x34\xd1\x62\x03\x87\x96\xb4\x77\x61\x7f\x8c\xdc\x44\xdd\x1d\x59\xc6\x19\x99\xcf\xee\x6e\x5e\xbe\xf8\x4b\x6a\xe0\xee\xaf\x77\xa9\x81\x0d\x9a\xb7\x43\x0f\x19\x7b\x81\x61\x8b\xd1\x82\x8d\xbc\x97\xff\x74\x61\xc3\x4e\x8f\x4e\x6c\x14\xb8\x21\x66\x8d\x44\xf9\x00\xb4\x34\xf4\x36\x64\x83\x69\xae\x57\x19\xae\x8b\x6e\xd9\x51\x5a\xa8\xcf\x59\x63\x72\xbc\xf4\x9b\x11\x98\xda\x48\xd6\xaa\x62\x96\x36\x61\xa9\xa2\xe5\xa5\x8c\x17\x93\x7e\x0f\x07\x4c\x99\xe6\xc9\x05\x80\xf5\xba\x2d\x52\x17\x26\xf1\x9c\x62\xdd\x53\x4c\xc1\x7b\x6d\xb8\x70\x79\xbe\x55\x8e\xd7\x58\x0a\x23\xd5\x2e\xe3\xbc\xf4\x4b\xa3\x59\xcf\x50\x12\xf3\xa9\xb5\xb6\xcd\x74\xb7\x29\xeb\x0c\xe9\xc8\xb5\xe7\x17\x5c\x13\xc6\xd9\xc3\xf1\xaa\xb8\x81\x0f\xef\x7f\xb8\xb8\x2d\x5e\x7f\x78\xff\x23\xac\x7e\xb1\x3a\x3b\xbe\x7f\xf2\x86\x19\x56\xab\xaf\x6e\x2e\x7e\x57\x86\xae\x8d\x7d\xd6\xd0\x57\xab\x77\x27\xcc\xf1\x5a\x40\x79\x3a\xf4\x42\xe5\xf6\x1d\xbc\xaa\xe8\xfb\x73\x30\xe5\xc5\xbb\x0b\x83\xe1\x5d\xed\xc8\xd0\xcd\x23\xab\xaf\xfe\x70\xf1\xbb\x32\x74\x6d\xec\xb3\x86\xc4\x83\x8b\xdf\x95\xa1\x6b\x63\x9f\x35\xf4\xee\xe7\xdf\xe0\x7f\x90\xe4\x9f\xd9\x83\xff\xfb\x10\xfd\x2b\x00\x00\xff\xff\x8e\x64\x5d\xe4\x9b\x1a\x00\x00")

 func complySoc2PoliciesRetentionMdBytes() ([]byte, error) {
 	return bindataRead(
@@ -957,7 +957,7 @@ func complySoc2PoliciesRetentionMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/retention.md", size: 178, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/retention.md", size: 6811, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -977,12 +977,12 @@ func complySoc2PoliciesRiskMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/risk.md", size: 158, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/risk.md", size: 158, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }

-var _complySoc2PoliciesVendorMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x1c\x8d\xc1\xaa\x83\x30\x10\x45\xf7\xf9\x8a\x0b\x6f\x9d\x47\x75\xd5\x66\x9b\x55\x0b\x82\xd4\xe2\x7e\x88\x53\x99\x62\x66\xc0\xc4\x82\x7f\x5f\x74\x75\xe1\x72\x0e\x47\x29\x73\xc0\xc8\x3a\xd9\x8a\x8e\x94\x66\xce\xac\x15\xbd\x2d\x92\x76\x47\x69\x35\xdd\x73\xc0\xd8\xf5\xae\x50\x95\xf2\x16\x2e\xc1\x01\xaf\x21\x1e\x03\x78\xc4\x78\xfb\x6f\x5d\xa6\x8f\xad\x4f\xfe\x4a\x11\xd3\x13\xf1\x98\xa8\x72\xc0\x63\x53\x34\x68\x2f\xcd\xf5\x14\x92\xe5\x23\x11\x70\x57\xa9\x42\x0b\x26\x4b\xdb\xf1\x38\xef\xbd\x73\x7f\x88\x96\x45\x67\x0c\x66\xfa\x0b\x00\x00\xff\xff\x8a\x18\x1b\xc5\x9f\x00\x00\x00")
+var _complySoc2PoliciesVendorMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x8c\x56\xcd\x6e\x1b\x47\x0c\xbe\xeb\x29\x08\xe4\x62\x03\xb2\xd0\xe4\xd4\xfa\xe6\xe4\xa4\x22\x01\x8c\x58\xc8\x9d\x9a\xa1\x76\xd9\xcc\xce\x6c\xc9\x59\x19\xdb\x53\x5f\xa3\xaf\xd7\x27\x29\x38\xb3\x2b\xad\x63\xc9\xe9\xc9\xf2\xce\x0f\x3f\x7e\xfc\xf8\x71\x22\x76\x74\x0f\xdf\x28\xfa\x24\xf0\x05\x23\x36\xd4\x51\xcc\xf0\x98\x02\xbb\x71\x85\x4e\x52\x1c\xbb\x7b\xf8\xf6\xe5\x71\xa5\x98\x59\x0f\x4c\x7a\xbf\x02\xd8\x3d\x7d\xb2\x3f\x00\x77\xf0\xe9\xd3\x6f\x9b\x0f\xab\x0e\xff\x48\xf2\x95\x8e\xac\x9c\x62\xd9\x72\x07\x1e\x33\xdd\xc3\xef\x43\x84\xf7\xf0\xe1\x97\xf7\xbf\x96\x03\x2e\x75\x16\xe2\x1e\xb6\x91\x33\x63\x00\x9f\xdc\x60\x5f\x56\x77\x77\x77\xab\xd5\x3b\x78\x1c\xa4\x4f\x4a\x80\xd1\xc3\x93\x4b\x3d\xad\x56\xb8\x81\x5d\xcb\x0a\x7d\x81\x05\x9e\x0e\x1c\x49\x21\xb7\x04\x32\x04\x52\x38\x24\x01\xa1\x80\xd9\x82\xb7\xdc\x2b\x3c\x73\x6e\xcb\x86\x24\x0d\x46\xfe\xab\x2c\xfd\xfb\xf7\x3f\x0a\xdb\x78\x48\xd2\x95\xff\x61\x47\xae\x8d\x29\xa4\x66\x84\x9b\xed\xee\x16\x8e\x85\x09\x2d\xb1\x7b\x94\x1c\x49\x74\x03\xaf\x00\x60\xdf\x07\x36\x00\x09\x30\x04\xd8\xee\x2e\x1e\x84\xe7\x36\x41\x8b\x47\x2a\x38\x70\xcf\x81\xf3\x68\x67\xb8\xeb\xd1\xe5\xf2\xd5\xa5\x78\x60\x4f\xd1\x98\xe0\x3c\xae\x81\x63\xa6\x46\xca\x4f\xbb\x0b\x8f\xc8\x61\x3e\x9a\x0e\x97\x33\xca\xe7\x2c\xec\x8c\x52\x54\xce\x7c\x24\xe0\x73\xaa\x6b\x48\x52\x00\xa1\x50\x21\x87\x63\xb9\x4c\x8d\xe1\xab\x37\x2f\x2e\x00\x25\x37\x18\x30\xe8\x25\x35\x82\xdd\xe6\x67\xb4\x50\xd7\x87\x34\x12\x55\x56\x5c\x8a\x59\xd0\x65\x63\x29\xb7\x98\x0b\x10\x21\xed\x53\x54\xde\x07\x2a\x35\x34\x10\xdd\x59\x86\x76\x2e\x1d\x49\x94\x9b\x36\x1b\xc8\x6b\x4c\x5f\xc0\x6f\x65\x7b\x07\x1f\xd1\x7d\x6f\x24\x0d\xd1\x4f\x68\xa9\x5c\x68\xf0\x4e\xf9\x5c\x38\x0c\xac\xd0\x72\xd3\x06\x13\x5b\x4f\xd1\x2a\x04\x69\x62\x6c\x71\x8e\xb3\x9e\x12\x1b\x30\x5c\xd2\xa0\x6d\xd9\xee\x40\x87\x42\xce\x2b\x6d\x5d\xd2\x35\x08\xfd\x39\xb0\x14\x0e\xaa\xb6\xe9\x70\x20\x57\x4a\xfa\x16\x3b\x3a\xb8\xf6\x4a\x20\x38\x48\xea\x00\xe3\x95\x8a\x92\x68\x5f\x03\x54\x8e\x26\x40\xbd\x90\x3a\xe1\x3d\x29\x74\x1c\xb9\x1b\x3a\xd0\x8c\xd1\xa3\x78\x05\x9c\x4a\x01\xdd\xa0\x19\x3a\xa2\xfc\x76\x90\x72\xb2\x4f\x1c\xb3\xa9\xdc\x85\xc1\x73\x6c\xce\xcb\x2e\xe0\xa0\xa4\x6b\x10\xd6\xef\x80\xaa\xa4\x5a\x08\x58\x83\x92\x1c\xd9\x11\x04\x3a\x52\x00\x6c\x84\x68\x5a\xb1\x14\x39\xba\xd2\x41\x0b\x6a\x36\x56\xfa\xaf\x74\x20\xa1\xe8\x48\x4b\xe9\x97\x6d\xff\x34\x07\x9d\x7c\xce\xd6\x4f\xdf\xb6\xf3\x7d\x5f\xab\x38\xe9\xb4\xeb\xdd\x72\xff\x52\x8a\x42\xd6\x14\x2d\xef\x39\x93\x9f\x58\x70\x8e\x54\x2d\xc3\xff\xdf\x58\x96\x74\x56\x18\x62\xe6\x00\x80\x27\x65\x95\x1f\xc8\xf1\x25\x5f\xb6\x98\x82\x9a\x54\x0b\x25\xbe\xf4\x9d\xf5\x3f\x37\x91\x3c\xec\xc7\xea\x3b\x7d\x2f\xa9\x17\xc6\x4c\x45\x0d\x4c\x5a\x3b\xf7\xe1\xa5\x73\x95\x2a\xba\xd4\xf5\x61\x3c\x9b\xe7\x59\x21\x96\xb8\xf5\x76\xd5\xa8\x2f\x81\x3c\x09\x1f\xe7\x84\x6d\xfb\x1b\x1c\xc3\x8d\xcc\xf5\x80\x1b\xbc\xbd\x9d\x5c\xf5\x61\xd9\x88\x73\x25\xd5\xb0\x2f\xa0\x25\x39\xeb\xb8\xc0\xdc\xd3\x69\x6a\x90\x09\xc0\xd8\x4e\xe2\xd1\x2e\xbf\x6e\xfc\x3f\xad\xf0\x0b\x8c\xfb\xdb\xdb\x2a\xaf\xae\x23\x6f\xec\x85\xd1\x5a\xf1\x19\xc5\x57\xaa\xaf\x26\x5c\xe7\xa8\xc0\xcd\xf6\xe9\xcb\xed\x69\x7a\xfc\x60\x30\x25\x0f\xf4\x2d\x09\xcd\x97\x65\x92\xae\x58\x99\xb9\xd3\xd3\xa4\xf9\xcf\x45\xf3\x0f\x27\xcd\xc3\xcd\xd3\xe7\x07\xbd\x05\x4b\x5d\x4a\xf2\x39\xd5\x9c\xcf\x84\x6d\xe0\x41\xa7\xdb\x4c\x9a\x43\x6f\x83\xd8\x4f\x03\x45\x21\xd2\x33\x24\xf3\x19\x5b\x5c\xde\xb3\x7e\xed\x83\x05\x26\x77\x7d\x98\x2d\x67\x04\xd7\x62\x6c\xa8\x54\xe5\xa4\xc1\x48\x34\xb1\x42\x51\x07\x21\xe0\x0c\x42\x1d\x72\x34\xa9\x57\x59\xb1\x95\x67\xa2\xe3\x23\x1d\xd2\x1c\xdc\x54\x5d\xb2\x58\x08\xde\x90\x36\x93\xe2\x6b\x27\xcd\x24\xf5\x28\xc5\x8b\xdf\x6c\xa8\x51\x33\x75\xba\x7e\x25\xef\x21\x7a\x92\xc6\x22\xfd\x60\x32\x06\xcb\x1e\x27\xbc\xf0\x01\xdb\xa2\xd5\xd1\x6b\x6a\xd7\x86\xcf\x2c\xc9\x3a\xc7\x0f\x4c\x1e\xfc\x20\x73\xeb\xff\x10\xc9\x8c\xc2\xf2\xd9\x40\x09\x38\x47\xdd\x5d\xd8\x59\xb9\xaf\x97\x5e\x80\xb3\xcc\xb8\x0e\xd8\xae\x1b\x22\xbb\xfa\xe5\xfc\x26\x58\x5b\xcd\x9f\x29\x04\xfb\x7b\x3d\xa9\x3a\x38\x4a\x79\x39\xea\xba\x46\x30\x97\x26\xd0\x61\x7f\x77\x1a\x2b\x53\x05\xdf\x24\x63\x12\x41\x19\xf3\xcb\x4a\x95\x09\x69\x9d\x7a\xf2\xcc\x4c\xae\x48\x53\xf1\x40\xcd\x50\x7a\xab\xea\xd4\xb3\xda\x2b\xd0\x97\xb9\x66\x25\xa1\x30\x5e\x68\x23\xcd\xc2\x2e\x87\x71\x6a\xa5\xd3\xdb\xa3\x3c\x45\x1c\xda\xbb\x22\x50\x83\x61\x0d\x42\xcd\x10\x30\x27\x19\x5f\x3c\x47\xea\xd4\x5e\x8c\x5b\xa1\x06\xc5\xcf\xd5\x73\x29\x04\x1b\x8c\xf6\x80\x9a\x2a\xc7\xb1\xa9\x10\xb3\x60\xd4\x8e\xd5\x5e\xbc\x15\xe6\xfc\xee\xf2\x98\xb1\x4e\x63\x54\x78\x24\x51\x4b\x3d\x8c\x77\xdb\x49\x21\x05\xd7\xd2\x3b\x6e\x1e\xb7\xdb\xeb\x56\x81\x56\x95\x64\x6f\x62\xcb\x6e\xf0\x9c\xaf\xd2\x7f\xee\xc0\x73\xcf\x55\x7b\x58\x30\xf2\xca\xd5\x5f\x48\xe4\xe7\x7c\xa5\x7d\xe0\xa6\xbe\x73\x36\xab\xff\x02\x00\x00\xff\xff\x5f\xf9\x43\x4e\x43\x0c\x00\x00")

 func complySoc2PoliciesVendorMdBytes() ([]byte, error) {
 	return bindataRead(
@@ -997,7 +997,7 @@ func complySoc2PoliciesVendorMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/vendor.md", size: 159, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/vendor.md", size: 3139, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -1017,7 +1017,7 @@ func complySoc2PoliciesWorkstationMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/policies/workstation.md", size: 1791, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/policies/workstation.md", size: 1791, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -1037,12 +1037,12 @@ func complySoc2ProceduresReadmeMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/procedures/README.md", size: 92, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/procedures/README.md", size: 92, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }

-var _complySoc2ProceduresOffboardingMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xca\x4c\xb1\x52\x50\xca\x4f\x4b\x4b\xca\x4f\x2c\x4a\x51\xe2\xca\x4b\xcc\x4d\xb5\x52\x50\xf2\x87\x0a\x28\x84\x16\xa7\x16\x29\x71\xe9\xea\xea\x72\x71\x29\x2b\x38\xe7\xe7\x66\xe6\xa5\x2b\x04\xe7\xe7\xe7\x01\x02\x00\x00\xff\xff\x79\xa2\x7a\x63\x37\x00\x00\x00")
+var _complySoc2ProceduresOffboardingMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x54\x8e\xb1\x6e\x2a\x31\x10\x45\xfb\xfd\x8a\xab\xed\xf7\x07\xe8\x5e\xf7\x22\x45\x42\x02\x25\x4d\x94\x62\xf0\xce\x86\x11\xb6\xc7\x99\x19\x93\xf0\xf7\x11\xb0\x05\x94\xf6\x9c\x73\x75\x64\xde\x60\xd4\x65\x39\x28\xd9\x3c\x0e\x95\x0a\x6f\x30\x6e\xd7\x0f\xbc\x39\xdb\x38\x4c\xd3\x34\x0c\x3b\x76\xcd\x67\x46\x1c\xc5\x11\x92\x4e\x1c\x38\x5c\xc0\xbf\x9c\x7a\x48\xfd\x42\x1c\x19\x8b\xe6\xac\x3f\xd7\x97\x07\x37\xdf\x0c\xc3\x84\x0f\x7c\xe2\xa5\x14\x9e\x85\x82\xf3\x05\xde\xbd\x71\x9d\xd1\x9d\x0d\x52\xb1\xdf\x6f\x57\xea\x5f\xbb\x1d\xfe\xef\x10\x6c\x45\x2a\x85\x68\x85\xf1\x77\x67\x0f\xf0\x54\x48\x32\x42\x1f\x13\x56\xf3\x55\xf5\x84\xde\x50\xa8\x76\xca\xf9\x32\x35\xd3\xb3\xb8\x68\xe5\x19\xd4\x5a\x96\x74\x1b\x73\x2c\x6a\x77\xdf\x34\x33\xd4\x6e\x19\xeb\xca\x3b\x65\x99\x29\x18\x94\x12\xbb\xc3\xf8\xac\x77\xef\xda\xc9\x94\x8e\xcf\xa1\x49\xeb\x22\x56\xee\x84\xda\x23\xff\x5c\xf9\x17\x00\x00\xff\xff\xdb\xfb\x69\xca\x66\x01\x00\x00")

 func complySoc2ProceduresOffboardingMdBytes() ([]byte, error) {
 	return bindataRead(
@@ -1057,12 +1057,12 @@ func complySoc2ProceduresOffboardingMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/procedures/offboarding.md", size: 55, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/procedures/offboarding.md", size: 358, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }

-var _complySoc2ProceduresOnboardingMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xca\x4c\xb1\x52\x50\xca\xcf\x4b\xca\x4f\x2c\x4a\x51\xe2\xca\x4b\xcc\x4d\xb5\x52\x50\xf2\x87\xf0\x15\xfc\x52\xcb\x15\x42\x8b\x53\x8b\x94\xb8\x74\x75\x75\xb9\xb8\x94\x15\x9c\xf3\x73\x33\xf3\xd2\x15\x82\xf3\xf3\xf3\x00\x01\x00\x00\xff\xff\x25\x8d\x3b\x1b\x39\x00\x00\x00")
+var _complySoc2ProceduresOnboardingMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x84\x90\xb1\x6e\xeb\x30\x0c\x45\x77\x7f\xc5\x85\xa7\xf7\x06\xff\x40\xb6\x6e\x9d\xda\x22\x40\xa7\xa2\x03\x23\xd1\x36\x51\x59\x52\x45\xda\xae\xff\xbe\x90\x93\xb4\xc9\xd4\x91\x82\x0e\xcf\xe5\x15\x7f\x40\x9b\xe2\x29\x51\xf1\x6d\x13\x69\xe2\x03\xda\xe7\xf3\x8c\x27\x5e\xf1\xaa\x5c\xda\xa6\xeb\xba\xa6\x39\xb2\xa6\xb0\x30\x6c\x14\x85\x89\xfb\x60\xc3\x69\x03\x7f\xb1\x9b\x4d\xe2\x00\x1b\x19\x7d\x0a\x21\xad\x75\x52\xe3\xac\x87\xa6\xe9\xf0\x86\x77\x3c\xe4\xcc\xd1\xe3\xf1\x08\xf2\x1e\x85\x3f\x67\x56\x03\x77\x13\x49\x80\xa5\xdb\xa5\x17\xe2\xa5\x24\x72\x26\x0b\x87\x0d\x0b\x05\xf1\x64\x8c\x92\x02\x83\x54\x65\x88\x13\x47\xc3\x2a\x36\x62\xa2\x48\x03\x17\xfc\x53\xe6\x6a\xb8\xdf\xfe\xff\x9a\xc0\x7b\xcc\xca\xa5\xda\x3c\xf7\x34\x07\xc3\x50\xd2\x9c\xd1\xa7\xb2\x67\xd7\xcc\x4e\x7a\x61\xbf\x6b\x7e\x63\x2c\xa2\x92\x22\x28\x6e\x55\x35\x53\x08\x5b\x97\xaf\xcf\xec\x41\x39\x07\x71\x64\x92\xa2\xd6\x46\x76\x1a\x00\xee\x4e\x3f\xa3\xf8\x01\x6b\x47\x2e\xc5\x5e\xca\xb4\xa3\x7f\xb7\x70\xf9\x7d\x3e\x3a\xf2\x7a\x39\x67\x24\xab\xf1\x37\x38\x8a\x20\xe7\x58\x15\x14\x6e\x4c\xec\xa1\x9b\x1a\x4f\xfa\x1d\x00\x00\xff\xff\x15\x19\xab\x13\xef\x01\x00\x00")

 func complySoc2ProceduresOnboardingMdBytes() ([]byte, error) {
 	return bindataRead(
@@ -1077,12 +1077,12 @@ func complySoc2ProceduresOnboardingMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/procedures/onboarding.md", size: 57, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/procedures/onboarding.md", size: 495, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }

-var _complySoc2ProceduresPatchMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xca\x4c\xb1\x52\x50\x2a\x48\x2c\x49\xce\x50\xe2\xca\x4b\xcc\x4d\xb5\x52\x50\x72\x2c\x28\xc8\xa9\x54\xf0\x0f\x56\x00\x0b\xa7\x16\x2b\x71\x25\x17\xe5\xe7\x59\x29\x28\x19\x28\x18\x28\x18\x2a\x68\x81\xa0\x12\x97\xae\xae\x2e\x17\x97\xb2\x82\x73\x7e\x6e\x66\x5e\xba\x42\x70\x7e\x7e\x1e\x20\x00\x00\xff\xff\xc9\x3a\x76\x1b\x4b\x00\x00\x00")
+var _complySoc2ProceduresPatchMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x6c\x90\x31\x4b\x03\x41\x10\x85\xfb\xfd\x15\x8f\xb3\x0b\x9c\x68\x61\x73\x20\x92\x22\x45\x1a\x13\x14\x6c\x44\xc8\xba\x37\xb9\x5b\xdc\xec\x2c\x33\xb3\xd1\xfc\x7b\xb9\xf3\x0a\x8b\x30\xd5\x3c\xbe\x79\x8f\x37\xb1\xef\xd0\x14\x6f\x61\x6c\x5c\xf6\x27\xea\xd0\xac\x4b\x49\x17\xec\x5e\x31\xcb\xa4\x8d\x0b\xc2\xb9\x43\x73\x87\x69\xee\x1f\xb0\xc2\xaa\x71\x6d\xdb\x3a\x77\x33\x71\xfb\x89\xc3\x5e\x38\x50\x5f\x85\x9c\x7b\x21\xe5\x74\x26\xd8\x18\x15\x16\xc3\x17\x19\x3e\x2f\xa0\x1f\x0a\xd5\x62\x1e\x60\x23\xe1\xc8\x29\xf1\xf7\xb4\xa9\x51\xd1\xce\xb9\x16\xef\xf8\xc0\xbe\xa6\x34\x03\xc9\x1b\xa9\x41\x83\xc4\x62\x8a\xa3\xf0\x69\xd6\x77\x45\x21\x54\x58\xa3\xb1\x5c\x96\xab\xcd\xec\x4d\x38\x6c\x9e\xdf\x1e\xd5\xfc\x30\x19\xcf\x05\x5a\x9f\xd2\xad\x8e\x87\x05\xdc\x66\x2d\x14\x0c\x5c\xad\x54\x73\x00\xb0\x38\x88\xb0\xe8\x13\xb6\xf9\x4c\x6a\x71\xf0\x46\xf0\xb9\x87\xfc\x95\xb9\x96\x53\x84\xfb\x1a\x2c\x72\xbe\x1a\xb5\x36\xf3\x61\x44\xe2\x61\x49\x83\xf1\xff\x9f\xfc\x06\x00\x00\xff\xff\xb4\x3f\x07\x6a\x7c\x01\x00\x00")

 func complySoc2ProceduresPatchMdBytes() ([]byte, error) {
 	return bindataRead(
@@ -1097,12 +1097,12 @@ func complySoc2ProceduresPatchMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/procedures/patch.md", size: 75, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/procedures/patch.md", size: 380, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }

-var _complySoc2ProceduresWorkstationMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xca\x4c\xb1\x52\x50\x2a\xcf\x2f\xca\x2e\x2e\x49\x2c\xc9\xcc\xcf\x53\xe2\xca\x4b\xcc\x4d\xb5\x52\x50\x72\xce\xcf\xc9\x49\x4d\x2e\x51\x08\x47\xc8\x29\xb8\xa4\x96\x24\x66\xe6\x14\x2b\x71\x25\x17\xe5\xe7\x59\x29\x28\x19\x28\x18\x28\x68\x41\xa0\x12\x97\xae\xae\x2e\x17\x97\xb2\x82\x73\x7e\x6e\x66\x5e\xba\x42\x70\x7e\x7e\x1e\x20\x00\x00\xff\xff\x20\xf0\xa9\x34\x5c\x00\x00\x00")
+var _complySoc2ProceduresWorkstationMd = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xd4\x92\x41\x4f\x1b\x31\x10\x85\xef\xfe\x15\x4f\x39\x22\x82\x5a\xa9\xbd\xec\x0d\x05\x10\x51\xa9\x40\x64\x5b\x0e\x08\x09\xc7\x3b\x9b\xb8\xf1\xce\x6c\x3d\xe3\xa4\xf9\xf7\xd5\x86\x10\xd2\xaa\x95\x7a\xad\xf6\xb0\x1a\x7b\xec\xf7\xfc\xbd\x89\x4d\x85\xd1\x46\xf2\x4a\xcd\x5b\x14\x1e\x39\xf6\x1d\x55\x18\x4d\x24\x25\x0a\x86\x87\xb7\x3d\x5c\x90\xf9\x98\x74\xe4\x42\x16\xae\x30\x7a\x87\xe1\x7b\xff\x11\x1f\x70\x32\x72\xe3\xf1\xd8\xb9\x7b\x52\x49\x6b\x82\x2d\xa3\xc2\x62\x58\x91\x61\xbe\x05\xfd\xa0\x50\x2c\xf2\x02\xb6\x24\xb4\x92\x92\x6c\x86\x4a\x8d\x7a\xad\x9c\x1b\xe3\x11\x4f\x98\x11\x37\xbb\x86\x20\x5d\x57\x38\x86\x9d\xac\x62\x4e\x49\x36\xfb\x9e\x2b\xc9\xf0\xbc\x05\x75\x3e\x26\x64\xea\x53\x24\x3d\x85\x37\xf3\x61\x89\x20\x6c\xc4\x06\x93\x63\x07\xfb\xa3\x5f\x7d\x8a\x8d\x37\x42\x26\xed\x85\x95\x14\x3e\x0f\x55\xa0\xb8\xa6\x06\x6d\x96\x0e\xe4\xc3\xd2\x39\xf7\xfc\xfc\xec\x6a\xa9\x70\x41\xba\x32\xe9\xa1\xa5\xef\x25\x9b\x9b\x95\xf9\x37\x0a\x56\xe1\x9c\xb9\xf8\x84\x23\x74\x88\xbc\x26\x36\xc9\x5b\xe7\xee\x12\x79\xa5\x57\x57\xbb\x27\x95\x9c\x07\x67\x7f\x3c\xf0\xe2\xf7\x18\xcc\x8b\xf1\x0a\x8f\xf7\x97\x77\x37\xe7\x93\x4b\x3c\x4c\xeb\x6b\x7c\xb9\xbf\x41\x7d\x8b\xfa\x7a\x3a\x43\x3d\x9d\x7c\xba\xac\x9f\x9c\xab\x97\xf4\x97\x5b\x75\xe9\x53\x42\xe4\x90\x4a\x43\xbf\x09\xb4\x91\x52\xa3\x95\x03\x80\x13\xcc\x28\x47\x9f\xc0\xa5\x9b\x53\xde\xaf\x4d\x8a\x9a\x34\xd1\xf3\xbe\xbe\x2a\x29\xa1\x89\xba\x02\x71\xc8\xdb\x7e\x27\x36\x88\x16\xdd\x77\x7c\xf6\x69\x33\x10\xed\xb3\x18\x85\xe3\xfd\x01\xe7\x1b\xd4\xdb\x62\x2a\x25\x07\x6a\x30\x19\x1c\x4e\x88\x8d\x32\xa6\xf5\xbf\xe2\x3d\x57\xf4\x3e\x1b\xa4\x85\x94\x0c\xe1\x85\x0c\x6f\x0a\xd2\xf5\x29\x7a\x0e\x04\x6a\x5b\xc9\xa6\xf0\xdc\xa0\xa7\xbc\x6b\x53\xca\xeb\x18\x86\xd4\x17\x99\xa8\x23\xb6\x53\x6c\x86\xfc\xbf\x97\x98\x09\xfe\x90\xd1\x1b\x41\x69\x8f\x2d\x28\x22\xa3\x28\x0d\xbf\x81\xe6\xfe\xc2\x57\x1b\x3e\x04\x29\x6c\x67\x87\xf8\x5f\xe6\xac\x39\x4c\x63\x47\xaa\x7e\x41\xd8\x44\xfb\x75\x28\x0e\x82\x67\xff\x4d\x9c\x3f\x03\x00\x00\xff\xff\x89\xd2\xee\x65\x39\x04\x00\x00")

 func complySoc2ProceduresWorkstationMdBytes() ([]byte, error) {
 	return bindataRead(
@@ -1117,7 +1117,7 @@ func complySoc2ProceduresWorkstationMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/procedures/workstation.md", size: 92, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/procedures/workstation.md", size: 1081, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -1137,7 +1137,7 @@ func complySoc2StandardsReadmeMd() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/standards/README.md", size: 282, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/standards/README.md", size: 282, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -1157,7 +1157,7 @@ func complySoc2StandardsTsc2017Yml() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/standards/TSC-2017.yml", size: 16305, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/standards/TSC-2017.yml", size: 16305, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
@@ -1177,12 +1177,12 @@ func complySoc2TemplatesDefaultLatex() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/templates/default.latex", size: 7649, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/templates/default.latex", size: 7649, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }

-var _complySoc2TemplatesIndexAce = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xdc\x59\x6d\x6f\x1b\xb9\x11\xfe\xee\x5f\x31\x5d\x7f\x90\x84\x58\x5c\xdb\x57\x5c\x0f\x97\xee\x15\x8e\x9d\x43\x83\xf3\xc5\x46\x6d\x14\x28\x82\xa0\xa0\xc8\x91\x96\x36\x97\xdc\x90\x5c\xd9\x8a\xa2\xff\x5e\x90\xfb\xa2\xd5\x6a\x65\x1b\x8d\x5c\x14\xe7\x0f\x32\xc5\x97\x79\x66\x86\x0f\x87\x33\x54\x02\x5c\x33\xb7\xc8\x11\x52\x97\xc9\x03\xff\x01\x92\xaa\x59\x82\xea\x00\x20\x45\xca\x0f\x00\x00\x32\x74\x14\x58\x4a\x8d\x45\x97\x14\x6e\x3a\xfe\x29\x74\x3b\xe1\x24\xc2\x72\x49\xae\x8d\xbe\x43\xe6\xc8\x47\x9a\xe1\x6a\x15\xc6\xa4\x50\xf7\x60\x50\x26\x91\x75\x0b\x89\x36\x45\x74\x11\xa4\x06\xa7\x49\x94\x3a\x97\xdb\x9f\xe3\x98\x71\x75\x67\x09\x93\xba\xe0\x53\x49\x0d\x12\xa6\xb3\x98\xde\xd1\xc7\x58\x8a\x89\x8d\x27\x85\xcc\x68\x7c\x4c\x7e\x24\xa7\x31\xb3\xd5\x77\x92\x09\x45\x98\xb5\xd1\x5e\x51\xec\x03\x75\x2c\xad\xb0\x2c\x55\xdc\x3a\xad\xb0\x3d\xb6\x89\x6b\x99\x11\xb9\x03\xef\xb9\x24\x72\xf8\xe8\xe2\x3b\x3a\xa7\x65\x6f\x04\xd6\xb0\x17\xc3\x67\x3a\x43\xe5\xc8\x9d\x8d\x4f\xc9\xe9\x29\x39\xae\x3b\x3c\xdc\xdd\xde\xd1\x24\x75\x68\xe2\x13\xe2\x81\x42\xfb\x95\x70\x72\x83\xce\x2d\x98\xd1\x2a\x3e\x26\x27\x27\xe4\xb8\xd5\xb3\x01\x19\x98\xa5\x68\x86\x49\x34\x17\xf8\x90\x6b\xe3\x22\x60\x5a\x39\x54\x2e\x89\x1e\x04\x77\x69\xc2\x71\x2e\x18\x8e\xc3\x97\x23\x10\x4a\x38\x41\xe5\xd8\x32\x2a\x31\x39\x29\xc5\x24\xc0\xac\xad\x5a\x6b\x9d\x43\x07\x78\x8a\x17\xc1\xa7\x94\xf3\xf7\x73\x54\xee\x52\x58\x87\x0a\xcd\x30\xba\xb8\xfa\xfd\xbc\x04\xbb\xd4\x94\x23\x8f\x8e\x60\x5a\x28\xe6\x84\x56\x43\xf4\x53\x47\xb0\xac\xa4\xb4\xe4\x7c\x29\xd0\x2c\x6e\x50\x22\x73\xda\x9c\x49\x39\x1c\x10\x6f\xd8\x60\x44\xa6\xda\xbc\xa7\x2c\x1d\xae\x85\xc8\xb6\x04\x00\x94\x44\x28\x85\xe6\xef\xb7\xbf\x5f\x42\x02\xa5\x57\xce\xbd\x57\x9c\xbe\x71\x46\xa8\xd9\x70\x18\x45\x6f\xda\xd3\x46\xc4\x19\x91\x0d\x47\x47\xce\x14\x38\x82\x38\x86\x1f\xc7\x53\x81\x92\x03\x3e\xe6\x06\xad\x15\x5a\xd9\x06\x62\x35\x6a\x9a\x62\x0a\xc3\x07\xa1\xb8\x7e\x20\x52\x33\xea\xf5\x21\x29\xb5\x29\xfc\x29\x81\x28\xda\xd4\x6b\x4e\x0d\xf8\xb1\x73\x9d\xe5\x5a\xa1\x72\x16\x12\xe8\x5b\x4c\x6c\x2e\x85\x1b\x0e\x0e\x07\xa3\xd6\x72\x0f\xb5\xb9\x9c\x48\x54\x33\x97\xfe\x72\xb2\x89\x53\x22\x71\xb4\x4e\xa8\x20\x14\x92\x0e\xee\xa7\x93\xcf\x1b\xf3\xbd\xe8\x4f\x91\x9e\xa3\xf1\x04\x89\x8e\x22\x45\x8d\xa1\x4e\xcc\xd1\x46\x47\x51\xae\xa5\x60\xa2\x6c\x1a\xcd\x90\x17\x26\x7c\xb1\x8e\x2a\x4e\x0d\xb7\xd1\x67\x22\x14\xc7\xc7\xab\xe9\xb0\x85\x3a\x82\x5f\x12\x38\xee\xaa\x06\x60\x53\xfd\xb0\x31\x6f\x63\x7c\x75\xd0\xd7\xae\x5b\xab\xd1\x41\xd5\xaa\x77\xbf\x14\xe7\xd9\xdd\x46\x12\xd3\x61\x2a\xac\xd3\x66\x41\x0c\xe6\x92\x32\xbc\x71\xd4\x61\x57\x99\xbe\x39\x43\x55\x48\x79\x04\xe5\xe7\xe0\x70\xf0\x26\xc8\x7e\xdb\x52\xe5\xa0\xed\x66\xe1\x30\xf3\xfb\xd8\x10\x77\x86\xee\xbd\x44\xdf\xb4\xef\x16\xe7\x92\x5a\xeb\x23\xf6\x70\xe0\x74\x3e\x56\x74\xde\xda\xd2\xa9\x36\x30\x0c\x32\x92\xe3\xb7\x20\xfe\x1a\x44\x55\x7b\xfa\x16\xc4\x9b\x37\xdb\xf4\xf1\x53\x20\x29\x41\x3f\x89\xcf\x1d\x76\xf8\x6e\xe2\xe8\xcc\x03\x42\x92\x24\x10\x5d\x7e\x88\xba\x36\xc7\x31\x28\x3a\x17\xb3\x92\x19\x8e\x4e\xec\x16\x15\x82\x1c\xe6\x55\xf7\xa7\x98\xf8\x50\x41\x85\xb2\xa5\x97\xb7\x37\xb4\x33\x9d\x72\x3e\x1c\x08\x3b\xa6\xcc\x13\x68\xd0\xd9\x5e\x40\x69\xf1\x39\x11\x06\x33\x3d\xc7\x27\xa4\x1c\x3c\x23\x31\x8e\xc1\x62\xe0\xc7\x0e\xeb\x04\x0f\x0e\xea\xf2\xe6\x39\x6d\x52\xc1\x39\xaa\xff\xca\xa6\xda\x2d\xfd\x22\x9e\x66\xfd\x01\xc0\x44\xf3\x45\x79\x81\x94\x76\x91\x14\x8d\x26\xc2\x8e\x73\x23\x32\x6a\x16\xbe\x69\x33\x2a\x65\xb5\x26\x8c\x8f\x9b\x55\xa1\xab\xda\x48\x34\x2d\xb4\xf4\x84\x3c\x95\x62\x94\x7f\x39\xb1\xc5\xa4\x9c\x76\xed\x83\xc1\xe2\x08\xae\xeb\x48\x70\x04\x54\x71\x38\x2b\xb8\x70\xe0\x0f\x50\x61\x37\x34\x98\x6a\xed\x1a\x49\x8a\xce\x89\x67\x9c\x57\x76\xa2\x1f\x91\xfb\xc6\xb4\x90\x32\xdc\x3b\x2d\xc0\x5e\x55\x01\x0a\x19\xcc\x14\x5f\x71\xfc\xe7\x8e\xb7\xa5\x20\xd5\x09\x23\x75\x1c\xeb\xcc\x00\xb0\xce\x68\x35\xdb\xea\x06\xa0\xa0\x15\x93\x82\xdd\x27\xd1\xfa\x66\xfb\x39\x44\x96\x41\x2d\x6d\x30\x8a\xe0\xaa\x5f\x72\x0b\x7b\x1d\x38\xf7\x83\xbe\x96\xe7\xf1\x3f\xee\x92\xde\xd2\xa0\x8e\xd6\xfb\xc1\xaf\xa5\x79\xf4\xeb\x7e\xc9\x6d\xec\xe6\x7a\xd8\x13\x7a\x23\x2f\xe0\xef\x92\xde\xd2\xa0\xb9\x93\xf6\xa3\x40\x23\xce\xe3\xdf\xec\x90\x1d\xb7\x15\xc0\xb9\xe0\xa8\x18\x6e\xcd\x79\x1a\xa8\x5e\xe6\x71\xde\x57\x6d\xf8\x27\x2d\x64\x79\x78\x0e\x6b\x16\x92\xfa\xf8\xd7\x78\xcd\x41\x21\x55\x46\x57\x01\x4f\xa4\x66\xf7\x5f\x0a\xed\xd6\x9a\xa4\x3f\xc0\x6d\x2a\x2c\x58\xe1\xd0\xe7\x7f\x56\x4b\xc1\xa9\x43\x0b\x54\xca\xe6\x02\xb3\x3e\xd7\xa7\x0e\x39\x38\x0d\x2e\xdd\x1d\x18\xd2\xfa\x6c\x12\xa6\x65\x91\xa9\x70\xaa\xe7\x0c\x95\x43\x83\xbc\x1d\x75\xfc\xa8\x1f\xd4\x0a\xc7\x2e\x15\x86\xb7\x9c\xc3\xc5\x7c\xc3\x55\xeb\x50\xe3\x57\xfc\xe0\xf3\xa1\xb1\x4f\x93\xc7\xb5\x60\xf0\xc9\xa4\xd1\x12\x6e\x0d\x65\xf7\xa2\xb5\xa5\x35\xd2\xd6\x92\x27\xe1\x7c\x01\x26\xd4\x0c\x6e\xa8\x13\x76\x2a\xd6\x00\xb6\x33\x31\x28\xd5\xd9\xd6\xe5\x92\xf8\x98\x67\x49\xbd\xa6\x91\xd2\x8a\x9f\xdf\xa7\xd7\xad\x76\x54\x7e\x97\x4e\x41\x42\xa3\xcf\xff\x78\xb7\x9a\x43\xbb\xef\xfd\x3a\x0b\x89\x01\xdc\x0a\x76\x8f\xee\x25\x7e\xa1\xe0\xa8\x99\xa1\x4b\xfe\x3d\x91\x54\xdd\x57\x15\xec\x72\x49\x2e\x85\xba\xb7\xa4\x51\xf4\x2a\x47\xb5\x5a\x45\x5b\x91\xa2\xf1\x6b\x67\xe6\x9e\xec\xb9\x92\x3e\x27\xae\xec\x79\x91\x39\x3d\x0a\x05\x19\x17\x74\x61\x57\x2b\xe0\x74\x61\xf7\xb4\xe7\x4f\x9a\xb4\xc5\x82\x2a\x19\xd8\xf3\x7e\x7b\x67\xc3\x3f\xf0\x4b\x81\x76\x1f\xdb\x1d\x74\x7c\x76\xab\x5b\xb3\xf6\x7a\x9c\xf7\x6c\xc7\x99\x94\xcf\x9b\xb1\xb7\x30\xd0\x1a\x74\x0f\xba\x1c\xb4\x4f\xba\x23\x86\xdc\xe8\x99\xaf\xa3\x49\xd3\x58\xa7\xae\x30\xa7\xb2\xc0\x64\x53\xdb\x73\xa9\xad\x8f\xa2\x90\xd1\xc7\x64\xb7\x21\x87\xeb\x04\xe9\xfb\xae\xc6\x76\xb6\xbb\xe1\xc8\x32\x6f\xd8\x95\x7a\x7d\xf3\x96\xf9\xfb\x1a\xa8\x82\xfa\x92\x06\x3d\x0d\x37\xa7\x36\x33\xaa\xc4\xd7\xb2\xd2\xf2\x59\xb2\xef\x64\x3a\xcb\xa5\xa0\xfe\x7e\x47\x35\x17\x46\xab\x50\x36\x56\x52\x1d\x9d\x48\x24\xe5\xe7\x76\xaa\xeb\x9a\xd7\xc2\xea\xfb\x66\x7a\xec\x52\xf0\x37\x74\xb7\xef\x8c\x19\xad\x16\x59\xb7\xfb\xfa\xe2\xd7\xb5\xe0\x8d\x42\xc1\x33\xc7\x50\x35\x43\x20\x6b\xb3\x61\xa3\x22\xe8\x22\x73\x4f\xb6\xad\xba\xa1\x1e\xa8\x34\xd8\x1a\xdb\xa2\x7a\x20\xf7\x72\x49\xae\x0a\x97\x17\xee\x57\x21\x51\x05\x99\x9b\x67\xa0\x8f\xe8\xdd\x15\x1b\xc6\xa0\xaa\xef\xe3\xc3\x3a\xa1\x7d\x5d\xb6\xf4\xa6\xca\xdf\x60\xe6\x19\xa2\x02\x0d\x26\x98\xd2\xb9\xd0\xc6\x73\xa5\x71\x1d\x60\x96\x4b\xbd\x40\x9f\x92\x29\x1e\xde\xe8\x0c\x65\x4e\x1b\xfb\xff\xca\x8f\xda\xd0\x3f\x0a\x3b\x9a\x12\xe3\x95\xf9\xd1\x5f\xca\xf8\x68\x82\xbe\x2e\x98\x20\xd8\x1c\x99\x98\x0a\x06\xd6\x61\x6e\xc1\xa5\xd4\x01\x35\x08\x8e\xde\xa3\x02\xa1\xc0\xa0\xcd\xb5\xb2\xe8\xf3\xf4\x7b\x5c\x40\x78\x4b\x7d\x55\xa2\x7c\xb8\xe8\xf6\xdc\xb0\x14\x79\x21\x11\x86\x7e\x0f\x61\xaa\x4d\x46\xdd\xe8\x05\xb4\x69\xec\xff\x1e\xe2\x7c\xb8\xe8\x74\x2f\x97\x62\x0a\xe4\xdc\x68\xb5\x35\x3f\xbc\x1e\xfb\x45\x3d\xa3\xcb\x25\x4a\xdb\x03\x71\xa5\x80\x63\x46\x15\xef\xce\x56\x7c\x37\x85\x9a\x92\xf1\x75\x19\xd4\x5f\x8c\x7e\xab\x68\xb3\xa8\xae\x9a\xb2\x00\x00\xdb\xd4\x36\x93\x45\xf7\x12\x0a\x17\x32\xcd\x9e\xe4\x4d\xff\x33\xcd\xf3\x24\xaa\x4b\xb5\xdf\x70\xf1\x12\x7e\x35\xc5\xd3\xdf\x76\x8e\xc0\xbb\xc5\xf3\xec\xaa\x0b\x9f\x17\x70\xab\x9a\xfa\x1b\x2e\x9e\x0b\x3f\x95\xdf\xfb\xf9\x08\xb0\x7e\x21\x5b\x2e\xc9\x05\x96\xc5\xbd\xe8\xa1\x9a\x67\x68\x5f\x95\x58\x82\x06\x9f\x17\x8c\xa1\xb5\xf0\xaf\x4e\x74\xd8\x45\xd3\x8f\xfa\x19\x7e\xf6\x58\xd3\xf8\xaa\x51\xe5\x5d\xd7\x03\x00\xb4\x61\xc0\x5f\x9a\xd8\xfb\x92\x68\xbb\x25\x68\xf7\x91\x09\x5d\x53\xad\x1d\x1a\x52\xfe\x5b\xe7\xa7\xdd\x17\xc0\xfa\xd8\x3c\x99\x6a\xe6\xed\xf7\x8a\xab\x56\x02\x56\xdd\xb0\xe7\x5a\x4d\x05\x47\xe5\x04\x95\x70\x7a\x7c\xf2\xd3\x41\xcf\xef\x59\x71\xec\x4f\x88\xcf\xcb\x90\x87\x67\x7a\x8e\x73\x94\x3a\xcf\xea\x43\xbb\xeb\x67\x9f\x24\x69\xff\xe8\xd3\x7d\x40\x0c\xdd\xab\xff\x04\x00\x00\xff\xff\x60\x35\xff\xbd\x10\x1e\x00\x00")
+var _complySoc2TemplatesIndexAce = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xdc\x59\x6d\x6f\x1b\xb9\x11\xfe\xee\x5f\x31\xd8\x7c\x90\x8c\x58\x94\x9d\x2b\xae\x87\xbb\xee\x15\x89\x9d\x43\x83\xcb\xc5\x41\x1d\x14\x28\x82\x43\x41\x91\x23\x2d\x6d\x2e\xb9\x21\x67\x65\xeb\x14\xff\xf7\x82\xdc\x17\xad\x56\x2b\xdb\x68\xe4\xa2\xa8\x3f\xc8\x14\x5f\xe6\x99\x19\x3e\x1c\xce\x50\x29\x48\x2b\x68\x55\x20\x64\x94\xeb\xa3\xf0\x01\x9a\x9b\x45\x8a\xe6\x08\x20\x43\x2e\x8f\x00\x00\x72\x24\x0e\x22\xe3\xce\x23\xa5\x25\xcd\x27\x3f\xc4\x6e\x52\xa4\x11\xd6\x6b\xf6\xd1\xd9\x6b\x14\xc4\x3e\xf0\x1c\xef\xef\xe3\x98\x56\xe6\x06\x1c\xea\x34\xf1\xb4\xd2\xe8\x33\x44\x4a\x20\x73\x38\x4f\x93\x8c\xa8\xf0\x3f\x4e\xa7\x42\x9a\x6b\xcf\x84\xb6\xa5\x9c\x6b\xee\x90\x09\x9b\x4f\xf9\x35\xbf\x9b\x6a\x35\xf3\xd3\x59\xa9\x73\x3e\x3d\x65\xdf\xb3\x57\x53\xe1\xeb\xef\x2c\x57\x86\x09\xef\x93\x83\xa2\xf8\x5b\x4e\x22\xab\xb1\x3c\x37\xd2\x93\x35\xd8\x1d\xdb\xc6\xf5\xc2\xa9\x82\x20\x78\x2e\x4d\x08\xef\x68\x7a\xcd\x97\xbc\xea\x4d\xc0\x3b\xf1\x64\xf8\xdc\xe6\x68\x88\x5d\xfb\xe9\x2b\xf6\xea\x15\x3b\x6d\x3a\x02\xdc\xf5\xc1\xd1\x34\x27\x74\xd3\x33\x16\x80\x62\xfb\x99\x70\x0a\x87\x44\x2b\xe1\xac\x99\x9e\xb2\xb3\x33\x76\xda\xe9\xd9\x82\x8c\xcc\x32\x3c\xc7\x34\x59\x2a\xbc\x2d\xac\xa3\x04\x84\x35\x84\x86\xd2\xe4\x56\x49\xca\x52\x89\x4b\x25\x70\x12\xbf\x9c\x80\x32\x8a\x14\xd7\x13\x2f\xb8\xc6\xf4\xac\x12\x93\x82\xf0\xbe\x6e\x6d\x74\x8e\x1d\x10\x28\x5e\x46\x9f\x72\x29\xdf\x2e\xd1\xd0\x7b\xe5\x09\x0d\xba\x71\x72\x71\xf9\xdb\x79\x05\xf6\xde\x72\x89\x32\x39\x81\x79\x69\x04\x29\x6b\xc6\x18\xa6\x1e\xc3\xba\x96\xd2\x91\xf3\xa5\x44\xb7\xba\x42\x8d\x82\xac\x7b\xad\xf5\x78\xc4\x82\x61\xa3\x63\x36\xb7\xee\x2d\x17\xd9\x78\x23\x44\x77\x25\x00\xa0\x66\xca\x18\x74\x7f\xfb\xf4\xdb\x7b\x48\xa1\xf2\xca\x79\xf0\x0a\xd9\x2b\x72\xca\x2c\xc6\xe3\x24\x79\xd9\x9d\x76\xcc\xc8\xa9\x7c\x7c\x7c\x42\xae\xc4\x63\x98\x4e\xe1\xfb\xc9\x5c\xa1\x96\x80\x77\x85\x43\xef\x95\x35\xbe\x85\xb8\x3f\x3e\x6a\x1b\x75\xab\x51\x06\x7c\x66\x6f\xc7\xc1\xd9\x5d\x9d\xd4\x1c\xc6\x99\xf2\x64\xdd\x8a\x39\x2c\x34\x17\x78\x45\x9c\x70\x5b\x6f\x80\xa1\x39\x63\x53\x6a\x7d\x02\xd5\xe7\xe8\xc5\xe8\x65\x14\xbe\xd1\xe5\xa8\x6d\x2e\xb9\x03\x45\x98\x7b\x48\x37\x7e\x5c\x20\xbd\xd5\x18\x9a\xfe\xcd\xea\x5c\x73\xef\x43\x00\x19\x8f\xc8\x16\x13\xc3\x97\xa3\x8d\xa4\xb9\x75\x30\x8e\x32\xd2\xd3\x9f\x40\xfd\x25\x8a\x62\x1a\xcd\x82\xb2\x9f\x40\xbd\x7c\xb9\xad\x6d\x83\x06\x69\x05\xfa\x59\xfd\xde\x19\x0d\x16\x87\x6e\x46\x7c\x11\x00\x21\x4d\x53\x48\xde\xbf\x4b\xfa\x26\x4f\xa7\x60\xf8\x52\x2d\x78\xf4\x1e\xf1\x99\xdf\x1a\x6e\xe5\x88\xa0\x7a\x20\x15\x0b\xcc\xe5\xca\xf8\xca\xcb\x7d\x79\x00\xbd\xe9\x5c\xca\xf1\x48\xf9\x09\x17\xa4\x96\xd8\xb1\x37\x7a\x0f\x50\x7b\x7c\x4c\x84\xc3\xdc\x2e\xf1\x01\x29\x47\x8f\x48\x9c\x4e\xc1\x63\xe4\xc7\x1e\xeb\x94\x8c\x0e\xea\xf3\xe6\x31\x6d\x32\x25\x25\x9a\xff\xc8\xa6\xc6\x2d\xc3\x22\x8e\x86\xda\x4d\x2b\xfc\x9f\x59\xb9\xaa\xe2\x59\x65\x17\xcb\xd0\x59\xa6\xfc\xa4\x70\x2a\xe7\x6e\x15\x9a\x3e\xe7\x5a\xd7\x6b\xe2\xf8\xa4\x5d\x15\xbb\xea\x8d\x44\xd7\x41\xcb\xce\xd8\x43\x37\x5e\xf5\x57\x30\x5f\xce\xaa\x69\x1f\xad\x56\x62\x75\x02\x1f\x9d\x15\x28\x4b\x87\x27\xc0\x8d\x84\xd7\xa5\x54\x04\xe1\xfc\x94\x7e\x4b\x83\xb9\xb5\xd4\x4a\x32\x7c\xc9\x02\xe3\x82\xb2\x33\x7b\x87\x32\x34\xe6\xa5\xd6\x31\x0c\x76\x00\x07\x55\x05\x28\x75\x34\x53\xfd\x81\x93\x3f\xf5\xbc\xad\x15\xab\x4f\x18\xb3\x4b\x74\x21\xee\xf6\x66\x00\x78\x72\xd6\x2c\x76\xba\x01\x38\x58\x23\xb4\x12\x37\x69\xb2\x09\xb4\x3f\xc6\xc8\x32\x6a\xa4\x8d\x8e\x13\xb8\x1c\x96\xdc\xc1\x36\xdc\x39\x1e\x18\xeb\x0f\x83\xbe\x91\x17\xf0\x3f\xec\x93\xde\xd1\xa0\x08\x1b\xa4\x0e\x85\xdf\x48\x0b\xe8\x1f\x87\x25\x77\xb1\x1b\x52\x1c\x0a\xbd\x95\x17\xf1\xf7\x49\xef\x68\xe0\x89\x1b\xc9\x9d\x3c\x90\x02\xad\xb8\x80\x7f\xb5\x47\xf6\xb4\xab\x00\x2e\x95\x44\x23\x70\x67\xce\xc3\x40\xcd\xb2\x80\xf3\xb6\x6e\xc3\x3f\x78\xa9\xab\xc3\xf3\xa2\x61\x21\x6b\x8e\x7f\x83\xd7\x1e\x14\x56\x27\x18\x35\xf0\x4c\x5b\x71\xf3\xa5\xb4\xb4\xd1\x24\xfb\x0e\x3e\x65\xca\x83\x57\x84\x21\x1d\xf1\x56\x2b\xc9\x09\x3d\x70\xad\xdb\x0b\xcc\x87\xd4\x93\x13\x4a\x20\x0b\x94\xed\x0f\x0c\x59\x73\x36\x99\xb0\xba\xcc\x4d\x3c\xd5\x4b\x81\x86\xd0\xa1\xec\x46\x9d\x30\x1a\x06\xad\xc1\x09\x65\xca\xc9\x8e\x73\xa4\x5a\x6e\xb9\x6a\x13\x6a\xc2\x8a\xef\x58\xc6\xfd\x24\x64\x6d\x93\x46\x30\x84\xdc\xc6\x59\x0d\x9f\x1c\x17\x37\xaa\xb3\xa5\x0d\xd2\xce\x92\x07\xe1\x42\x3d\xa0\xcc\x02\xae\x38\x29\x3f\x57\x1b\x00\xdf\x9b\x18\x95\xea\x6d\xeb\x7a\xcd\x42\xcc\xf3\xac\x59\xd3\x4a\xe9\xc4\xcf\x6f\xd3\xeb\x93\x25\xae\xbf\x49\xa7\x28\xa1\xd5\xe7\xbf\xbc\x5b\xed\xa1\x3d\xf4\x7e\xbd\x8e\x89\x01\x7c\x52\xe2\x06\xe9\x29\x7e\xe1\x40\xdc\x2d\x90\xd2\x7f\xcd\x34\x37\x37\x75\x41\xb5\x5e\xb3\xf7\xca\xdc\x78\xd6\x2a\x7a\x59\xa0\xb9\xbf\x4f\x76\x22\x45\xeb\xd7\xde\xcc\x03\xd9\x73\xa9\x25\x7a\xaa\xed\x79\x92\x39\x03\x0a\x45\x19\x17\x7c\xe5\xef\xef\x41\xf2\x95\x3f\xd0\x9e\x3f\x68\xd2\x0e\x0b\xea\x64\xe0\xc0\xfb\x1d\x9c\x0d\x7f\xc7\x2f\x25\xfa\x43\x6c\x77\xd4\xf1\xd1\xad\xee\xcc\x3a\xe8\x71\x3e\xb0\x1d\xaf\xb5\x7e\xdc\x8c\x83\x85\x81\xce\x20\xdd\xda\x6a\xd0\x3f\xe8\x8e\x29\x14\xce\x2e\x42\x59\xc7\xda\xc6\x26\x75\x85\x25\xd7\x25\xa6\xdb\xda\x9e\x6b\xeb\x43\x14\x85\x9c\xdf\xa5\xfb\x0d\x79\xb1\x49\x90\xbe\xed\x6a\xec\x66\xbb\x5b\x8e\xac\xf2\x86\x7d\xa9\xd7\xd7\x60\x59\xb8\xaf\x81\x1b\x68\x2e\x69\xb0\xf3\x78\x73\x5a\xb7\xe0\x46\xfd\x51\x55\x5a\x21\x4b\x0e\x9d\xc2\xe6\x85\x56\x3c\xdc\xef\x68\x96\xca\x59\x13\xcb\xc6\x5a\x2a\xf1\x99\x46\x56\x7d\xee\xa6\xba\xd4\x3e\x5e\xd5\xdf\xb7\xd3\x63\xca\x20\xdc\xd0\xfd\xbe\xd7\xa1\x8e\x5f\xe5\xfd\xee\x8f\x17\xbf\x6c\x04\x6f\x15\x0a\x81\x39\x8e\x9b\x05\x02\xdb\x98\x0d\x5b\x15\x41\x1f\x59\x06\xb2\xed\xd4\x0d\xcd\x40\xad\xc1\xce\xd8\x0e\xd5\x23\xb9\xd7\x6b\x76\x59\x52\x51\xd2\x2f\x4a\xa3\x89\x32\xb7\xcf\xc0\x10\xd1\xfb\x2b\xb6\x8c\x41\xd3\xdc\xc7\x2f\x9a\x84\xf6\x79\xd9\x32\x98\x2a\x7f\x85\x45\x60\x88\x89\x34\x98\x61\xc6\x97\xca\xba\xc0\x95\xd6\x75\x80\x79\xa1\xed\x0a\x43\x4a\x66\x64\x7c\x32\x72\x5c\x90\x75\xfe\x7f\x95\x1f\x8d\xa1\xff\x2f\xec\x68\x4b\x8c\x67\xe6\xc7\x70\x29\x13\xa2\x09\x86\xba\x60\x86\xe0\x0b\x14\x6a\xae\x04\x78\xc2\xc2\x03\x65\x9c\x80\x3b\x04\xe2\x37\x68\x40\x19\x70\xe8\x0b\x6b\x3c\x86\x3c\xfd\x06\x57\x10\x9f\xf6\x9e\x95\x28\xef\x2e\xfa\x3d\x57\x22\x43\x59\x6a\x84\x71\xd8\x43\x98\x5b\x97\x73\x3a\x7e\x02\x6d\x5a\xfb\xbf\x85\x38\xef\x2e\x7a\xdd\xeb\xb5\x9a\x03\x3b\x77\xd6\xec\xcc\x8f\x8f\x99\x61\xd1\xc0\xe8\x7a\x8d\xda\x0f\x40\x5c\x1a\x90\x98\x73\x23\xfb\xb3\x8d\xdc\x4f\xa1\xb6\x64\x7c\x5e\x06\x0d\x17\xa3\x5f\x6b\xda\xac\xea\xab\xa6\x2a\x00\xc0\xb7\xb5\xcd\x6c\xd5\xbf\x84\xe2\x85\xcc\xf3\x07\x79\x33\xfc\x4c\xf3\x38\x89\x9a\x52\xed\x57\x5c\x3d\x85\x5f\x6d\xf1\xf4\xd7\xbd\x23\xf0\x66\xf5\x38\xbb\x9a\xc2\xe7\x09\xdc\xaa\xa7\xfe\x8a\xab\xc7\xc2\x4f\xed\xf7\x61\x3e\x02\x6c\x5e\xc8\xd6\x6b\x76\x81\x55\x71\xaf\x06\xa8\x16\x18\x3a\x54\x25\x56\xa0\xd1\xe7\xa5\x10\xe8\x3d\xfc\xb3\x17\x1d\xf6\xd1\xf4\x83\x7d\x84\x9f\x03\xd6\xb4\xbe\x6a\x55\x79\xd3\xf7\x00\x00\x6f\x19\xf0\xe7\x36\xf6\x3e\x25\xda\xee\x08\xda\x7f\x64\x62\xd7\xdc\x5a\x42\xc7\xaa\x7f\x9b\xfc\xb4\xff\x02\xd8\x1c\x9b\x07\x53\xcd\xa2\xfb\x5e\x71\xd9\x49\xc0\xea\x1b\xf6\xdc\x9a\xb9\x92\x68\x48\x71\x0d\xaf\x4e\xcf\x7e\x38\x1a\xf8\x79\x45\xcd\x61\x7c\xab\x8c\xb4\xb7\x4c\x5b\xc1\xab\xf7\x56\xee\xb3\x34\x4d\x3a\xef\xe9\xfd\xf7\xc1\xd8\xdd\x7b\x0c\x5e\x72\x07\x61\xe5\xb9\xcd\x0b\x6b\xe2\xf3\x4a\x0a\x43\xa2\x99\x2f\xb4\xa2\xf1\xe8\x45\xfb\x32\x1c\x7f\xc3\xd8\x5a\x5a\xff\x36\xf0\xf3\x59\xf7\xc9\x3a\x20\x84\xaa\x4f\x99\x2a\xcf\x4c\x7b\x78\x9f\xcf\x36\x3f\x13\x04\x91\x9f\x93\x46\xe3\xe4\x24\xd9\x64\xcf\xc9\x49\xd2\xa4\x46\xa1\xd9\xc6\xe7\xe4\x24\x69\x23\x5a\xf2\x3b\x53\x46\xe2\xdd\xe5\x7c\xdc\x41\x3c\x86\x9f\x53\x38\xdd\x7e\x45\x8f\xae\xe9\xce\x69\xc7\xba\x6f\xda\x00\xf7\xff\x0e\x00\x00\xff\xff\x7b\xf4\xc8\x89\xac\x1d\x00\x00")

 func complySoc2TemplatesIndexAceBytes() ([]byte, error) {
 	return bindataRead(
@@ -1197,7 +1197,7 @@ func complySoc2TemplatesIndexAce() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "comply-soc2/templates/index.ace", size: 7696, mode: os.FileMode(420), modTime: time.Unix(1526606918, 0)}
+	info := bindataFileInfo{name: "comply-soc2/templates/index.ace", size: 7596, mode: os.FileMode(420), modTime: time.Unix(1526672106, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
--- a/themes/comply-blank/templates/index.ace
+++ b/themes/comply-blank/templates/index.ace
@@ -15,20 +15,11 @@ html lang=en
        document.querySelectorAll('.cron').forEach(function(el) {
          el.innerHTML = prettyCron.toString((""+el.innerHTML).trim(),true) // 6-field expressions
        })
-        if (window.location.hash != "") {
-          var hashComponents = window.location.hash.split('#')
-          if (hashComponents.length>1) {
-            var destination = hashComponents[1]
-            if (["overview","narratives","policies","procedures","standards"].indexOf(destination) >= 0) {
-              show(destination)
-            }
-          }
-        }
      })

      function show(name) {
-        if(history.replaceState) {
-            history.replaceState(null, null, '#'+name);
+        if (history.replaceState) {
+            history.replaceState(null, null, '#'+name)
        }

        var items = document.getElementsByClassName('top-nav')
@@ -233,7 +224,14 @@ html lang=en
        .content.has-text-centered
          p {{.Project.OrganizationName}} Confidential 2018
  = javascript
-    // commented for development
    if (window.location.hash=="") {
      show('overview')
+    } else {
+      var hashComponents = window.location.hash.split('#')
+      if (hashComponents.length>1) {
+        var destination = hashComponents[1]
+        if (["overview","narratives","policies","procedures","standards"].indexOf(destination) >= 0) {
+          show(destination)
+        }
+      }
    }
--- a/themes/comply-soc2/policies/application.md
+++ b/themes/comply-soc2/policies/application.md
@@ -8,4 +8,111 @@ majorRevisions:
    comment: Initial document
 ---

-# Coming Soon
+# Purpose and Scope
+
+a. This application security policy defines the security framework and requirements for applications, notably web applications, within the organization’s production environment.
+
+a. This document also provides implementing controls and instructions for web application security, to include periodic vulnerability scans and other types of evaluations and assessments.
+
+a. This policy applies to all applications within the organization’ production environment, as well as administrators and users of these applications. This typically includes employees and contractors.
+
+# Background
+
+a. Application vulnerabilities typically account for the largest number of initial attack vectors after malware infections. As a result, it is important that applications are designed with security in mind, and that they are scanned and continuously monitored for malicious activity that could indicate a system compromise. Discovery and subsequent mitigation of application vulnerabilities will limit the organization’s attack surface, and ensures a baseline level of security across all systems.
+
+a. In addition to scanning guidance, this policy also defines technical requirements and procedures  to ensure that applications are properly hardened in accordance with security best practices.
+
+# References
+
+a. Data Classification Policy
+
+a. OWASP Risk Rating Methodology
+
+a. OWASP Testing Guide
+
+a. OWASP Top Ten Project
+
+# Policy
+
+a. The organization must ensure that all applications it develops and/or acquires are securely configured and managed.
+
+a. The following security best practices must be considered and, if feasible, applied as a matter of the application’s security design:
+
+    i. Data handled and managed by the application must be classified in accordance with the Data Classification Policy (reference (a)).
+
+    i. If the application processes confidential information, a confidential record banner must be prominently displayed which highlights the type of confidential data being accessed (e.g., personally-identifiable information (PII), protected health information (PHI), etc.)
+
+    i. Sensitive data, especially data specifically restricted by law or policy (e.g., social security numbers, passwords, and credit card data) should not be displayed in plaintext.
+
+    i. Ensure that applications validate input properly and restrictively, allowing only those types of input that are known to be correct. Examples include, but are not limited to cross-site scripting, buffer overflow errors, and injection flaws.
+
+    i. Ensure that applications execute proper error handling so that errors will not provide detailed system information to an unprivileged user, deny service, impair security mechanisms, or crash the system.
+
+    i. Where possible, authorize access to applications by affiliation, membership or employment, rather than by individual. Provide an automated review of authorizations on a regular basis, where possible.
+
+    i. Ensure that applications encrypt data at rest and in transit.
+
+    i. Implement application logging to the extent practical. Retain logs of all users and access events for at least 14 days.
+
+    i. Qualified peers conduct security reviews of code  for all new or significantly modified applications; particularly, those that affect the collection, use, and/or display of confidential data. Document all actions taken.
+
+    i. Implement a change management process for changes to existing software applications.
+
+    i. Standard configuration of the application must be documented. 
+
+    i. Default passwords used within the application, such as for administrative control panels or integration with databases must be changed immediately upon installation.
+
+    i. Applications must require complex passwords in accordance with current security best practices (at least 8 characters in length, combination of alphanumeric upper/lowercase characters and symbols).
+
+    i. During development and testing, applications must not have access to live data.
+
+a. Where applications are acquired from a third party, such as a vendor:
+
+    i. Only applications that are supported by an approved vendor shall be procured and used.
+
+    i. Full support contracts must be arranged with the application vendor for full life-cycle support.
+
+    i. No custom modifications may be applied to the application without confirmation that the vendor can continue to provide support.
+
+    i. Updates, patches and configuration changes issued by the vendor shall be implemented as soon as possible.
+
+    i. A full review of applications and licenses shall be completed at least annually, as part of regular software reviews.
+
+a. Web applications must be assessed according to the following criteria:
+
+    i. New or major application releases must have a full assessment prior to approval of the change control documentation and/or release into the production environment.
+
+    i. Third-party or acquired applications must have a full assessment prior to deployment.
+
+    i. Software releases must have an appropriate assessment, as determined by the organization’s information security manager, with specific evaluation criteria based on the security risks inherent in the changes made to the application’s functionality and/or architecture.
+
+    i. Emergency releases may forego security assessments and carry the assumed risk until a proper assessment can be conducted. Emergency releases must be approved by the Chief Information Officer or designee.
+
+a. Vulnerabilities that are discovered during application assessments must be mitigated based upon the following risk levels, which are based on the Open Web Application Security Project (OWASP) Risk Rating Methodology (reference (b)):
+
+    i. High - issues categorized as high risk must be fixed immediately, otherwise alternate mitigation strategies must be implemented to limit exposure before deployment. Applications with high risk issues are subject to being taken off-line or denied release into the production environment.
+
+    i. Medium - issues categorized as medium risk must be reviewed to determine specific items to be mitigated. Actions to implement mitigations must be scheduled. Applications with medium risk issues may be taken off-line or denied release into the production environment based on the number of issues; multiple issues may increase the risk to an unacceptable level. Issues may be fixed in patch releases unless better mitigation options are present.
+
+    i. Low - issues categorized as low risk must be reviewed to determine specific items to be mitigated. Actions to implement mitigations must be scheduled.
+
+a. Testing is required to validate fixes and/or mitigation strategies for any security vulnerabilities classified as Medium risk or greater.
+
+a. The following security assessment types may be leveraged to perform an application security assessment:
+
+    i. Full - comprised of tests for all known web application vulnerabilities using both automated and manual tools based on the OWASP Testing Guide (reference (c)). A full assessment must leverage manual penetration testing techniques to validate discovered vulnerabilities to determine the overall risk of any and all discovered issues.
+
+    i. Quick - consists of an automated scan of an application for, at a minimum, the OWASP Top Ten web application security risks (reference (d)).
+
+    i. Targeted - verifies vulnerability remediation changes or new application functionality.
+
+    i. To counter the risk of unauthorized access, the organization maintains a Data Center Security Policy (reference (c)).
+
+    i. Security requirements for the software development life cycle, including system development, acquisition and maintenance are defined in the Software Development Lifecycle Policy (reference (d)).
+
+    i. Security requirements for handling information security incidents are defined in the Security Incident Response Policy (reference (e)).
+
+    i. Disaster recovery and business continuity management policy is defined in the Disaster Recovery Policy (reference (f)).
+
+    i. Requirements for information system availability and redundancy are defined in the System Availability Policy (reference (g)).
+
--- a/themes/comply-soc2/policies/cyber.md
+++ b/themes/comply-soc2/policies/cyber.md
@@ -8,4 +8,61 @@ majorRevisions:
    comment: Initial document
 ---

-# Coming Soon
+# Purpose and Scope
+
+a. The purpose of this policy is to define the procedures to assess and treat information security risks within the organization, and to define the acceptable level of risk overall.
+
+a. Risk assessment and risk treatment are applied to the entire scope of the organization’s information security program, and to all information systems which are used within the organization or which could have an impact on the organization’s information security.
+
+a. This policy applies to all management and employees that take part in the organization’s risk assessments. This policy must be made readily available to all whom it applies to.
+
+# Background
+
+a. This policy defines a step-by-step process for conducting risk assessments, as well as to treat identified risks from an information security perspective. This policy also describes how to prepare the Risk Assessment Report required as part of the risk assessment process.
+
+a. When conducting a risk assessment, the organization must identify all organizational information systems . It must then identify all threats and vulnerabilities having to do with such systems , and rate the severity of such threats and vulnerabilities according to a predefined rating scale. Asset and risk owners must be defined for each risk item.
+
+a. Once the risk assessment is completed, the organization shall determine how to manage risks where the overall assessed risk rating is deemed as too high. This management is known as risk treatment. Risk treatment options include but are not limited to applying security controls, outsourcing risk, accepting risk, or discontinuing the activity associated with the risk.
+
+a. A penetration test must be performed by a third party to verify the accuracy of the risk assessment and effectiveness of deployed risk treatments.
+
+# Procedure To Execute Risk Assessment Report
+
+a. Confirms that the entire risk assessment and risk treatment process has been carried out according to the Risk Assessment Policy.
+
+a. The purpose of the risk assessment was to identify all information systems  their vulnerabilities, and threats that could exploit vulnerabilities. These parameters were further evaluated in order to establish the criticality of individual risks.
+
+a. The purpose of the risk treatment was to define the systematic means of reducing or controlling the risks identified in the risk assessment.
+
+a. All risk assessment and treatment activities were completed within the scope of the organization’s information security program.
+
+a. The risk assessment was implemented in the period from [day/month/year] to [day/month/year]. The risk treatment was implemented from [day/month/year] to [day/month/year]. Final reports were prepared during [specify period].
+
+a. The risk assessment and risk treatment process was managed by [person responsible for managing the risk assessment process] with expert assistance provided by [person or company responsible for assistance].
+
+a. During the risk assessment, information was collected through questionnaires and interviews with responsible persons, namely the asset owners across organizational units.
+
+a. The process was conducted as follows:
+
+    i. All information systems and their owners were identified.
+
+    i. Threats were identified for each asset, and corresponding vulnerabilities were identified for each threat.
+    i. Risk owners were identified for each risk.
+
+    i. Consequences of the loss of confidentiality, integrity and availability were evaluated using a score from 0 to 2, with 0 being the lowest rating and 2 being the highest rating.
+
+    i. The likelihood of risk occurrence (i.e. that the threat will exploit the vulnerability) was evaluated using a score from 0 to 2, with 0 being the lowest rating and 2 being the highest rating.
+
+    i. The level of risk was calculated by adding up the consequence and likelihood.
+
+    i. Risks with a score of 3 or 4 were determined to be unacceptable risks.
+
+    i. For each unacceptable risk, a risk treatment option was considered, and appropriate information security controls were selected.
+
+    i. After controls were applied, residual risks were assessed.
+
+a. The following documents were used or generated during the implementation of risk assessment and risk treatment:
+    
+    i. Risk Assessment Table (Appendix A): for each combination of systems , vulnerabilities and threats, this table shows the values for consequence and likelihood, and calculates the risk.
+
+    i. Risk Treatment Table (Appendix B): defines the options for risk treatment, selection of controls for each unacceptable risk, and the level of residual risk.
--- a/themes/comply-soc2/policies/development.md
+++ b/themes/comply-soc2/policies/development.md
@@ -8,4 +8,188 @@ majorRevisions:
    comment: Initial document
 ---

-# Coming Soon
+# Purpose and Scope
+
+a. The purpose of this policy is to define requirements for establishing and maintaining baseline protection standards for company software, network devices, servers, and desktops.
+
+a. This policy applies to all users performing software development, system administration, and management of these activities within the organization. This typically includes employees and contractors, as well as any relevant external parties involved in these activities (hereinafter referred to as “users”). This policy must be made readily available to all users.
+
+a. This policy also applies to enterprise-wide systems and applications developed by the organization or on behalf of the organization for production implementation.
+
+# Background
+
+a. The intent of this policy is to ensure a well-defined, secure and consistent process for managing the entire lifecycle of software and information systems, from initial requirements analysis until system decommission. The policy defines the procedure, roles, and responsibilities, for each stage of the software development lifecycle.
+
+a. Within this policy, the software development lifecycle consists of requirements analysis, architecture and design, development, testing, deployment/implementation, operations/maintenance, and decommission. These processes may be followed in any form; in a waterfall model, it may be appropriate to follow the process linearly, while in an agile development model, the process can be repeated in an iterative fashion.
+
+# References
+
+a. Risk Assessment Policy
+
+# Policy
+
+a. The organization’s Software Development Life Cycle (SDLC) includes the following phases:
+
+    i. Requirements Analysis
+
+    i. Architecture and Design
+
+    i. Testing
+
+    i. Deployment/Implementation
+
+    i. Operations/Maintenance
+
+    i. Decommission
+
+a. During all phases of the SDLC where a system is not in production, the system must not have live data sets that contain information identifying actual people or corporate entities, actual financial data such as account numbers, security codes, routing information, or any other financially identifying data. Information that would be considered sensitive must never be used outside of production environments.
+
+a. The following activities must be completed and/or considered during the requirements analysis phase:
+
+    i. Analyze business requirements.
+
+    i. Perform a risk assessment. More information on risk assessments is discussed in the Risk Assessment Policy (reference (a)).
+
+    i. Discuss aspects of security (e.g., confidentiality, integrity, availability) and how they might apply to this requirement.
+
+    i. Review regulatory requirements and the organization’s policies, standards, procedures and guidelines.
+
+    i. Review future business goals.
+
+    i. Review current business and information technology operations.
+
+    i. Incorporate program management items, including:
+
+        1. Analysis of current system users/customers.
+
+        1. Understand customer-partner interface requirements (e.g., business-level, network).
+
+        1. Discuss project timeframe.
+
+    i. Develop and prioritize security solution requirements.
+
+    i. Assess cost and budget constraints for security solutions, including development and operations.
+
+    i. Approve security requirements and budget.
+
+    i. Make “buy vs. build” decisions for security services based on the information above.
+
+a. The following must be completed/considered during the architecture and design phase:
+
+    i. Educate development teams on how to create a secure system.
+
+    i. Develop and/or refine infrastructure security architecture.
+
+    i. List technical and non-technical security controls.
+
+    i. Perform architecture walkthrough.
+
+    i. Create a system-level security design.
+
+    i. Create high-level non-technical and integrated technical security designs.
+
+    i. Perform a cost/benefit analysis for design components.
+
+    i. Document the detailed technical security design.
+
+    i. Perform a design review, which must include, at a minimum, technical reviews of application and infrastructure, as well as a review of high-level processes.
+
+    i. Describe detailed security processes and procedures, including: segregation of duties and segregation of development, testing and production environments. 
+
+    i. Design initial end-user training and awareness programs.
+
+    i. Design a general security test plan.
+
+    i. Update the organization’s policies, standards, and procedures, if appropriate.
+
+    i. Assess and document how to mitigate residual application and infrastructure vulnerabilities.
+
+    i. Design and establish separate development and test environments.
+
+a. The following must be completed and/or considered during the development phase:
+
+    i. Set up a secure development environment (e.g., servers, storage).
+
+    i. Train infrastructure teams on installation and configuration of applicable software, if required.
+
+    i. Develop code for application-level security components.
+
+    i. Install, configure and integrate the test infrastructure.
+
+    i. Set up security-related vulnerability tracking processes.
+
+    i. Develop a detailed security test plan for current and future versions (i.e., regression testing).
+
+    i. Conduct unit testing and integration testing.
+
+a. The following must be completed and/or considered during the testing phase:
+
+    i. Perform a code and configuration review through both static and dynamic analysis of code to identify vulnerabilities. 
+
+    i. Test configuration procedures.
+
+    i. Perform system tests.
+
+    i. Conduct performance and load tests with security controls enabled.
+
+    i. Perform usability testing of application security controls.
+
+
+    i. Conduct independent vulnerability assessments of the system, including the infrastructure and application.
+
+a. The following must be completed and/or considered during the deployment phase:
+
+    i. Conduct pilot deployment of the infrastructure, application and other relevant components.
+
+    i. Conduct transition between pilot and full-scale deployment.
+
+    i. Perform integrity checking on system files to ensure authenticity.
+
+    i. Deploy training and awareness programs to train administrative personnel and users in the system’s security functions.
+
+    i. Require participation of at least two developers in order to conduct full-scale deployment to the production environment.
+
+a. The following must be completed and/or considered during the operations/maintenance phase:
+
+    i. Several security tasks and activities must be routinely performed to operate and administer the system, including but not limited to:
+
+        1. Administering users and access.
+
+        1. Tuning performance.
+
+        1. Performing backups according to requirements defined in the System Availability Policy 
+
+        1. Performing system maintenance (i.e., testing and applying security updates and patches).
+
+        1. Conducting training and awareness.
+
+        1. Conducting periodic system vulnerability assessments.
+
+        1. Conducting annual risk assessments.
+
+    i. Operational systems must:
+
+        1. Be reviewed to ensure that the security controls, both automated and manual, are functioning correctly and effectively.
+
+        1. Have logs that are periodically reviewed to evaluate the security of the system and validate audit controls.
+
+        1. Implement ongoing monitoring of systems and users to ensure detection of security violations and unauthorized changes.
+
+        1. Validate the effectiveness of the implemented security controls through security training as required by the Procedure For Executing Incident Response.
+
+        1. Have a software application and/or hardware patching process that is performed regularly in order to eliminate software bug and security problems being introduced into the organization’s technology environment. Patches and updates must be applied within ninety (90) days of release to provide for adequate testing and propagation of software updates. Emergency, critical, break-fix, and zero-day vulnerability patch releases must be applied as quickly as possible.
+
+a. The following must be completed and/or considered during the decommission phase:
+
+    i. Conduct unit testing and integration testing on the system after component removal.
+
+    i. Conduct operational transition for component removal/replacement.
+
+    i. Determine data retention requirements for application software and systems data.
+
+    i. Document the detailed technical security design.
+
+    i. Update the organization’s policies, standards and procedures, if appropriate.
+
+    i. Assess and document how to mitigate residual application and infrastructure vulnerabilities.
+
--- a/themes/comply-soc2/policies/disaster.md
+++ b/themes/comply-soc2/policies/disaster.md
@@ -8,5 +8,144 @@ majorRevisions:
  - date: Jun 1 2018
    comment: Initial document
 ---
+#Purpose and Scope 

-# Coming Soon
+a. The purpose of this policy is to define the organization’s procedures to recover Information Technology (IT) infrastructure and IT services within set deadlines in the case of a disaster or other disruptive incident. The objective of this plan is to complete the recovery of IT infrastructure and IT services within a set Recovery Time Objective (RTO).
+
+a. This policy includes all resources and processes necessary for service and data recovery, and covers all information security aspects of business continuity management.
+
+a. This policy applies to all management, employees and suppliers that are involved in the recovery of IT infrastructure and services within the organization. This policy must be made readily available to all whom it applies to.
+
+# Background
+
+a. This policy defines the overall disaster recovery strategy for the organization. The strategy describes the organization’s Recovery Time Objective (RTO), which is defined as the duration of time and service level for critical business processes to be restored after a disaster or other disruptive event, as well as the procedures, responsibility and technical guidance required to meet the RTO. This policy also lists the contact information for personnel and service providers that may be needed during a disaster recovery event.
+
+a. The following conditions must be met for this plan to be viable:
+
+    i. All equipment, software and data (or their backups/failovers) are available in some manner.
+
+    i. If an incident takes place at the organization’s physical location, all resources involved in recovery efforts are able to be transferred to an alternate work site (such as their home office) to complete their duties.
+
+    i. The Information Security Officer is responsible for coordinating and conducting a bi-annual (at least) rehearsal of this continuity plan. 
+
+a. This plan does not cover the following types of incidents:
+
+    i. Incidents that affect customers or partners but have no effect on the organization’s systems; in this case, the customer must employ their own continuity processes to make sure that they can continue to interact with the organization and its systems.
+
+    i. Incidents that affect cloud infrastructure suppliers at the core infrastructure level, including but not limited to Google, Heroku, and Amazon Web Services. The organization depends on such suppliers to employ their own continuity processes.
+
+# Policy
+
+a. *Relocation*
+
+    i. If the organization’s primary work site is unavailable, an alternate work site shall be used by designated personnel. The organization’s alternate work site is located at [list the address of the alternate work site that the organization will use].
+
+    i. The personnel required to report to the alternate work site during a disaster includes [list the personnel titles responsible for reporting to the alternate work site].
+
+a. *Critical Services, Key Tasks and, Service Level Agreements (SLAs)*
+
+    i. The following services and technologies are considered to be critical for business operations, and must immediately be restored (in priority order):
+  
+        1. [list the critical services and technologies that must remain running during a disaster]
+
+    i. The following key tasks and SLAs must be considered during a disaster recovery event, in accordance with the organization’s objectives, agreements, and legal, contractual or regulatory obligations:
+
+        1. [list of key tasks / SLAs that must be kept operational, with respective deadlines]
+
+a. The organization’s Recovery Time Objective (RTO) is [set the maximum amount of time before critical processes must be restored, to include relocation and getting critical services/technologies back online]. Relocation and restoration of critical services and technologies must be completed within this time period.
+
+a. *Notification of Plan Initiation*
+
+    i. The following personnel must be notified when this plan is initiated:
+
+      1. [list all personnel (including titles) that must be notified of plan initiation ]
+
+    i. [person responsible for notifications, including title] is responsible for notifying the personnel listed above.
+
+a. *Plan Deactivation*
+
+    i. This plan must only be deactivated by [person or persons with authority to deactivate the plan, including job title].
+
+    i. In order for this plan to be deactivated, all relocation activities and critical service / technology tasks  as detailed above must be fully completed and/or restored. If the organization is still operating in an impaired scenario, the plan may still be kept active at the discretion of [person or persons with authority to deactivate the plan, including job title].
+
+    i. The following personnel must be notified when this plan is deactivated:
+
+        1. [list all personnel (including titles) that must be notified of plan activation]
+
+a. The organization must endeavor to restore its normal level of business operations as soon as possible.
+
+a. A list of relevant points of contact both internal and external to the organization is enclosed in Appendix A.
+
+a. During a crisis, it is vital for certain recovery tasks to be performed right away. The following actions are pre-authorized in the event of a disaster recovery event:
+
+    i. [job title] must take all steps specified in this disaster recovery plan in order to recover the organization’s information technology infrastructure and services.
+    
+    i. [job title] is authorized to make urgent purchases of equipment and services up to [amount].
+    
+    i. [job title] is authorized to communicate with clients.
+    
+    i. [job title] is authorized to communicate with the public.
+    
+    i. [job title] is authorized to communicate with public authorities such as state and local governments and law enforcement.
+    
+    i. [job title] is authorized to cooperate with [name of supplier/outsourcing partner].
+    
+    i. [add/modify/remove authorizations in this section as necessary]
+
+a. Specific recovery steps for information systems infrastructure and services are provided in Appendix B.
+
+\pagebreak 
+
+# Appendix A: Relevant Points of Contact
+
+Internal Contacts
+
+------------------+-------------------+------------------+------------------+-----------------+
+|       Name       |     Job Title     |   Phone Number   |  Email Address   |Alternate Contact|
+==================+===================+==================+==================+=================+
+|                  |                   |                  |                  |                 |
+|                  |                   |                  |                  |                 |
+------------------+-------------------+------------------+------------------+-----------------+
+|                  |                   |                  |                  |                 |
+|                  |                   |                  |                  |                 |
+------------------+-------------------+------------------+------------------+-----------------+
+
+External Contacts
+
+------------------+-------------------+------------------+------------------+-----------------+
+|       Name       |     Job Title     |   Phone Number   |  Email Address   |Alternate Contact|
+==================+===================+==================+==================+=================+
+|                  |                   |                  |                  |                 |
+|                  |                   |                  |                  |                 |
+------------------+-------------------+------------------+------------------+-----------------+
+|                  |                   |                  |                  |                 |
+|                  |                   |                  |                  |                 |
+------------------+-------------------+------------------+------------------+-----------------+
+
+\pagebreak
+
+# Appendix B: Recovery Steps for Information Systems Infrastructure & Services
+
+Specific recovery procedures are described in detail below:
+
+----------------------------+----------------------+------------------------------------+
+|     Recovery Procedure     |  Person Responsible  |  Person(s) Notified When Complete  |
+============================+======================+====================================+
+| System to be recovered:    |                      |                                    |                
+|                            |                      |                                    |                 
+----------------------------+----------------------+------------------------------------+
+| task 1:                    |                      |                                    |  
+|                            |                      |                                    |
+----------------------------+----------------------+------------------------------------+            
+| task 2:                    |                      |                                    |   
+|                            |                      |                                    |              
+----------------------------+----------------------+------------------------------------+
+| System to be recovered:    |                      |                                    |                
+|                            |                      |                                    |                 
+----------------------------+----------------------+------------------------------------+
+| task 1:                    |                      |                                    | 
+|                            |                      |                                    |    
+----------------------------+----------------------+------------------------------------+            
+| task 2:                    |                      |                                    |    
+|                            |                      |                                    |             
+----------------------------+----------------------+------------------------------------+
--- a/themes/comply-soc2/policies/media.md
+++ b/themes/comply-soc2/policies/media.md
@@ -8,4 +8,133 @@ majorRevisions:
    comment: Initial document
 ---

-# Coming Soon
+# Purpose and Scope
+
+a. This removable media, cloud storage and Bring Your Own Device (BYOD) policy defines the objectives, requirements and implementing instructions for storing data on removable media, in cloud environments, and on personally-owned devices, regardless of data classification level.
+
+a. This policy applies to all information and data within the organization’s information security program, as well as all removable media, cloud systems and personally-owned devices either owned or controlled by the organization.
+
+a. This policy applies to all users of information systems within the organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by the organization (hereinafter referred to as “users”). This policy must be made readily available to all users.
+
+# Background
+
+a. This policy defines the procedures for safely using  removable media, cloud storage and personally-owned devices to limit data loss or exposure.  Such forms of storage must be strictly controlled because of the sensitive data that can be stored on them. Because each of these storage types are inherently ephemeral or portable in nature, it is possible for the organization to lose the ability to oversee or control the information stored on them if strict security standards are not followed.
+
+a. This document consists of three sections pertaining to removable media, cloud storage, and personally-owned devices. Each section contains requirements and implementing instructions for the registration, management, maintenance, and disposition of each type of storage.
+
+a. Within this policy, the term sensitive information refers to information that is classified as RESTRICTED or CONFIDENTIAL in accordance with the Data Classification Policy (reference (a)).
+
+# References
+
+a. Data Classification Policy
+
+a. Asset Inventory
+
+a. Security Incident Response Policy
+
+a. Encryption Policy
+
+# Policy
+
+a. *Removable Media*
+
+    i. All removable media in active use and containing data pertinent to the organization must be registered in the organization’s Asset Inventory (reference (b)).
+
+    i. All removable media listed in reference (b) must be re-inventoried on a quarterly basis to ensure that it is still within the control of the organization.
+
+        1. To re-inventory an item, the owner of the removable media must check in the item with the organization’s Information Security Manager (ISM).
+
+        1. The ISM must treat any removable media that cannot be located as lost, and a security incident report must be logged in accordance with the Security Incident Response Policy (reference (c)).
+
+    i. The owner of the removable media must conduct all appropriate maintenance on the item at intervals appropriate to the type of media, such as cleaning, formatting, labeling, etc.
+
+    i. The owner of the removable media, where practical, must ensure that an alternate or backup copy of the information located on the device exists.
+
+    i. Removable media must be stored in a safe place that has a reduced risk of fire or flooding damage. 
+
+    i. If the storage item contains sensitive information, removable media must:
+
+        1. Be stored in a locked cabinet or drawer.
+
+        1. Store only encrypted data that is securely enciphered in accordance with the Encryption Policy (reference (d)).
+
+    i. All data on removable media devices must be erased, or the device must be destroyed, before it is reused or disposed of.
+
+    i. When removable media devices are disposed, the device owner must inform the ISM so that it can be removed from reference (b).
+
+a. *Cloud Storage*
+
+    i. All cloud storage systems in active use and containing data pertinent to the organization must be registered in reference (b). Registration may be accomplished by manual or automated means.
+
+
+    i. All cloud storage systems listed in reference (b) must be re-inventoried on a quarterly basis to ensure that it is still within the control of the organization. To re-inventory an item, the owner of the removable media must check in the item with the organization’s Information Security Manager (ISM). Re-inventory may be accomplished by manual or automated means.
+
+    i. The owner of the cloud storage system must conduct all appropriate maintenance on the system at regular intervals to include system configuration, access control, performance monitoring, etc.
+
+    i. Data on cloud storage systems must be replicated to at least one other physical location. Depending on the cloud storage provider, this replication may be automatically configured.
+
+    i. The organization must only use cloud storage providers that can demonstrate, either through security accreditation, demonstration, tour, or other means that their facilities are secured, both physically and electronically, using best practices.
+
+    i. If the cloud storage system contains sensitive information, that information must be encrypted in accordance with reference (d).
+
+    i. Data must be erased from from cloud storage systems using a technology and process that is approved by the ISM. 
+
+    i. When use of a cloud storage system is discontinued, the system owner must inform the ISM so that it can be removed from reference (b).
+
+a. *Personally-owned Devices*
+
+    i. Organizational data that is stored, transferred or processed on personally-owned devices remains under the organization’s ownership, and the organization retains the right to control such data even though it is not the owner of the device.
+
+    i. The ISM is responsible for conducting overall management of personally-owned devices, to include:
+
+        1. Installation and maintenance of Mobile Device Management (MDM) software that can effectively manage, control and wipe data under the organization’s control from personally-owned devices.
+
+        1. Maintain a list of job titles and/or persons authorized to use personally-owned devices for the organization’s business, as well as the applications and databases that may be accessed from such devices.
+
+        1. Maintain a list of applications prohibited from use on personally-owned devices, and ensuring that device users are aware of these restrictions.
+
+    i. Personally-identifiable information (PII) may not be stored, processed or accessed at any time on a personally-owned device.
+
+    i. The following acceptable use requirements must be observed by users of personally-owned devices:
+
+        1. All organizational data must be backed up at regular intervals.
+
+        1. MDM and endpoint protection software must be installed on the device at all times.
+
+        1. Sensitive information stored on the device must be encrypted in accordance with reference (d).
+
+        1. The device must be secured using a password, pin, unlock pattern, fingerprint or equivalent security mechanism.
+
+        1. The device must only connect to secure and encrypted wireless networks.
+
+        1. When using the device outside of the organization’s premises, it must not be left unattended, and if possible, physically secured.
+
+        1. When using the device in public areas, the owner must take measures to ensure that the data cannot be read or accessed by unauthorized persons.
+
+        1. Patches and updates must be installed regularly.
+
+        1. Classified information must be protected in accordance with reference (a).
+
+        1. The device owner must install the ISM before the device is disposed of, sold, or provided to a third party for servicing.
+
+        1. It is prohibited to:
+
+            a. Allow device access for anyone except its owner.
+        
+            a. Store illegal materials on the device.
+
+            a. Install unlicensed software.
+
+            a. Locally-store passwords.
+
+            a. Transfer organizational data to other devices which have not been approved by the organization.
+
+    i. The organization must reserve the right to view, edit, and/or delete any organizational information that is stored, processed or transferred on the device.
+
+    i. The organization must reserve the right to perform full deletion of all of its data on the device if it considers that necessary for the protection of company-related data, without the consent of the device owner.
+
+    i. The organization will not pay the employees (the owners of BYOD) any fee for using the device for work purposes.
+
+    i. The organization will pay for any new software that needs to be installed for company use.
+
+    i. All security breaches related to personally-owned devices must be reported immediately to the ISM. 
--- a/themes/comply-soc2/policies/remote.md
+++ b/themes/comply-soc2/policies/remote.md
@@ -10,4 +10,50 @@ majorRevisions:
    comment: Initial document
 ---

-# Coming Soon
+# Purpose and Scope
+
+a. The purpose of this policy is to define requirements for connecting to the organization’s systems and networks from remote hosts, including personally-owned devices, in order to minimize data loss/exposure.
+
+a. This policy applies to all users of information systems within the organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by the organization (hereinafter referred to as “users”). This policy must be made readily accessible to all users.
+
+# Background
+
+a. The intent of this policy is to minimize the organization’s exposure to damages which may result from the unauthorized remote use of resources, including but not limited to: the loss of sensitive, company confidential data and intellectual property; damage to the organization’s public image; damage to the organization’s internal systems; and fines and/or other financial liabilities incurred as a result of such losses.
+
+a. Within this policy, the following definitions apply:
+
+    i. *Mobile computing equipment:* includes portable computers, mobile phones, smart phones, memory cards and other mobile equipment used for storage, processing and transfer of data.
+
+    i. *Remote host:* is defined as an information system, node or network that is not under direct control of the organization.
+
+    i. *Telework:* the act of using mobile computing equipment and remote hosts to perform work outside the organization’s physical premises. Teleworking does not include the use of mobile phones.
+
+# Policy
+
+a. *Security Requirements for Remote Hosts and Mobile Computing Equipment*
+
+    i. Caution must be exercised when mobile computing equipment is placed or used in uncontrolled spaces such as vehicles, public spaces, hotel rooms, meeting places, conference centers, and other unprotected areas outside the organization’s premises.
+
+    i. When using remote hosts and mobile computing equipment, users must take care that information on the device (e.g. displayed on the screen) cannot be read by unauthorized persons if the device is being used to connect to the organization’s systems or work with the organization’s data.
+
+    i. Remote hosts must be updated and patched for the latest security updates on at least a monthly basis.
+
+    i. Remote hosts must have endpoint protection software (e.g. malware scanner) installed and updated at all times.
+
+    i. Persons using mobile computing equipment off-premises are responsible for regular backups of organizational data that resides on the the device.
+
+    i. Access to the organization’s systems must be done through an encrypted and authenticated VPN connection with multi-factor authentication enabled. All users requiring remote access must be provisioned with VPN credentials from the organization’s information technology team. VPN keys must be rotated at least twice per year. Revocation of VPN keys must be included in the Offboarding Policy. 
+
+    i. Information stored on mobile computing equipment must be encrypted using hard drive full disk encryption.
+
+a. *Security Requirements for Telework*
+
+    i. Employees must be specifically authorized for telework in writing from their hiring manager .
+
+    i. Only device’s assigned owner is permitted to use remote nodes and mobile computing equipment. Unauthorized users (such as others living or working at the location where telework is performed) are not permitted to use such devices.
+
+    i. Devices must be authorized using certificates
+
+    i. Users performing telework are responsible for the appropriate configuration of the local network used for connecting to the Internet at their telework location.
+
+    i. Users performing telework must protect the organization’s intellectual property rights, either for software or other materials that are present on remote nodes and mobile computing equipment.
--- a/themes/comply-soc2/policies/retention.md
+++ b/themes/comply-soc2/policies/retention.md
@@ -10,4 +10,79 @@ majorRevisions:
    comment: Initial document
 ---

-# Coming Soon
+#Appendices
+Appendix A: Retention Periods
+
+# Purpose and Scope
+
+a. This data retention policy defines the objectives and requirements for data retention within the organization.
+
+a. This policy covers all data within the organization’s custody or control, irregardless of the medium the data is stored in (electronic form, paper form, etc.) Within this policy, the medium which holds data is referred to as information, no matter what form it is in.
+
+a. This policy applies to all users of information systems within the organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information the organization owns or controls (hereinafter referred to as “users”). This policy must be made readily available to all users.
+
+# Background
+
+a. The organization is bound by multiple legal, regulatory and contractual obligations with regard to the data it retains. These obligations stipulate how long data can be retained, and how data must be destroyed. Examples of legal, regulatory and contractual obligations include laws and regulations in the local jurisdiction where the organization conducts business, and contracts made with employees, customers, service providers, partners and others.
+
+a. The organization may also be involved in events such as litigation or disaster recovery scenarios that require it to have access to original information in order to protect the organization’s interests or those of its employees, customers, service providers, partners and others. As a result, the organization may need to archive and store information for longer that it may be needed for day-to-day operations.
+ 
+ \pagebreak 
+
+# Policy
+
+a. *Information Retention*
+
+    i. Retention is defined as the maintenance of information in a production or live environment which can be accessed by an authorized user in the ordinary course of business. 
+
+    i. Information used in the development, staging, and testing of systems shall not be retained beyond their active use period nor copied into production or live environments.
+
+    i. By default, the retention period of information shall be an active use period of exactly two years from its creation unless an exception is obtained permitting a longer or shorter retention period. The business unit responsible for the information must request the exception.
+
+    i. After the active use period of information is over in accordance with this policy and approved exceptions, information must be archived for a defined period. Once the defined archive period is over, the information must be destroyed.
+
+    i. Each business unit is responsible for the information it creates, uses, stores, processes and destroys, according to the requirements of this policy. The responsible business unit is considered to be the information owner.
+
+    i. The organization’s legal counsel may issue a litigation hold to request that information relating to potential or actual litigation, arbitration or other claims, demands, disputes or regulatory action be retained in accordance with instructions from the legal counsel.
+
+    i. Each employee and contractor affiliated with the company must return information in their possession or control to the organization upon separation and/or retirement.
+
+    i. Information owners must enforce the retention, archiving and destruction of information, and communicate these periods to relevant parties.
+
+a. *Information Archiving*
+
+    i. Archiving is defined as secured storage of information such that the information is rendered inaccessible by authorized users in the ordinary course of business but can be retrieved by an administrator designated by company management.
+
+        1. Physical (e.g., paper) records must be archived in secured storage (onsite or offsite) and clearly labeled in archive boxes naming the information owner.
+
+        1. Electronic records must be archived with strict access controls set by the information owner and appropriate to secure the confidentiality, integrity and accessibility of the information.
+
+    i. The default archiving period of information shall be 7 years unless an approved exception permits a longer or shorter period. Exceptions must be requested by the information owner.
+
+        1. As a guideline, an archiving period of more than 7 years may be granted for information with a vital historical purpose such as corporate records, contracts, and technical/trade secrets.
+
+        1. As a guideline, an archiving period of less than 7 years may be granted for information with a limited business purpose such as email, travel itineraries, pre-trip advisories, or to comply with specific legal, contractual and/or regulatory requirements (e.g., PCI DSS, GDPR, etc.)
+
+    i. Information must be destroyed (defined below) at the end of the elapsed archiving period.  
+
+a. *Information Destruction*
+
+    i. Destruction is defined as the physical or technical destruction sufficient to render the information contained in the document irretrievable by ordinary commercially-available means.
+
+    i. The organization must maintain and enforce a detailed list of approved destruction methods appropriate for each type of information archived, whether in physical storage media such as CD-ROMs, DVDs, backup tapes, hard drives, mobile devices, portable drives or in database records or backup files. Physical information in paper form must be shredded using an authorized shredding device; waste must be periodically removed by approved personnel.
+
+a. Retention and archival periods for information that is created, processed, stored and used by the organization is defined in Appendix A, “Retention Periods.” 
+
+\pagebreak 
+
+# Appendix A: Retention Periods 
+
+------------------+-------------------+------------------+------------------+-----------------+
+| Information Type | Information Owner | Storage Location | Retention Period | Archival Period |
+==================+===================+==================+==================+=================+
+|                  |                   |                  |                  |                 |
+|                  |                   |                  |                  |                 |
+------------------+-------------------+------------------+------------------+-----------------+
+|                  |                   |                  |                  |                 |
+|                  |                   |                  |                  |                 |
+------------------+-------------------+------------------+------------------+-----------------+
--- a/themes/comply-soc2/policies/vendor.md
+++ b/themes/comply-soc2/policies/vendor.md
@@ -8,4 +8,40 @@ majorRevisions:
    comment: Initial document
 ---

-# Coming Soon
+# Purpose and Scope
+
+a. This policy defines the rules for relationships with the organization’s Information Technology (IT) vendors and partners. 
+
+a. This policy applies to all IT vendors and partners who have the ability to impact the confidentiality, integrity, and availability of the organization’s technology and sensitive information, or who are within the scope of the organization’s information security program.
+
+a. This policy applies to all employees and contractors that are responsible for the management and oversight of IT vendors and partners of the organization. 
+
+# Background
+
+a. The overall security of the organization is highly dependent on the security of its contractual relationships with its IT suppliers and partners. This policy defines  requirements for effective management and oversight of such suppliers and partners from an information security perspective. The policy prescribes minimum standards a vendor must meet from an information security standpoint, including security clauses, risk assessments, service level agreements, and incident management.
+
+# References
+
+a. Information Security Policy
+
+a. Security Incident Response Policy
+
+# Policy
+
+a. IT vendors are prohibited from accessing the organization’s information security assets until  a contract containing security controls is agreed to and signed by the appropriate parties.
+
+a. All IT vendors must comply with the security policies defined and derived from the Information Security Policy (reference (a)). 
+
+a. All security incidents by IT vendors or partners must be documented in accordance with the organization’s Security Incident Response Policy (reference (b)) and immediately forwarded to the Information Security Manager (ISM). 
+
+a. The organization must adhere to the terms of all Service Level Agreements (SLAs) entered into with IT vendors. As terms are updated, and as new ones are entered into, the organization must implement any changes or controls needed to ensure it remains in compliance. 
+
+a. Before entering into a contract and gaining access to the parent organization’s information systems, IT vendors must undergo a risk assessment. 
+
+    i. Security risks related to IT vendors and partners must be identified during the risk assessment process. 
+    
+    i. The risk assessment must identify risks related to information and communication technology, as well as risks related to IT vendor supply chains, to include sub-suppliers. 
+
+a. IT vendors and partners must ensure that organizational records are protected, safeguarded, and disposed of securely. The organization strictly adheres to all applicable legal, regulatory and contractual requirements regarding the collection, processing, and transmission of sensitive data such as Personally-Identifiable Information (PII). 
+
+a. The organization may choose to audit IT vendors and partners to ensure compliance with applicable security policies, as well as legal, regulatory and contractual obligations.
--- a/themes/comply-soc2/procedures/offboarding.md
+++ b/themes/comply-soc2/procedures/offboarding.md
@@ -2,4 +2,10 @@ id: "offboard"
 name: "Offboard User"
 ---

-# Coming Soon
+Resolve this ticket by executing the following steps:
+
+- [ ] Immediately suspend user in SSO
+- [ ] Append HR termination request e-mail to this ticket
+- [ ] Look up manually-provisioned applications for this role or user
+- [ ] Validate access revocation in each
+- [ ] Append confirmation or revocation to this ticket
--- a/themes/comply-soc2/procedures/onboarding.md
+++ b/themes/comply-soc2/procedures/onboarding.md
@@ -2,4 +2,11 @@ id: "onboard"
 name: "Onboard New User"
 ---

-# Coming Soon
+Resolve this ticket by executing the following steps:
+
+- [ ] Append HR add request e-mail to this ticket
+- [ ] Proactively validate role assignment with manager (see HR request e-mail)
+- [ ] Add user to default group for the specified role
+- [ ] Provision any manually-provisioned applications by role
+    - [ ] Append manual provisioning confirmation to this ticket
+- [ ] Proactively confirm with new user that they can access all provisioned systems
--- a/themes/comply-soc2/procedures/patch.md
+++ b/themes/comply-soc2/procedures/patch.md
@@ -1,6 +1,15 @@
 id: "patch"
 name: "Apply OS patches"
-cron: "0 0 1 * * *"
+cron: "0 0 0 15 * *"
 ---

-# Coming Soon
+# OS Patch Procedure
+
+Resolve this ticket by executing the following steps:
+
+- [ ] Pull the latest scripts from the Ops repository
+- [ ] Execute `ENV=staging patch-all.sh`
+- [ ] Inspect output
+    - [ ] Errors? Investigate and resolve
+- [ ] Execute `ENV=production patch-all.sh`
+- [ ] Attach log output to this ticket
--- a/themes/comply-soc2/procedures/workstation.md
+++ b/themes/comply-soc2/procedures/workstation.md
@@ -1,6 +1,40 @@
 id: "workstation"
 name: "Collect Workstation Details"
-cron: "0 0 * * * *"
+cron: "0 0 0 15 4 *"
 ---

-# Coming Soon
+Resolve this ticket by executing the following steps:
+
+- [ ] Send the communications below
+- [ ] For any email replies, attach content to this ticket
+- [ ] Validate responses are received from each
+
+
+```
+To: Desktop support
+Subject: Annual workstation inventory
+
+Please attach the current workstation inventory to the following ticket: [REPLACE WITH URL TO THIS TICKET]
+
+The workstation inventory shall include the following fields:
+    * Serial number
+    * Custodian
+    * Full disk encryption status
+    * Malware protection status
+```
+
+
+```
+To: Outsourced Call Center IT
+Subject: Annual workstation inventory
+
+As part of our ongoing compliance efforts and per our services agreement, we require a current inventory of workstations in use in the service of our account.
+
+Please respond to this message with the current inventory.
+
+The workstation inventory shall include the following fields:
+    * Serial number
+    * Custodian
+    * Full disk encryption status
+    * Malware protection status
+```
--- a/themes/comply-soc2/templates/index.ace
+++ b/themes/comply-soc2/templates/index.ace
@@ -15,20 +15,11 @@ html lang=en
        document.querySelectorAll('.cron').forEach(function(el) {
          el.innerHTML = prettyCron.toString((""+el.innerHTML).trim(),true) // 6-field expressions
        })
-        if (window.location.hash != "") {
-          var hashComponents = window.location.hash.split('#')
-          if (hashComponents.length>1) {
-            var destination = hashComponents[1]
-            if (["overview","narratives","policies","procedures","standards"].indexOf(destination) >= 0) {
-              show(destination)
-            }
-          }
-        }
      })

      function show(name) {
-        if(history.replaceState) {
-            history.replaceState(null, null, '#'+name);
+        if (history.replaceState) {
+            history.replaceState(null, null, '#'+name)
        }

        var items = document.getElementsByClassName('top-nav')
@@ -233,7 +224,14 @@ html lang=en
        .content.has-text-centered
          p {{.Project.OrganizationName}} Confidential 2018
  = javascript
-    // commented for development
    if (window.location.hash=="") {
      show('overview')
+    } else {
+      var hashComponents = window.location.hash.split('#')
+      if (hashComponents.length>1) {
+        var destination = hashComponents[1]
+        if (["overview","narratives","policies","procedures","standards"].indexOf(destination) >= 0) {
+          show(destination)
+        }
+      }
    }
Author	SHA1	Message	Date
Justin McCarthy	80c8978034	increment patch for release (via Makefile)	2018-05-18 12:35:15 -07:00
Justin McCarthy	592852ad38	automated asset refresh (via Makefile)	2018-05-18 12:35:06 -07:00
Manisha Singh	179477b4ef	Merge branch 'master' of github.com:strongdm/comply	2018-05-18 12:33:51 -07:00
Manisha Singh	46fd0e6987	Initial commit of Vendor	2018-05-18 12:33:48 -07:00
Justin McCarthy	9a357f7bd6	workstation procedure example	2018-05-18 12:33:08 -07:00
Justin McCarthy	378a27542f	Merge branch 'master' of github.com:strongdm/comply	2018-05-18 12:21:00 -07:00
Justin McCarthy	1b010e0d04	Procedure examples	2018-05-18 12:20:53 -07:00
Manisha Singh	1eebcaeee1	Initial commit of Development	2018-05-18 12:11:48 -07:00
Manisha Singh	6973675228	Initial commit of Removable Media	2018-05-18 11:56:09 -07:00
Manisha Singh	5e82aa0cfe	Merge branch 'master' of github.com:strongdm/comply	2018-05-18 11:47:03 -07:00
Manisha Singh	ed8d8a9404	Initial commit of Remote Access	2018-05-18 11:46:58 -07:00
Justin McCarthy	f7b13952af	increment patch for release (via Makefile)	2018-05-18 11:38:32 -07:00
Justin McCarthy	d79d9a934b	automated asset refresh (via Makefile)	2018-05-18 11:38:23 -07:00
Justin McCarthy	f6410c6fb9	restore dependencies for release target	2018-05-18 11:38:13 -07:00
Justin McCarthy	14bde98a9f	release webhook	2018-05-18 11:37:18 -07:00
Manisha Singh	430e01fa7c	Initial commit of Disaster Recovery	2018-05-18 11:16:51 -07:00
Manisha Singh	0ba9f063c5	Initial commit of Data Retention	2018-05-18 10:48:56 -07:00
Manisha Singh	5c40d95dd0	Initial commit of Cyber Risk	2018-05-18 10:32:25 -07:00
Manisha Singh	fdc8038c95	Merge branch 'master' of github.com:strongdm/comply	2018-05-18 10:19:55 -07:00
Manisha Singh	1a92fc92c4	Initial commit of Application Security	2018-05-18 10:19:43 -07:00
Justin McCarthy	f0117bd807	increment patch for release (via Makefile)	2018-05-17 23:21:26 -07:00
Justin McCarthy	816be6d613	automated asset refresh (via Makefile)	2018-05-17 23:21:18 -07:00
Justin McCarthy	4c1b6fad7e	trigger procedure by ID	2018-05-17 23:08:34 -07:00
Justin McCarthy	8fbc7ab65a	more verbose output in the interest of educating users on input and output paths	2018-05-17 22:52:39 -07:00
Justin McCarthy	e97f0684ac	move all calls to show to bottom block	2018-05-17 22:46:17 -07:00
Justin McCarthy	7aa267dbb6	only open html after render is complete during serve	2018-05-17 22:45:39 -07:00
@@ -1 +1 @@
 .1.19
 .1.22